44caliber | 51cfc971849b6d809df4f567616db7f420874a754752490b981134f1d40ff47c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2023 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df1c3a1b70fc8f37ea642c4df3a2f66b.exe
Size

448KB
MD5

df1c3a1b70fc8f37ea642c4df3a2f66b
SHA1

87b9d4bacc776489efb68f762913b76ef86908bf
SHA256

51cfc971849b6d809df4f567616db7f420874a754752490b981134f1d40ff47c
SHA512

a5a3e83d48f6eb0bd1ccbd4f48567c04d66ec1ba11b4afaf55df5f120b186ad3c764dd78b9835f8b2fb37b0d76d3f77ec08657f355c6734960359017e00fb512
SSDEEP

6144:+efG+g1L+8z7eoRDemTD+uf9+GV6eauyGFyInlXYWbgqtS4zbvhdaDz/A7Ah5lL2:+3S8xTiG04nTbcAcDq

Score

10^/10

44caliber agilenet spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/4836-0-0x0000000000400000-0x0000000000476000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 freegeoip.app
6 freegeoip.app

flow	ioc
2	freegeoip.app
6	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

df1c3a1b70fc8f37ea642c4df3a2f66b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	df1c3a1b70fc8f37ea642c4df3a2f66b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	df1c3a1b70fc8f37ea642c4df3a2f66b.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

df1c3a1b70fc8f37ea642c4df3a2f66b.exe

pid	process
4836	df1c3a1b70fc8f37ea642c4df3a2f66b.exe
4836	df1c3a1b70fc8f37ea642c4df3a2f66b.exe
4836	df1c3a1b70fc8f37ea642c4df3a2f66b.exe
4836	df1c3a1b70fc8f37ea642c4df3a2f66b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

df1c3a1b70fc8f37ea642c4df3a2f66b.exe

description pid process

Token: SeDebugPrivilege 4836 df1c3a1b70fc8f37ea642c4df3a2f66b.exe

description	pid	process
Token: SeDebugPrivilege	4836	df1c3a1b70fc8f37ea642c4df3a2f66b.exe

C:\Users\Admin\AppData\Local\Temp\df1c3a1b70fc8f37ea642c4df3a2f66b.exe
"C:\Users\Admin\AppData\Local\Temp\df1c3a1b70fc8f37ea642c4df3a2f66b.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
e15efa0cb0d30f5d2a49cc0b7dac8a44

SHA1
894b115ada199c6d8a4a05f7933b3dfcd8fba96c

SHA256
040ea91680cbf360fe3d073772594976d486a35c98d392c619c46e2895fb7112

SHA512
519e4c191a1f2f039de35150bd4c7d5d6fe724def8628705767e37f1724028e61cdd5c4a738aada07b338f2556c817dda68ec09932b2bcfe1ca7f05edc4bad39

Download Submit
memory/4836-0-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4836-32-0x000000001B0F0000-0x000000001B100000-memory.dmp

Filesize
64KB

Download
memory/4836-31-0x00007FF923190000-0x00007FF923C51000-memory.dmp

Filesize
10.8MB

Download
memory/4836-126-0x000000001B800000-0x000000001B902000-memory.dmp

Filesize
1.0MB

Download
memory/4836-127-0x00007FF923190000-0x00007FF923C51000-memory.dmp

Filesize
10.8MB

Download