44caliber | efc7c7dd299cd861e9196153e2f42b0365c17f6ed2e1336c0aa8b14342d4069e

Analysis

max time kernel
128s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2023 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caliber.exe
Size

274KB
MD5

51ef1b5bd832c2dd5527026a2c8385dd
SHA1

f4cdb36b3bb2f7cb8328f7821a6c9f1a67abf69e
SHA256

efc7c7dd299cd861e9196153e2f42b0365c17f6ed2e1336c0aa8b14342d4069e
SHA512

b6e19a0a9e414c30388d4af1e9490547505de26eaedcb9ecf022b1b818073be8cb00cc96a63c1537caeebb5a6c4db635b801ee45e2815d3254374b93a52be631
SSDEEP

6144:jf+BLtABPDZ1o2NjNRScMH5cgowlqg0lI1D0oeB:51HocY5cgJ51DaB

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1122141363941679136/q6BCXosW-M2T548ZAXG2lmcxF3COhfB4HKP6TsvadEd_-GW37BPl1h9nkHpx_As2wrMj

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 freegeoip.app
2 freegeoip.app

flow	ioc
4	freegeoip.app
2	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

caliber.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	caliber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	caliber.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

caliber.exe

pid process

4944 caliber.exe
4944 caliber.exe
4944 caliber.exe
4944 caliber.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

caliber.exe

description pid process

Token: SeDebugPrivilege 4944 caliber.exe

pid	process
4944	caliber.exe
4944	caliber.exe
4944	caliber.exe
4944	caliber.exe

description	pid	process
Token: SeDebugPrivilege	4944	caliber.exe

C:\Users\Admin\AppData\Local\Temp\caliber.exe
"C:\Users\Admin\AppData\Local\Temp\caliber.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
738B

MD5
a8bbef23c38a7e80c66ba39091fb7be9

SHA1
af4ae161d0212303e03e789417ade744299d594e

SHA256
ca115c9adac47f726f8239f9e4b0fe180a866c49257c6e654c4c7eb9c9ed05b8

SHA512
2b670c2e913711392cf67c6e6b4c31c50b463c6c9e7233162f27d7ce10e5e4ad2a7ac32e155a756c201e63cc268942c9ba2d472ba65b0740cbe0f80f99586db7

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
820B

MD5
f697f9f9893a1f40c01f558e6aae3fad

SHA1
14d592f33d555e0481efebea4658c94f2be2712b

SHA256
39f2f4cec69f758a3e2ed1e1c4179834727765861de2d2af5b21d0da0ccd8b49

SHA512
ef5401bd4b2e8e912272db49082d7fddd84c61bfbf6e799a73dbc06cb902853d7e1fd23e34690932679466118f12383b5363a2f2a1675271f895a90cc7dbe49d

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
820B

MD5
f697f9f9893a1f40c01f558e6aae3fad

SHA1
14d592f33d555e0481efebea4658c94f2be2712b

SHA256
39f2f4cec69f758a3e2ed1e1c4179834727765861de2d2af5b21d0da0ccd8b49

SHA512
ef5401bd4b2e8e912272db49082d7fddd84c61bfbf6e799a73dbc06cb902853d7e1fd23e34690932679466118f12383b5363a2f2a1675271f895a90cc7dbe49d

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
d9ab86beb64c2158c496160f5daf7514

SHA1
98f199c04095216249db7bee5596efbf4053e1d9

SHA256
eaa70f1b2af243c0255f20a548e39a548d96174109bd06e229709b3ad7a45789

SHA512
e7308f532080234aec9af88fc00b346df26897ddc115d25fc5ada24a617d665615ce5672432f70a89108a3930d882d66924e8ccddb2f261bdc165bcb20dd1694

Download Submit
memory/4944-0-0x000001B046070000-0x000001B0460BA000-memory.dmp

Filesize
296KB

Download
memory/4944-31-0x00007FF9E4150000-0x00007FF9E4C11000-memory.dmp

Filesize
10.8MB

Download
memory/4944-32-0x000001B047F00000-0x000001B047F10000-memory.dmp

Filesize
64KB

Download
memory/4944-117-0x00007FF9E4150000-0x00007FF9E4C11000-memory.dmp

Filesize
10.8MB

Download