44caliber | 8a513917248c59b0b1f2b4789443ea0b0fedaec8b095045eced81dc85c83e53b

General

Target

7785a72cf5de9918ebd92440ee3713e2.exe
Size

1001KB
MD5

7785a72cf5de9918ebd92440ee3713e2
SHA1

51d6a04a1ae80abd4c121980cf13827d70a8bbff
SHA256

8a513917248c59b0b1f2b4789443ea0b0fedaec8b095045eced81dc85c83e53b
SHA512

a4dfc424876a741aa5764d45a3b1152edb3dbeb9fad12640ade0b3188ecde6cdf53df7c150454738f7e277072cfbc7fc8da40883bb3ecfc0d6c9e457b1d44e3e
SSDEEP

24576:diSvJKfOVWGK+PvpWuiWIp5V63X3EN8TPmqv:dKfIG+PvpWy3dTPmq

Score

10^/10

44caliber evasion persistence spyware stealer trojan upx

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/864993390039138344/KcIraJ14D-c_gxt8b62QhfVu_PGaoIgxX5A9WLR2Iw9WLUoF8VGIsnRR969mXFvP0Unf

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Users\\Admin\\AppData\\Local\\Pic1fPBkmq\\LOHejsSdpL.exe\" -s"	7785a72cf5de9918ebd92440ee3713e2.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7785a72cf5de9918ebd92440ee3713e2.exe

Executes dropped EXE 1 IoCs

pid	Process
2984	AwmPVXJGkr.exe

Loads dropped DLL 1 IoCs

pid	Process
2220	7785a72cf5de9918ebd92440ee3713e2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2220-0-0x0000000000400000-0x00000000006E0000-memory.dmp	upx
behavioral1/memory/2220-60-0x0000000000400000-0x00000000006E0000-memory.dmp	upx
behavioral1/memory/2220-62-0x0000000002A60000-0x0000000002A70000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
5	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AwmPVXJGkr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AwmPVXJGkr.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2984	AwmPVXJGkr.exe
2984	AwmPVXJGkr.exe
2984	AwmPVXJGkr.exe
2984	AwmPVXJGkr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	AwmPVXJGkr.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2984	2220	7785a72cf5de9918ebd92440ee3713e2.exe	28
PID 2220 wrote to memory of 2984	2220	7785a72cf5de9918ebd92440ee3713e2.exe	28
PID 2220 wrote to memory of 2984	2220	7785a72cf5de9918ebd92440ee3713e2.exe	28
PID 2220 wrote to memory of 2984	2220	7785a72cf5de9918ebd92440ee3713e2.exe	28

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7785a72cf5de9918ebd92440ee3713e2.exe

C:\Users\Admin\AppData\Local\Temp\7785a72cf5de9918ebd92440ee3713e2.exe
"C:\Users\Admin\AppData\Local\Temp\7785a72cf5de9918ebd92440ee3713e2.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2220
- C:\Users\Admin\AppData\Local\Temp\AwmPVXJGkr.exe
  "C:\Users\Admin\AppData\Local\Temp\AwmPVXJGkr.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\AwmPVXJGkr.exe

Filesize
274KB

MD5
78fe81b560fe19e1a42a017a667f3f06

SHA1
4a75705ce154ef06374f1c48e7dcc321b8342d5a

SHA256
122b27bae3026a926b31aee5722909c010291a4635a3bb725caa1c71006ea327

SHA512
f19b09c6883a6df1f15dddaf8ac06d9709fc038ae1c8ca9f69d994c3370c35069e304690275ee1f3aebb44e8e682071ee56c06c01597c9afd925ada66499d050

Download Submit
memory/2220-0-0x0000000000400000-0x00000000006E0000-memory.dmp

Filesize
2.9MB

Download
memory/2220-3-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/2220-60-0x0000000000400000-0x00000000006E0000-memory.dmp

Filesize
2.9MB

Download
memory/2220-62-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/2984-10-0x0000000000CD0000-0x0000000000D1A000-memory.dmp

Filesize
296KB

Download
memory/2984-11-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2984-12-0x000000001B0D0000-0x000000001B150000-memory.dmp

Filesize
512KB

Download
memory/2984-59-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads