44caliber | f8158de1bdae482f1550ec4dce629a83fe36855cdbbe3b83df25f92cea93b4eb

Analysis

max time kernel
4s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

084b0e0d9ba4905509b88aae7371d9ce.exe
Size

274KB
MD5

084b0e0d9ba4905509b88aae7371d9ce
SHA1

588f931ea58470b55b54cb68f0439d77bf3ace00
SHA256

f8158de1bdae482f1550ec4dce629a83fe36855cdbbe3b83df25f92cea93b4eb
SHA512

cf62e7c76e1aac4f7190b124c0957650946c9e14f9c1a8b84540d77a938713cf6b23584adcd56761bb217a0828266ab7b05f5c461e48997284a965e443ee5f77
SSDEEP

6144:pf+BLtABPDdtNoC56e3zJKiNp41V6GIeyXiRA1D0Vtd:ntqe3zJK6Y69eyXH1Dod

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/874203276105646101/5nzbSE8EceBOwJOrwMPVirH8jtpIQeEz0qVvjd8kcIpKCmQx_CmuWLlLT2qSd2VvURKc

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	freegeoip.app
6	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	084b0e0d9ba4905509b88aae7371d9ce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	084b0e0d9ba4905509b88aae7371d9ce.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1924	084b0e0d9ba4905509b88aae7371d9ce.exe
1924	084b0e0d9ba4905509b88aae7371d9ce.exe
1924	084b0e0d9ba4905509b88aae7371d9ce.exe
1924	084b0e0d9ba4905509b88aae7371d9ce.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	084b0e0d9ba4905509b88aae7371d9ce.exe

C:\Users\Admin\AppData\Local\Temp\084b0e0d9ba4905509b88aae7371d9ce.exe
"C:\Users\Admin\AppData\Local\Temp\084b0e0d9ba4905509b88aae7371d9ce.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
421B

MD5
d8cbf6b987472dc4514d077722538c5b

SHA1
7c0675acde835016a6e38e77f68eae9a4ac64184

SHA256
752f845d166150f912fd1a4cbba627a9309255be43a193a8a5832706e9f071e0

SHA512
415d877c6c5ed28f51ba3b11f519685c0c9b0d9b83533e67764de074bfa515e692ae0e0cb3345fed9d8b1c4d8a03cd95fab21c0192daf529d292ff4f01e9d80a

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
748B

MD5
be987d043188885e01156c8d0e51d5c2

SHA1
a85292323fae8d878da11d1610feca554db65137

SHA256
109810d7538a5f23cefa6fbb40f817de26dd4459b6b2e014db6d13ea281904b9

SHA512
35eb8a79f0e1a83bdfb94a6c1d44ac53e9a5c8c6437ea1b0bbf5edf09b1cc12fc93498ba2f90ef5f26f1b8a38f1a5da7346738c93f0ae7c00d8c9e0151be075a

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
a8ebb4cffe9dd3dac5dc0a5a2c24a59a

SHA1
ea0d3d2cfa192d6fde4d7bac0174fea5715b7961

SHA256
8973e94748688a7b4282a9021432821394733049532a46143b2ebc197acc498d

SHA512
a8f74680781a3066e31ddb26c4f3446991f019efcb34224dad5e9d2930a7f2d70aa878378c23f81e6b385fcf6fdd02c5c124feb41cdb67852db2a01c68ec6084

Download Submit
memory/1924-0-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1924-31-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/1924-30-0x00007FF9ADD80000-0x00007FF9AE841000-memory.dmp

Filesize
10.8MB

Download
memory/1924-124-0x00007FF9ADD80000-0x00007FF9AE841000-memory.dmp

Filesize
10.8MB

Download