44caliber | 365b5ff8ca48c1fc8199963f1ca5b8ba17cdaf509a70bdcf39a1f494939efbef

Analysis

max time kernel
139s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d06aa1339eb228d1e1cadafaafa6642.exe
Size

1.2MB
MD5

8d06aa1339eb228d1e1cadafaafa6642
SHA1

10ee0eeae5ea05c4b129396e7698e080d1dd6b82
SHA256

365b5ff8ca48c1fc8199963f1ca5b8ba17cdaf509a70bdcf39a1f494939efbef
SHA512

c0db2d5c75d2b7fbaf5749979c98c7aa2b97ae89447b091b624f0c8b9c3339c5de26a174f477da6f9b4c04e1580d5bc2bdbc27ce8a295483cf6103c8ea825d70
SSDEEP

24576:SE6n68i0m4emAe0yup0fqRJXaFGAVD+jz4EhCjV2hvbS:z6n68NA3yupo+8VD+rG2B

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/856136644549672990/QUNtw2qTusIFDmzy-UzjpJMUoOb_iEuhuGYNbubQrYAP-N--gudEwK04jXD4FjY9AbgU

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 freegeoip.app
4 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

8d06aa1339eb228d1e1cadafaafa6642.exe

pid process

216 8d06aa1339eb228d1e1cadafaafa6642.exe
216 8d06aa1339eb228d1e1cadafaafa6642.exe

flow	ioc
3	freegeoip.app
4	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8d06aa1339eb228d1e1cadafaafa6642.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	8d06aa1339eb228d1e1cadafaafa6642.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	8d06aa1339eb228d1e1cadafaafa6642.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

8d06aa1339eb228d1e1cadafaafa6642.exe

pid	process
216	8d06aa1339eb228d1e1cadafaafa6642.exe
216	8d06aa1339eb228d1e1cadafaafa6642.exe
216	8d06aa1339eb228d1e1cadafaafa6642.exe
216	8d06aa1339eb228d1e1cadafaafa6642.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8d06aa1339eb228d1e1cadafaafa6642.exe

description pid process

Token: SeDebugPrivilege 216 8d06aa1339eb228d1e1cadafaafa6642.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

8d06aa1339eb228d1e1cadafaafa6642.exe

pid process

216 8d06aa1339eb228d1e1cadafaafa6642.exe

description	pid	process
Token: SeDebugPrivilege	216	8d06aa1339eb228d1e1cadafaafa6642.exe

C:\Users\Admin\AppData\Local\Temp\8d06aa1339eb228d1e1cadafaafa6642.exe
"C:\Users\Admin\AppData\Local\Temp\8d06aa1339eb228d1e1cadafaafa6642.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:216

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt
Filesize
731B

MD5
1814b93406e419ef386534e083bc2d89

SHA1
3f7902d66bab45556b4571563746bf33b4f2c96b

SHA256
a160736e6bea0060baefaae9612458c9205258b04244076403e4ebdabf527641

SHA512
58f3fdcb70a3159459359a9c4b9f9d84dde443e48d0484f302572e4d4f6f847f671aab65f0e16ed62ce7ab3d57791840d44f32dc6fd8ae1417cc07f10ba38afe

Download Submit
C:\ProgramData\44\Process.txt
Filesize
781B

MD5
aca70cadabef819055b7046e85268fa5

SHA1
c8bc5a9a459f549500489f54e12812827556b4c6

SHA256
e8c7140628ab56600621ab10b65415a66eeb3b2b00836aad2ced219debbd9657

SHA512
2d88d1a1fbb5eac24998d5ec223db5151fb2c2c19e580fc2b557a9caab20a62dc24ca7596199f04b5565d299073765e2694ca4bf76db39db60228fc13fc9f60e

Download Submit
C:\ProgramData\44\Process.txt
Filesize
1KB

MD5
216e99df48b82d9fafe5d409a7cbc77c

SHA1
20b200ff68fc3aa9b5d003e5be7360b06e9a926d

SHA256
196553a25a9b18e05e41b87b0e307ce558c04cc2e1fb943d40f8ab24854eb026

SHA512
aca17a750ed630b5d49b4a3235102504daaf8f310c896195178c9b632b6f66c02b997dc0a962d5e2fa64a2fd3d333a9a1b97c17685b29848afcc3d89fd02a8b4

Download Submit
memory/216-0-0x00000000006E0000-0x0000000000A90000-memory.dmp

Filesize
3.7MB

Download
memory/216-1-0x0000000073DA0000-0x0000000074550000-memory.dmp

Filesize
7.7MB

Download
memory/216-2-0x00000000006E0000-0x0000000000A90000-memory.dmp

Filesize
3.7MB

Download
memory/216-3-0x00000000037D0000-0x00000000037E0000-memory.dmp

Filesize
64KB

Download
memory/216-29-0x0000000005F70000-0x0000000006002000-memory.dmp

Filesize
584KB

Download
memory/216-37-0x0000000006EE0000-0x0000000007484000-memory.dmp

Filesize
5.6MB

Download
memory/216-122-0x0000000007F40000-0x0000000007FA6000-memory.dmp

Filesize
408KB

Download
memory/216-127-0x00000000006E0000-0x0000000000A90000-memory.dmp

Filesize
3.7MB

Download
memory/216-128-0x0000000073DA0000-0x0000000074550000-memory.dmp

Filesize
7.7MB

Download