44caliber | f1a5c8f4f3ab1e52cb2b85da2c0a0a1196600d77864b2a08f10994df7ca19e47

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03-02-2024 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d88b6afcfdf51afa91d7fbdbda3123f.exe
Size

3.7MB
MD5

8d88b6afcfdf51afa91d7fbdbda3123f
SHA1

8992be4a6ad43f41f4098f5f6e16c52ce1a15128
SHA256

f1a5c8f4f3ab1e52cb2b85da2c0a0a1196600d77864b2a08f10994df7ca19e47
SHA512

1df17fbc715acee1c6a8067372c08e6566b50a92840af6d3369d00cf6f0cad9256f5d16f22f57055db89a9fb10520506f51f97eabf5177201f31fe9119df1527
SSDEEP

98304:ebvEDT/eSXK4YubNjNS/AAjz0h+9I/E9rep:eE/LYuFNp4++hSp

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/867414880008142858/TD_59PPDbRxUvtxfYmpmvXB-AISV68npXT3nWVWmC5qoDjluGk0XKjmzmpP1jyAwpfZk

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Executes dropped EXE 2 IoCs

pid	Process
2284	cryptTROJAN.sfx.exe
2768	cryptTROJAN.exe

Loads dropped DLL 7 IoCs

pid	Process
2228	8d88b6afcfdf51afa91d7fbdbda3123f.exe
2228	8d88b6afcfdf51afa91d7fbdbda3123f.exe
2228	8d88b6afcfdf51afa91d7fbdbda3123f.exe
2284	cryptTROJAN.sfx.exe
2284	cryptTROJAN.sfx.exe
2284	cryptTROJAN.sfx.exe
2284	cryptTROJAN.sfx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
5	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2768	cryptTROJAN.exe
2768	cryptTROJAN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	cryptTROJAN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	cryptTROJAN.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2768	cryptTROJAN.exe
2768	cryptTROJAN.exe
2768	cryptTROJAN.exe
2768	cryptTROJAN.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	cryptTROJAN.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2768	cryptTROJAN.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2284	2228	8d88b6afcfdf51afa91d7fbdbda3123f.exe	28
PID 2228 wrote to memory of 2284	2228	8d88b6afcfdf51afa91d7fbdbda3123f.exe	28
PID 2228 wrote to memory of 2284	2228	8d88b6afcfdf51afa91d7fbdbda3123f.exe	28
PID 2228 wrote to memory of 2284	2228	8d88b6afcfdf51afa91d7fbdbda3123f.exe	28
PID 2284 wrote to memory of 2768	2284	cryptTROJAN.sfx.exe	29
PID 2284 wrote to memory of 2768	2284	cryptTROJAN.sfx.exe	29
PID 2284 wrote to memory of 2768	2284	cryptTROJAN.sfx.exe	29
PID 2284 wrote to memory of 2768	2284	cryptTROJAN.sfx.exe	29

C:\Users\Admin\AppData\Local\Temp\8d88b6afcfdf51afa91d7fbdbda3123f.exe
"C:\Users\Admin\AppData\Local\Temp\8d88b6afcfdf51afa91d7fbdbda3123f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\cryptTROJAN.sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\cryptTROJAN.sfx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\cryptTROJAN.exe
    "C:\Users\Admin\AppData\Local\Temp\cryptTROJAN.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
187B

MD5
059c2d490fd92f6bccf599af91292ca7

SHA1
5326629260f34df439817ceecc81ffaa31b0a116

SHA256
b0d7f45441d24e8c832977cfee269ec308170fe2cd51ac3c39c68f3c3986a29b

SHA512
99f4e70abe2145d419c3d28a4f2f450e0e81a1e32959c0a423ec427f2a5e86544fda9cc12a87f178a147a0de2a14a50ec6f511c79a66071aed4ff81c0844349b

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
391B

MD5
7a293ca948cb4c7d56988cb4eafdb367

SHA1
a660e7942fcc97fd418f641885ab9a046784955f

SHA256
0bee68a346ac53f0fbbcabe91120948aded6e254a09f274addfee1eaecae01d0

SHA512
aa9111b43d2bf63ca3a589fc1c5445663dd0c610cd570270cb172e60100e0fab63b711616abc5f114a23d036daed2580b1b6d3cc6e9bf85056001dfe1af7ca2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cryptTROJAN.exe

Filesize
559KB

MD5
b29b4e017b29da24a965c15faac3122c

SHA1
ff9a87706279ae570cff30000cdfd19c565c0373

SHA256
3d3ed8797a86ad71bf1ef3ab0c4f2c666ee85b199a09f8af51e1ab5f98b50bbd

SHA512
5a3e6842bf189362a75b885a9c69ab19c24f7b25f8a87fe84187b07ebccb4f7a9f3ae6a092d9739557442bbfeff1b748147cc9c48b277264f77807a99b30815a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cryptTROJAN.exe

Filesize
331KB

MD5
cbe290ef7cd9a6d2f7e1e4b53c2e567a

SHA1
32767e51db74d2c7a5af440bd8f472fcb1a3dae5

SHA256
bea2035ebebebf6cb13bdef31906e1c717e7a9ff5c7adca2d9f1748acedc6495

SHA512
bc89196044c4f8daca2fc3ac14cbf1e61893607ccaf1d71b63581322f860d5cef330c0b40dfc16fc33fb578ba65f2025e36b572da1acb19f8b3a3179d4adacfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cryptTROJAN.sfx.exe

Filesize
565KB

MD5
74b46b07efa5ddbb5ac38e94a9de40de

SHA1
dfd8c1c5bb16dc09b00703b98df79ed9cc04984d

SHA256
a3ea81e0d6bdb2a2345ee933faa4b81ff146c1b294bca91c0f6b178cd4dc9f4e

SHA512
e6257ac686a5563e96ddddc715e81810d5a75a43b450eb36759d3795713bdfdf3a6fe474e8f1eade090739520f169131d4fef2886a1230dbc83c72d3d069473c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cryptTROJAN.sfx.exe

Filesize
410KB

MD5
72947bcbb91145caaed3c97d90891fa3

SHA1
227a505eb320995bae3a8b8fe9bd0e13f31dd86b

SHA256
065d3ba3b42d1c0f9c71973598aaeef662e5dc1cbf842b089387ac7698bf7cf1

SHA512
53aff39abd698cce0fc912d075971e7f97f992e86541778e29b3e1fbbed0d8a2925fa68c122677850f0761ed5743d3c9153b193a1827ddb3ab05c476a7c35615

Download Submit
C:\Users\Admin\AppData\Local\Temp\cryptTROJAN.sfx.exe

Filesize
459KB

MD5
0870e789b55b3543a12d0e8bb3e82af5

SHA1
7e80109e731072c8e13702a84e44c4947cf90e8c

SHA256
c6f570e010d4139e7ff6c74b64c7f3dc4352f7da7f646de4e90652c6ed927105

SHA512
dcd3ab47006d5fd0a7a0a594e4418f1f14e01a1d7f0a80b5827a94847c1c3917650e878b0a6f8f7d9a8979d5446d536a3c9c32e8d3f78224ca7930bad786f9cb

Download Submit
\??\c:\users\admin\appdata\local\temp\crypttrojan.exe

Filesize
445KB

MD5
63d9a3e1e49dc8bdf16378b56c331be4

SHA1
fde8183e79938d4f008fd0322775025b695d04e9

SHA256
d379f9d0f65509c863fd9fcd0c37a2082e82046082089f7b9d3a60512a600d97

SHA512
754ec59627c52f48b6648ec032edd3ef3ef467c509aa4982e75180ba1d7aabac61376273e7211ee754f2ca5b4365930c820de764b273f148c733f7a058d9af16

Download Submit
\Users\Admin\AppData\Local\Temp\cryptTROJAN.exe

Filesize
685KB

MD5
ed12e52f984de5c0496e83d5a5253cc5

SHA1
42a6b482faee185a5b817adb08d9e8448af8c265

SHA256
834c749d35ac90fe9f9daac0d9de0fa28488e665a3edb20a62815a1d188d4ce4

SHA512
b095c4a4a1a5505d1e363fc1ae6b2dff86ef1aa2129443fcd10df414d2e51f0ee68d709e8537c166df971b787151726ec75383b6993e2dc40f3311cd9709565a

Download Submit
\Users\Admin\AppData\Local\Temp\cryptTROJAN.exe

Filesize
438KB

MD5
b8a1d6914f7856fd324aecc44fd46420

SHA1
272899b3348f75fa8183a1e218bf992043ca01d0

SHA256
e2b56dadd45119b27e2d83b3799d407280d0ada12c9cb24a7f08be6add9624e2

SHA512
9e1cda7870ad04355d477b1b5b6680c1bf4373550e9c96b06542913f47db894d58011f8e13c599c1585d4f0082b383391b96472f3a5c7f16073bb87aaefa5efe

Download Submit
\Users\Admin\AppData\Local\Temp\cryptTROJAN.exe

Filesize
434KB

MD5
364ba5c96b31db68f93732ea20b0c367

SHA1
cee7207e8d7de82e068c3564765c51cde2c33b72

SHA256
4c0b498f4695eac1a65786557e3bc467bbcfc30c50f087a4ffb385b6b7fcd395

SHA512
2011c93bb20efbde074ffb8bc239cb5d0aea6b7a2f6645a48fcb26d5c45086a0cd459602f5334c136415b8ce217c424ee4134b6398dcc049b2c8f6162fe2c149

Download Submit
\Users\Admin\AppData\Local\Temp\cryptTROJAN.exe

Filesize
782KB

MD5
2220ba938d94d3b0fe6ee3a603e8ebe9

SHA1
835cd009e2f8a26ff2932a3c7ab40f2157ec2d0c

SHA256
9f18be12378c33b16baddd974453375fc66345ddc0fb6c624fbcb99b89a7a639

SHA512
a019f2240acc5a3de1a7502fb4ea1c04c7a116b6656b0c75d3f4c9e410c86e6c3e57e1798b1539c900172838998cb5bc9b040804f82e1860dca55b7b6a6c3b59

Download Submit
\Users\Admin\AppData\Local\Temp\cryptTROJAN.sfx.exe

Filesize
643KB

MD5
5a72d6766fae427e4a8a737cd4baff50

SHA1
11e963d1226932c41f1d12a51abd93e3f8a9ed75

SHA256
ac239a1521e53b77efa285952a44225060a4531b41ff2fbb37a0c0ad96ee8f6c

SHA512
5fac582832ddd7bf2d41c66c87eec7b5f0af57bf6f72119b2f8980a230bb66d7afeae53107fb5ab8298f30ab653f309b8027068c3828570b5522e2988ef2e7b5

Download Submit
\Users\Admin\AppData\Local\Temp\cryptTROJAN.sfx.exe

Filesize
1.5MB

MD5
3f5d5939fc0c515ddbc9e9894e34ae04

SHA1
8e77baff4342245a4fe90ddfc42297c778580c07

SHA256
c2667527dd33a4d633aafc8a8fe44a50b0745693c427363251ac1d28ed1a330c

SHA512
6606009775077c7756d00cf3dcb9840f33de5c823ac36e11a1de226c1ca468d026bb709e2bbcfb5b416bdf804e064067bbb455d609d418dc6ff5bd2197eeec75

Download Submit
\Users\Admin\AppData\Local\Temp\cryptTROJAN.sfx.exe

Filesize
463KB

MD5
2e9e48bb3e7ca57b96f8b0646361f232

SHA1
90a1ea12998bfa08e10bac744a00f635c9601b3f

SHA256
f4f177f150f08db19306e5704f5775f101b34bb3f79e6f1d7dabc687be6c8857

SHA512
5d72167b1d03a3b7cb93050311dd61a63bcb227dd5fea9c9d5663dae810e056fd1c94f271ad88165a697ebe4471389ba8c67edfaa7264caa0ebcafdf305108ed

Download Submit
memory/2284-31-0x0000000004000000-0x00000000043AC000-memory.dmp

Filesize
3.7MB

Download
memory/2768-33-0x0000000000200000-0x00000000005AC000-memory.dmp

Filesize
3.7MB

Download
memory/2768-35-0x0000000000200000-0x00000000005AC000-memory.dmp

Filesize
3.7MB

Download
memory/2768-34-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2768-36-0x0000000000200000-0x00000000005AC000-memory.dmp

Filesize
3.7MB

Download
memory/2768-37-0x00000000059A0000-0x00000000059E0000-memory.dmp

Filesize
256KB

Download
memory/2768-89-0x0000000000200000-0x00000000005AC000-memory.dmp

Filesize
3.7MB

Download
memory/2768-90-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download