44caliber | 699f85530a90e3aa36ff9e89dd99eb80c9c183e5b4051f05563519207a6f43f1

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-01-2024 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e4b2af9613621fcf93169e9e675a83d.exe
Size

1.2MB
MD5

6e4b2af9613621fcf93169e9e675a83d
SHA1

c73f05cc03da6fae9d02dae5c27a39ad27e614f8
SHA256

699f85530a90e3aa36ff9e89dd99eb80c9c183e5b4051f05563519207a6f43f1
SHA512

35a8322abfa612c2e26f1ba182ac9ec329d52f64d0e65957ab75e6e9e8c4b91f12dc7b654e63bcb635ed76cbae4a99c9cc3474ef68c447cb8b53a3f530e1130b
SSDEEP

24576:BxvZEnWSE8QUvZE7ip4eTIFKEEHpded5mdKv1rVewecDM:BxvZEWeQuE7Mbpd4mqrJDM

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://ptb.discord.com/api/webhooks/860353023338086430/2Qd4HlzQHur0rzkKBP2Vm6f3rps1M95uCLN9BFhgxoNcoNZaddzQ1WGM0rfQd1x1RjdF

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 freegeoip.app
5 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

6e4b2af9613621fcf93169e9e675a83d.exe

pid process

3044 6e4b2af9613621fcf93169e9e675a83d.exe

flow	ioc
4	freegeoip.app
5	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6e4b2af9613621fcf93169e9e675a83d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	6e4b2af9613621fcf93169e9e675a83d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	6e4b2af9613621fcf93169e9e675a83d.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

6e4b2af9613621fcf93169e9e675a83d.exe

pid	process
3044	6e4b2af9613621fcf93169e9e675a83d.exe
3044	6e4b2af9613621fcf93169e9e675a83d.exe
3044	6e4b2af9613621fcf93169e9e675a83d.exe
3044	6e4b2af9613621fcf93169e9e675a83d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6e4b2af9613621fcf93169e9e675a83d.exe

description pid process

Token: SeDebugPrivilege 3044 6e4b2af9613621fcf93169e9e675a83d.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

6e4b2af9613621fcf93169e9e675a83d.exe

pid process

3044 6e4b2af9613621fcf93169e9e675a83d.exe

description	pid	process
Token: SeDebugPrivilege	3044	6e4b2af9613621fcf93169e9e675a83d.exe

C:\Users\Admin\AppData\Local\Temp\6e4b2af9613621fcf93169e9e675a83d.exe
"C:\Users\Admin\AppData\Local\Temp\6e4b2af9613621fcf93169e9e675a83d.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
397B

MD5
1bc2939fc398e4de799f39f69c579e88

SHA1
7168277ea15299f57dd45e3853743b689111416a

SHA256
4995a0e6b02816829dc741c5642609f0e14a1c0b4a2f20696db0da91d9a7c88b

SHA512
e56783a97402b72868208d60195528002daae7d648b788fc3b6f1623b3180de0d290eb8a279273ca837c643e544dbcbdfc704ee3bac23e017a13ad3fefda3ea5

Download Submit
memory/3044-0-0x0000000001040000-0x00000000013EC000-memory.dmp

Filesize
3.7MB

Download
memory/3044-1-0x0000000001040000-0x00000000013EC000-memory.dmp

Filesize
3.7MB

Download
memory/3044-2-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/3044-3-0x0000000002880000-0x00000000028C0000-memory.dmp

Filesize
256KB

Download
memory/3044-53-0x0000000001040000-0x00000000013EC000-memory.dmp

Filesize
3.7MB

Download
memory/3044-54-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download