44caliber | a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337

General

Target

f3f3c591de1ed8ea2c00dcf8c03b86bf.exe
Size

415KB
MD5

f3f3c591de1ed8ea2c00dcf8c03b86bf
SHA1

02e9dee6e17a41b74054d11a2f0e7abc0b963b12
SHA256

a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337
SHA512

61b2a9d6c011babe0540db4016627a584161c7fac432820424cd8c85cd85cb1ca537e1b202cceec241b99592865ace30cf9f47362563b82250053dfb63abb214
SSDEEP

6144:2TouKrWBEu3/Z2lpGDHU3ykJotX+t41/5c8gWe3JB2AgMmqP:2ToPWBv/cpGrU3yVtX+t4V5cWe5A+mqP

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1136773243261427722/PblfbxA7GVJqBDdmJ8FJrCPSUvE8iRRElfnrMu-WTqPYsrO633tdDs3xiZCowAI13ArQ

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Executes dropped EXE 1 IoCs

pid	Process
2000	loader.exe

Loads dropped DLL 4 IoCs

pid	Process
816	f3f3c591de1ed8ea2c00dcf8c03b86bf.exe
816	f3f3c591de1ed8ea2c00dcf8c03b86bf.exe
816	f3f3c591de1ed8ea2c00dcf8c03b86bf.exe
816	f3f3c591de1ed8ea2c00dcf8c03b86bf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
5	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	loader.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2000	loader.exe
2000	loader.exe
2000	loader.exe
2000	loader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	loader.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 2000	816	f3f3c591de1ed8ea2c00dcf8c03b86bf.exe	28
PID 816 wrote to memory of 2000	816	f3f3c591de1ed8ea2c00dcf8c03b86bf.exe	28
PID 816 wrote to memory of 2000	816	f3f3c591de1ed8ea2c00dcf8c03b86bf.exe	28
PID 816 wrote to memory of 2000	816	f3f3c591de1ed8ea2c00dcf8c03b86bf.exe	28

C:\Users\Admin\AppData\Local\Temp\f3f3c591de1ed8ea2c00dcf8c03b86bf.exe
"C:\Users\Admin\AppData\Local\Temp\f3f3c591de1ed8ea2c00dcf8c03b86bf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
411B

MD5
9d42f7b3ac5d31f97569a6bcccbd36dd

SHA1
83e55567023e0e61b4003159b5b2936281d19730

SHA256
a1da420881a1d460f0a6ee628dba646d208f3761be99b7786a436862ef324370

SHA512
0efd288204b423579de07afefc1f15935e533e50bf2a080f44f0756e0d4eebc753a549c9ef9caa72abbf95ce9d1f5cd19ac684c5ac0338c2f35a3c3509b2584e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe

Filesize
274KB

MD5
85b10f8d022b2b82aa276168da0950fe

SHA1
f0ebbadf43bd9fbd5f93706aae076f89230a643b

SHA256
fd45e5b2e40a6a427bc0b2caf7d546a63a632adaa4fe7cb70a9173f74c4c54e2

SHA512
737fccf654e342818da06adfbfa724862d5c816551e110cf94f71313186b8dc19319dcbb26affe47a9a0f7c05ecaaa564d95d1a6a2fd7c6278bddaef9347c53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe

Filesize
274KB

MD5
85b10f8d022b2b82aa276168da0950fe

SHA1
f0ebbadf43bd9fbd5f93706aae076f89230a643b

SHA256
fd45e5b2e40a6a427bc0b2caf7d546a63a632adaa4fe7cb70a9173f74c4c54e2

SHA512
737fccf654e342818da06adfbfa724862d5c816551e110cf94f71313186b8dc19319dcbb26affe47a9a0f7c05ecaaa564d95d1a6a2fd7c6278bddaef9347c53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe

Filesize
274KB

MD5
85b10f8d022b2b82aa276168da0950fe

SHA1
f0ebbadf43bd9fbd5f93706aae076f89230a643b

SHA256
fd45e5b2e40a6a427bc0b2caf7d546a63a632adaa4fe7cb70a9173f74c4c54e2

SHA512
737fccf654e342818da06adfbfa724862d5c816551e110cf94f71313186b8dc19319dcbb26affe47a9a0f7c05ecaaa564d95d1a6a2fd7c6278bddaef9347c53b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe

Filesize
274KB

MD5
85b10f8d022b2b82aa276168da0950fe

SHA1
f0ebbadf43bd9fbd5f93706aae076f89230a643b

SHA256
fd45e5b2e40a6a427bc0b2caf7d546a63a632adaa4fe7cb70a9173f74c4c54e2

SHA512
737fccf654e342818da06adfbfa724862d5c816551e110cf94f71313186b8dc19319dcbb26affe47a9a0f7c05ecaaa564d95d1a6a2fd7c6278bddaef9347c53b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe

Filesize
274KB

MD5
85b10f8d022b2b82aa276168da0950fe

SHA1
f0ebbadf43bd9fbd5f93706aae076f89230a643b

SHA256
fd45e5b2e40a6a427bc0b2caf7d546a63a632adaa4fe7cb70a9173f74c4c54e2

SHA512
737fccf654e342818da06adfbfa724862d5c816551e110cf94f71313186b8dc19319dcbb26affe47a9a0f7c05ecaaa564d95d1a6a2fd7c6278bddaef9347c53b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe

Filesize
274KB

MD5
85b10f8d022b2b82aa276168da0950fe

SHA1
f0ebbadf43bd9fbd5f93706aae076f89230a643b

SHA256
fd45e5b2e40a6a427bc0b2caf7d546a63a632adaa4fe7cb70a9173f74c4c54e2

SHA512
737fccf654e342818da06adfbfa724862d5c816551e110cf94f71313186b8dc19319dcbb26affe47a9a0f7c05ecaaa564d95d1a6a2fd7c6278bddaef9347c53b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe

Filesize
274KB

MD5
85b10f8d022b2b82aa276168da0950fe

SHA1
f0ebbadf43bd9fbd5f93706aae076f89230a643b

SHA256
fd45e5b2e40a6a427bc0b2caf7d546a63a632adaa4fe7cb70a9173f74c4c54e2

SHA512
737fccf654e342818da06adfbfa724862d5c816551e110cf94f71313186b8dc19319dcbb26affe47a9a0f7c05ecaaa564d95d1a6a2fd7c6278bddaef9347c53b

Download Submit
memory/2000-15-0x00000000012A0000-0x00000000012EA000-memory.dmp

Filesize
296KB

Download
memory/2000-16-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2000-17-0x00000000010F0000-0x0000000001170000-memory.dmp

Filesize
512KB

Download
memory/2000-65-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing