44caliber | da170b064b7c9947a5ec0710c7a3e360efe1e1c0bf0d24cd553a942f4345588c

General

Target

53012929ee31b655bbba1ac99d13cd3e.exe
Size

2.8MB
MD5

53012929ee31b655bbba1ac99d13cd3e
SHA1

b697673a10128a22baffe14f4887774c17283b3d
SHA256

da170b064b7c9947a5ec0710c7a3e360efe1e1c0bf0d24cd553a942f4345588c
SHA512

62128b9963e04bd7a83eaee84b1aa32fcfed60a3b5559855ac019fbce0abab9e63ea39ab5e563a957be0ea99dfa0543647877e6aa71d9530949012c7bb953ace
SSDEEP

49152:Njbb999c63It6zuxmN27nod8Ml2YBzGDMV4pFb+squ+Of1whSKJ3a:Njbb99953G0uxmcToaYBa5N3zfDwa

Score

10^/10

44caliber spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

53012929ee31b655bbba1ac99d13cd3e.exeJGDPS.sfx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	53012929ee31b655bbba1ac99d13cd3e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	JGDPS.sfx.exe

Executes dropped EXE 2 IoCs

Processes:

JGDPS.sfx.exeJGDPS.exe

pid process

216 JGDPS.sfx.exe
2368 JGDPS.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 freegeoip.app
40 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
216	JGDPS.sfx.exe
2368	JGDPS.exe

flow	ioc
39	freegeoip.app
40	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

JGDPS.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	JGDPS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	JGDPS.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

JGDPS.exe

pid process

2368 JGDPS.exe
2368 JGDPS.exe
2368 JGDPS.exe
2368 JGDPS.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

JGDPS.exe

description pid process

Token: SeDebugPrivilege 2368 JGDPS.exe

pid	process
2368	JGDPS.exe
2368	JGDPS.exe
2368	JGDPS.exe
2368	JGDPS.exe

description	pid	process
Token: SeDebugPrivilege	2368	JGDPS.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

53012929ee31b655bbba1ac99d13cd3e.exeJGDPS.sfx.exe

description	pid	process	target process
PID 4952 wrote to memory of 216	4952	53012929ee31b655bbba1ac99d13cd3e.exe	JGDPS.sfx.exe
PID 4952 wrote to memory of 216	4952	53012929ee31b655bbba1ac99d13cd3e.exe	JGDPS.sfx.exe
PID 4952 wrote to memory of 216	4952	53012929ee31b655bbba1ac99d13cd3e.exe	JGDPS.sfx.exe
PID 216 wrote to memory of 2368	216	JGDPS.sfx.exe	JGDPS.exe
PID 216 wrote to memory of 2368	216	JGDPS.sfx.exe	JGDPS.exe

C:\Users\Admin\AppData\Local\Temp\53012929ee31b655bbba1ac99d13cd3e.exe
"C:\Users\Admin\AppData\Local\Temp\53012929ee31b655bbba1ac99d13cd3e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4952

C:\Users\Admin\AppData\Local\Temp\JGDPS.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\JGDPS.sfx.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216

C:\Users\Admin\AppData\Local\Temp\JGDPS.exe
"C:\Users\Admin\AppData\Local\Temp\JGDPS.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JGDPS.exe

Filesize
382KB

MD5
3df913cefd39bded6862ed515f3145b3

SHA1
ed72009d15567b6925adf38706251ac5c2e5059a

SHA256
6f31c90571a69752ff303795355e2e3092e7a3dd53dc2a53dfcd043dd748187d

SHA512
1190d6a015bc06eeafc96093e2ef6fa8a0291d5c57247499e756e2ed18211a558bf51c982036dde25470793184514849d1efc38c7ae366a21bc3d6da7fc62f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGDPS.sfx.exe

Filesize
473KB

MD5
5e05118e00c2aa9e18899187d63d759a

SHA1
db404917b1a7ba64bde351782f61b0935065e266

SHA256
573f8fa4a9a0348951de8021aab0ff43cd07cd6d75ceaece5426dbd487c53c8b

SHA512
44f79aea9e9dce80b9de2bd9a575fbcc5e6916ca126e3806e5bc85cf620d94ee918cf92ffa7fd3b7281e2d2ef4122f48a8b2c3ca4172b9f2ad4ab5f1ef039edc

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
97f93d106126be8f57a8b36f3bb838e4

SHA1
44b741923a81c127e2d518bd29823bfa66d7c0fd

SHA256
3d0f1e95c21c3805b61001c86e0e1bf8641a7b4e47aab5dffd3e3174b608b3ee

SHA512
1cb2b56948b0d631a925a82d9357eae2d1fe4d646334fab0a5666e627ba7da9e5aec08e6447e210b885a7a2242393d09294e114bdeb2ae004d73b878bc87881d

Download Submit
memory/2368-23-0x00000000007D0000-0x0000000000836000-memory.dmp

Filesize
408KB

Download
memory/2368-40-0x00007FFE07090000-0x00007FFE07B51000-memory.dmp

Filesize
10.8MB

Download
memory/2368-54-0x0000000001070000-0x0000000001080000-memory.dmp

Filesize
64KB

Download
memory/2368-149-0x00007FFE07090000-0x00007FFE07B51000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads