44caliber | f5d4d00585bc3ce90b52da8ab326bfbf9d56a0d1b6db730d64fdd57a57eeb26d

Analysis

max time kernel
85s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2024 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8370cd58844abd13fc7a113aabcec32c.exe
Size

869KB
MD5

8370cd58844abd13fc7a113aabcec32c
SHA1

4378b1039b722723ebe0832da64b7f1885b8c367
SHA256

f5d4d00585bc3ce90b52da8ab326bfbf9d56a0d1b6db730d64fdd57a57eeb26d
SHA512

84dd5b8f7082e6f72e94b1e850d3b44d47cbc10a8a1048a1239708b1775e444191f830fd9536cf54c06854d4407e06b9fa652bb7b54eb48bfe499cf2d4afb0be
SSDEEP

12288:RoxMjZnX1gzrgPFcE0Mt0aiKyedOmfkz/XUkIBlrNfmzKIod1Iiq4DB1huOI7GZ/:RNlq6902zX9dOmfkz/HIQ0

Score

10^/10

44caliber spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 freegeoip.app
7 freegeoip.app

flow	ioc
8	freegeoip.app
7	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8370cd58844abd13fc7a113aabcec32c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	8370cd58844abd13fc7a113aabcec32c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	8370cd58844abd13fc7a113aabcec32c.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

8370cd58844abd13fc7a113aabcec32c.exe

pid	process
4136	8370cd58844abd13fc7a113aabcec32c.exe
4136	8370cd58844abd13fc7a113aabcec32c.exe
4136	8370cd58844abd13fc7a113aabcec32c.exe
4136	8370cd58844abd13fc7a113aabcec32c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8370cd58844abd13fc7a113aabcec32c.exe

description pid process

Token: SeDebugPrivilege 4136 8370cd58844abd13fc7a113aabcec32c.exe

description	pid	process
Token: SeDebugPrivilege	4136	8370cd58844abd13fc7a113aabcec32c.exe

C:\Users\Admin\AppData\Local\Temp\8370cd58844abd13fc7a113aabcec32c.exe
"C:\Users\Admin\AppData\Local\Temp\8370cd58844abd13fc7a113aabcec32c.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4136

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
6e8b99553c5aafb4273449e17546ef50

SHA1
023fc203d5fb437bf84c9c236014a168719caf73

SHA256
58462569cbbd065ea6af4a11902a3712441f237874ca21d1fa464c3c0b836641

SHA512
e60d02acc0f047deec703b842d45ff8e2a8efeb4593b7b8d05b961ccef2aa7e134d048fefbb39a1d14d57633c1fb7ee804fedb5ba295de6186f8fbc367fc4590

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
262B

MD5
b1e50105462896876d0806a0dce2b9e8

SHA1
311a65a7735ac30d2fb651b54a6bae8e00153046

SHA256
6e96138bc7d07ef4355ec67ec8827f40cb10e67beb72318b8584e726129dd6af

SHA512
bc7f6b0fddce0d36bf44786d057cfcbab9a14ec4f306a1c924c31cf8433237df9c4ea9e299d0f647f0281f36f588bb3191e142bb597dd28f169fb259bb2b3892

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
63ebae1cd3a199307de0fadf64b12175

SHA1
bce3484ed2640e350c20f5fb5d06b38b11b69b38

SHA256
6ff932b898609a166771e077621d91db77e92529b62ad312af49b02a07ee7fb7

SHA512
1909cf95e658371a63a7cdc88f42bb8b4b6bebaa558456b2d0851600525db1a7b7ecea91ee6be2c93b9955ccc1e21231f11396abc9497adc52b10e6c350a3c59

Download Submit
memory/4136-0-0x000001D76D5B0000-0x000001D76D692000-memory.dmp

Filesize
904KB

Download
memory/4136-1-0x000001D76DA30000-0x000001D76DA36000-memory.dmp

Filesize
24KB

Download
memory/4136-2-0x00007FFBBDD30000-0x00007FFBBE7F1000-memory.dmp

Filesize
10.8MB

Download
memory/4136-3-0x000001D76FCD0000-0x000001D76FCE0000-memory.dmp

Filesize
64KB

Download
memory/4136-126-0x00007FFBBDD30000-0x00007FFBBE7F1000-memory.dmp

Filesize
10.8MB

Download