44caliber | 232c76d65ab1d36fd73d1c8977bbd63a415a98fc2a7a65648003810584d05ecb

General

Target

6fd43f137db0c8472dc0d64be1190bc6.exe
Size

6.0MB
MD5

6fd43f137db0c8472dc0d64be1190bc6
SHA1

d1feb73da26dcc12198088dacc6dd9caf6417a36
SHA256

232c76d65ab1d36fd73d1c8977bbd63a415a98fc2a7a65648003810584d05ecb
SHA512

f2abf2c3996cd78d35a495ba1b8b951067e9f679ffafb994c53e6cdec8a49034313f4158f6596fd8178ada20b569fa671109381a69b3a4e43c447271152b68ef
SSDEEP

98304:tT1v0Sc5LEgwytj2KJHZpz+v2zU0XWbbr5vMjl2iQu9ntFEPZ8YGpnN6p:l18S6ZyKJz+ezUHQtBEp

Score

10^/10

44caliber discovery spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/871356915303710720/aJQeq8OY3wwqIiXWkN97pUlIjJQhxawbR5zbwOuO96jrzWKG4INekUUjRxLOjy9VbIsi

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6fd43f137db0c8472dc0d64be1190bc6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	6fd43f137db0c8472dc0d64be1190bc6.exe

Executes dropped EXE 3 IoCs

Processes:

Fatality Loader.exeCFG.exeFatality.win.exe

pid process

4528 Fatality Loader.exe
4224 CFG.exe
5004 Fatality.win.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1744 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 freegeoip.app
6 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4528	Fatality Loader.exe
4224	CFG.exe
5004	Fatality.win.exe

pid	process
1744	icacls.exe

flow	ioc
5	freegeoip.app
6	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Fatality Loader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Fatality Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Fatality Loader.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Fatality Loader.exe

pid process

4528 Fatality Loader.exe
4528 Fatality Loader.exe
4528 Fatality Loader.exe
4528 Fatality Loader.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Fatality Loader.exe

description pid process

Token: SeDebugPrivilege 4528 Fatality Loader.exe

pid	process
4528	Fatality Loader.exe
4528	Fatality Loader.exe
4528	Fatality Loader.exe
4528	Fatality Loader.exe

description	pid	process
Token: SeDebugPrivilege	4528	Fatality Loader.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6fd43f137db0c8472dc0d64be1190bc6.exeFatality.win.exejavaw.exe

description	pid	process	target process
PID 512 wrote to memory of 4528	512	6fd43f137db0c8472dc0d64be1190bc6.exe	Fatality Loader.exe
PID 512 wrote to memory of 4528	512	6fd43f137db0c8472dc0d64be1190bc6.exe	Fatality Loader.exe
PID 512 wrote to memory of 4224	512	6fd43f137db0c8472dc0d64be1190bc6.exe	CFG.exe
PID 512 wrote to memory of 4224	512	6fd43f137db0c8472dc0d64be1190bc6.exe	CFG.exe
PID 512 wrote to memory of 4224	512	6fd43f137db0c8472dc0d64be1190bc6.exe	CFG.exe
PID 512 wrote to memory of 5004	512	6fd43f137db0c8472dc0d64be1190bc6.exe	Fatality.win.exe
PID 512 wrote to memory of 5004	512	6fd43f137db0c8472dc0d64be1190bc6.exe	Fatality.win.exe
PID 512 wrote to memory of 5004	512	6fd43f137db0c8472dc0d64be1190bc6.exe	Fatality.win.exe
PID 5004 wrote to memory of 2316	5004	Fatality.win.exe	javaw.exe
PID 5004 wrote to memory of 2316	5004	Fatality.win.exe	javaw.exe
PID 2316 wrote to memory of 1744	2316	javaw.exe	icacls.exe
PID 2316 wrote to memory of 1744	2316	javaw.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\6fd43f137db0c8472dc0d64be1190bc6.exe
"C:\Users\Admin\AppData\Local\Temp\6fd43f137db0c8472dc0d64be1190bc6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:512

C:\Users\Admin\AppData\Local\Temp\CFG.exe
"C:\Users\Admin\AppData\Local\Temp\CFG.exe"
2⤵
- Executes dropped EXE
PID:4224

C:\Users\Admin\AppData\Local\Temp\Fatality Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Fatality Loader.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Users\Admin\AppData\Local\Temp\Fatality.win.exe
"C:\Users\Admin\AppData\Local\Temp\Fatality.win.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\Fatality.win.exe" org.develnext.jphp.ext.javafx.FXLauncher
1⤵
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt
Filesize
1KB

MD5
857f7dfcd3ec3e80df8a050f2a94e917

SHA1
a5b850246ed6e31815f9e2e63f48795fc1e16549

SHA256
dcf454f2577f98f48124b5b71e68dc7f26e18e4d4a5302fd9bcb2d1fa415d804

SHA512
983ff84b12f554b4c09b38bf5199535129868910584d6edd2da92baba6eac8d932d52f926317ed9574ab08ea615d567bc0f48597257b1ebf4191ed5cc16681dd

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
0aa47563f2a72ca43844d53b923ecd60

SHA1
9c79bf7aeaa441302879de854802fc2c3efdb8b2

SHA256
20d1df33e132b28e0dbb400a55214801272c411d30cb2825cbbe71955032402c

SHA512
65559bd9e36ae2bb98fd2c1bfd8457b89ee3d7d524f333ad5967ff93579fcfa123814567ad54dcc5ec5527aa33d49578540a5b093b375d90b9ed6e9b5b9589fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFG.exe
Filesize
296KB

MD5
6249238b5d6ce6217998b97d544a2d60

SHA1
2c68d31bd2084cc722a34ee64fa4a5b638d524f5

SHA256
8fc1c3bbcf19c0b4f789967fa495ca817c3b1d3918cc572cd2c9405c556404e9

SHA512
ac6c35472cb0234d64bd5eb8b025e169f617c2ce81cb2efc2f2ce8a6ac84ee2198f3c0ed126284abf387bf47d0ebaac2a96722a5122dd6ee69c1a46cc8a83ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fatality Loader.exe
Filesize
299KB

MD5
c62e8659a538d545f07e0c9f9d4e7473

SHA1
feaa24f501803d8f179732d4920561deb8b4c08f

SHA256
5895294f317b1cf6c4598d293501249917f8177adea6c0f4241517ee2596365e

SHA512
d0c46943279825cebf4de80d50b53fea409d2ecfae9922af97c93f199b62fdf572a278bdee04fe2a13cf7be8a2ac1fa92a081a8b614a0a89348d894600b1d5ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fatality.win.exe
Filesize
1.3MB

MD5
25d693259d745557f355da3904a6e667

SHA1
637bcdd3d4d91431979b283e95ada208fe59a0bd

SHA256
9a46cdadead3559c288895214d79c6eab6db4782f8b583329f19a9097cbc417f

SHA512
5270013d88bf479649ec417b08d27a0c7fbeba759ee7f08da8d475462497a1c53f0c369b890008983606861022a1c72d261ed1c782d3d0e7e57135b46ea171ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fatality.win.exe
Filesize
1.0MB

MD5
1d5b5fa9e2a7ee4cdc7ed2d6fc49af11

SHA1
8a5af050e9c8429af0c7571ac7ab8e1bc2e7c38b

SHA256
78313c43ec939a98465fb029122830cec41c2882eba2cc9b1af3904018d7a679

SHA512
338ade84ddfa53fb27f8b7531d7f57faf09345aede0795244b3cd3c34e6d57844e50977ebc65350885bdbf4fee167eb9dfb3c0054bbf5d1c90f38dadb58a7235

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fatality.win.exe
Filesize
638KB

MD5
ce2f423a69a7a19e13dd57734a608e23

SHA1
6ec1f3afe972c73b43e9a2aea71ee094f75df9c3

SHA256
b2afbc53f0037294834f81dab6203498afe695bb09e691b9eb382c4768e608df

SHA512
492c9319f16fc763693e1bc2af88579f09f1bb90f96f9d0ad647b7b79b30e77cccf10fcc5d79eaa447b1fe507fb6b2709172b9b35c07adcc0de0b98fbae182ad

Download Submit
memory/512-69-0x00007FFC6A920000-0x00007FFC6B3E1000-memory.dmp

Filesize
10.8MB

Download
memory/512-1-0x00007FFC6A920000-0x00007FFC6B3E1000-memory.dmp

Filesize
10.8MB

Download
memory/512-2-0x000000001B330000-0x000000001B340000-memory.dmp

Filesize
64KB

Download
memory/512-0-0x0000000000110000-0x0000000000714000-memory.dmp

Filesize
6.0MB

Download
memory/2316-284-0x000001C080000000-0x000001C081000000-memory.dmp

Filesize
16.0MB

Download
memory/2316-244-0x000001C0F1780000-0x000001C0F1781000-memory.dmp

Filesize
4KB

Download
memory/2316-78-0x000001C080000000-0x000001C081000000-memory.dmp

Filesize
16.0MB

Download
memory/2316-379-0x000001C080000000-0x000001C081000000-memory.dmp

Filesize
16.0MB

Download
memory/2316-375-0x000001C080000000-0x000001C081000000-memory.dmp

Filesize
16.0MB

Download
memory/2316-174-0x000001C0F1780000-0x000001C0F1781000-memory.dmp

Filesize
4KB

Download
memory/2316-177-0x000001C080000000-0x000001C081000000-memory.dmp

Filesize
16.0MB

Download
memory/2316-185-0x000001C080000000-0x000001C081000000-memory.dmp

Filesize
16.0MB

Download
memory/2316-195-0x000001C080000000-0x000001C081000000-memory.dmp

Filesize
16.0MB

Download
memory/2316-338-0x000001C080000000-0x000001C081000000-memory.dmp

Filesize
16.0MB

Download
memory/2316-201-0x000001C080000000-0x000001C081000000-memory.dmp

Filesize
16.0MB

Download
memory/2316-207-0x000001C080000000-0x000001C081000000-memory.dmp

Filesize
16.0MB

Download
memory/2316-210-0x000001C0F1780000-0x000001C0F1781000-memory.dmp

Filesize
4KB

Download
memory/2316-211-0x000001C0F1780000-0x000001C0F1781000-memory.dmp

Filesize
4KB

Download
memory/2316-241-0x000001C0F1780000-0x000001C0F1781000-memory.dmp

Filesize
4KB

Download
memory/2316-332-0x000001C080000000-0x000001C081000000-memory.dmp

Filesize
16.0MB

Download
memory/2316-260-0x000001C0F1780000-0x000001C0F1781000-memory.dmp

Filesize
4KB

Download
memory/2316-261-0x000001C0F1780000-0x000001C0F1781000-memory.dmp

Filesize
4KB

Download
memory/2316-280-0x000001C080000000-0x000001C081000000-memory.dmp

Filesize
16.0MB

Download
memory/2316-329-0x000001C080000000-0x000001C081000000-memory.dmp

Filesize
16.0MB

Download
memory/2316-286-0x000001C080000000-0x000001C081000000-memory.dmp

Filesize
16.0MB

Download
memory/2316-307-0x000001C080000000-0x000001C081000000-memory.dmp

Filesize
16.0MB

Download
memory/2316-312-0x000001C080000000-0x000001C081000000-memory.dmp

Filesize
16.0MB

Download
memory/2316-317-0x000001C080000000-0x000001C081000000-memory.dmp

Filesize
16.0MB

Download
memory/2316-321-0x000001C080000000-0x000001C081000000-memory.dmp

Filesize
16.0MB

Download
memory/2316-328-0x000001C080000000-0x000001C081000000-memory.dmp

Filesize
16.0MB

Download
memory/4528-19-0x00000000007F0000-0x0000000000840000-memory.dmp

Filesize
320KB

Download
memory/4528-202-0x00007FFC6A920000-0x00007FFC6B3E1000-memory.dmp

Filesize
10.8MB

Download
memory/4528-24-0x00007FFC6A920000-0x00007FFC6B3E1000-memory.dmp

Filesize
10.8MB

Download
memory/4528-52-0x000000001B510000-0x000000001B520000-memory.dmp

Filesize
64KB

Download
memory/5004-68-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads