44caliber | 8f172bf2e40df72ccbf6a764bd376d2032463a8aa30a3810e63478d4aaa43299

Analysis

max time kernel
120s
max time network
131s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2ade6498bf4fe3991c76104a2d5a8ad880ab4baaf0756f707eb3b22d9734a8f.exe
Size

274KB
MD5

e94364b4239eb39286dd3b07a9ea469c
SHA1

95a3fc71b5a4f63e1ce10c163af55b56f168a6f8
SHA256

c2ade6498bf4fe3991c76104a2d5a8ad880ab4baaf0756f707eb3b22d9734a8f
SHA512

bb924f1c1f8b851c70d5639abed43ed047452bac62580d060229e7a054d5f1be269e2888a3dfe511b434ac5a785dcf37216c95cffd8baaa9432cd930670acc13
SSDEEP

6144:8f+BLtABPDWlR1ZroWT0Ilb5wqlYeJ6lA1D0wIk:RluK0Ilb5/lYed1DMk

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1101119692103491584/GTMNvMSwfNfgMdtSqTcvjCvj1QDXJYPNxW9vEtgHszOELGeSAQDBrIp9Qf7oWif26BJd

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 freegeoip.app
5 freegeoip.app

flow	ioc
4	freegeoip.app
5	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c2ade6498bf4fe3991c76104a2d5a8ad880ab4baaf0756f707eb3b22d9734a8f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	c2ade6498bf4fe3991c76104a2d5a8ad880ab4baaf0756f707eb3b22d9734a8f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	c2ade6498bf4fe3991c76104a2d5a8ad880ab4baaf0756f707eb3b22d9734a8f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

c2ade6498bf4fe3991c76104a2d5a8ad880ab4baaf0756f707eb3b22d9734a8f.exe

pid	process
1968	c2ade6498bf4fe3991c76104a2d5a8ad880ab4baaf0756f707eb3b22d9734a8f.exe
1968	c2ade6498bf4fe3991c76104a2d5a8ad880ab4baaf0756f707eb3b22d9734a8f.exe
1968	c2ade6498bf4fe3991c76104a2d5a8ad880ab4baaf0756f707eb3b22d9734a8f.exe
1968	c2ade6498bf4fe3991c76104a2d5a8ad880ab4baaf0756f707eb3b22d9734a8f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c2ade6498bf4fe3991c76104a2d5a8ad880ab4baaf0756f707eb3b22d9734a8f.exe

description pid process

Token: SeDebugPrivilege 1968 c2ade6498bf4fe3991c76104a2d5a8ad880ab4baaf0756f707eb3b22d9734a8f.exe

description	pid	process
Token: SeDebugPrivilege	1968	c2ade6498bf4fe3991c76104a2d5a8ad880ab4baaf0756f707eb3b22d9734a8f.exe

C:\Users\Admin\AppData\Local\Temp\c2ade6498bf4fe3991c76104a2d5a8ad880ab4baaf0756f707eb3b22d9734a8f.exe
"C:\Users\Admin\AppData\Local\Temp\c2ade6498bf4fe3991c76104a2d5a8ad880ab4baaf0756f707eb3b22d9734a8f.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
445B

MD5
c9b0fec8ad9f3b2a30482f17128b2981

SHA1
9abfde45dc2ee4b2dd18dfd6bd00b9164aa31d81

SHA256
6b383fc04e85fac292e68a03a186028208c53121fb3f9f97ca6caec5387e1034

SHA512
29788c602b382f10649e5462ea2b21f9e3d281361c84bd42391f7a970bd481949090d01f789cac3f95227b0f901d63a38d4fcc71b9f6fd9dc29b193396d3caf4

Download Submit
memory/1968-0-0x0000000000270000-0x00000000002BA000-memory.dmp

Filesize
296KB

Download
memory/1968-1-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/1968-2-0x000000001A840000-0x000000001A8C0000-memory.dmp

Filesize
512KB

Download
memory/1968-51-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download