44caliber | a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337

General

Target

a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337.exe
Size

415KB
MD5

f3f3c591de1ed8ea2c00dcf8c03b86bf
SHA1

02e9dee6e17a41b74054d11a2f0e7abc0b963b12
SHA256

a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337
SHA512

61b2a9d6c011babe0540db4016627a584161c7fac432820424cd8c85cd85cb1ca537e1b202cceec241b99592865ace30cf9f47362563b82250053dfb63abb214
SSDEEP

6144:2TouKrWBEu3/Z2lpGDHU3ykJotX+t41/5c8gWe3JB2AgMmqP:2ToPWBv/cpGrU3yVtX+t4V5cWe5A+mqP

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1136773243261427722/PblfbxA7GVJqBDdmJ8FJrCPSUvE8iRRElfnrMu-WTqPYsrO633tdDs3xiZCowAI13ArQ

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Control Panel\International\Geo\Nation	a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337.exe

Executes dropped EXE 1 IoCs

pid	Process
4960	loader.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	freegeoip.app
8	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	loader.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4960	loader.exe
4960	loader.exe
4960	loader.exe
4960	loader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4960	loader.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 4960	2636	a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337.exe	80
PID 2636 wrote to memory of 4960	2636	a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337.exe	80

C:\Users\Admin\AppData\Local\Temp\a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337.exe
"C:\Users\Admin\AppData\Local\Temp\a011238f838b9bc61adec2897e0cac87099249a425dbc83064094fbdb987f337.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
0d236a9419ed8d0dab47a6c2e4aaf9d5

SHA1
6e9f0167e55f83a730859924ce16eb5d9b5af8f1

SHA256
41ff03607c01acf1cf8bc12444d3b74bd22b62513155fc46af421a957450d785

SHA512
57fd513d1d55a25de52e4e925862652aade1a82190ed28c0844066823fe9ed381f8e231471c8191b1d1b403366428fdc76fc91f4ed139b0d5ace7f943c5c6f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe

Filesize
274KB

MD5
85b10f8d022b2b82aa276168da0950fe

SHA1
f0ebbadf43bd9fbd5f93706aae076f89230a643b

SHA256
fd45e5b2e40a6a427bc0b2caf7d546a63a632adaa4fe7cb70a9173f74c4c54e2

SHA512
737fccf654e342818da06adfbfa724862d5c816551e110cf94f71313186b8dc19319dcbb26affe47a9a0f7c05ecaaa564d95d1a6a2fd7c6278bddaef9347c53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe

Filesize
274KB

MD5
85b10f8d022b2b82aa276168da0950fe

SHA1
f0ebbadf43bd9fbd5f93706aae076f89230a643b

SHA256
fd45e5b2e40a6a427bc0b2caf7d546a63a632adaa4fe7cb70a9173f74c4c54e2

SHA512
737fccf654e342818da06adfbfa724862d5c816551e110cf94f71313186b8dc19319dcbb26affe47a9a0f7c05ecaaa564d95d1a6a2fd7c6278bddaef9347c53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe

Filesize
274KB

MD5
85b10f8d022b2b82aa276168da0950fe

SHA1
f0ebbadf43bd9fbd5f93706aae076f89230a643b

SHA256
fd45e5b2e40a6a427bc0b2caf7d546a63a632adaa4fe7cb70a9173f74c4c54e2

SHA512
737fccf654e342818da06adfbfa724862d5c816551e110cf94f71313186b8dc19319dcbb26affe47a9a0f7c05ecaaa564d95d1a6a2fd7c6278bddaef9347c53b

Download Submit
memory/4960-12-0x000001A8BE0F0000-0x000001A8BE13A000-memory.dmp

Filesize
296KB

Download
memory/4960-42-0x00007FFD9F6A0000-0x00007FFDA0161000-memory.dmp

Filesize
10.8MB

Download
memory/4960-43-0x000001A8BE530000-0x000001A8BE540000-memory.dmp

Filesize
64KB

Download
memory/4960-129-0x00007FFD9F6A0000-0x00007FFDA0161000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads