44caliber | 365b5ff8ca48c1fc8199963f1ca5b8ba17cdaf509a70bdcf39a1f494939efbef

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03-02-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d06aa1339eb228d1e1cadafaafa6642.exe
Size

1.2MB
MD5

8d06aa1339eb228d1e1cadafaafa6642
SHA1

10ee0eeae5ea05c4b129396e7698e080d1dd6b82
SHA256

365b5ff8ca48c1fc8199963f1ca5b8ba17cdaf509a70bdcf39a1f494939efbef
SHA512

c0db2d5c75d2b7fbaf5749979c98c7aa2b97ae89447b091b624f0c8b9c3339c5de26a174f477da6f9b4c04e1580d5bc2bdbc27ce8a295483cf6103c8ea825d70
SSDEEP

24576:SE6n68i0m4emAe0yup0fqRJXaFGAVD+jz4EhCjV2hvbS:z6n68NA3yupo+8VD+rG2B

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/856136644549672990/QUNtw2qTusIFDmzy-UzjpJMUoOb_iEuhuGYNbubQrYAP-N--gudEwK04jXD4FjY9AbgU

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 freegeoip.app
5 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

8d06aa1339eb228d1e1cadafaafa6642.exe

pid process

2212 8d06aa1339eb228d1e1cadafaafa6642.exe
2212 8d06aa1339eb228d1e1cadafaafa6642.exe

flow	ioc
4	freegeoip.app
5	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8d06aa1339eb228d1e1cadafaafa6642.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	8d06aa1339eb228d1e1cadafaafa6642.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	8d06aa1339eb228d1e1cadafaafa6642.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

8d06aa1339eb228d1e1cadafaafa6642.exe

pid	process
2212	8d06aa1339eb228d1e1cadafaafa6642.exe
2212	8d06aa1339eb228d1e1cadafaafa6642.exe
2212	8d06aa1339eb228d1e1cadafaafa6642.exe
2212	8d06aa1339eb228d1e1cadafaafa6642.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8d06aa1339eb228d1e1cadafaafa6642.exe

description pid process

Token: SeDebugPrivilege 2212 8d06aa1339eb228d1e1cadafaafa6642.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

8d06aa1339eb228d1e1cadafaafa6642.exe

pid process

2212 8d06aa1339eb228d1e1cadafaafa6642.exe

description	pid	process
Token: SeDebugPrivilege	2212	8d06aa1339eb228d1e1cadafaafa6642.exe

C:\Users\Admin\AppData\Local\Temp\8d06aa1339eb228d1e1cadafaafa6642.exe
"C:\Users\Admin\AppData\Local\Temp\8d06aa1339eb228d1e1cadafaafa6642.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2212

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
257B

MD5
df27f79d821632be1ec7067198672b4d

SHA1
b241f64158d3d7048fdf481e423b0a6b2dadd54a

SHA256
99206f959b2a42dc2c6508fc82c424eb835a89ae690792f73a045689abb07a18

SHA512
e1cf9074b98be94a314dd97d10e10cce9360c946331cfefdce3408c3d229f1ddf759afb8778f630055160553feae6bac3b24de2f48083fa18a60ca1d003119ae

Download Submit
memory/2212-0-0x00000000013E0000-0x0000000001790000-memory.dmp

Filesize
3.7MB

Download
memory/2212-1-0x00000000013E0000-0x0000000001790000-memory.dmp

Filesize
3.7MB

Download
memory/2212-2-0x00000000013E0000-0x0000000001790000-memory.dmp

Filesize
3.7MB

Download
memory/2212-3-0x0000000074B40000-0x000000007522E000-memory.dmp

Filesize
6.9MB

Download
memory/2212-4-0x0000000005620000-0x0000000005660000-memory.dmp

Filesize
256KB

Download
memory/2212-54-0x00000000013E0000-0x0000000001790000-memory.dmp

Filesize
3.7MB

Download
memory/2212-55-0x0000000074B40000-0x000000007522E000-memory.dmp

Filesize
6.9MB

Download