44caliber | b1182007e714621a5ecbfd6fbe486889cd16c2099eea069ab787b8edeade1cdb

Analysis

max time kernel
132s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2023 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1182007e714621a5ecbfd6fbe486889cd16c2099eea069ab787b8edeade1cdb.exe
Size

274KB
MD5

57ccf63a7e54b14239f13b49c90c6624
SHA1

dad4d1a51104b449f5c68d6e367c1e330c3d689b
SHA256

b1182007e714621a5ecbfd6fbe486889cd16c2099eea069ab787b8edeade1cdb
SHA512

4061844766b440f483bce85e900e1e121780eb57e7b47d7a13ddcd34c48de02bd9c55fc2350174e3efeeccecb6505d112feac8c8049414857e6f1d5fb90ef271
SSDEEP

6144:uf+BLtABPDM5pPTgxWGomsXSb6WtafTy8lI1D0lvP:R57hmsXS6Yx1DSP

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1180235571138936842/0LJ571UFuTLaKpO7KBs12_uE0OnG-UkEHb7l8uaUnAlrrOyMv1lU6nnxKlX7bg-fad7L

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 freegeoip.app
8 freegeoip.app

flow	ioc
7	freegeoip.app
8	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b1182007e714621a5ecbfd6fbe486889cd16c2099eea069ab787b8edeade1cdb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	b1182007e714621a5ecbfd6fbe486889cd16c2099eea069ab787b8edeade1cdb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	b1182007e714621a5ecbfd6fbe486889cd16c2099eea069ab787b8edeade1cdb.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

b1182007e714621a5ecbfd6fbe486889cd16c2099eea069ab787b8edeade1cdb.exe

pid	process
4988	b1182007e714621a5ecbfd6fbe486889cd16c2099eea069ab787b8edeade1cdb.exe
4988	b1182007e714621a5ecbfd6fbe486889cd16c2099eea069ab787b8edeade1cdb.exe
4988	b1182007e714621a5ecbfd6fbe486889cd16c2099eea069ab787b8edeade1cdb.exe
4988	b1182007e714621a5ecbfd6fbe486889cd16c2099eea069ab787b8edeade1cdb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b1182007e714621a5ecbfd6fbe486889cd16c2099eea069ab787b8edeade1cdb.exe

description pid process

Token: SeDebugPrivilege 4988 b1182007e714621a5ecbfd6fbe486889cd16c2099eea069ab787b8edeade1cdb.exe

description	pid	process
Token: SeDebugPrivilege	4988	b1182007e714621a5ecbfd6fbe486889cd16c2099eea069ab787b8edeade1cdb.exe

C:\Users\Admin\AppData\Local\Temp\b1182007e714621a5ecbfd6fbe486889cd16c2099eea069ab787b8edeade1cdb.exe
"C:\Users\Admin\AppData\Local\Temp\b1182007e714621a5ecbfd6fbe486889cd16c2099eea069ab787b8edeade1cdb.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
735B

MD5
917eef34f993df60b80be0fe31e2ba41

SHA1
a0ece1b9d25573e3c6faf0d158a86052aaab4dcd

SHA256
40e05d06d040ecc0784b32588e57eeec8db02c60cbe2f6f7bd2145f9c735f482

SHA512
93d5b4805a9718c2c77898589b29d1d097897bfb805fb5d9defc2bd268ac997967db3846690eed696e96daae099f9fee1a44f1647ded6cb51dfd812a1fc0ad45

Download Submit
C:\ProgramData\44\Process.txt

Filesize
749B

MD5
2f9af51d3d249a28002e2917b80f5922

SHA1
314c0b5c44ba99e8e8c87c584999c286efda4456

SHA256
5e48e94aff53f83028f3e05d0d6b5eee823bcb48d23a64b9b3137cf1c4758c2b

SHA512
b107eee17628cecc97b26e90597a1dcbd045692b0280ecba8f68ae0db7cf5704ffcf189860d9b7370e766dc5b1af44ef6c1f2b2192adbed7c08c06e873089995

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
c4f20f544fdbb613473a8d4247a774d7

SHA1
d6bb05300aa00d2216182a2d1c4062df6c25d816

SHA256
fa52845f122f63e299837f60a5a249bd8d3795534e3698d69c25c39429722f93

SHA512
fba83c558a1f020e2c3a9244e94c5c01968b4c3e5677d08523f80fabc72f03d1c176949dd336f3b7cfd2685676c7b03ac3505a2526cf14593e8bcbec7931b0f0

Download Submit
memory/4988-0-0x000001B8DEC40000-0x000001B8DEC8A000-memory.dmp

Filesize
296KB

Download
memory/4988-31-0x00007FF805120000-0x00007FF805BE1000-memory.dmp

Filesize
10.8MB

Download
memory/4988-32-0x000001B8E0810000-0x000001B8E0820000-memory.dmp

Filesize
64KB

Download
memory/4988-123-0x00007FF805120000-0x00007FF805BE1000-memory.dmp

Filesize
10.8MB

Download