44caliber | 3ef9b22bb2941ee55af25105b87c675ef1bf6acf8928b339e36e5da08958e852

General

Target

063adc7edd5785637dff0fe0a606c36b.exe
Size

1.7MB
MD5

063adc7edd5785637dff0fe0a606c36b
SHA1

c2a4fd1c096fbe9cc4347a470355848f597f3af7
SHA256

3ef9b22bb2941ee55af25105b87c675ef1bf6acf8928b339e36e5da08958e852
SHA512

c011c9a11f4dd86ca706a6fae86cc89331b4b6747c29330a79b2c513ac2c5d68dffe0160b8c67e68c4c102002414a7a4675fe2315e3470461fcd889c319b631a
SSDEEP

49152:rFIAvAzZmo08b9N0qmI6pMH6UHP916LSfbqki67bFrp:5IAYzxVb9NR16pMHbHP916aql

Score

10^/10

44caliber blackguard spyware stealer

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot1932930596:AAGkiZTh1w6VZfvuopWYz6JzBbBOSRI3Ja4/sendMessage?chat_id=1089147415

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 freegeoip.app
36 freegeoip.app

flow	ioc
39	freegeoip.app
36	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

063adc7edd5785637dff0fe0a606c36b.exe

pid	process
2568	063adc7edd5785637dff0fe0a606c36b.exe
2568	063adc7edd5785637dff0fe0a606c36b.exe
2568	063adc7edd5785637dff0fe0a606c36b.exe
2568	063adc7edd5785637dff0fe0a606c36b.exe
2568	063adc7edd5785637dff0fe0a606c36b.exe
2568	063adc7edd5785637dff0fe0a606c36b.exe
2568	063adc7edd5785637dff0fe0a606c36b.exe
2568	063adc7edd5785637dff0fe0a606c36b.exe
2568	063adc7edd5785637dff0fe0a606c36b.exe
2568	063adc7edd5785637dff0fe0a606c36b.exe
2568	063adc7edd5785637dff0fe0a606c36b.exe
2568	063adc7edd5785637dff0fe0a606c36b.exe
2568	063adc7edd5785637dff0fe0a606c36b.exe
2568	063adc7edd5785637dff0fe0a606c36b.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

063adc7edd5785637dff0fe0a606c36b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	063adc7edd5785637dff0fe0a606c36b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	063adc7edd5785637dff0fe0a606c36b.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

063adc7edd5785637dff0fe0a606c36b.exe

pid	process
2568	063adc7edd5785637dff0fe0a606c36b.exe
2568	063adc7edd5785637dff0fe0a606c36b.exe
2568	063adc7edd5785637dff0fe0a606c36b.exe
2568	063adc7edd5785637dff0fe0a606c36b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

063adc7edd5785637dff0fe0a606c36b.exe

description pid process

Token: SeDebugPrivilege 2568 063adc7edd5785637dff0fe0a606c36b.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

063adc7edd5785637dff0fe0a606c36b.exe

pid process

2568 063adc7edd5785637dff0fe0a606c36b.exe

description	pid	process
Token: SeDebugPrivilege	2568	063adc7edd5785637dff0fe0a606c36b.exe

C:\Users\Admin\AppData\Local\Temp\063adc7edd5785637dff0fe0a606c36b.exe
"C:\Users\Admin\AppData\Local\Temp\063adc7edd5785637dff0fe0a606c36b.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
d089de0a2bece1c4a7f75de417704dc9

SHA1
b73ac979d4d0c54ebc8950b9b4b6cd70a709a7dc

SHA256
2d6016ea2ab97dfc298a58ef847473072aad6978889371601772827d0898ca58

SHA512
7f85eee05c4d5da68a160e3ea857dfb83a069e3056e77d590cb797021d4da722a10bcdf8c0724b946b35018adced0221309d02006746b3fc5582d613a2c2b999

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
4a69f3618baeaee6d8f5b74dd56244b7

SHA1
2a6dc0a89c9575060825f28bd08ba636bfabd275

SHA256
02b4b4d28f23c154d72b91d6184936af37acc43a72effd22836a600caac53914

SHA512
0be42611a72a91ac9d6fe5478954ecd6c1b6c0138e43d13bd37797dffc0717bc7195c2c391c5c216e8a90b21d1599713164bf61bfed39d4769e4084aa76e937d

Download Submit
C:\ProgramData\44\Process.txt

Filesize
484B

MD5
5a05864d8b52c8aba82a06ef5eff745b

SHA1
dda1bfb88453f4f0d6af31347d006d733aa51d54

SHA256
3581e91284368b4ddd732fac90a8941044d33119401f3b02ef8c89919eec3d60

SHA512
187ebb9d9177b8c97da279714c90612c42b5a739578d189b96064baee0be47c89562cbea520a68dab9fd9e063bd14db555e008e2306db5dcab6aa6e31d54c291

Download Submit
C:\ProgramData\44\Process.txt

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2568-4-0x0000000005F20000-0x0000000005F30000-memory.dmp

Filesize
64KB

Download
memory/2568-2-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/2568-41-0x0000000005F20000-0x0000000005F30000-memory.dmp

Filesize
64KB

Download
memory/2568-42-0x0000000006DF0000-0x0000000006E82000-memory.dmp

Filesize
584KB

Download
memory/2568-43-0x0000000007440000-0x00000000079E4000-memory.dmp

Filesize
5.6MB

Download
memory/2568-0-0x0000000000200000-0x00000000006E2000-memory.dmp

Filesize
4.9MB

Download
memory/2568-3-0x0000000000200000-0x00000000006E2000-memory.dmp

Filesize
4.9MB

Download
memory/2568-40-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/2568-1-0x0000000000200000-0x00000000006E2000-memory.dmp

Filesize
4.9MB

Download
memory/2568-135-0x00000000073B0000-0x0000000007416000-memory.dmp

Filesize
408KB

Download
memory/2568-150-0x00000000014B0000-0x00000000014BA000-memory.dmp

Filesize
40KB

Download
memory/2568-151-0x00000000014C0000-0x00000000014C8000-memory.dmp

Filesize
32KB

Download
memory/2568-152-0x0000000001520000-0x0000000001542000-memory.dmp

Filesize
136KB

Download
memory/2568-153-0x0000000008240000-0x0000000008594000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads