Extracted

• • Target

    b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f

  • Size

    413KB

  • MD5

    1777bf83c011f0788ada715b52109451

  • SHA1

    94a8481b3a7230d8afa0f33f1a23dc538c4857d7

  • SHA256

    b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f

  • SHA512

    c23d4b04fa22f1b22d9b066fd5a3947090bd7f07ffaa0b18f6ec76f4aab6189f4010b8c07deeec0b6cb714076b2c5979d8a9210457c07169365dd640170463bb

  • SSDEEP

    3072:3YRz3q+7/MIx2jgG0k68TlzWh14aPrEBCS4YLOZ2IJWvSnE9lmyg9:34Dq+jMIx8Ikxl6UaPg7ty2/SEet

  Score

  10^/10

  44caliberevasionpersistencespywarestealer

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber

  • Modifies Windows Firewall

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2