44caliber | 02aad493c8daaca9ac8ebe11f072d1dc500aeb72ee2e3fcdd1ec4b1fc2a40bb1

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b4c449beb189f0825e16754103a4ab1.exe
Size

1.7MB
MD5

3b4c449beb189f0825e16754103a4ab1
SHA1

53405948ae32606096dfce7ab63e9aa2c26c4f0a
SHA256

02aad493c8daaca9ac8ebe11f072d1dc500aeb72ee2e3fcdd1ec4b1fc2a40bb1
SHA512

092525e85563de7abeb55d4b728d488a2890c255363063e0c94b83c21f776978369334a541579b16f985801d8e280c8ce962fb805b387a9ed4dcfe580cc6f549
SSDEEP

49152:65Paa0OScMGQg1Fsm+3GSky9kY/pKVYWuHiEc7J:CPa9OSRvmwky9kY/JHi7l

Score

10^/10

44caliber blackguard spyware stealer

Malware Config

Extracted

Family

blackguard

https://api.telegram.org/bot1938169884:AAGbfbPPFVakdCHJgp_PIDvE8jD7mA52LB0/sendMessage?chat_id=1143386592

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	freegeoip.app
3	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1680	3b4c449beb189f0825e16754103a4ab1.exe
1680	3b4c449beb189f0825e16754103a4ab1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	3b4c449beb189f0825e16754103a4ab1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	3b4c449beb189f0825e16754103a4ab1.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1680	3b4c449beb189f0825e16754103a4ab1.exe
1680	3b4c449beb189f0825e16754103a4ab1.exe
1680	3b4c449beb189f0825e16754103a4ab1.exe
1680	3b4c449beb189f0825e16754103a4ab1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	3b4c449beb189f0825e16754103a4ab1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1680	3b4c449beb189f0825e16754103a4ab1.exe

C:\Users\Admin\AppData\Local\Temp\3b4c449beb189f0825e16754103a4ab1.exe
"C:\Users\Admin\AppData\Local\Temp\3b4c449beb189f0825e16754103a4ab1.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
169B

MD5
aeb9e15a5bac7175c4cdfd520c63f54c

SHA1
4352c58af29a34da8d2c6e13d7340b8b33b382f1

SHA256
0b196ae69f178cac3d6b655858eefab27c5d9e999a980704df84a32a9d2415af

SHA512
080ec3cc76222aee88fded75daa9eb7c0d22313f8ffbe097d82cdd853279dba6a0e0fc00c3581074415dcd9b42eb5803808136bd80a1e3bb8183555012c67fae

Download Submit
memory/1680-0-0x0000000000930000-0x0000000000E12000-memory.dmp

Filesize
4.9MB

Download
memory/1680-2-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/1680-1-0x0000000000930000-0x0000000000E12000-memory.dmp

Filesize
4.9MB

Download
memory/1680-3-0x0000000005A30000-0x0000000005A70000-memory.dmp

Filesize
256KB

Download
memory/1680-75-0x0000000000910000-0x0000000000918000-memory.dmp

Filesize
32KB

Download
memory/1680-74-0x0000000000900000-0x000000000090A000-memory.dmp

Filesize
40KB

Download
memory/1680-79-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/1680-78-0x0000000000930000-0x0000000000E12000-memory.dmp

Filesize
4.9MB

Download