44caliber | be163731cfe152309f2f36332968aa275edef44ede0544d9fa37d26ce530cb77

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37ac48c6a31ec8e83e4b92f03e729917.exe
Size

274KB
MD5

37ac48c6a31ec8e83e4b92f03e729917
SHA1

ae3fb437257f048177223eff1df8f4a009aa6545
SHA256

be163731cfe152309f2f36332968aa275edef44ede0544d9fa37d26ce530cb77
SHA512

9209bf598ee9caa514700921cea8a2e788ce76eb03bf7acb0f21c462859974792d6bcf41d57a0578db90d79a86355556ed87717ee15caf4a5019448fe8d88c30
SSDEEP

6144:Gf+BLtABPD9NF/DVGK7zeNL+dN41V6GIeyXyRA1D0kj2:wNKK7zeNL2Y69eyXX1DL2

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discordapp.com/api/webhooks/859014405580783637/J-rOLcLQORAp4rSIpre0H46Lhmzd8QK1hgRFNA4mqYSEz6dtJRq9HsK-id725NgqZTvK

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 freegeoip.app
4 freegeoip.app

flow	ioc
3	freegeoip.app
4	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

37ac48c6a31ec8e83e4b92f03e729917.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	37ac48c6a31ec8e83e4b92f03e729917.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	37ac48c6a31ec8e83e4b92f03e729917.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

37ac48c6a31ec8e83e4b92f03e729917.exe

pid	process
3284	37ac48c6a31ec8e83e4b92f03e729917.exe
3284	37ac48c6a31ec8e83e4b92f03e729917.exe
3284	37ac48c6a31ec8e83e4b92f03e729917.exe
3284	37ac48c6a31ec8e83e4b92f03e729917.exe
3284	37ac48c6a31ec8e83e4b92f03e729917.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

37ac48c6a31ec8e83e4b92f03e729917.exe

description pid process

Token: SeDebugPrivilege 3284 37ac48c6a31ec8e83e4b92f03e729917.exe

description	pid	process
Token: SeDebugPrivilege	3284	37ac48c6a31ec8e83e4b92f03e729917.exe

C:\Users\Admin\AppData\Local\Temp\37ac48c6a31ec8e83e4b92f03e729917.exe
"C:\Users\Admin\AppData\Local\Temp\37ac48c6a31ec8e83e4b92f03e729917.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
516B

MD5
ebe7de772ba5023732bcf6e9bab7ff59

SHA1
abcd7ca6579bfd6bd396f89077238602e483ee83

SHA256
840fa6110f3cfbf1f06561d3edc479b4f1b14651fc8080a720e56c5aab2a1742

SHA512
9077e9f80732f6af66907c12f9c744493d793ea068457c9a0bc9c9ce1d245210d23a0cac44a9d1ca76c850c174b8693c5ac21044e3f2057fddd999da70f0b880

Download Submit
C:\ProgramData\44\Process.txt

Filesize
759B

MD5
5a53230bc0791e7fabb483095368a9b2

SHA1
03ece9526af92fd1bda797226ea119074f41ca76

SHA256
5deaa448c46606d13995e3b725d0cb17c244835141b6f5a8a986f43223b41b2a

SHA512
5be342ad0f24c9330cfa4e449b20a7fc2012e51605b01dd9d79ad151cc4a7e18abb7ad67c9de96f416dd01fd2cc85593210c0ba2afb3589bf592fc8585c5b1b9

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
2bbdad197491c46933fc9113ba7bd7a0

SHA1
1a6fbe3d849aa19f6257dd3d1990ef666a4f5407

SHA256
5b52c29bb6f9e080810c0bf549235f875ad45c2d1ebc3d1de0a832f5ff7a5436

SHA512
d832d288e24ac85078a6e5b5c8de6c7d30c4b169f010248febbc4a6c69af6f373a10e7254cb1e2200d3fab43ce9129c8653d7173fd7e4c1faac936c722138d82

Download Submit
memory/3284-0-0x0000000000920000-0x000000000096A000-memory.dmp

Filesize
296KB

Download
memory/3284-1-0x00007FF958CD0000-0x00007FF959791000-memory.dmp

Filesize
10.8MB

Download
memory/3284-13-0x0000000001160000-0x0000000001170000-memory.dmp

Filesize
64KB

Download
memory/3284-130-0x00007FF958CD0000-0x00007FF959791000-memory.dmp

Filesize
10.8MB

Download