44caliber | b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f

General

Target

b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe
Size

413KB
MD5

1777bf83c011f0788ada715b52109451
SHA1

94a8481b3a7230d8afa0f33f1a23dc538c4857d7
SHA256

b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f
SHA512

c23d4b04fa22f1b22d9b066fd5a3947090bd7f07ffaa0b18f6ec76f4aab6189f4010b8c07deeec0b6cb714076b2c5979d8a9210457c07169365dd640170463bb
SSDEEP

3072:3YRz3q+7/MIx2jgG0k68TlzWh14aPrEBCS4YLOZ2IJWvSnE9lmyg9:34Dq+jMIx8Ikxl6UaPg7ty2/SEet

Score

10^/10

44caliber evasion persistence spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1167482850669506590/XPbC-QMgZk-g5lpCED6exclk3YJMn-e8Xl96345o1pqvB_PUpcdO3qdCTNwrb0TbEW7h

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

2404 netsh.exe

pid	process
2404	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exeRat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation	Rat.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0acde5366a0ad4cf36a62b2a5c332c14.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0acde5366a0ad4cf36a62b2a5c332c14.exe	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

aminer-watchdog.exeRat.exeстиллер с отправкорй дс.exesvchost.exe

pid process

2132 aminer-watchdog.exe
4520 Rat.exe
2100 стиллер с отправкорй дс.exe
4064 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2132	aminer-watchdog.exe
4520	Rat.exe
2100	стиллер с отправкорй дс.exe
4064	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0acde5366a0ad4cf36a62b2a5c332c14 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0acde5366a0ad4cf36a62b2a5c332c14 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
9 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
4	ip-api.com
9	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

стиллер с отправкорй дс.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	стиллер с отправкорй дс.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	стиллер с отправкорй дс.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

Processes:

стиллер с отправкорй дс.exesvchost.exe

pid	process
2100	стиллер с отправкорй дс.exe
2100	стиллер с отправкорй дс.exe
2100	стиллер с отправкорй дс.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
2100	стиллер с отправкорй дс.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exeстиллер с отправкорй дс.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4128	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe
Token: SeDebugPrivilege	2100	стиллер с отправкорй дс.exe
Token: SeDebugPrivilege	4064	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exeRat.exesvchost.exe

description	pid	process	target process
PID 4128 wrote to memory of 2132	4128	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe	aminer-watchdog.exe
PID 4128 wrote to memory of 2132	4128	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe	aminer-watchdog.exe
PID 4128 wrote to memory of 4520	4128	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe	Rat.exe
PID 4128 wrote to memory of 4520	4128	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe	Rat.exe
PID 4128 wrote to memory of 4520	4128	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe	Rat.exe
PID 4128 wrote to memory of 2100	4128	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe	стиллер с отправкорй дс.exe
PID 4128 wrote to memory of 2100	4128	b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe	стиллер с отправкорй дс.exe
PID 4520 wrote to memory of 4064	4520	Rat.exe	svchost.exe
PID 4520 wrote to memory of 4064	4520	Rat.exe	svchost.exe
PID 4520 wrote to memory of 4064	4520	Rat.exe	svchost.exe
PID 4064 wrote to memory of 2404	4064	svchost.exe	netsh.exe
PID 4064 wrote to memory of 2404	4064	svchost.exe	netsh.exe
PID 4064 wrote to memory of 2404	4064	svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe
"C:\Users\Admin\AppData\Local\Temp\b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128

C:\Users\Admin\AppData\Local\Temp\aminer-watchdog.exe
"C:\Users\Admin\AppData\Local\Temp\aminer-watchdog.exe"
2⤵
- Executes dropped EXE
PID:2132

C:\Users\Admin\AppData\Local\Temp\Rat.exe
"C:\Users\Admin\AppData\Local\Temp\Rat.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:2404

C:\Users\Admin\AppData\Local\Temp\стиллер с отправкорй дс.exe
"C:\Users\Admin\AppData\Local\Temp\стиллер с отправкорй дс.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
476ad9febee172182539df41c2e368b4

SHA1
ebaebf009f62aa26b2831a1dac3cfd01a0389f31

SHA256
c288ffad4636717bb4db847a14f7dfd8b12800b4f8f9d64d77aaff3830a26ae6

SHA512
ca5ae2e119938333fa4a6af94e4ab546b04cd0c224c9147e632f5d5b72550be4204b569fd973c9471ccc15f54f26af00be8313af189809631d4a40e894f97f1f

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
95865253147dea970be25cff825c3c11

SHA1
cb0ddf0e048af3d26be549a93328c58061e51bf5

SHA256
d8cf4cb819dee009aac01d3f3bf8129a67fea34e61a56238f10e0efd22204679

SHA512
08f4e87e58a59514b47314d37cabaab18e680c609a062bcb051e3137d6bbb91b1ecdf4cd44d9c20b8c3a406349472b1d5377fa20ce734adaaa17ee30b53d4e87

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
0c368d3ce303ab3a4b32cceb8d3a572d

SHA1
3cff17850f3b01fde77f6230d51d521a64e94246

SHA256
10a1bd3ed9fdba602347236aefea96f32e625e1655c995d3f2bb918e9fea156a

SHA512
efc396e32099dd0802167e1a86316c27bd895c8bbb4cc85858e7e0ff47f724c809d9cdf715ad35ef79c413cac4ecf612d367cf3ed2086f02dcce938a21502096

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rat.exe

Filesize
36KB

MD5
1f92924f88549ef4ec633facbe8a5964

SHA1
a90d0143193d7c56107a65bb256b2bebb6f43d94

SHA256
3c2eb6c579ea713245afb823f1980f6dad2353a1c944aafbf4a349b1d19f06de

SHA512
67b3b0518d0801c654d1635edb65337d2359e885b51fe3e2d0ac771950b5244b370424566ef5c5d4bfb1372dcdf0fd5f0c0f3e49f73766cfb50a62a3cb71b793

Download Submit
C:\Users\Admin\AppData\Local\Temp\aminer-watchdog.exe

Filesize
10KB

MD5
6302b39d3fd9323a4fef54b8101f8e4f

SHA1
67067e2aa09b0c6736fa50bd5080d9dda2b6f6a8

SHA256
992823f27fb9432fe83f2f6283bd0327b31f8197eae0aa8af98e7ba71854ae33

SHA512
6b82570e46a0721133339547e9a8f7f7acfb937e98852c5f831a0f68898bd50adbd6cbf66acaf096258de430d3aeb9323bdea56539ba023976e557c72d735c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\стиллер с отправкорй дс.exe

Filesize
1.2MB

MD5
c78ac757e15d0883fcd3ea32e265a5f4

SHA1
53d35eae3d3580e14be1ad2743144e4541bd0cb8

SHA256
ce2ee732be397e177748b4f94f7cdb57d2a4ca9c1b2753b518a18b6836c2bf72

SHA512
163fb6e7b06532b72fa5fd7d489536c20fac9d45a5ed6e7ffc5b05eac206fbe97141dc01a9c2946d501b473586295024252b9a716dd46cef49c092f9eb254c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\стиллер с отправкорй дс.exe

Filesize
1.3MB

MD5
adebd161af9130b5d65c0ce26eb2c68e

SHA1
3f67c180ef0b98349d46319504cdd2fe9113d79c

SHA256
5c52a8c48ee9dacf2f41d27cf8dd823c01bae21ff141e2bf61214b2c5d75629d

SHA512
e58fce1718eab03457b9f01ec59f7cce9198d4029b29e979e249ff0933b86d65cfcb655db24ee728a0272b675ae4187ed3bf45351ee02753531c23986faffcf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\стиллер с отправкорй дс.exe

Filesize
738KB

MD5
8be13a2f57a7ce756e99f983861f4191

SHA1
5f8a748239c146aa5febe7b8f3e1cc7dea38cc4e

SHA256
7665714fc8888796468f0266b6ca79b83ab9be5d43e91f2fe7c6347d19d6d6de

SHA512
738d7c0fa0a45dac8026688b35a33204cd4c4cd8671d9dcca7567b54a017c94dc224678cf4b22ab342c29e49078ed2a76be983733d41be0407c65f3d841378d7

Download Submit
memory/2100-187-0x00007FF8EF660000-0x00007FF8F0121000-memory.dmp

Filesize
10.8MB

Download
memory/2100-46-0x0000024A658A0000-0x0000024A658B0000-memory.dmp

Filesize
64KB

Download
memory/2100-45-0x00007FF8EF660000-0x00007FF8F0121000-memory.dmp

Filesize
10.8MB

Download
memory/2100-43-0x0000024A4B1D0000-0x0000024A4B21A000-memory.dmp

Filesize
296KB

Download
memory/2132-24-0x00007FF8EF660000-0x00007FF8F0121000-memory.dmp

Filesize
10.8MB

Download
memory/2132-21-0x00000000009C0000-0x00000000009C6000-memory.dmp

Filesize
24KB

Download
memory/2132-88-0x00007FF8EF660000-0x00007FF8F0121000-memory.dmp

Filesize
10.8MB

Download
memory/4064-86-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/4064-188-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/4064-87-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/4128-0-0x00000000001C0000-0x000000000022E000-memory.dmp

Filesize
440KB

Download
memory/4128-44-0x00007FF8EF660000-0x00007FF8F0121000-memory.dmp

Filesize
10.8MB

Download
memory/4128-29-0x00007FF8EF660000-0x00007FF8F0121000-memory.dmp

Filesize
10.8MB

Download
memory/4128-2-0x000000001ADA0000-0x000000001ADB0000-memory.dmp

Filesize
64KB

Download
memory/4128-1-0x00007FF8EF660000-0x00007FF8F0121000-memory.dmp

Filesize
10.8MB

Download
memory/4520-85-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/4520-27-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/4520-28-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/4520-30-0x0000000001650000-0x0000000001660000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads