44caliber | a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337

General

Target

a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337.exe
Size

415KB
MD5

f3f3c591de1ed8ea2c00dcf8c03b86bf
SHA1

02e9dee6e17a41b74054d11a2f0e7abc0b963b12
SHA256

a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337
SHA512

61b2a9d6c011babe0540db4016627a584161c7fac432820424cd8c85cd85cb1ca537e1b202cceec241b99592865ace30cf9f47362563b82250053dfb63abb214
SSDEEP

6144:2TouKrWBEu3/Z2lpGDHU3ykJotX+t41/5c8gWe3JB2AgMmqP:2ToPWBv/cpGrU3yVtX+t4V5cWe5A+mqP

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1136773243261427722/PblfbxA7GVJqBDdmJ8FJrCPSUvE8iRRElfnrMu-WTqPYsrO633tdDs3xiZCowAI13ArQ

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 1 IoCs

Processes:

loader.exe

pid process

2984 loader.exe

pid	process
2984	loader.exe

Loads dropped DLL 4 IoCs

Processes:

a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337.exe

pid	process
2912	a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337.exe
2912	a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337.exe
2912	a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337.exe
2912	a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 freegeoip.app
3 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
2	freegeoip.app
3	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

loader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	loader.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

loader.exe

pid process

2984 loader.exe
2984 loader.exe
2984 loader.exe
2984 loader.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

loader.exe

description pid process

Token: SeDebugPrivilege 2984 loader.exe

pid	process
2984	loader.exe
2984	loader.exe
2984	loader.exe
2984	loader.exe

description	pid	process
Token: SeDebugPrivilege	2984	loader.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337.exe

description	pid	process	target process
PID 2912 wrote to memory of 2984	2912	a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337.exe	loader.exe
PID 2912 wrote to memory of 2984	2912	a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337.exe	loader.exe
PID 2912 wrote to memory of 2984	2912	a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337.exe	loader.exe
PID 2912 wrote to memory of 2984	2912	a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337.exe	loader.exe

C:\Users\Admin\AppData\Local\Temp\a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337.exe
"C:\Users\Admin\AppData\Local\Temp\a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
458B

MD5
a44b9665bf618f148fabef94a48309e3

SHA1
4f34277912c94b88bd82c85b92bf8bff5c11aef3

SHA256
5e2058751c623d55b0444b06544bee16b12bc3dbd7f9215113396e3a4e5a861a

SHA512
6a4f829d46b2c56ce7e1d2ef59e5a2edeecbedc4777224c2f91d50f1f8d2374180af0e8a351cf3bb7d020257a0f5562582025c2fa4b26b9171f5a37dcd74140e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe

Filesize
274KB

MD5
85b10f8d022b2b82aa276168da0950fe

SHA1
f0ebbadf43bd9fbd5f93706aae076f89230a643b

SHA256
fd45e5b2e40a6a427bc0b2caf7d546a63a632adaa4fe7cb70a9173f74c4c54e2

SHA512
737fccf654e342818da06adfbfa724862d5c816551e110cf94f71313186b8dc19319dcbb26affe47a9a0f7c05ecaaa564d95d1a6a2fd7c6278bddaef9347c53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe

Filesize
274KB

MD5
85b10f8d022b2b82aa276168da0950fe

SHA1
f0ebbadf43bd9fbd5f93706aae076f89230a643b

SHA256
fd45e5b2e40a6a427bc0b2caf7d546a63a632adaa4fe7cb70a9173f74c4c54e2

SHA512
737fccf654e342818da06adfbfa724862d5c816551e110cf94f71313186b8dc19319dcbb26affe47a9a0f7c05ecaaa564d95d1a6a2fd7c6278bddaef9347c53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe

Filesize
274KB

MD5
85b10f8d022b2b82aa276168da0950fe

SHA1
f0ebbadf43bd9fbd5f93706aae076f89230a643b

SHA256
fd45e5b2e40a6a427bc0b2caf7d546a63a632adaa4fe7cb70a9173f74c4c54e2

SHA512
737fccf654e342818da06adfbfa724862d5c816551e110cf94f71313186b8dc19319dcbb26affe47a9a0f7c05ecaaa564d95d1a6a2fd7c6278bddaef9347c53b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe

Filesize
274KB

MD5
85b10f8d022b2b82aa276168da0950fe

SHA1
f0ebbadf43bd9fbd5f93706aae076f89230a643b

SHA256
fd45e5b2e40a6a427bc0b2caf7d546a63a632adaa4fe7cb70a9173f74c4c54e2

SHA512
737fccf654e342818da06adfbfa724862d5c816551e110cf94f71313186b8dc19319dcbb26affe47a9a0f7c05ecaaa564d95d1a6a2fd7c6278bddaef9347c53b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe

Filesize
274KB

MD5
85b10f8d022b2b82aa276168da0950fe

SHA1
f0ebbadf43bd9fbd5f93706aae076f89230a643b

SHA256
fd45e5b2e40a6a427bc0b2caf7d546a63a632adaa4fe7cb70a9173f74c4c54e2

SHA512
737fccf654e342818da06adfbfa724862d5c816551e110cf94f71313186b8dc19319dcbb26affe47a9a0f7c05ecaaa564d95d1a6a2fd7c6278bddaef9347c53b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe

Filesize
274KB

MD5
85b10f8d022b2b82aa276168da0950fe

SHA1
f0ebbadf43bd9fbd5f93706aae076f89230a643b

SHA256
fd45e5b2e40a6a427bc0b2caf7d546a63a632adaa4fe7cb70a9173f74c4c54e2

SHA512
737fccf654e342818da06adfbfa724862d5c816551e110cf94f71313186b8dc19319dcbb26affe47a9a0f7c05ecaaa564d95d1a6a2fd7c6278bddaef9347c53b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe

Filesize
274KB

MD5
85b10f8d022b2b82aa276168da0950fe

SHA1
f0ebbadf43bd9fbd5f93706aae076f89230a643b

SHA256
fd45e5b2e40a6a427bc0b2caf7d546a63a632adaa4fe7cb70a9173f74c4c54e2

SHA512
737fccf654e342818da06adfbfa724862d5c816551e110cf94f71313186b8dc19319dcbb26affe47a9a0f7c05ecaaa564d95d1a6a2fd7c6278bddaef9347c53b

Download Submit
memory/2984-15-0x0000000000B40000-0x0000000000B8A000-memory.dmp

Filesize
296KB

Download
memory/2984-16-0x000007FEF63B0000-0x000007FEF6D9C000-memory.dmp

Filesize
9.9MB

Download
memory/2984-17-0x000000001A8A0000-0x000000001A920000-memory.dmp

Filesize
512KB

Download
memory/2984-66-0x000007FEF63B0000-0x000007FEF6D9C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads