44caliber | 239525c06bd5b287d65fc971a2cab16f92c4fbca5f47969aff1e397eef9fe155

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2024 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1127f9f9ecf644ce673c211e185e648c.exe
Size

153KB
MD5

1127f9f9ecf644ce673c211e185e648c
SHA1

a6432449b6302f1fb132dc4e4de31ebfbf64c64e
SHA256

239525c06bd5b287d65fc971a2cab16f92c4fbca5f47969aff1e397eef9fe155
SHA512

03951559b5f24b5576f85bf39471c2b0b6f70dcc2e4b8672082a1856539e97930705efc4696fbadcd0639284007aa2b060a21b3897074773feb867859dec76a1
SSDEEP

3072:oSxI4Va2xhvCSs2gP5PFme+DOwHfEQ6yyF5vtRcbhYqZMo:o8FFs2S5tmH1sjVJI9Q

Score

10^/10

44caliber spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	freegeoip.app
3	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	1127f9f9ecf644ce673c211e185e648c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1127f9f9ecf644ce673c211e185e648c.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
628	1127f9f9ecf644ce673c211e185e648c.exe
628	1127f9f9ecf644ce673c211e185e648c.exe
628	1127f9f9ecf644ce673c211e185e648c.exe
628	1127f9f9ecf644ce673c211e185e648c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	1127f9f9ecf644ce673c211e185e648c.exe

C:\Users\Admin\AppData\Local\Temp\1127f9f9ecf644ce673c211e185e648c.exe
"C:\Users\Admin\AppData\Local\Temp\1127f9f9ecf644ce673c211e185e648c.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
b16ea889ab97cd4ad880b5ab2fd3e356

SHA1
0a10ac6135969b2416226548128ee156bd2141c4

SHA256
f0428405e8021b3b7fdbc6bdde8fdf70d516286e93a94b7ba34c25af3c74c748

SHA512
e951f975d24d3510335b9919813113da3ca772edb8b77e2fe15794ebf94f15125e37fcea747bbcbd9d22b6649a40b614ccb1f7e3399eaadc75f5b20f50a7d2cd

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
8ffb38ac55f1f9d817a6d5ba5d35c147

SHA1
45c568bc81bd99d25e29fcb29dc8f687321ada39

SHA256
775a9e6f5ae93821151e27c0685f73fc1bcb090f18e1ff37ef513664d7d5efee

SHA512
105269edd40fff6f248495cd9068447521fcb88709ff1c9e36c21dd30efd2de80c13f246b7519758b4731f8643ce97d0ddaa85f7ce72af2d5a44672e8e1a7a24

Download Submit
C:\ProgramData\44\Process.txt

Filesize
729B

MD5
838e65c337e73c0943c9f6795e9eaa71

SHA1
7ba4b08e57c93220341c5fadc440b6debb33f3f3

SHA256
420641ff6c61b007a939b36498c28c814c4b6cf26ecb1e8412c38bf12789d027

SHA512
066e274bbf1fe9882e3abd9d9d91aa420558b3eb23e0993f20439f1713bd26e1787d478d905292964266c5f7d3731f49b131881b38abb34f9c552d49ff781f49

Download Submit
C:\ProgramData\44\Process.txt

Filesize
975B

MD5
4b7b487278ccd1415b12c97231c23a73

SHA1
1916c194d5e005cf605a88a5c95592e1a7abbd01

SHA256
eb702b99d7db2994cfb3771474cc5676d7ca1a5befe48a81a5ac835c44562dcf

SHA512
8ac5087743115906d258809181657116f79ee90e3afefc564ca67f5fd734696c36ad303eb4e8a4eaa1600ae4a360899c4c255d8eed9d10f4a340078287ef67d7

Download Submit
C:\ProgramData\44\Process.txt

Filesize
932B

MD5
0b22a3964a1a9746d48849cb202b2e05

SHA1
a08abd2e1be0b477ac36d08e772f95b27b59cdb6

SHA256
449cb685277c6201c7585bb6da4200654744a2f8949536428bb9637a984f6278

SHA512
586d8649c767fe7342f008a2dc20004cc0d170d664f459f0eae908cac45e8254c90757aa51b80fb93897c698f9c9f9c10aff70161dd9bc9e8615a95c8dd17dbd

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
25451807c7c29ae817806fbb850ea361

SHA1
8dd50a6f4984ac9ef7d05089c7f0ab4662e610a2

SHA256
7d621d32d877778977c6287116a367df968eb4a651558cbdfb449fa14dd29e11

SHA512
0dd879a89e128230f74d8aeeba297570abc97a9c2af96fc23394d3da3c9d04d059bf4b2877aae2acde0a6b24d5d8a6ebc28918cf663d61bff0ae6b8cf131cb6a

Download Submit
memory/628-0-0x0000000000700000-0x000000000072C000-memory.dmp

Filesize
176KB

Download
memory/628-34-0x000000001B540000-0x000000001B550000-memory.dmp

Filesize
64KB

Download
memory/628-33-0x00007FFB87CA0000-0x00007FFB88761000-memory.dmp

Filesize
10.8MB

Download
memory/628-18-0x000000001B540000-0x000000001B550000-memory.dmp

Filesize
64KB

Download
memory/628-2-0x00007FFB87CA0000-0x00007FFB88761000-memory.dmp

Filesize
10.8MB

Download
memory/628-1-0x0000000001000000-0x000000000104C000-memory.dmp

Filesize
304KB

Download
memory/628-130-0x00007FFB87CA0000-0x00007FFB88761000-memory.dmp

Filesize
10.8MB

Download