44caliber | e009fee742f6dd1d2c9fc0e840dbeeca1a705a13c2667bf09daf216c60411e89

Analysis

max time kernel
88s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2023 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123.scr
Size

282KB
MD5

9dc5e3d364fba20137971eb948ed5089
SHA1

5848daad55e30e542e17213ea83d4c4e8ad66641
SHA256

e009fee742f6dd1d2c9fc0e840dbeeca1a705a13c2667bf09daf216c60411e89
SHA512

a0eac98d1b820b59fa2ed0ab98bd70b3fa96af2d0d1498f6ad2e23829f6d1852bbc7512d9683ed1985c4d221bada57461a65ea18556d48235d7a8f6a127eefa9
SSDEEP

6144:if+BLtABPDMtBBfn1Y0gIoHOQpafTyUlI1D0fVg9MtW:JtVvgIoHOOZ1DKg96

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discordapp.com/api/webhooks/1184504729359896607/fPAMX9PDaXX6cd_-7EdUwUPRgvGLKrETMXz361gwk0y19F6LqJJCESeLcwPQReg9mLu9

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 freegeoip.app
4 freegeoip.app

flow	ioc
1	freegeoip.app
4	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

123.scr

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	123.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	123.scr

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

123.scr

pid process

5104 123.scr
5104 123.scr
5104 123.scr
5104 123.scr
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

123.scr

description pid process

Token: SeDebugPrivilege 5104 123.scr

pid	process
5104	123.scr
5104	123.scr
5104	123.scr
5104	123.scr

description	pid	process
Token: SeDebugPrivilege	5104	123.scr

C:\Users\Admin\AppData\Local\Temp\123.scr
"C:\Users\Admin\AppData\Local\Temp\123.scr" /S
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
635B

MD5
aba1a0d8a50cfb13367cdf21214e9eb3

SHA1
83d4e2870757db51f6f8724ddc8d81f77b5fcfc2

SHA256
1e6e34936fcf42d65b43a89ef8659bab3a8a265cd40d978a659de0be2ca0a73b

SHA512
1a0a2e28ece8061cae56677d00b2dfc9cc50680643626c66725447f63b21fd0af49e2cc97f28829492219248bf8df1ad844bb3e67761abf545aa6b129e4d14b7

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
73c9782058dae14f22b55e8e552f3e24

SHA1
3e32ec32151c9d2713d262cc6ab7263aa5e9347a

SHA256
618bee2d6be08746bdb4bc6767e169d5a4e061c736c37366a934c6a2f8014a2f

SHA512
65e1ee70a672913cec2f20f5a03efc3db4fa7c4ecf7cbc8687dead981d832b0902620a4f041758d78b4c3e4bd691123b30dab78f508a872eea737a01b14a140c

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
98fde64dba941077a5a0d60e5ebd9da1

SHA1
7b162f3c61ade430b0df6e47669fe42d2fa1a89f

SHA256
decb414ee0069f67df11d0e19398441916e53690ba26435062d2bafd392d1dd6

SHA512
86939f328ae0cefa93317a86b6cd3b121365345641625452365c5cf9de8d8b990088000b3f1558fe63fa7a4bcd082fe04bcb852bbdccd4df80ce73deca077ad5

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
4b9569c51d85bcbd3681053e7198aa26

SHA1
c9d6c6d0787ace15e3fb72e7c72858f8122acf7c

SHA256
659cca5ea22f97ca71f819c649f4da6568c9066b1320976fba6941c4efe20219

SHA512
2d0fd481b841858e377f059a375a507426df9dc34512f0e1bd38609fa4b6f2f8e0fc134ca7e903460b7e2c9f531376a70803d8034e0785dc41358de777ff61e4

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
2e3f24a593f464a2567dad4a35e40aaa

SHA1
0b5cad9418444dbad257bf3dfbcfb9e3fae5f977

SHA256
4a1eb2ea99e3039891615529f359eef31a9f9c3b647ba29b5bdda87f62a2d9d1

SHA512
211811c5869525fa6a1854e308c34aad393822ed727f3c36d439329e9763964be4d84080a4c9680708c4c020be752f6aea1a1fbfff48bb01721954c5804410d4

Download Submit
memory/5104-0-0x000001FCD3D20000-0x000001FCD3D6C000-memory.dmp

Filesize
304KB

Download
memory/5104-16-0x00007FFF06890000-0x00007FFF07351000-memory.dmp

Filesize
10.8MB

Download
memory/5104-25-0x000001FCEE2A0000-0x000001FCEE2B0000-memory.dmp

Filesize
64KB

Download
memory/5104-125-0x00007FFF06890000-0x00007FFF07351000-memory.dmp

Filesize
10.8MB

Download