44caliber | hxxps://disk[.]yandex[.]ru/d/5Zf-lN2SiZs0tw

General

Target

https://disk.yandex.ru/d/5Zf-lN2SiZs0tw

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1006790440319721592/JrnMAFLUXBYu-iLZNueo-eJzGfmhsLdmdKG79qvk3RUzIgyqmlVKxvdlq1afH9ErC0VB

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

finj.exe

pid process

3152 finj.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

236 freegeoip.app
237 freegeoip.app
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2364 3116 WerFault.exe Manual Injector.exe

pid	process
3152	finj.exe

flow	ioc
236	freegeoip.app
237	freegeoip.app

pid	pid_target	process	target process
2364	3116	WerFault.exe	Manual Injector.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exeинжектить 1 потом red5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	инжектить 1 потом red5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	инжектить 1 потом red5.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings firefox.exe
NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\Новая папка.zip:Zone.Identifier firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings	firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Новая папка.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

инжектить 1 потом red5.exefinj.exerbxfpsunlocker.exe

pid	process
3416	инжектить 1 потом red5.exe
3416	инжектить 1 потом red5.exe
3416	инжектить 1 потом red5.exe
3152	finj.exe
3152	finj.exe
3152	finj.exe
3152	finj.exe
3416	инжектить 1 потом red5.exe
3472	rbxfpsunlocker.exe
3472	rbxfpsunlocker.exe
3472	rbxfpsunlocker.exe
3472	rbxfpsunlocker.exe
3472	rbxfpsunlocker.exe
3472	rbxfpsunlocker.exe
3472	rbxfpsunlocker.exe
3472	rbxfpsunlocker.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

firefox.exe(1) Red5.exeManual Injector.exeинжектить 1 потом red5.exe

description	pid	process
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	4320	(1) Red5.exe
Token: SeDebugPrivilege	3116	Manual Injector.exe
Token: SeDebugPrivilege	3416	инжектить 1 потом red5.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

firefox.exe(1) Red5.exerbxfpsunlocker.exe

pid process

1824 firefox.exe
1824 firefox.exe
1824 firefox.exe
1824 firefox.exe
4320 (1) Red5.exe
3472 rbxfpsunlocker.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

firefox.exerbxfpsunlocker.exe

pid process

1824 firefox.exe
1824 firefox.exe
1824 firefox.exe
3472 rbxfpsunlocker.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

firefox.exe

pid process

1824 firefox.exe
1824 firefox.exe
1824 firefox.exe
1824 firefox.exe
1824 firefox.exe
1824 firefox.exe
1824 firefox.exe

pid	process
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
4320	(1) Red5.exe
3472	rbxfpsunlocker.exe

pid	process
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
3472	rbxfpsunlocker.exe

pid	process
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4540 wrote to memory of 1824	4540	firefox.exe	firefox.exe
PID 4540 wrote to memory of 1824	4540	firefox.exe	firefox.exe
PID 4540 wrote to memory of 1824	4540	firefox.exe	firefox.exe
PID 4540 wrote to memory of 1824	4540	firefox.exe	firefox.exe
PID 4540 wrote to memory of 1824	4540	firefox.exe	firefox.exe
PID 4540 wrote to memory of 1824	4540	firefox.exe	firefox.exe
PID 4540 wrote to memory of 1824	4540	firefox.exe	firefox.exe
PID 4540 wrote to memory of 1824	4540	firefox.exe	firefox.exe
PID 4540 wrote to memory of 1824	4540	firefox.exe	firefox.exe
PID 1824 wrote to memory of 1436	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 1436	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 2792	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 4692	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 4692	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 4692	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 4692	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 4692	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 4692	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 4692	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 4692	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 4692	1824	firefox.exe	firefox.exe
PID 1824 wrote to memory of 4692	1824	firefox.exe	firefox.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://disk.yandex.ru/d/5Zf-lN2SiZs0tw
1⤵
- Suspicious use of WriteProcessMemory
PID:4540

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://disk.yandex.ru/d/5Zf-lN2SiZs0tw
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1824.0.1942048990\783538312" -parentBuildID 20200403170909 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 1 -prefMapSize 220117 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1824 "\\.\pipe\gecko-crash-server-pipe.1824" 1780 gpu
3⤵
PID:1436

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1824.3.1215151197\981079939" -childID 1 -isForBrowser -prefsHandle 2272 -prefMapHandle 2260 -prefsLen 78 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1824 "\\.\pipe\gecko-crash-server-pipe.1824" 2276 tab
3⤵
PID:2792

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1824.13.1145890757\269770384" -childID 2 -isForBrowser -prefsHandle 3564 -prefMapHandle 3560 -prefsLen 6860 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1824 "\\.\pipe\gecko-crash-server-pipe.1824" 3620 tab
3⤵
PID:4692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4900

C:\Users\Admin\Desktop\New folder\(1) Red5.exe
"C:\Users\Admin\Desktop\New folder\(1) Red5.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4320

C:\Users\Admin\Desktop\New folder\Manual Injector.exe
"C:\Users\Admin\Desktop\New folder\Manual Injector.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Users\Admin\Desktop\New folder\finj.exe
"C:\Users\Admin\Desktop\New folder\finj.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 2368
2⤵
- Program crash
PID:2364

C:\Users\Admin\Desktop\New folder\инжектить 1 потом red5.exe
"C:\Users\Admin\Desktop\New folder\инжектить 1 потом red5.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3116 -ip 3116
1⤵
PID:3700

C:\Users\Admin\Desktop\New folder\rbxfpsunlocker.exe
"C:\Users\Admin\Desktop\New folder\rbxfpsunlocker.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kfbvpzxi.default-release\cert9.db

Filesize
224KB

MD5
3ee91dd3b1e233a823cb8da2996d548b

SHA1
6c16b2d4e93fcdee88051dcbad6e93864d7a65c2

SHA256
e8db7142a85be9d2298751c6562b8bfae4be54b2788430b92f03686b09df38c7

SHA512
65de7c2bb8d84f1d4eb6e5d15f5c091c8e0d794100752938dbc606a6a4da92e2a9051e1a24dbd54c928fae07d177095ffbcaf1420c98696079da371daa254471

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kfbvpzxi.default-release\cookies.sqlite

Filesize
512KB

MD5
9a7083e9bff500e1e2a1f6775ddae283

SHA1
94a51a41fb5397175f329b26ac391b11dc436530

SHA256
17804d62f421f4f76fd3dc7a9c17e7ede31ebcd053785f9929f09c6f68b7d827

SHA512
3f739ddc3448f135d54e5dd813499aacbdbcc2ee96ec713977be6528a43fab0e325727e556a4fe51fabe7f4f7081e040bb009125c5d9d443999b5ddaffae48c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kfbvpzxi.default-release\places.sqlite

Filesize
5.0MB

MD5
5ef437a8768948fd533b3ef7241d5880

SHA1
8e1b88b833f027ada41a81f3ae578fcf08a8e247

SHA256
d91570ae0f6e575174a977f446738a5bbbeaa712fb30e0eb4782856a478347c9

SHA512
0d4c9e74828ead8e99277cc178ae5b70384aad465b177fee5df393bb03de29d200ba7d9eb1c5cfebc28578f9f4f41989ba3ff8ea104cabf6c1062760850a5321

Download Submit
C:\Users\Admin\Desktop\New folder\finj.exe

Filesize
6.2MB

MD5
9a5954f7325498ad64b7075f9877dd4e

SHA1
3bc8fd9cd93392244ee5f8f9c5f5cfb92b7e9906

SHA256
e3f179be93e4633c932051ade43875f583313687dc6142ca8619da442bbf1cfa

SHA512
a6ed0e46d51361850cdc3faa52755628714f89d9885ccfb7f6cabfb52a36b0f0cc186f864b9d101bf368cd6c2386923b6702b7edd5e74bc2de272f14329193aa

Download Submit
C:\Users\Admin\Desktop\New folder\finj.exe

Filesize
6.2MB

MD5
9a5954f7325498ad64b7075f9877dd4e

SHA1
3bc8fd9cd93392244ee5f8f9c5f5cfb92b7e9906

SHA256
e3f179be93e4633c932051ade43875f583313687dc6142ca8619da442bbf1cfa

SHA512
a6ed0e46d51361850cdc3faa52755628714f89d9885ccfb7f6cabfb52a36b0f0cc186f864b9d101bf368cd6c2386923b6702b7edd5e74bc2de272f14329193aa

Download Submit
memory/3116-137-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/3116-138-0x0000000004C90000-0x0000000004D2E000-memory.dmp

Filesize
632KB

Download
memory/3116-139-0x0000000007090000-0x00000000070B2000-memory.dmp

Filesize
136KB

Download
memory/3152-151-0x0000000000B90000-0x0000000001533000-memory.dmp

Filesize
9.6MB

Download
memory/3152-150-0x0000000000B90000-0x0000000001533000-memory.dmp

Filesize
9.6MB

Download
memory/3152-148-0x0000000000B90000-0x0000000001533000-memory.dmp

Filesize
9.6MB

Download
memory/3152-142-0x0000000000000000-mapping.dmp

Download
memory/3416-140-0x000001C43B0C0000-0x000001C43B10A000-memory.dmp

Filesize
296KB

Download
memory/3416-147-0x00007FFCF3070000-0x00007FFCF3B31000-memory.dmp

Filesize
10.8MB

Download
memory/3416-152-0x00007FFCF3070000-0x00007FFCF3B31000-memory.dmp

Filesize
10.8MB

Download
memory/3416-153-0x00007FFCF3070000-0x00007FFCF3B31000-memory.dmp

Filesize
10.8MB

Download
memory/4320-130-0x0000000000680000-0x00000000006D0000-memory.dmp

Filesize
320KB

Download
memory/4320-136-0x0000000007020000-0x000000000707A000-memory.dmp

Filesize
360KB

Download
memory/4320-135-0x0000000006FA0000-0x0000000006FB4000-memory.dmp

Filesize
80KB

Download
memory/4320-134-0x0000000005350000-0x000000000535A000-memory.dmp

Filesize
40KB

Download
memory/4320-133-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/4320-132-0x000000000A100000-0x000000000A6A4000-memory.dmp

Filesize
5.6MB

Download
memory/4320-131-0x00000000096B0000-0x0000000009746000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads