44caliber | 138d8ab76f76ab69c33c1606de29083ef561d98c08350af91849f1dd1bf16d10

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2024 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

606db2cb19ad7f8e3d20b633a8872330.exe
Size

7.1MB
MD5

606db2cb19ad7f8e3d20b633a8872330
SHA1

3228f2b1051fa71f33a3ffe6e6cf385b1617e175
SHA256

138d8ab76f76ab69c33c1606de29083ef561d98c08350af91849f1dd1bf16d10
SHA512

44438e9ef0cc1211a6be7c861b5a321f14993252030c6a25e981f2b500edb8eb4f083d32c009c5eaee808018958e8fd04cdc4675010c87bb3ef3ac654a1cd8ea
SSDEEP

6144:1OsE5m1O1B0Ln62oeD+ceV3DZgCtCFOzmoziZ+1p24u4Z3bF:YsZA0Nf+rxDCcnzmoziZ+1p24u4j

Score

10^/10

44caliber spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 freegeoip.app
7 freegeoip.app

flow	ioc
6	freegeoip.app
7	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

606db2cb19ad7f8e3d20b633a8872330.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	606db2cb19ad7f8e3d20b633a8872330.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	606db2cb19ad7f8e3d20b633a8872330.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

606db2cb19ad7f8e3d20b633a8872330.exe

pid	process
2708	606db2cb19ad7f8e3d20b633a8872330.exe
2708	606db2cb19ad7f8e3d20b633a8872330.exe
2708	606db2cb19ad7f8e3d20b633a8872330.exe
2708	606db2cb19ad7f8e3d20b633a8872330.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

606db2cb19ad7f8e3d20b633a8872330.exe

description pid process

Token: SeDebugPrivilege 2708 606db2cb19ad7f8e3d20b633a8872330.exe

description	pid	process
Token: SeDebugPrivilege	2708	606db2cb19ad7f8e3d20b633a8872330.exe

C:\Users\Admin\AppData\Local\Temp\606db2cb19ad7f8e3d20b633a8872330.exe
"C:\Users\Admin\AppData\Local\Temp\606db2cb19ad7f8e3d20b633a8872330.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
415B

MD5
4683526c3bd10c0ef561561d17f1122e

SHA1
0d20dcbc447c91651f84fc4487636a98824895ad

SHA256
69f364a09d0962891c2e170280f23af88867668325a6ff93fca85abab8e02abe

SHA512
5e37f264f90e979f37cf608c3cc77ab324771a5a4c3f725555094b65fb6d79f3d1665facd1364acdb58cd3ab28e84de7b722427ccf258f2993966b160306783a

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
745B

MD5
784c7805ad2b672c37ed7c7f85a1ad4b

SHA1
767751348e5d06eb0022d3219198134ec41c9965

SHA256
400ac8e0f15ecd709c97a7c39c509fb6c48cf968a6a70a3f23d13ca923c0f513

SHA512
a1c087efd248f07cf17cf7d0d3e8154f0c0059a7ee795ae804abfa885f5898750f2bf516064ab8f1aa3d05023b0a74e4fbb176b2ae05ed57b2d8f8750333863d

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
1KB

MD5
acb50d42a03bb4a9055e433d0c05663b

SHA1
b96dfb2aaa4e3795490b9e2c1445d1826ba5ece5

SHA256
f53a6a9558ef9bf1bcce9a6fecb90acbd4ed79c24ac336ec935c7a4a075ff490

SHA512
427a00ccff692cfaf1c0d3a40ea3deda0c4ed0ee94d441f95b28b3bca869246c7075e62aa3f7e89fc51faa43d320e7bc1077d340a8204847b6c477575de9ac71

Download Submit
memory/2708-0-0x000001E448160000-0x000001E4481AE000-memory.dmp

Filesize
312KB

Download
memory/2708-16-0x00007FF8BCB10000-0x00007FF8BD5D1000-memory.dmp

Filesize
10.8MB

Download
memory/2708-17-0x000001E4628B0000-0x000001E4628C0000-memory.dmp

Filesize
64KB

Download
memory/2708-121-0x00007FF8BCB10000-0x00007FF8BD5D1000-memory.dmp

Filesize
10.8MB

Download