44caliber | 0ffc4a30a0719e18e81d17c1aa2a0880ccde91f27a69ddc5682405037f41467b

Analysis

max time kernel
120s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20-01-2024 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a73b2e83b8267fc1b40cd1c42f59116.exe
Size

121KB
MD5

6a73b2e83b8267fc1b40cd1c42f59116
SHA1

bf63ed29fdeae42260eccbef0c511ee77f8f0339
SHA256

0ffc4a30a0719e18e81d17c1aa2a0880ccde91f27a69ddc5682405037f41467b
SHA512

8f3614e4d9a9baf4185cb2d2bdc19a937cdec9260a5dc9dbcdc5db2797d376dc093f2c2ebd55a427475644c2780655d1895a0f610133ce57d969ea46df9ec37a
SSDEEP

1536:eNwXyLxpNnonJsrZ8/l+LguMSxPBuVWDaAruae9/gTlSmE8eLU534GwvfAeB+R0U:2hxp8JgZ29ubBOWwx9YD8jhvoo+RANG

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/857773959478116362/1HjPquy4G_ltau-JO_b28kVAgNjquEwJ8dvlwS9dY_P5TQ_PcQA7UEAQc80CznKxgRVd

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Executes dropped EXE 1 IoCs

pid	Process
2368	HELL Client (Beta).exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
5	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	HELL Client (Beta).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	HELL Client (Beta).exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2368	HELL Client (Beta).exe
2368	HELL Client (Beta).exe
2368	HELL Client (Beta).exe
2368	HELL Client (Beta).exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	HELL Client (Beta).exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2368	2628	6a73b2e83b8267fc1b40cd1c42f59116.exe	28
PID 2628 wrote to memory of 2368	2628	6a73b2e83b8267fc1b40cd1c42f59116.exe	28
PID 2628 wrote to memory of 2368	2628	6a73b2e83b8267fc1b40cd1c42f59116.exe	28

C:\Users\Admin\AppData\Local\Temp\6a73b2e83b8267fc1b40cd1c42f59116.exe
"C:\Users\Admin\AppData\Local\Temp\6a73b2e83b8267fc1b40cd1c42f59116.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\Documents\HELL Client (Beta).exe
  "C:\Users\Admin\Documents\HELL Client (Beta).exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
383B

MD5
2e76f75bc1433d1f80ee1923e75f8b0c

SHA1
0ecbffb68c0d15603b5f4ad3d6c4dedc82525d21

SHA256
bc1a95f683b175bf594e350009b008db146e2f69f9d31fd95007275e90f20248

SHA512
0afb96ca323ecd905ea5216bc21a1b840aa2791e4e2daaa60ed51d5d26b3eaec0d5330960a9d516b4925a2b68a1f888f01b0aad2dc5adc7b71b8c91a4fb3bcd2

Download Submit
C:\Users\Admin\Documents\HELL Client (Beta).exe

Filesize
274KB

MD5
d8e815c8a5a3b8faf325f65e61456613

SHA1
465f915d9601df9da4f518c4717bba9e7c425870

SHA256
1590226cbdb796bfb1638bd2295a7b169a6f1168cdcb2c0d17a6c7dc2ae5dfb4

SHA512
28bfe46c5d16b432d2ac623157a80f9ecf40d81eb8e49249ce329611ef65145cd65c85ac63cc57a46489d43a27cc633aa6e63bcbf5f0f485adc7a3537b4ef310

Download Submit
memory/2368-9-0x0000000000A20000-0x0000000000A6A000-memory.dmp

Filesize
296KB

Download
memory/2368-11-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2368-12-0x000000001B2D0000-0x000000001B350000-memory.dmp

Filesize
512KB

Download
memory/2368-58-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2628-0-0x0000000000B90000-0x0000000000BB4000-memory.dmp

Filesize
144KB

Download
memory/2628-1-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2628-2-0x000000001B0C0000-0x000000001B140000-memory.dmp

Filesize
512KB

Download
memory/2628-10-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download