44caliber | 80d0de1de27f659bdc31d0aab393837167b348ff4029e354be394fb2b79ba371

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

224e8b219e855f118375d487e6ac15f0.exe
Size

252KB
MD5

224e8b219e855f118375d487e6ac15f0
SHA1

02397f0e277508ce202d7f90b325c4ed7298eeb4
SHA256

80d0de1de27f659bdc31d0aab393837167b348ff4029e354be394fb2b79ba371
SHA512

c03b4714973936f93032e6cf5b50b12637c9a9d562221b9887b4f34c717ee03e49824dc1a2fe33d7b03c495255ab7ccb05c623807680230e8534d3cf6f1c7d4f
SSDEEP

3072:nI7+8kQQHL+ueDVpsXMpI9B0p3DvsR2P4COdP0V9y40z4Ekz1eaMjAmectmqy3hb:4+8MHMt+9B0lvq2P4Lm9y1k1z1eRbpd

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discordapp.com/api/webhooks/869635461541429258/hxEYazB2m_bqWOWdlnRrBOnLi8waabSchbnYiXPHDudSBlAEOry51hz3i902VgDh1LGm

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
6	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	224e8b219e855f118375d487e6ac15f0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	224e8b219e855f118375d487e6ac15f0.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4828	224e8b219e855f118375d487e6ac15f0.exe
4828	224e8b219e855f118375d487e6ac15f0.exe
4828	224e8b219e855f118375d487e6ac15f0.exe
4828	224e8b219e855f118375d487e6ac15f0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4828	224e8b219e855f118375d487e6ac15f0.exe

C:\Users\Admin\AppData\Local\Temp\224e8b219e855f118375d487e6ac15f0.exe
"C:\Users\Admin\AppData\Local\Temp\224e8b219e855f118375d487e6ac15f0.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
bef6473f75c3de14d7e1650f91a7504c

SHA1
93b085119f3501307861e2982779ca5b8de6b7f7

SHA256
249ebdfeb5f1b31613665959bddcd94657ae4afa6f1952cd2beb674817685d25

SHA512
c2e510ddf7c5cfa5c7ec8e1f916560cb4611d22c02251cdb996e70208771181dd7278c13f5c8f9f33176f532bd2a0fd5ed7741496b9d14d26326fa931e1d3b5c

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
224B

MD5
6d56f211858455da1551c69ad687d364

SHA1
4b6e671ab67615f1ff8a2f659b3b3d90ee035e02

SHA256
f5af81c37769c4d79cf922ba736036bb67a26f157eae664a43d27730d8940840

SHA512
f39b238c500e947618fcf88c858cd15d129a0806d1ac505829b1a7b8ebf71f48ab9cfb00f87fc53014205cc17b8ed6cd73c45106623a4fd17e362297146eea82

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
735B

MD5
dc3fae1ea1db99083a534dbaa8615d51

SHA1
d38aa12e3aa68b1f53fcf4c307aa93238493ef73

SHA256
38c0c088f57dd79dc0cf349bcd8ede5a54cd7ca951b52dd12557f40a14169aa9

SHA512
a7c2ae32979dea8a474ca95618e7fc9ef83dea3104b36c6bc2d2347eb76e4444fd54a1b658975ae5165b0922648c543b044d7e25752b1450a8b0dae69632ee57

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
221b905f245f969ee26becc75da1ddb1

SHA1
cfc13dc9b5e5df181d10ea0021b841efc3d9a254

SHA256
d238d95b014407005984e5372d66dd4d6c28734eab10c9fc531623786b282d0f

SHA512
aaadffc7f425e17f8e1ec7d21eeb6f134b6e1602ec25a2e2b7aa0ae632e9c48361c6d9a9e85ef134bc5f99d9025af3f880297bc814d17a84fd3c23edad1a8f62

Download Submit
memory/4828-0-0x0000000000C30000-0x0000000000C76000-memory.dmp

Filesize
280KB

Download
memory/4828-30-0x00007FFBAE610000-0x00007FFBAF0D1000-memory.dmp

Filesize
10.8MB

Download
memory/4828-31-0x000000001BA30000-0x000000001BA40000-memory.dmp

Filesize
64KB

Download
memory/4828-126-0x00007FFBAE610000-0x00007FFBAF0D1000-memory.dmp

Filesize
10.8MB

Download