44caliber | 8298df16c667b88f524bf2cbb79c7f1122fe0f1c95502c5a4e37fa69999affcb

General

Target

6618325d64a870040b82fb73575ee669.exe
Size

1.5MB
MD5

6618325d64a870040b82fb73575ee669
SHA1

5a7a92a76a832d7a5fc37577af8ebb7078cff6e2
SHA256

8298df16c667b88f524bf2cbb79c7f1122fe0f1c95502c5a4e37fa69999affcb
SHA512

641e2c1b6b4c0d1efa590511ead2f46154367a6a9a0a7ac3b7791e2f285214bd8b7ed2309b5c5e59c66475931a2f5245268f99e44f820ecd2bedbb2f6bd233c9
SSDEEP

24576:JhvJVJdMJ7uLp3iEOwnBYnRIOzm3QHxumDWsWT+T6kcfTj4WEs4x8Ka23x:x3dXLp3iEOwnk8BmDCTdkcojxpx

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/866738169181372456/leUwW_rAYekiwOVhgk8WOe6mYy271-wPgyPdfdgGkW3LvRIrgaePX3yC-m_SGyjcPYeJ

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	6618325d64a870040b82fb73575ee669.exe

Executes dropped EXE 1 IoCs

pid	Process
4988	ST.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	freegeoip.app
10	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4988	ST.exe
4988	ST.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ST.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ST.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4988	ST.exe
4988	ST.exe
4988	ST.exe
4988	ST.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	ST.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4988	ST.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 4988	3564	6618325d64a870040b82fb73575ee669.exe	89
PID 3564 wrote to memory of 4988	3564	6618325d64a870040b82fb73575ee669.exe	89
PID 3564 wrote to memory of 4988	3564	6618325d64a870040b82fb73575ee669.exe	89

C:\Users\Admin\AppData\Local\Temp\6618325d64a870040b82fb73575ee669.exe
"C:\Users\Admin\AppData\Local\Temp\6618325d64a870040b82fb73575ee669.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Users\Admin\AppData\Local\Temp\ST.exe
  "C:\Users\Admin\AppData\Local\Temp\ST.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ST.exe

Filesize
1.2MB

MD5
0d1ce9ec311262c574e65633549c9c4a

SHA1
541ba677282a00d73a18fc06123cf7c61a1d1f57

SHA256
64f4e1cdebbb2d16e19e189aa15ac511039b998d837b04aa34fca073084af019

SHA512
daa70c786ac049a18132718ec3bb05480cc97ff92419f9bb78614e93de2dff9c8d034c823ecad7a2323c52a554d83ee826d9c46e3a1c4942e842a3597074e96d

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
8e44af45921c597310c191d686a620de

SHA1
235ae0e84cbdff832f7b4a0af418dc20b00080a0

SHA256
f455db6ccfad6d65664bb931bc6435ef6b1d6a7e5529a8312e5e407b126711f5

SHA512
b722208f6c024604f173411661ecbdfe4aac644f6c00ec8abace0e45aabd312a16a92d534aab6cf817c8b4df31a2df8034034d19de4c293a3279eac7b3756905

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
744B

MD5
5f8805131069ab6d6a05835f2da3ea9a

SHA1
73e67293e21302116e9abe635743fb1d5b510f7f

SHA256
2513a6391d753cf748733d9aa992f360253056b10ec0f9602d8756f67d399491

SHA512
57fad711d86d3660355c5005f63936ab1bc8c11c72e167531bbd4c7ff10495825c348c367f1a4f2306b1dc4332d3bda6f9ebf3d94bd7f4f1c70fedd606581ebb

Download Submit
memory/4988-12-0x0000000000C00000-0x0000000000FAE000-memory.dmp

Filesize
3.7MB

Download
memory/4988-13-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4988-14-0x0000000000C00000-0x0000000000FAE000-memory.dmp

Filesize
3.7MB

Download
memory/4988-15-0x00000000061A0000-0x00000000061B0000-memory.dmp

Filesize
64KB

Download
memory/4988-16-0x00000000061B0000-0x0000000006242000-memory.dmp

Filesize
584KB

Download
memory/4988-50-0x00000000075C0000-0x0000000007B64000-memory.dmp

Filesize
5.6MB

Download
memory/4988-138-0x0000000007490000-0x00000000074F6000-memory.dmp

Filesize
408KB

Download
memory/4988-142-0x0000000000C00000-0x0000000000FAE000-memory.dmp

Filesize
3.7MB

Download
memory/4988-143-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads