44caliber | 5ac29f18472f943f2eb3c256fdbfe251b04ca66afc22fcba65183b0509feb529

Analysis

max time kernel
93s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x000a0000000122c9-5.exe
Size

534KB
MD5

0ce3051b867d50aa172d1b332f156e3e
SHA1

f87defe312cb3a5efea3f845d187762e153bddab
SHA256

5ac29f18472f943f2eb3c256fdbfe251b04ca66afc22fcba65183b0509feb529
SHA512

5169a3acd3c79cc4d22bf3a1f4d9770797d2c31503bab1022a153ad56c382e495de2ce06a8a04b3bb4b2fb2c666575dcdefa26533ff5affc4b6ce126e2166193
SSDEEP

6144:ef+BLtABPDLgj1xw1eO5rbMMzhgUsYqTXGG/5zJRb2IXe05f4VGWWxjdq:d161eO5rbHHsYqTXGOXXe+4k8

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1199323175729758268/CBdP8e3cXbL0ED8xKBhMw0ikKHmITu-6CI4WjfttZm2aWGZGjp43Msrjwp8AVeEBf6T1

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 freegeoip.app
1 freegeoip.app

flow	ioc
2	freegeoip.app
1	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0x000a0000000122c9-5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	0x000a0000000122c9-5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	0x000a0000000122c9-5.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

0x000a0000000122c9-5.exe

pid process

5088 0x000a0000000122c9-5.exe
5088 0x000a0000000122c9-5.exe
5088 0x000a0000000122c9-5.exe
5088 0x000a0000000122c9-5.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0x000a0000000122c9-5.exe

description pid process

Token: SeDebugPrivilege 5088 0x000a0000000122c9-5.exe

pid	process
5088	0x000a0000000122c9-5.exe
5088	0x000a0000000122c9-5.exe
5088	0x000a0000000122c9-5.exe
5088	0x000a0000000122c9-5.exe

description	pid	process
Token: SeDebugPrivilege	5088	0x000a0000000122c9-5.exe

C:\Users\Admin\AppData\Local\Temp\0x000a0000000122c9-5.exe
"C:\Users\Admin\AppData\Local\Temp\0x000a0000000122c9-5.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt
Filesize
407B

MD5
07e1146ac23766d00607594d42cb24a7

SHA1
a65e358e6b7013fe4c296b0aea419ff6509ffeee

SHA256
6e0ac302985f3adc6ff4d1d41b1a6a0ef1a1f986c7c999cdfb01606ed11e6e19

SHA512
e8702b8df12190be50e2041a848add1d3b7b474be005bade3f27cae5688efe546de6e60dfea33ea9558c36b6bcde7c38884f852b5b1b0a696e73e9f969d8bd0b

Download Submit
C:\ProgramData\44\Process.txt
Filesize
668B

MD5
37310e87b763364c0360a9d943b59780

SHA1
978f520a02e4f2cd10a75c156836085c93b5ec14

SHA256
177a8d3d79cdee94e3b565daf0bac24fad60a2ffdb9763cc994e63adc570be71

SHA512
f05cb399721b727117ba91119431a4e7f01bddad6ac4336d755fdef979031b41500c385c9cb56350adfb7b5ecd8e9cea57717f1902306c758ca29223139df959

Download Submit
C:\ProgramData\44\Process.txt
Filesize
878B

MD5
4da4999146cb9d3eb2922b0b76830ed8

SHA1
93575920042d57bc6ac9b0037cbba2e70b85d378

SHA256
3a969684f8ae32df06917895389243e70c4ce5ac8cbb4a8e0969c9e2c7915e77

SHA512
42f3a7256f773931ac7925c8e3e489ce99332f584d185bb339adf81507a814d395cbf9c52234d15d349b6e3b079e6d1b8a9a64347aa1d5d6192f8da8b05e70da

Download Submit
C:\ProgramData\44\Process.txt
Filesize
1KB

MD5
b7c98116cd2d3790b8eaa35d8daf126a

SHA1
2a7686fd637cb0c910c739939c9c82e7a0c5221d

SHA256
0fa67520c75b03984bcb241ed919cb7f73231f7b263cc31feee1999393b81ad9

SHA512
8a464332e37715500a97a9a7f1eeb79b35a57fe4da9d6bb76a399daab856e9a61d8e50890191649276bdaf3d2a77e587e11d92e1ede797e290bf07245ebc1add

Download Submit
memory/5088-0-0x0000028D36350000-0x0000028D363DA000-memory.dmp

Filesize
552KB

Download
memory/5088-31-0x00007FF923190000-0x00007FF923C51000-memory.dmp

Filesize
10.8MB

Download
memory/5088-32-0x0000028D508A0000-0x0000028D508B0000-memory.dmp

Filesize
64KB

Download
memory/5088-120-0x00007FF923190000-0x00007FF923C51000-memory.dmp

Filesize
10.8MB

Download