44caliber | 81673703e3620dd4760abc876882185a901fdebdd9db9ec6caad172adce76306

General

Target

58c1a37139dc07fd0d4d800032cc65d0.exe
Size

1.7MB
MD5

58c1a37139dc07fd0d4d800032cc65d0
SHA1

62474977ece1d8b71400474d4998497089918c12
SHA256

81673703e3620dd4760abc876882185a901fdebdd9db9ec6caad172adce76306
SHA512

59dc2d2cf0a321b960af505231d5fbc373abc59a8f5fe2cf6c0c0908d68bb4454a176ba02243334e6331e6d5831c32b08dbd54bc290bbf02dc213f9d6677a365
SSDEEP

49152:cuYkCr6/VlG1D3bGTHcQHl3Ll3HoCgn/Pa9MdYxGtbR:QVr6/21yR3h3IC8iKdd9

Score

10^/10

44caliber blackguard spyware stealer

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot1835956767:AAHk1asCy0CiwJAclHm32rLK9Ng48TPYeeA/sendMessage?chat_id=1329554755

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 freegeoip.app
19 freegeoip.app

flow	ioc
18	freegeoip.app
19	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

58c1a37139dc07fd0d4d800032cc65d0.exe

pid	process
1696	58c1a37139dc07fd0d4d800032cc65d0.exe
1696	58c1a37139dc07fd0d4d800032cc65d0.exe
1696	58c1a37139dc07fd0d4d800032cc65d0.exe
1696	58c1a37139dc07fd0d4d800032cc65d0.exe
1696	58c1a37139dc07fd0d4d800032cc65d0.exe
1696	58c1a37139dc07fd0d4d800032cc65d0.exe
1696	58c1a37139dc07fd0d4d800032cc65d0.exe
1696	58c1a37139dc07fd0d4d800032cc65d0.exe
1696	58c1a37139dc07fd0d4d800032cc65d0.exe
1696	58c1a37139dc07fd0d4d800032cc65d0.exe
1696	58c1a37139dc07fd0d4d800032cc65d0.exe
1696	58c1a37139dc07fd0d4d800032cc65d0.exe
1696	58c1a37139dc07fd0d4d800032cc65d0.exe
1696	58c1a37139dc07fd0d4d800032cc65d0.exe
1696	58c1a37139dc07fd0d4d800032cc65d0.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

58c1a37139dc07fd0d4d800032cc65d0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	58c1a37139dc07fd0d4d800032cc65d0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	58c1a37139dc07fd0d4d800032cc65d0.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

58c1a37139dc07fd0d4d800032cc65d0.exe

pid	process
1696	58c1a37139dc07fd0d4d800032cc65d0.exe
1696	58c1a37139dc07fd0d4d800032cc65d0.exe
1696	58c1a37139dc07fd0d4d800032cc65d0.exe
1696	58c1a37139dc07fd0d4d800032cc65d0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

58c1a37139dc07fd0d4d800032cc65d0.exe

description pid process

Token: SeDebugPrivilege 1696 58c1a37139dc07fd0d4d800032cc65d0.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

58c1a37139dc07fd0d4d800032cc65d0.exe

pid process

1696 58c1a37139dc07fd0d4d800032cc65d0.exe

description	pid	process
Token: SeDebugPrivilege	1696	58c1a37139dc07fd0d4d800032cc65d0.exe

C:\Users\Admin\AppData\Local\Temp\58c1a37139dc07fd0d4d800032cc65d0.exe
"C:\Users\Admin\AppData\Local\Temp\58c1a37139dc07fd0d4d800032cc65d0.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt
Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\44\Process.txt
Filesize
308B

MD5
54bcdc281eb135732ca57ff89c1b50ed

SHA1
630237161d5daffe51b348ce3ec10fa834239fcf

SHA256
6cda41f444ec739a4e1cbaf8ffd40e485974a571a4871dd2624c575d082fe082

SHA512
afd946087de3076506ab3a659ee3e6ed80e2532ee4a5fae9ca72e864408f9d3f69b5a61b331cd6810176ae64887bac94966cc418aadd38dca9da9a24df0c1682

Download Submit
C:\ProgramData\44\Process.txt
Filesize
984B

MD5
ada8466c13b2bc67b0d175c7b01217f9

SHA1
fb2bfd8dc249017774893cffc4cb1f0ab82e3ad5

SHA256
f9c38815f6b5a3b0b6b14b33114eeff844a78ae263a8a2fb83473ee75178264a

SHA512
ecd30566d0e441f73c785f581f38dab89e80e7298c0bd54443ed6eec5b43b15c703a02feb7ba37fdcef486b515df69f3144921d67cb372b3172794be7ad4b674

Download Submit
C:\ProgramData\44\Process.txt
Filesize
1KB

MD5
f9c937830f8adcf9e63a5c5ef74dba4d

SHA1
9c9166ca1afedc0ef20042c4f113b18f2ed16de2

SHA256
b0bedc9dab2be3acf033455827a9b050112fb3a0b9c46010ad0769530e6d225d

SHA512
0393e195df0887ebe6fcc30bb447eb0aa3aa863c921f22d3454e7b6ea5afdd29ccf5d77729b2e4687e519e3da91f91aeed40e6fed75bc9e3022866ba150ca594

Download Submit
memory/1696-131-0x00000000075B0000-0x0000000007616000-memory.dmp

Filesize
408KB

Download
memory/1696-156-0x0000000003EF0000-0x0000000003EF8000-memory.dmp

Filesize
32KB

Download
memory/1696-40-0x00000000070F0000-0x0000000007182000-memory.dmp

Filesize
584KB

Download
memory/1696-3-0x00000000061C0000-0x00000000061D0000-memory.dmp

Filesize
64KB

Download
memory/1696-0-0x0000000000A70000-0x0000000000F4E000-memory.dmp

Filesize
4.9MB

Download
memory/1696-1-0x0000000073C80000-0x0000000074430000-memory.dmp

Filesize
7.7MB

Download
memory/1696-2-0x0000000000A70000-0x0000000000F4E000-memory.dmp

Filesize
4.9MB

Download
memory/1696-41-0x0000000007740000-0x0000000007CE4000-memory.dmp

Filesize
5.6MB

Download
memory/1696-155-0x0000000003EE0000-0x0000000003EEA000-memory.dmp

Filesize
40KB

Download
memory/1696-157-0x0000000006A60000-0x0000000006A82000-memory.dmp

Filesize
136KB

Download
memory/1696-158-0x0000000007FC0000-0x0000000008314000-memory.dmp

Filesize
3.3MB

Download
memory/1696-161-0x0000000000A70000-0x0000000000F4E000-memory.dmp

Filesize
4.9MB

Download
memory/1696-162-0x0000000073C80000-0x0000000074430000-memory.dmp

Filesize
7.7MB

Download
memory/1696-163-0x00000000061C0000-0x00000000061D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads