44caliber | d3e832fc80acdc65b025a2f2ddf27f9b6ee273434a9f57df9a5afe977dfdcac3

Resubmissions

24-09-2023 08:26

230924-kcbw1aeg88 10

22-08-2023 14:37

230822-rzc6xacg63 10

Analysis

max time kernel
80s
max time network
179s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
24-09-2023 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EXPENSIVE LOADER.exe
Size

1.3MB
MD5

bfb9334833749790c0df81ab1489c5a9
SHA1

b38e3080dfb1d35ae303b9f0c14a7cf12621de7c
SHA256

cc16768fe66b11c07282c6d5d543701b85b283a44de51fdd4a9bd2a014f37b68
SHA512

e41a66d9932f7853c9015ef0361cfbf4702a31d356e97dae1fb9ece085b808cac0e9a5d6d70a2763d08b3f940aacc074181bae6755077933d97f9a92b93c65d1
SSDEEP

24576:bw3SBs2Mhfs2OcpIi5aO9z1dn7Az8Zk61NlPXYpky7vKCB/nO:E3P2MhkPTaz1tswiKPXYpkyjKCB/O

Score

10^/10

44caliber spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

EXPENSIVE LOADER.exe

pid process

1220 EXPENSIVE LOADER.exe
1220 EXPENSIVE LOADER.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXPENSIVE LOADER.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	EXPENSIVE LOADER.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	EXPENSIVE LOADER.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

EXPENSIVE LOADER.exe

pid	process
1220	EXPENSIVE LOADER.exe
1220	EXPENSIVE LOADER.exe
1220	EXPENSIVE LOADER.exe
1220	EXPENSIVE LOADER.exe
1220	EXPENSIVE LOADER.exe
1220	EXPENSIVE LOADER.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

EXPENSIVE LOADER.exe

description pid process

Token: SeDebugPrivilege 1220 EXPENSIVE LOADER.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXPENSIVE LOADER.exe

pid process

1220 EXPENSIVE LOADER.exe

description	pid	process
Token: SeDebugPrivilege	1220	EXPENSIVE LOADER.exe

C:\Users\Admin\AppData\Local\Temp\EXPENSIVE LOADER.exe
"C:\Users\Admin\AppData\Local\Temp\EXPENSIVE LOADER.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\44\Process.txt

Filesize
742B

MD5
75b3526ad3d24c4c8edd4e5663bcdac7

SHA1
c822563243e44c38f79685e4deadaecedd1aa817

SHA256
6f691f0c268c5e90d8912a645c359b305ac706d349866205ca239a313a9ed97a

SHA512
fe7a8cd4c745bc219dc7856f3992053cf688e470ffcc6b2ac215e93c194106f59549cf16dbd826094b900eb639f98a366d2db1a8ab2e9f75bcc85dc07d48001d

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
e19be32e7fedff3924782f63422933e2

SHA1
59134800bab8a1450eff34ef0b3d4ee41918b10f

SHA256
88db7f3cef9a0febabaf6654fe1159aff9cf5a509f4705e0f91a7637379a8476

SHA512
dee2cfde3512299f9c991169384bb0146e5ab5d792ac67df1c2df6b1b4707de842b3c0c1f4e97a6c433eadd016ae1a920f97575740b651b1d13124d30cbf3fcc

Download Submit
memory/1220-12-0x0000000000CC0000-0x00000000010CA000-memory.dmp

Filesize
4.0MB

Download
memory/1220-0-0x0000000000CC0000-0x00000000010CA000-memory.dmp

Filesize
4.0MB

Download
memory/1220-11-0x0000000073410000-0x0000000073AFE000-memory.dmp

Filesize
6.9MB

Download
memory/1220-13-0x0000000000CC0000-0x00000000010CA000-memory.dmp

Filesize
4.0MB

Download
memory/1220-14-0x0000000009760000-0x0000000009770000-memory.dmp

Filesize
64KB

Download
memory/1220-17-0x000000000A510000-0x000000000A5A2000-memory.dmp

Filesize
584KB

Download
memory/1220-10-0x00000000778D2000-0x00000000778D3000-memory.dmp

Filesize
4KB

Download
memory/1220-38-0x000000000B2B0000-0x000000000B7AE000-memory.dmp

Filesize
5.0MB

Download
memory/1220-2-0x0000000000CC0000-0x00000000010CA000-memory.dmp

Filesize
4.0MB

Download
memory/1220-1-0x0000000001780000-0x0000000001781000-memory.dmp

Filesize
4KB

Download
memory/1220-108-0x0000000009E50000-0x0000000009EB6000-memory.dmp

Filesize
408KB

Download
memory/1220-111-0x0000000000CC0000-0x00000000010CA000-memory.dmp

Filesize
4.0MB

Download
memory/1220-112-0x0000000073410000-0x0000000073AFE000-memory.dmp

Filesize
6.9MB

Download