44caliber | 69ced06ad3bc263adc214a2c2a3c14169cc8f1ffd1d9878ce8cb6daa46124610

General

Target

736a9be813a4658c3175082adfac608e.exe
Size

1.1MB
MD5

736a9be813a4658c3175082adfac608e
SHA1

8f1cced332b2faa62f4574a81a44ba35e4493730
SHA256

69ced06ad3bc263adc214a2c2a3c14169cc8f1ffd1d9878ce8cb6daa46124610
SHA512

810434e369b4d6c01952ec80990c0548159c3637b9347b1578b08705fefa6a6dfde4f6d58cb2c337a322c962903b4e23ee64358704c2ee9cf5343ed91e9b59ca
SSDEEP

24576:BiSvJKfOVWGK+PvpWuiWIp28LjUbXm13aqejgcegXTlMf8Bxq:JKfIG+PvpWhiXm13aN5XZ

Score

10^/10

44caliber evasion persistence spyware stealer trojan upx

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/864993390039138344/KcIraJ14D-c_gxt8b62QhfVu_PGaoIgxX5A9WLR2Iw9WLUoF8VGIsnRR969mXFvP0Unf

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Users\\Admin\\AppData\\Local\\Pic1fPBkmq\\LOHejsSdpL.exe\" -s"	736a9be813a4658c3175082adfac608e.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	736a9be813a4658c3175082adfac608e.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	736a9be813a4658c3175082adfac608e.exe

Executes dropped EXE 2 IoCs

pid	Process
1808	OPWlEI8bP5.exe
2236	f5qqqCN4vG.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2892-0-0x0000000000400000-0x00000000006DD000-memory.dmp	upx
behavioral2/memory/2892-150-0x0000000000400000-0x00000000006DD000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	freegeoip.app
9	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	OPWlEI8bP5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	OPWlEI8bP5.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1808	OPWlEI8bP5.exe
1808	OPWlEI8bP5.exe
1808	OPWlEI8bP5.exe
1808	OPWlEI8bP5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	OPWlEI8bP5.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 1808	2892	736a9be813a4658c3175082adfac608e.exe	88
PID 2892 wrote to memory of 1808	2892	736a9be813a4658c3175082adfac608e.exe	88
PID 2892 wrote to memory of 2236	2892	736a9be813a4658c3175082adfac608e.exe	89
PID 2892 wrote to memory of 2236	2892	736a9be813a4658c3175082adfac608e.exe	89
PID 2236 wrote to memory of 220	2236	f5qqqCN4vG.exe	91
PID 2236 wrote to memory of 220	2236	f5qqqCN4vG.exe	91

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	736a9be813a4658c3175082adfac608e.exe

C:\Users\Admin\AppData\Local\Temp\736a9be813a4658c3175082adfac608e.exe
"C:\Users\Admin\AppData\Local\Temp\736a9be813a4658c3175082adfac608e.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2892
- C:\Users\Admin\AppData\Local\Temp\OPWlEI8bP5.exe
  "C:\Users\Admin\AppData\Local\Temp\OPWlEI8bP5.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Users\Admin\AppData\Local\Temp\f5qqqCN4vG.exe
  "C:\Users\Admin\AppData\Local\Temp\f5qqqCN4vG.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Color 0
    3⤵
    PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
4620b6a61232612c657d7900e3186520

SHA1
a622c28439e41d15a1786042a83aebc7b61293a0

SHA256
7800ea6c957a25bcdfa6bd341b155b50046ef0900c8990b7732e36623a1798e1

SHA512
8d9489e217ee55fbc4c4f951f92a7db94c5ebcb82b3c3a2c65f4d8bf786eface8d378b591e53ed99e9313e1362f3444130c4985e2407df23d885437fdefd6a20

Download Submit
C:\ProgramData\44\Process.txt

Filesize
742B

MD5
d11415f723289fe5a166d373d86f9d2e

SHA1
01c9f3e17e0a88328d459ffb95c808f7282e5d65

SHA256
a6437d6babf99bc3d6e42f3357cb778c7bfc09077a62fb6dd0013e5f5ef6f4de

SHA512
705d307c62b58ad9ec635eb269a2834b2b0ccf90391985682d71ce46f5f47e198a0702c55932ba7cb74a343c0e2763467bfef405dad78997c2f980769eeca9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPWlEI8bP5.exe

Filesize
274KB

MD5
78fe81b560fe19e1a42a017a667f3f06

SHA1
4a75705ce154ef06374f1c48e7dcc321b8342d5a

SHA256
122b27bae3026a926b31aee5722909c010291a4635a3bb725caa1c71006ea327

SHA512
f19b09c6883a6df1f15dddaf8ac06d9709fc038ae1c8ca9f69d994c3370c35069e304690275ee1f3aebb44e8e682071ee56c06c01597c9afd925ada66499d050

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5qqqCN4vG.exe

Filesize
396KB

MD5
45db94fb4d2b1b054d4d0ecd0dba8a34

SHA1
766f409fe00c34fb25bde9b3f9828490271c0e28

SHA256
b9d6db75e19a9313d62cb3734e904ba257d6832977bdfaf443f5e26c1d4c2bde

SHA512
a22ca1988beeedea72c6c5f1a778120b65519adecb159f073de7650cd1c2633955432a97f5cf9a5d07ca1fefa0d6a9fdbf36194d5879c69bfb7d390079079c11

Download Submit
memory/1808-13-0x0000000000140000-0x000000000018A000-memory.dmp

Filesize
296KB

Download
memory/1808-24-0x00007FFADD120000-0x00007FFADDBE1000-memory.dmp

Filesize
10.8MB

Download
memory/1808-26-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/1808-149-0x00007FFADD120000-0x00007FFADDBE1000-memory.dmp

Filesize
10.8MB

Download
memory/2892-0-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/2892-150-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads