44caliber | 8a513917248c59b0b1f2b4789443ea0b0fedaec8b095045eced81dc85c83e53b

General

Target

7785a72cf5de9918ebd92440ee3713e2.exe
Size

1001KB
MD5

7785a72cf5de9918ebd92440ee3713e2
SHA1

51d6a04a1ae80abd4c121980cf13827d70a8bbff
SHA256

8a513917248c59b0b1f2b4789443ea0b0fedaec8b095045eced81dc85c83e53b
SHA512

a4dfc424876a741aa5764d45a3b1152edb3dbeb9fad12640ade0b3188ecde6cdf53df7c150454738f7e277072cfbc7fc8da40883bb3ecfc0d6c9e457b1d44e3e
SSDEEP

24576:diSvJKfOVWGK+PvpWuiWIp5V63X3EN8TPmqv:dKfIG+PvpWy3dTPmq

Score

10^/10

44caliber evasion persistence spyware stealer trojan upx

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/864993390039138344/KcIraJ14D-c_gxt8b62QhfVu_PGaoIgxX5A9WLR2Iw9WLUoF8VGIsnRR969mXFvP0Unf

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Users\\Admin\\AppData\\Local\\Pic1fPBkmq\\LOHejsSdpL.exe\" -s"	7785a72cf5de9918ebd92440ee3713e2.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7785a72cf5de9918ebd92440ee3713e2.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	7785a72cf5de9918ebd92440ee3713e2.exe

Executes dropped EXE 1 IoCs

pid	Process
2228	2qcRwyDJnY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3880-0-0x0000000000400000-0x00000000006E0000-memory.dmp	upx
behavioral2/memory/3880-139-0x0000000000400000-0x00000000006E0000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	freegeoip.app
8	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	2qcRwyDJnY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2qcRwyDJnY.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2228	2qcRwyDJnY.exe
2228	2qcRwyDJnY.exe
2228	2qcRwyDJnY.exe
2228	2qcRwyDJnY.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	2qcRwyDJnY.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 2228	3880	7785a72cf5de9918ebd92440ee3713e2.exe	54
PID 3880 wrote to memory of 2228	3880	7785a72cf5de9918ebd92440ee3713e2.exe	54

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7785a72cf5de9918ebd92440ee3713e2.exe

C:\Users\Admin\AppData\Local\Temp\7785a72cf5de9918ebd92440ee3713e2.exe
"C:\Users\Admin\AppData\Local\Temp\7785a72cf5de9918ebd92440ee3713e2.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3880
- C:\Users\Admin\AppData\Local\Temp\2qcRwyDJnY.exe
  "C:\Users\Admin\AppData\Local\Temp\2qcRwyDJnY.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
ba18b8c32ba37d36518e292eb7e5c6f3

SHA1
47a2208988b4be8800fd0ffc241130b40853e799

SHA256
419813483907fefc80fd79a896de0755217c1142688acea18f7a67d4dd20dbbb

SHA512
34930954c4f2b3001481d6b59918e3f3b6e852609dcae83974f829b06413c5361eaefe7ee559f277b8af1bb6cfab97aa14598319afb91b6a1abc45ca7292d6e6

Download Submit
C:\ProgramData\44\Process.txt

Filesize
920B

MD5
386173ea35dd17469b776afecd776206

SHA1
10033ac64678d712412c6e1a1a23a69e9e8cfb0d

SHA256
7ccbc2727e2363430bbd181f571c56e00bd8a2d8b976bf36b89bab1c33f98974

SHA512
1d20f7ce52a480612517dce2c83cab2c2ef10eb516919e6a513062c66d7ddcda3012bba2bfd58918d6bf0b82a3589c75d01e5a5b8c78c35a392a8e916aba91f2

Download Submit
C:\ProgramData\44\Process.txt

Filesize
935B

MD5
ed9ee1a2e731049d499ea7eb15ea47cb

SHA1
70752656f2953dee309a44e3b3b815e7befdf73b

SHA256
e1f7941c8b02f35c2a3d5b4bec90b5ce00e8b16f97b38e5cf9cf2549ecea5b3b

SHA512
fcf20e010858d117fbe2981937ec7ca00a88e797e2bdc4f2f5a23a9c5bf64e69b1f3fc094116c8eef2bc97b32911eca9a81dd6601e9df087c468eb31654a477c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2qcRwyDJnY.exe

Filesize
274KB

MD5
78fe81b560fe19e1a42a017a667f3f06

SHA1
4a75705ce154ef06374f1c48e7dcc321b8342d5a

SHA256
122b27bae3026a926b31aee5722909c010291a4635a3bb725caa1c71006ea327

SHA512
f19b09c6883a6df1f15dddaf8ac06d9709fc038ae1c8ca9f69d994c3370c35069e304690275ee1f3aebb44e8e682071ee56c06c01597c9afd925ada66499d050

Download Submit
memory/2228-14-0x0000000000980000-0x00000000009CA000-memory.dmp

Filesize
296KB

Download
memory/2228-45-0x00007FFAEE340000-0x00007FFAEEE01000-memory.dmp

Filesize
10.8MB

Download
memory/2228-46-0x0000000002B10000-0x0000000002B20000-memory.dmp

Filesize
64KB

Download
memory/2228-138-0x00007FFAEE340000-0x00007FFAEEE01000-memory.dmp

Filesize
10.8MB

Download
memory/3880-0-0x0000000000400000-0x00000000006E0000-memory.dmp

Filesize
2.9MB

Download
memory/3880-139-0x0000000000400000-0x00000000006E0000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads