44caliber | 8298df16c667b88f524bf2cbb79c7f1122fe0f1c95502c5a4e37fa69999affcb

General

Target

6618325d64a870040b82fb73575ee669.exe
Size

1.5MB
MD5

6618325d64a870040b82fb73575ee669
SHA1

5a7a92a76a832d7a5fc37577af8ebb7078cff6e2
SHA256

8298df16c667b88f524bf2cbb79c7f1122fe0f1c95502c5a4e37fa69999affcb
SHA512

641e2c1b6b4c0d1efa590511ead2f46154367a6a9a0a7ac3b7791e2f285214bd8b7ed2309b5c5e59c66475931a2f5245268f99e44f820ecd2bedbb2f6bd233c9
SSDEEP

24576:JhvJVJdMJ7uLp3iEOwnBYnRIOzm3QHxumDWsWT+T6kcfTj4WEs4x8Ka23x:x3dXLp3iEOwnk8BmDCTdkcojxpx

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/866738169181372456/leUwW_rAYekiwOVhgk8WOe6mYy271-wPgyPdfdgGkW3LvRIrgaePX3yC-m_SGyjcPYeJ

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6618325d64a870040b82fb73575ee669.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	6618325d64a870040b82fb73575ee669.exe

Executes dropped EXE 1 IoCs

Processes:

ST.exe

pid process

232 ST.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 freegeoip.app
7 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

ST.exe

pid process

232 ST.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
232	ST.exe

flow	ioc
6	freegeoip.app
7	freegeoip.app

pid	process
232	ST.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ST.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ST.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ST.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ST.exe

pid process

232 ST.exe
232 ST.exe
232 ST.exe
232 ST.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ST.exe

description pid process

Token: SeDebugPrivilege 232 ST.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ST.exe

pid process

232 ST.exe

pid	process
232	ST.exe
232	ST.exe
232	ST.exe
232	ST.exe

description	pid	process
Token: SeDebugPrivilege	232	ST.exe

pid	process
232	ST.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6618325d64a870040b82fb73575ee669.exe

description	pid	process	target process
PID 3896 wrote to memory of 232	3896	6618325d64a870040b82fb73575ee669.exe	ST.exe
PID 3896 wrote to memory of 232	3896	6618325d64a870040b82fb73575ee669.exe	ST.exe
PID 3896 wrote to memory of 232	3896	6618325d64a870040b82fb73575ee669.exe	ST.exe

C:\Users\Admin\AppData\Local\Temp\6618325d64a870040b82fb73575ee669.exe
"C:\Users\Admin\AppData\Local\Temp\6618325d64a870040b82fb73575ee669.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3896

C:\Users\Admin\AppData\Local\Temp\ST.exe
"C:\Users\Admin\AppData\Local\Temp\ST.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ST.exe

Filesize
475KB

MD5
ee5fa19b09857f3f3e718ebe5a18f376

SHA1
b583cd941e0479da53fea293249a6021273e3aac

SHA256
f2139428d11728d91c6cd680f70cd8aa4e34ec3ee0d3f10683db4b6aa883aa39

SHA512
4b709c154cabb18c33591cf3b09dbe67f3153f96f705c55676d99ac94877970d01ab45ae7877a4bb69ad4ed58955c35c464c812ead6342c367b4be33f28fa789

Download Submit
C:\Users\Admin\AppData\Local\Temp\ST.exe

Filesize
442KB

MD5
166e858d6723c660d9c31d75fdde9030

SHA1
9dda1648b86157e9ed402c58bcf6dacf31209512

SHA256
1e214fcea82fe889f49ab1d5ecdf6ee9180d46a9c34a771c88c1c9c18c1b88b0

SHA512
d36a4d1885b1d71596d757bc955c3a564b635055ec3707f5560ce921ed51389128de8fbac9b50e45a215cd703eba4b332c6f7efaa0ab4518420ebfafef866c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\ST.exe

Filesize
648KB

MD5
87c6f0cab35d4fbd69452e8383c6a17e

SHA1
95e978cf9139021e33b02775cbc92ebe9e920bfd

SHA256
5632ee02c4d4aca594afc95695709e68f0d8e4ed0b3bf626001ce7d98e829775

SHA512
eb4b41348239ca1dd613573f591368e5efd77f97defd38f31941495c35975269655c7c5bb829f3a31159b86d85df0976bc17e317a3db03b2eb5cfa1e1a3e233a

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
72c5adcb8f3c20b0f509c00c8dcdc3e2

SHA1
1e366878db0df08f4072374360ba4bd435d48d37

SHA256
0bc491cf1fe48a870fae85dd0a0991f15dc473b7e6c41eb75bc2b08279dff19e

SHA512
ae750ff06ee0abd9a0fbb3d0ad1555f0bb36dd5baf94b91c003b328e8496fe6cd3906a7c2a1678baa581b247bf28c73b7c17263c8d3416c5a82bc490bc0883d7

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
35e39f88f86148930e67b39be6c81ec9

SHA1
66b15c4d703f0930b22babff3fd06a91ae6fa42a

SHA256
e1a3ad27fd789fa006fa0231f422aa5bf020a8ae90c47207e8d8b11e57db089a

SHA512
000a3f1b7193bbbe73b6555737287363be3000c14352e3a6faf108e891d7b51408cbdb8b7aba0575b152b107e46d75ff1eb789957fe62be83ee989c4392ce4e7

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
464B

MD5
f4a42ea290fe84249d001330efdb818b

SHA1
756d0549da5400ee79aec24d94b83ddc10b4bcb9

SHA256
90b9ca45e816e93a2b194f52b8e56fffef61b2f33b0b57da5cc8b50a4f815720

SHA512
5cb5e220e54a6dd0060d208acd043d50d3ca696a2c74992cc676c78151cbecdc3e5b2898e3b192cc33ea0b706b37ad448cbd3671bc930307dede79ccc838ab93

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
665B

MD5
edfba9ec34ceb7e2441399ddb2222ab1

SHA1
04382d5ec6b2a015d7a668d9bcaf1208544e0dce

SHA256
0cd6ab0e50720f9c787921aa353f8c7d19d9de414878b6d10929438598745952

SHA512
f3eae2834d36a75c93d833fc28aa312ab0d80284b15afa8f23181c0e900f1472379f82ee873198e953cf7cf11eae28f954f3d24f65fe406fbf2cb41226172832

Download Submit
memory/232-14-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download
memory/232-16-0x0000000005FF0000-0x0000000006082000-memory.dmp

Filesize
584KB

Download
memory/232-15-0x0000000005F40000-0x0000000005F50000-memory.dmp

Filesize
64KB

Download
memory/232-13-0x00000000008D0000-0x0000000000C7E000-memory.dmp

Filesize
3.7MB

Download
memory/232-49-0x00000000073A0000-0x0000000007944000-memory.dmp

Filesize
5.6MB

Download
memory/232-141-0x0000000008400000-0x0000000008466000-memory.dmp

Filesize
408KB

Download
memory/232-12-0x00000000008D0000-0x0000000000C7E000-memory.dmp

Filesize
3.7MB

Download
memory/232-145-0x00000000008D0000-0x0000000000C7E000-memory.dmp

Filesize
3.7MB

Download
memory/232-146-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads