44caliber | b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f

General

Target

b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe
Size

413KB
MD5

1777bf83c011f0788ada715b52109451
SHA1

94a8481b3a7230d8afa0f33f1a23dc538c4857d7
SHA256

b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f
SHA512

c23d4b04fa22f1b22d9b066fd5a3947090bd7f07ffaa0b18f6ec76f4aab6189f4010b8c07deeec0b6cb714076b2c5979d8a9210457c07169365dd640170463bb
SSDEEP

3072:3YRz3q+7/MIx2jgG0k68TlzWh14aPrEBCS4YLOZ2IJWvSnE9lmyg9:34Dq+jMIx8Ikxl6UaPg7ty2/SEet

Score

10^/10

44caliber evasion persistence spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1167482850669506590/XPbC-QMgZk-g5lpCED6exclk3YJMn-e8Xl96345o1pqvB_PUpcdO3qdCTNwrb0TbEW7h

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

1200 netsh.exe

pid	process
1200	netsh.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0acde5366a0ad4cf36a62b2a5c332c14.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0acde5366a0ad4cf36a62b2a5c332c14.exe	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

aminer-watchdog.exeRat.exeстиллер с отправкорй дс.exesvchost.exe

pid process

2412 aminer-watchdog.exe
1956 Rat.exe
2560 стиллер с отправкорй дс.exe
1560 svchost.exe
Loads dropped DLL 3 IoCs

Processes:

b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exeRat.exe

pid process

2340 b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe
1956 Rat.exe
1956 Rat.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2412	aminer-watchdog.exe
1956	Rat.exe
2560	стиллер с отправкорй дс.exe
1560	svchost.exe

pid	process
2340	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe
1956	Rat.exe
1956	Rat.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Windows\CurrentVersion\Run\0acde5366a0ad4cf36a62b2a5c332c14 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0acde5366a0ad4cf36a62b2a5c332c14 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 freegeoip.app
2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
5	freegeoip.app
2	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

стиллер с отправкорй дс.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	стиллер с отправкорй дс.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	стиллер с отправкорй дс.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

стиллер с отправкорй дс.exesvchost.exe

pid	process
2560	стиллер с отправкорй дс.exe
2560	стиллер с отправкорй дс.exe
2560	стиллер с отправкорй дс.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
2560	стиллер с отправкорй дс.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

1560 svchost.exe

pid	process
1560	svchost.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exeстиллер с отправкорй дс.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2340	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe
Token: SeDebugPrivilege	2560	стиллер с отправкорй дс.exe
Token: SeDebugPrivilege	1560	svchost.exe
Token: 33	1560	svchost.exe
Token: SeIncBasePriorityPrivilege	1560	svchost.exe
Token: 33	1560	svchost.exe
Token: SeIncBasePriorityPrivilege	1560	svchost.exe
Token: 33	1560	svchost.exe
Token: SeIncBasePriorityPrivilege	1560	svchost.exe
Token: 33	1560	svchost.exe
Token: SeIncBasePriorityPrivilege	1560	svchost.exe
Token: 33	1560	svchost.exe
Token: SeIncBasePriorityPrivilege	1560	svchost.exe
Token: 33	1560	svchost.exe
Token: SeIncBasePriorityPrivilege	1560	svchost.exe
Token: 33	1560	svchost.exe
Token: SeIncBasePriorityPrivilege	1560	svchost.exe
Token: 33	1560	svchost.exe
Token: SeIncBasePriorityPrivilege	1560	svchost.exe
Token: 33	1560	svchost.exe
Token: SeIncBasePriorityPrivilege	1560	svchost.exe
Token: 33	1560	svchost.exe
Token: SeIncBasePriorityPrivilege	1560	svchost.exe
Token: 33	1560	svchost.exe
Token: SeIncBasePriorityPrivilege	1560	svchost.exe
Token: 33	1560	svchost.exe
Token: SeIncBasePriorityPrivilege	1560	svchost.exe
Token: 33	1560	svchost.exe
Token: SeIncBasePriorityPrivilege	1560	svchost.exe
Token: 33	1560	svchost.exe
Token: SeIncBasePriorityPrivilege	1560	svchost.exe
Token: 33	1560	svchost.exe
Token: SeIncBasePriorityPrivilege	1560	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exeRat.exesvchost.exe

description	pid	process	target process
PID 2340 wrote to memory of 2412	2340	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe	aminer-watchdog.exe
PID 2340 wrote to memory of 2412	2340	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe	aminer-watchdog.exe
PID 2340 wrote to memory of 2412	2340	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe	aminer-watchdog.exe
PID 2340 wrote to memory of 1956	2340	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe	Rat.exe
PID 2340 wrote to memory of 1956	2340	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe	Rat.exe
PID 2340 wrote to memory of 1956	2340	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe	Rat.exe
PID 2340 wrote to memory of 1956	2340	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe	Rat.exe
PID 2340 wrote to memory of 2560	2340	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe	стиллер с отправкорй дс.exe
PID 2340 wrote to memory of 2560	2340	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe	стиллер с отправкорй дс.exe
PID 2340 wrote to memory of 2560	2340	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe	стиллер с отправкорй дс.exe
PID 1956 wrote to memory of 1560	1956	Rat.exe	svchost.exe
PID 1956 wrote to memory of 1560	1956	Rat.exe	svchost.exe
PID 1956 wrote to memory of 1560	1956	Rat.exe	svchost.exe
PID 1956 wrote to memory of 1560	1956	Rat.exe	svchost.exe
PID 1560 wrote to memory of 1200	1560	svchost.exe	netsh.exe
PID 1560 wrote to memory of 1200	1560	svchost.exe	netsh.exe
PID 1560 wrote to memory of 1200	1560	svchost.exe	netsh.exe
PID 1560 wrote to memory of 1200	1560	svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe
"C:\Users\Admin\AppData\Local\Temp\b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\aminer-watchdog.exe
"C:\Users\Admin\AppData\Local\Temp\aminer-watchdog.exe"
2⤵
- Executes dropped EXE
PID:2412

C:\Users\Admin\AppData\Local\Temp\Rat.exe
"C:\Users\Admin\AppData\Local\Temp\Rat.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:1200

C:\Users\Admin\AppData\Local\Temp\стиллер с отправкорй дс.exe
"C:\Users\Admin\AppData\Local\Temp\стиллер с отправкорй дс.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rat.exe

Filesize
36KB

MD5
1f92924f88549ef4ec633facbe8a5964

SHA1
a90d0143193d7c56107a65bb256b2bebb6f43d94

SHA256
3c2eb6c579ea713245afb823f1980f6dad2353a1c944aafbf4a349b1d19f06de

SHA512
67b3b0518d0801c654d1635edb65337d2359e885b51fe3e2d0ac771950b5244b370424566ef5c5d4bfb1372dcdf0fd5f0c0f3e49f73766cfb50a62a3cb71b793

Download Submit
C:\Users\Admin\AppData\Local\Temp\стиллер с отправкорй дс.exe

Filesize
191KB

MD5
c2aa2a25b93351967e7397fe5aeab5a8

SHA1
bea7ef5b712876ee056d0111fbd266ac569d01e1

SHA256
49071374655e5971923199d86f473dd39d734233bb18aee7f177b95b82607ad5

SHA512
96b458bd9a7b48e8ed5b55f78c42f36f0879d9fabe965ffc3cb275dca56886c8b517c1494a2f8b9b05f6f7adb55d222c9f068ba3182f719426c153893c9c69ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\стиллер с отправкорй дс.exe

Filesize
187KB

MD5
2a9aef1487c581c252a9c20bc88e110e

SHA1
1d61cd6f4cbedc7266036d9b2661626c64138a9a

SHA256
7b155431f5efe4a59887357d7a4ea28dfbe5997c5cb7855c1836e1abc787d43e

SHA512
4f2bc4edbf89e3919c523b4c8213e7e75ae24c6bc94849394e4b18055e1fef4498a826e9c84e90e14fc373be576cd3d02931abeb2628f7114a4fec66709cb30c

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
439B

MD5
66a60c4fce276d52556c766940693b57

SHA1
e7fd9deda612cbdd5dd9b83d91eeb9e661e34df1

SHA256
deca5c5136b441820002645afd0ea1bebbdc73bf865da82c5ab48f7aa4d3a49f

SHA512
f6a7f96aa6c281e2f6bc8ddfd73467bdefd143c3440b0aa0104149e650df7cbb8566927ab1317349d71cde8d2b6a63743dac6fc95522c0c3c9ba4a8d60bd9ba8

Download Submit
\Users\Admin\AppData\Local\Temp\aminer-watchdog.exe

Filesize
10KB

MD5
6302b39d3fd9323a4fef54b8101f8e4f

SHA1
67067e2aa09b0c6736fa50bd5080d9dda2b6f6a8

SHA256
992823f27fb9432fe83f2f6283bd0327b31f8197eae0aa8af98e7ba71854ae33

SHA512
6b82570e46a0721133339547e9a8f7f7acfb937e98852c5f831a0f68898bd50adbd6cbf66acaf096258de430d3aeb9323bdea56539ba023976e557c72d735c44

Download Submit
memory/1560-97-0x0000000074920000-0x0000000074ECB000-memory.dmp

Filesize
5.7MB

Download
memory/1560-98-0x0000000000C70000-0x0000000000CB0000-memory.dmp

Filesize
256KB

Download
memory/1560-63-0x0000000074920000-0x0000000074ECB000-memory.dmp

Filesize
5.7MB

Download
memory/1560-64-0x0000000000C70000-0x0000000000CB0000-memory.dmp

Filesize
256KB

Download
memory/1956-24-0x0000000074920000-0x0000000074ECB000-memory.dmp

Filesize
5.7MB

Download
memory/1956-62-0x0000000074920000-0x0000000074ECB000-memory.dmp

Filesize
5.7MB

Download
memory/1956-22-0x0000000074920000-0x0000000074ECB000-memory.dmp

Filesize
5.7MB

Download
memory/1956-20-0x0000000001EE0000-0x0000000001F20000-memory.dmp

Filesize
256KB

Download
memory/2340-23-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-0-0x00000000013C0000-0x000000000142E000-memory.dmp

Filesize
440KB

Download
memory/2340-31-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/2340-1-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-32-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-2-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/2412-12-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2412-19-0x000000001AD30000-0x000000001ADB0000-memory.dmp

Filesize
512KB

Download
memory/2412-21-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2412-11-0x000000013F1E0000-0x000000013F1E6000-memory.dmp

Filesize
24KB

Download
memory/2560-34-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/2560-96-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2560-30-0x0000000000BD0000-0x0000000000C1A000-memory.dmp

Filesize
296KB

Download
memory/2560-33-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads