44caliber | e009fee742f6dd1d2c9fc0e840dbeeca1a705a13c2667bf09daf216c60411e89

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2023 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123.scr.exe
Size

282KB
MD5

9dc5e3d364fba20137971eb948ed5089
SHA1

5848daad55e30e542e17213ea83d4c4e8ad66641
SHA256

e009fee742f6dd1d2c9fc0e840dbeeca1a705a13c2667bf09daf216c60411e89
SHA512

a0eac98d1b820b59fa2ed0ab98bd70b3fa96af2d0d1498f6ad2e23829f6d1852bbc7512d9683ed1985c4d221bada57461a65ea18556d48235d7a8f6a127eefa9
SSDEEP

6144:if+BLtABPDMtBBfn1Y0gIoHOQpafTyUlI1D0fVg9MtW:JtVvgIoHOOZ1DKg96

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discordapp.com/api/webhooks/1184504729359896607/fPAMX9PDaXX6cd_-7EdUwUPRgvGLKrETMXz361gwk0y19F6LqJJCESeLcwPQReg9mLu9

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 freegeoip.app
1 freegeoip.app

flow	ioc
3	freegeoip.app
1	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

123.scr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	123.scr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	123.scr.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

123.scr.exe

pid process

4900 123.scr.exe
4900 123.scr.exe
4900 123.scr.exe
4900 123.scr.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

123.scr.exe

description pid process

Token: SeDebugPrivilege 4900 123.scr.exe

pid	process
4900	123.scr.exe
4900	123.scr.exe
4900	123.scr.exe
4900	123.scr.exe

description	pid	process
Token: SeDebugPrivilege	4900	123.scr.exe

C:\Users\Admin\AppData\Local\Temp\123.scr.exe
"C:\Users\Admin\AppData\Local\Temp\123.scr.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
364B

MD5
d24a14bcd891f76ca1a2d5038207d3ee

SHA1
651c4e863bd85cb248d1c76d65c03f14ab161bd4

SHA256
f65998d3e293345ffc1e751c22b57ffea78bebf1e361dd55f5bcd4a34d726e34

SHA512
addf48229d769d574b1505d5670125129f0a6ae49acd9c1a257d7310759fde976fa918987b8c4eb82041df68fda2ccd82d8a7a59f8408e971ec1bbd54c94aacb

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
884B

MD5
6d11827bc408778a8da8358e4b68e1eb

SHA1
0f8e641c3ded650c4566c146b19b6c21eb0b7099

SHA256
307da8192c7b138e1114e01f8f4d6d8e95afd6dce96fca88e92029e33ae9106a

SHA512
69b102eb77a604f20533ccf6b18a4e3f8873f5d0650181bfd9a1f591e45957c168438f8351d97bb5a5587c06eec96e1e58a80e5aeb9fbddcd2cf9a9dd41e2d26

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
c199b05f5e09b2c724f66bc6ecd6a9c1

SHA1
63508ad576be3d6a41bf18c8d09f66076dc7c187

SHA256
41e08485f17b52b483fe74e18d9b3aada3aba11e4703c3e232d92d0f1861f867

SHA512
26f45ba84b7f61683218f1245a6fedd6f359d2699e2e18011900d9d5f97f930f67c61316151874261ffcf0ca08b3af3a9fff13b090067dae6efc9ac6ed30f340

Download Submit
memory/4900-0-0x000001E6761E0000-0x000001E67622C000-memory.dmp

Filesize
304KB

Download
memory/4900-31-0x00007FFAE9E40000-0x00007FFAEA901000-memory.dmp

Filesize
10.8MB

Download
memory/4900-32-0x000001E6789A0000-0x000001E6789B0000-memory.dmp

Filesize
64KB

Download
memory/4900-123-0x00007FFAE9E40000-0x00007FFAEA901000-memory.dmp

Filesize
10.8MB

Download