44caliber | 239525c06bd5b287d65fc971a2cab16f92c4fbca5f47969aff1e397eef9fe155

General

Target

1127f9f9ecf644ce673c211e185e648c.exe
Size

153KB
MD5

1127f9f9ecf644ce673c211e185e648c
SHA1

a6432449b6302f1fb132dc4e4de31ebfbf64c64e
SHA256

239525c06bd5b287d65fc971a2cab16f92c4fbca5f47969aff1e397eef9fe155
SHA512

03951559b5f24b5576f85bf39471c2b0b6f70dcc2e4b8672082a1856539e97930705efc4696fbadcd0639284007aa2b060a21b3897074773feb867859dec76a1
SSDEEP

3072:oSxI4Va2xhvCSs2gP5PFme+DOwHfEQ6yyF5vtRcbhYqZMo:o8FFs2S5tmH1sjVJI9Q

Score

10^/10

44caliber spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 freegeoip.app
3 freegeoip.app

flow	ioc
2	freegeoip.app
3	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1127f9f9ecf644ce673c211e185e648c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	1127f9f9ecf644ce673c211e185e648c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1127f9f9ecf644ce673c211e185e648c.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1127f9f9ecf644ce673c211e185e648c.exe

pid	process
628	1127f9f9ecf644ce673c211e185e648c.exe
628	1127f9f9ecf644ce673c211e185e648c.exe
628	1127f9f9ecf644ce673c211e185e648c.exe
628	1127f9f9ecf644ce673c211e185e648c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1127f9f9ecf644ce673c211e185e648c.exe

description pid process

Token: SeDebugPrivilege 628 1127f9f9ecf644ce673c211e185e648c.exe

description	pid	process
Token: SeDebugPrivilege	628	1127f9f9ecf644ce673c211e185e648c.exe

C:\Users\Admin\AppData\Local\Temp\1127f9f9ecf644ce673c211e185e648c.exe
"C:\Users\Admin\AppData\Local\Temp\1127f9f9ecf644ce673c211e185e648c.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt
Filesize
1KB

MD5
b16ea889ab97cd4ad880b5ab2fd3e356

SHA1
0a10ac6135969b2416226548128ee156bd2141c4

SHA256
f0428405e8021b3b7fdbc6bdde8fdf70d516286e93a94b7ba34c25af3c74c748

SHA512
e951f975d24d3510335b9919813113da3ca772edb8b77e2fe15794ebf94f15125e37fcea747bbcbd9d22b6649a40b614ccb1f7e3399eaadc75f5b20f50a7d2cd

Download Submit
C:\ProgramData\44\Process.txt
Filesize
1KB

MD5
8ffb38ac55f1f9d817a6d5ba5d35c147

SHA1
45c568bc81bd99d25e29fcb29dc8f687321ada39

SHA256
775a9e6f5ae93821151e27c0685f73fc1bcb090f18e1ff37ef513664d7d5efee

SHA512
105269edd40fff6f248495cd9068447521fcb88709ff1c9e36c21dd30efd2de80c13f246b7519758b4731f8643ce97d0ddaa85f7ce72af2d5a44672e8e1a7a24

Download Submit
C:\ProgramData\44\Process.txt
Filesize
729B

MD5
838e65c337e73c0943c9f6795e9eaa71

SHA1
7ba4b08e57c93220341c5fadc440b6debb33f3f3

SHA256
420641ff6c61b007a939b36498c28c814c4b6cf26ecb1e8412c38bf12789d027

SHA512
066e274bbf1fe9882e3abd9d9d91aa420558b3eb23e0993f20439f1713bd26e1787d478d905292964266c5f7d3731f49b131881b38abb34f9c552d49ff781f49

Download Submit
C:\ProgramData\44\Process.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\44\Process.txt
Filesize
975B

MD5
4b7b487278ccd1415b12c97231c23a73

SHA1
1916c194d5e005cf605a88a5c95592e1a7abbd01

SHA256
eb702b99d7db2994cfb3771474cc5676d7ca1a5befe48a81a5ac835c44562dcf

SHA512
8ac5087743115906d258809181657116f79ee90e3afefc564ca67f5fd734696c36ad303eb4e8a4eaa1600ae4a360899c4c255d8eed9d10f4a340078287ef67d7

Download Submit
C:\ProgramData\44\Process.txt
Filesize
932B

MD5
0b22a3964a1a9746d48849cb202b2e05

SHA1
a08abd2e1be0b477ac36d08e772f95b27b59cdb6

SHA256
449cb685277c6201c7585bb6da4200654744a2f8949536428bb9637a984f6278

SHA512
586d8649c767fe7342f008a2dc20004cc0d170d664f459f0eae908cac45e8254c90757aa51b80fb93897c698f9c9f9c10aff70161dd9bc9e8615a95c8dd17dbd

Download Submit
C:\ProgramData\44\Process.txt
Filesize
1KB

MD5
25451807c7c29ae817806fbb850ea361

SHA1
8dd50a6f4984ac9ef7d05089c7f0ab4662e610a2

SHA256
7d621d32d877778977c6287116a367df968eb4a651558cbdfb449fa14dd29e11

SHA512
0dd879a89e128230f74d8aeeba297570abc97a9c2af96fc23394d3da3c9d04d059bf4b2877aae2acde0a6b24d5d8a6ebc28918cf663d61bff0ae6b8cf131cb6a

Download Submit
memory/628-0-0x0000000000700000-0x000000000072C000-memory.dmp

Filesize
176KB

Download
memory/628-34-0x000000001B540000-0x000000001B550000-memory.dmp

Filesize
64KB

Download
memory/628-33-0x00007FFB87CA0000-0x00007FFB88761000-memory.dmp

Filesize
10.8MB

Download
memory/628-18-0x000000001B540000-0x000000001B550000-memory.dmp

Filesize
64KB

Download
memory/628-2-0x00007FFB87CA0000-0x00007FFB88761000-memory.dmp

Filesize
10.8MB

Download
memory/628-1-0x0000000001000000-0x000000000104C000-memory.dmp

Filesize
304KB

Download
memory/628-130-0x00007FFB87CA0000-0x00007FFB88761000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing