44caliber | f1a5c8f4f3ab1e52cb2b85da2c0a0a1196600d77864b2a08f10994df7ca19e47

General

Target

8d88b6afcfdf51afa91d7fbdbda3123f.exe
Size

3.7MB
MD5

8d88b6afcfdf51afa91d7fbdbda3123f
SHA1

8992be4a6ad43f41f4098f5f6e16c52ce1a15128
SHA256

f1a5c8f4f3ab1e52cb2b85da2c0a0a1196600d77864b2a08f10994df7ca19e47
SHA512

1df17fbc715acee1c6a8067372c08e6566b50a92840af6d3369d00cf6f0cad9256f5d16f22f57055db89a9fb10520506f51f97eabf5177201f31fe9119df1527
SSDEEP

98304:ebvEDT/eSXK4YubNjNS/AAjz0h+9I/E9rep:eE/LYuFNp4++hSp

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/867414880008142858/TD_59PPDbRxUvtxfYmpmvXB-AISV68npXT3nWVWmC5qoDjluGk0XKjmzmpP1jyAwpfZk

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8d88b6afcfdf51afa91d7fbdbda3123f.execryptTROJAN.sfx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	8d88b6afcfdf51afa91d7fbdbda3123f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	cryptTROJAN.sfx.exe

Executes dropped EXE 2 IoCs

Processes:

cryptTROJAN.sfx.execryptTROJAN.exe

pid process

3580 cryptTROJAN.sfx.exe
3484 cryptTROJAN.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 freegeoip.app
7 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

cryptTROJAN.exe

pid process

3484 cryptTROJAN.exe
3484 cryptTROJAN.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3580	cryptTROJAN.sfx.exe
3484	cryptTROJAN.exe

flow	ioc
6	freegeoip.app
7	freegeoip.app

pid	process
3484	cryptTROJAN.exe
3484	cryptTROJAN.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cryptTROJAN.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	cryptTROJAN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	cryptTROJAN.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

cryptTROJAN.exe

pid process

3484 cryptTROJAN.exe
3484 cryptTROJAN.exe
3484 cryptTROJAN.exe
3484 cryptTROJAN.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cryptTROJAN.exe

description pid process

Token: SeDebugPrivilege 3484 cryptTROJAN.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cryptTROJAN.exe

pid process

3484 cryptTROJAN.exe

pid	process
3484	cryptTROJAN.exe
3484	cryptTROJAN.exe
3484	cryptTROJAN.exe
3484	cryptTROJAN.exe

description	pid	process
Token: SeDebugPrivilege	3484	cryptTROJAN.exe

pid	process
3484	cryptTROJAN.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8d88b6afcfdf51afa91d7fbdbda3123f.execryptTROJAN.sfx.exe

description	pid	process	target process
PID 6068 wrote to memory of 3580	6068	8d88b6afcfdf51afa91d7fbdbda3123f.exe	cryptTROJAN.sfx.exe
PID 6068 wrote to memory of 3580	6068	8d88b6afcfdf51afa91d7fbdbda3123f.exe	cryptTROJAN.sfx.exe
PID 6068 wrote to memory of 3580	6068	8d88b6afcfdf51afa91d7fbdbda3123f.exe	cryptTROJAN.sfx.exe
PID 3580 wrote to memory of 3484	3580	cryptTROJAN.sfx.exe	cryptTROJAN.exe
PID 3580 wrote to memory of 3484	3580	cryptTROJAN.sfx.exe	cryptTROJAN.exe
PID 3580 wrote to memory of 3484	3580	cryptTROJAN.sfx.exe	cryptTROJAN.exe

C:\Users\Admin\AppData\Local\Temp\8d88b6afcfdf51afa91d7fbdbda3123f.exe
"C:\Users\Admin\AppData\Local\Temp\8d88b6afcfdf51afa91d7fbdbda3123f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:6068

C:\Users\Admin\AppData\Local\Temp\cryptTROJAN.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\cryptTROJAN.sfx.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580

C:\Users\Admin\AppData\Local\Temp\cryptTROJAN.exe
"C:\Users\Admin\AppData\Local\Temp\cryptTROJAN.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt
Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
1KB

MD5
801e378f85c5b3318afde5d5fbce65c6

SHA1
2210eaf6d140f7803b568a74f00f2e538cd56eb1

SHA256
aa94021f388a3344468d22e4f61bc6fe65a9298293132629a92682e55aaa6888

SHA512
594b95c4a7f296130354dd1ddd234860540c28f411c6a48db7d6bf5aad5f7643e8cd152c368b53892de277e285f65e24924093f477017dba1fa96df90e415cd8

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
404B

MD5
40bf9f1012e282053a956614b3467911

SHA1
6f52067d12224e8b97f475ad524b5f6c8292072d

SHA256
38ae6dc1e3c84a1c1eadc589440dc3ef4bb3c33e2914eed6fe59b1dfc78d4241

SHA512
c7a9ed612c4e1ac547bc1f4282d8cea30010b1bb7e0778562105310803e6eeaec74aed814fc425296787f13bda0d0bd8445a92819e61c080428ec625f52b3fbb

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
740B

MD5
c586eb6cd6194f7075b3973dc61ac049

SHA1
409471e2df597717c99259b5f7278e5fab391d8b

SHA256
7f8c7bf38cca5645d520ba67a9f341247aac66adb562cf95f158c068711e930e

SHA512
afc5fda8f27f7fd43d7ec0fc1d7518ff725ec457dac8d14ea9b055d8a63fbc7a12c39f264f9dfa705eda1b33de3e1b44f4e9015eb65cdeb5107c6be01da2bb8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cryptTROJAN.exe
Filesize
780KB

MD5
451055c310b0bdeed20908240ce6d63e

SHA1
c26024481d73c2ada258298c53545614c6c4327d

SHA256
dc404ff3bcf1671f826c05eb6c13c14825021c0ca3c4b6f1b4684bdd27af768d

SHA512
a3c903d6e6004d12808fbcab6476176060426045bab35ec3bec9c074fab291e38d3c347a492ed618d4b6b00715ad36592dfdb9ea633b9eee3bd928f808bc7f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cryptTROJAN.exe
Filesize
1.2MB

MD5
6bc1ac14fb765bc7aa33a62e6e7701d7

SHA1
4455de5129e69a432de89611ee791b1e2f40111f

SHA256
68f3e5266ef869124be9372c77b53a116d6ddc5e11f74fb920bd1d58bcfd4968

SHA512
6dffbecadc1e7784687960b807354abd85e7872435f033480c49ceedd08a3e40446343ffbf1f435be1779545d7b834eac5e346353c5b43e1cf0ab1df8e7e5fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cryptTROJAN.exe
Filesize
1.1MB

MD5
12ad539be2bc54a7cfdc973ee4cf1ee2

SHA1
f83c08a7bd5ade366376dc0ffe3b0afea00d78ea

SHA256
dfdb0bc24921512b3b4f6eb921b222fb2574dd8cd3e5214edea7c5b09e04d61d

SHA512
4e2185ef5f9a2f91427be1b5f01954d744fe7d3766a279cf93c1b9186a6fe9ec2ee61e45e9b900121ca68d0ca3ba0cc16269d26a3c964c4812ae23dd06f78255

Download Submit
C:\Users\Admin\AppData\Local\Temp\cryptTROJAN.sfx.exe
Filesize
1.5MB

MD5
3f5d5939fc0c515ddbc9e9894e34ae04

SHA1
8e77baff4342245a4fe90ddfc42297c778580c07

SHA256
c2667527dd33a4d633aafc8a8fe44a50b0745693c427363251ac1d28ed1a330c

SHA512
6606009775077c7756d00cf3dcb9840f33de5c823ac36e11a1de226c1ca468d026bb709e2bbcfb5b416bdf804e064067bbb455d609d418dc6ff5bd2197eeec75

Download Submit
memory/3484-27-0x00000000062E0000-0x00000000062F0000-memory.dmp

Filesize
64KB

Download
memory/3484-24-0x0000000000FB0000-0x000000000135C000-memory.dmp

Filesize
3.7MB

Download
memory/3484-33-0x0000000006C70000-0x0000000006D02000-memory.dmp

Filesize
584KB

Download
memory/3484-63-0x0000000007800000-0x0000000007DA4000-memory.dmp

Filesize
5.6MB

Download
memory/3484-150-0x00000000076E0000-0x0000000007746000-memory.dmp

Filesize
408KB

Download
memory/3484-26-0x0000000000FB0000-0x000000000135C000-memory.dmp

Filesize
3.7MB

Download
memory/3484-25-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/3484-23-0x0000000000FB0000-0x000000000135C000-memory.dmp

Filesize
3.7MB

Download
memory/3484-154-0x0000000000FB0000-0x000000000135C000-memory.dmp

Filesize
3.7MB

Download
memory/3484-155-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads