44caliber | 3ef9b22bb2941ee55af25105b87c675ef1bf6acf8928b339e36e5da08958e852

General

Target

063adc7edd5785637dff0fe0a606c36b.exe
Size

1.7MB
MD5

063adc7edd5785637dff0fe0a606c36b
SHA1

c2a4fd1c096fbe9cc4347a470355848f597f3af7
SHA256

3ef9b22bb2941ee55af25105b87c675ef1bf6acf8928b339e36e5da08958e852
SHA512

c011c9a11f4dd86ca706a6fae86cc89331b4b6747c29330a79b2c513ac2c5d68dffe0160b8c67e68c4c102002414a7a4675fe2315e3470461fcd889c319b631a
SSDEEP

49152:rFIAvAzZmo08b9N0qmI6pMH6UHP916LSfbqki67bFrp:5IAYzxVb9NR16pMHbHP916aql

Score

10^/10

44caliber blackguard spyware stealer

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot1932930596:AAGkiZTh1w6VZfvuopWYz6JzBbBOSRI3Ja4/sendMessage?chat_id=1089147415

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 freegeoip.app
2 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

063adc7edd5785637dff0fe0a606c36b.exe

pid process

2248 063adc7edd5785637dff0fe0a606c36b.exe

flow	ioc
3	freegeoip.app
2	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

063adc7edd5785637dff0fe0a606c36b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	063adc7edd5785637dff0fe0a606c36b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	063adc7edd5785637dff0fe0a606c36b.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

063adc7edd5785637dff0fe0a606c36b.exe

pid	process
2248	063adc7edd5785637dff0fe0a606c36b.exe
2248	063adc7edd5785637dff0fe0a606c36b.exe
2248	063adc7edd5785637dff0fe0a606c36b.exe
2248	063adc7edd5785637dff0fe0a606c36b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

063adc7edd5785637dff0fe0a606c36b.exe

description pid process

Token: SeDebugPrivilege 2248 063adc7edd5785637dff0fe0a606c36b.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

063adc7edd5785637dff0fe0a606c36b.exe

pid process

2248 063adc7edd5785637dff0fe0a606c36b.exe

description	pid	process
Token: SeDebugPrivilege	2248	063adc7edd5785637dff0fe0a606c36b.exe

C:\Users\Admin\AppData\Local\Temp\063adc7edd5785637dff0fe0a606c36b.exe
"C:\Users\Admin\AppData\Local\Temp\063adc7edd5785637dff0fe0a606c36b.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
156B

MD5
d807c68517f4198613d6cb89c2fea1c7

SHA1
ef6dbff95bd53495ad1117fa9e6d9af62f4b568a

SHA256
7ed9904e3493fc28cdedcfe0c0c5929b1b1b177955bf9b3e5415d40e28631574

SHA512
c0c9dbb9955013fc828a9ffa2f4a91bc2d1a02646c16917511e743aa76742a8f1723558efda5ada6131cf90e1af7063aed7c2419e2476da69201cecebbbe81c2

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
345B

MD5
686fceb88c751952a85cc1225692289a

SHA1
db34d2334ff3ef5cdf6bb2400a72177224886a85

SHA256
1180181622432067ee32e864bfc0b82fdfae855b4a7761971e6151db14df7f8b

SHA512
462d23825dbe004c4d8b249923fbcbcb7f5d35ea8ce8e4372a171593624ddd007b9a5486a943b50155660222de9f089533193c48df78f3d0f2c81553856a318f

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
412B

MD5
5b6494a7d2bce56f8f0f8238175c8dd2

SHA1
5366bc4c2c9d9005ade82eae1e33ec22211e54a4

SHA256
b45adc5707000403a80e151fc8616747ebbdc5bda7213c6b797df1f9a4016f79

SHA512
6df2f14c52c8b254af82cef14d63796775a2bd3f2b439e57a07a08f6c77d7a617b78e869179bb2ccad1e804a6e9227a7e2a4d00bd4d9b56e3d6dac15913c6ece

Download Submit
memory/2248-0-0x0000000000020000-0x0000000000502000-memory.dmp

Filesize
4.9MB

Download
memory/2248-2-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/2248-1-0x0000000000020000-0x0000000000502000-memory.dmp

Filesize
4.9MB

Download
memory/2248-3-0x0000000005690000-0x00000000056D0000-memory.dmp

Filesize
256KB

Download
memory/2248-68-0x0000000003010000-0x0000000003018000-memory.dmp

Filesize
32KB

Download
memory/2248-67-0x0000000003000000-0x000000000300A000-memory.dmp

Filesize
40KB

Download
memory/2248-72-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/2248-71-0x0000000000020000-0x0000000000502000-memory.dmp

Filesize
4.9MB

Download

Analysis

Sharing