44caliber | af0c48ca1ed3431b936d489bf1e8255a5d4182bd6164946bd6179ae3f212d0b1

General

Target

RP.sfx.exe
Size

10.0MB
MD5

e335f71c0f053c393626691bd60a58a4
SHA1

0cc99df70cca24c5f96edf36672ea297fe71043f
SHA256

af0c48ca1ed3431b936d489bf1e8255a5d4182bd6164946bd6179ae3f212d0b1
SHA512

eaa5b09100e133cd7241258255c02be262d3f6061774f9d32424922aaae8fa04d148f665d7c61c6f7ac1f1a23e87994b7bc6b0ba7fdd2fd0fa2d4575ac460195
SSDEEP

196608:uchhf7FHaM6MkwG2ea8oQoidqpcO49UEahKBXSmLnS0rCqs2vm9EGgy:dvfBdPG2QzoY1OgUEPV7r9s2+9bgy

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1162710207558852689/c241__Tv-C5fSE0jsivUVIhYUTy9AQG_2q-Wedc4i61WcTidBFF8dAoQzbri3Cz5u5KI

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

RP.sfx.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation RP.sfx.exe
Executes dropped EXE 1 IoCs

Processes:

RP.EXE

pid process

260 RP.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 freegeoip.app
16 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	RP.sfx.exe

pid	process
260	RP.EXE

flow	ioc
15	freegeoip.app
16	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RP.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RP.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RP.EXE

Modifies registry class 2 IoCs

Processes:

RP.sfx.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	RP.sfx.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

RP.EXE

pid process

260 RP.EXE
260 RP.EXE
260 RP.EXE
260 RP.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RP.EXE

description pid process

Token: SeDebugPrivilege 260 RP.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

880 OpenWith.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

RP.sfx.exe

description pid process target process

PID 2392 wrote to memory of 260 2392 RP.sfx.exe RP.EXE
PID 2392 wrote to memory of 260 2392 RP.sfx.exe RP.EXE

pid	process
260	RP.EXE
260	RP.EXE
260	RP.EXE
260	RP.EXE

description	pid	process
Token: SeDebugPrivilege	260	RP.EXE

pid	process
880	OpenWith.exe

description	pid	process	target process
PID 2392 wrote to memory of 260	2392	RP.sfx.exe	RP.EXE
PID 2392 wrote to memory of 260	2392	RP.sfx.exe	RP.EXE

C:\Users\Admin\AppData\Local\Temp\RP.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\RP.sfx.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2392

C:\Users\Admin\AppData\Local\Temp\RESOURCEPACK\RP.EXE
"C:\Users\Admin\AppData\Local\Temp\RESOURCEPACK\RP.EXE"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:260

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
4b7c08bdfa1d8cb11ae90c6f2b77e8f6

SHA1
1a128800834138632cf06235a3253ead0acce5b1

SHA256
1d2e7c9f2accdc9d8e6028e065f85572caa7b51c26d08f01f3c9935b999fa4f8

SHA512
388fbb74463fc1d0d1cd78ad96e2b3a58ca8a9727012df3d5cfda19970df6e7e2d04b5bdc0661d8d163f24413064f6b1c01b47dc39337920e6373fd75ea93681

Download Submit
C:\ProgramData\44\Process.txt

Filesize
739B

MD5
53beca5dc1bd602374735a95b598f2f5

SHA1
a55ef1edbfd86f55f6627aee92d35a42d003f6e7

SHA256
f58cc98fe9ee9b1d01b0230757a500d84d5d0122143e27a5c804107848c4e77a

SHA512
93db0f8707c3bfa46cacedd138b621c664375822c596e7f7dc20efbf038bd7033574cc9ed6c7752fa7530ac702b1df4f8ccb06100f7772137f46c7710dae1f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESOURCEPACK\RP.EXE

Filesize
251KB

MD5
513286e3e241f1c93556f45db4f8dc23

SHA1
32c83261b6ac5663e91664764aab429e6cd424d1

SHA256
a46070cb169ed0754c0fb624ad29f59fbc66fb75df9d2b3daefda76bc0d0d893

SHA512
890a2d7a72cf9975ebd716ad3c6f05f595afd1218106054c3c33ff1b9d41baf52c0013b8f65d975d372151b3303311f6554cb412fbcbbb0cf01dc8e81109f693

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESOURCEPACK\RP.exe

Filesize
251KB

MD5
513286e3e241f1c93556f45db4f8dc23

SHA1
32c83261b6ac5663e91664764aab429e6cd424d1

SHA256
a46070cb169ed0754c0fb624ad29f59fbc66fb75df9d2b3daefda76bc0d0d893

SHA512
890a2d7a72cf9975ebd716ad3c6f05f595afd1218106054c3c33ff1b9d41baf52c0013b8f65d975d372151b3303311f6554cb412fbcbbb0cf01dc8e81109f693

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESOURCEPACK\RP.exe

Filesize
251KB

MD5
513286e3e241f1c93556f45db4f8dc23

SHA1
32c83261b6ac5663e91664764aab429e6cd424d1

SHA256
a46070cb169ed0754c0fb624ad29f59fbc66fb75df9d2b3daefda76bc0d0d893

SHA512
890a2d7a72cf9975ebd716ad3c6f05f595afd1218106054c3c33ff1b9d41baf52c0013b8f65d975d372151b3303311f6554cb412fbcbbb0cf01dc8e81109f693

Download Submit
memory/260-15-0x000001A026C10000-0x000001A026C56000-memory.dmp

Filesize
280KB

Download
memory/260-20-0x00007FFFA9F50000-0x00007FFFAAA11000-memory.dmp

Filesize
10.8MB

Download
memory/260-33-0x000001A028800000-0x000001A028810000-memory.dmp

Filesize
64KB

Download
memory/260-138-0x00007FFFA9F50000-0x00007FFFAAA11000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing