44caliber | b5a965edeb39450f6a9e30cf9d736d4393a8d162fa4ee8872607187f22876e65

Analysis

max time kernel
93s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24-02-2024 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2d7e6834fe7510524bb96023fe12f81.exe
Size

599KB
MD5

a2d7e6834fe7510524bb96023fe12f81
SHA1

4a8bc0cb53af1f339591602e5a0532fbb91e7da3
SHA256

b5a965edeb39450f6a9e30cf9d736d4393a8d162fa4ee8872607187f22876e65
SHA512

28b61e06bb2cb2802cfa6cefd8af5db2e1fb22d575ba0cd13a0940ce50134af61fe3c8d6f8a244e3764ce0d1ed3255ebdf02ad34346560684b9e93a8b1b02cf4
SSDEEP

6144:puEqm9rW3B/Z1WaWgyf8SMhL6og81/eyrjZZZZZZrMZZFZZZMZKZZZZZZZZFZZZy:kEZwjdbyf7meyrbp

Score

10^/10

44caliber spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 freegeoip.app
4 freegeoip.app

flow	ioc
3	freegeoip.app
4	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a2d7e6834fe7510524bb96023fe12f81.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	a2d7e6834fe7510524bb96023fe12f81.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	a2d7e6834fe7510524bb96023fe12f81.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a2d7e6834fe7510524bb96023fe12f81.exe

pid	process
4200	a2d7e6834fe7510524bb96023fe12f81.exe
4200	a2d7e6834fe7510524bb96023fe12f81.exe
4200	a2d7e6834fe7510524bb96023fe12f81.exe
4200	a2d7e6834fe7510524bb96023fe12f81.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a2d7e6834fe7510524bb96023fe12f81.exe

description pid process

Token: SeDebugPrivilege 4200 a2d7e6834fe7510524bb96023fe12f81.exe

description	pid	process
Token: SeDebugPrivilege	4200	a2d7e6834fe7510524bb96023fe12f81.exe

C:\Users\Admin\AppData\Local\Temp\a2d7e6834fe7510524bb96023fe12f81.exe
"C:\Users\Admin\AppData\Local\Temp\a2d7e6834fe7510524bb96023fe12f81.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
224B

MD5
d516f7a94140098ad5570793b9b6ac75

SHA1
7de9b27328480136d2f20a032472ea3310f83b44

SHA256
dc2f5a5407fbd372deb83b79290713ef20a4a4cbade345c83986b94ac2bab677

SHA512
4f48af2acea324ad3cd502693397d6daee12f1456f0dcd8587a81754ff16eeaf5d72e1b63567a86de453523c9d5e091fe89af934443956532532060211b429b5

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
740B

MD5
1f25624da9ffc511e1f0ddd93bc1c2d5

SHA1
94888aa42a3ab9ec84b838749ef032065606cf4c

SHA256
30f58e98a028b818e80bd008526389a31f8e31c991f6629017d46b4fbacab58e

SHA512
a2cdbcdfa09432c821e7546e186717440ee9235dcee62e60f3dda38a0933197ef4d68128d38e9a41e5269e613c41de0f898d2e45dcc7c2b52f64cabdf66ebeea

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
1b1d6fb41fc0ce025a650dbe0d249938

SHA1
dd20cf3e4c97597b819a1fbb4b3834616906af7a

SHA256
0f8aaf82f9478c199ad1ffba740d6023b032321a199a2ab016b9daafdf634f49

SHA512
0c3f9fa18edca1ef9096efbe24b497b1f675becf108b13daeece9233dab7fcad7db63ff9359ab6bb6f046725517e9f0103c2249901e37c05310067c3fd42a04f

Download Submit
memory/4200-0-0x00000000004C0000-0x000000000055C000-memory.dmp

Filesize
624KB

Download
memory/4200-14-0x00007FFF85E00000-0x00007FFF868C1000-memory.dmp

Filesize
10.8MB

Download
memory/4200-28-0x000000001B200000-0x000000001B210000-memory.dmp

Filesize
64KB

Download
memory/4200-126-0x00007FFF85E00000-0x00007FFF868C1000-memory.dmp

Filesize
10.8MB

Download