44caliber | 1dd828521ed3c93e5da0bf56cf25dd789d887fe12e1498081f6baad35850b25e

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2023 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UnnamedFree.exe
Size

274KB
MD5

78ae73a2befd88689698f392a0df4468
SHA1

f4294f0b07401cada2c4411deda7e2070dd489f4
SHA256

004fbef0b21fbd40bfb0b81356cd8d0423d94a0cf580ab8bc629c5204515e6b7
SHA512

b597feaa687e5c11d1fa72d83b2a772217154311b61894a76009012fa0c29a0f5c5ce6eccde2095d60269f06e1310fbb6b8e4133d392b367cf5101a1bd0a0d88
SSDEEP

6144:Nf+BLtABPDR45GpbeKpwaUxnaGqqlYeJelA1D0Wl1:f4sFKaUxnaslYep1D/1

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/972090409700438017/FHYZJLIDFB1b4XU06S3DBw5xGN0xv6Ab2vtU1t8_ONL8owU3Qa0pE7RqDTsmfc1lxsPy

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 freegeoip.app
8 freegeoip.app

flow	ioc
7	freegeoip.app
8	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UnnamedFree.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	UnnamedFree.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	UnnamedFree.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

UnnamedFree.exe

pid process

3948 UnnamedFree.exe
3948 UnnamedFree.exe
3948 UnnamedFree.exe
3948 UnnamedFree.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

UnnamedFree.exe

description pid process

Token: SeDebugPrivilege 3948 UnnamedFree.exe

pid	process
3948	UnnamedFree.exe
3948	UnnamedFree.exe
3948	UnnamedFree.exe
3948	UnnamedFree.exe

description	pid	process
Token: SeDebugPrivilege	3948	UnnamedFree.exe

C:\Users\Admin\AppData\Local\Temp\UnnamedFree.exe
"C:\Users\Admin\AppData\Local\Temp\UnnamedFree.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
1KB

MD5
86e73b73c3c442f5af3c0aaffd5e2299

SHA1
104d8ad570f2a79a1df7d96da356f4430376815b

SHA256
9063d6f97da655c53419a521498ed367f1c1376d8b6bd2baceb1a86d1797ff48

SHA512
0cae1268a5f0d29b778719b893869905b221e5fe2dfb2a8ee03b94c40614198ca9103661759eb67ab1c519aa05cf74a38a22b304f448abda56931d6f283092f6

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
490B

MD5
2473bf36230cdb73a62f69301f007841

SHA1
2fbdbfc5066b32be20451bc52dc2772b2aea1b6a

SHA256
d8673a42dfb5806a15c794923e6cf2ca62f85ed6703a0920d758b8ab426ab0dc

SHA512
10666af4205f777b84b0524b1b2fed56307345eb1a06a0fef7721f8dc9f91a3c10b6b6d99fbcce0a23fbf0f6dab27b3f552329387203fd38f115e3d20176750f

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
730B

MD5
8578fe8a0c6bbc6bc2a3e3189bf53540

SHA1
638ec76d9eaf1911da3e260e86d3dadf19ad3e59

SHA256
32e31209cd7381d964dc6ad92d9faa1d2d0a08d37848e92c913ade4c41837808

SHA512
ba73d4e879cad1114abbd72487b99ebec6734e43ea5942d004e89e13dc24314573dc4c0975eb34f8211a3ccd9dd65801cced73f041cc7de74ffefd9f84c1b781

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
1KB

MD5
2e9487bdd53c32d2886bd747cb3ec562

SHA1
077969c93724da95308f193213045999d856b458

SHA256
47c289f9646aba3623955cb48a3c989f9fd5a1eaba48fcf1c774234c65ffa066

SHA512
c6fbc35be65dd397484218a37255cf2291b43065af4bd309d250c74aa085d1109afc88a333d70f6b81e199023f820d6693dbcdb42325c16d45cfd646bc7fd5a5

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
1KB

MD5
86e73b73c3c442f5af3c0aaffd5e2299

SHA1
104d8ad570f2a79a1df7d96da356f4430376815b

SHA256
9063d6f97da655c53419a521498ed367f1c1376d8b6bd2baceb1a86d1797ff48

SHA512
0cae1268a5f0d29b778719b893869905b221e5fe2dfb2a8ee03b94c40614198ca9103661759eb67ab1c519aa05cf74a38a22b304f448abda56931d6f283092f6

Download Submit
memory/3948-0-0x00000134D32C0000-0x00000134D330A000-memory.dmp

Filesize
296KB

Download
memory/3948-12-0x00007FFF03530000-0x00007FFF03FF1000-memory.dmp

Filesize
10.8MB

Download
memory/3948-14-0x00000134ED8D0000-0x00000134ED8E0000-memory.dmp

Filesize
64KB

Download
memory/3948-123-0x00007FFF03530000-0x00007FFF03FF1000-memory.dmp

Filesize
10.8MB

Download