44caliber | 6cdb5078947a11f914073a6496fc85049857307ed075cccd89d9f6479986a2d7

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-02-2024 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae0d1ea3ce642b5f73d4c2f4028d45eb.exe
Size

9.8MB
MD5

ae0d1ea3ce642b5f73d4c2f4028d45eb
SHA1

f2d5fc31191f16c2c840cc8c5c1118c92a206459
SHA256

6cdb5078947a11f914073a6496fc85049857307ed075cccd89d9f6479986a2d7
SHA512

505dd29722b3d7d2975b0e4dcc8fe865b026535ca97ce249bf7feeb250938fc293943586a56b2ae317baa3768b68047990784c82c9855eed7fcd8d6d0edf2d7a
SSDEEP

6144:1OsE5m1O1B0Ln62oeD+ceV3DZgCtCFOzmoziZ+1p24u4Z3bF:YsZA0Nf+rxDCcnzmoziZ+1p24u4j

Score

10^/10

44caliber spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	freegeoip.app
9	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ae0d1ea3ce642b5f73d4c2f4028d45eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ae0d1ea3ce642b5f73d4c2f4028d45eb.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
640	ae0d1ea3ce642b5f73d4c2f4028d45eb.exe
640	ae0d1ea3ce642b5f73d4c2f4028d45eb.exe
640	ae0d1ea3ce642b5f73d4c2f4028d45eb.exe
640	ae0d1ea3ce642b5f73d4c2f4028d45eb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	ae0d1ea3ce642b5f73d4c2f4028d45eb.exe

C:\Users\Admin\AppData\Local\Temp\ae0d1ea3ce642b5f73d4c2f4028d45eb.exe
"C:\Users\Admin\AppData\Local\Temp\ae0d1ea3ce642b5f73d4c2f4028d45eb.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
743B

MD5
24b6f76c45c0e87a1c95d1a555e33c7c

SHA1
eccd200eaad60cb10e80d3b6886b45f1396545cf

SHA256
79ace4370fbd2a60eb24d7a46116f0f3641e12b171f34151b3a80599724d221e

SHA512
1ad2510a9f49046c7e263d318389621887c1a5756d9a46808d9099bbb60283d444f891b2de18bac21129e033428ecbdce6b10a81acf874e0d10b0ac891d73dec

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
a866a8cd0f34ea48637af73e45d2126b

SHA1
229f219a504164c9893f03929e920c7b9b3f045b

SHA256
9ee031a1f7dec1319606944f576544106e5bae695811b5dd557f42c05da13510

SHA512
e07c7f35a7362a1692394cac91850677c5ffae805b71b9ec102f969cd763cdc7f1d8cf90f753d6a3882b10afbae9f7a5715e399cac8d87c113b3274294cd3708

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
581387b4c212d438f1205fb30d5afbe8

SHA1
ef82dee1f42aca2839cdd9685ae1a5056a926cb2

SHA256
21b9564c1a7a242ace3c75cbeb645f9c1df345b478e13f6ce01a24dbe05f0ab3

SHA512
b4d1331956dcbb6b4b396a1ddf0f825b2af1cbcf52401785bdb91b111040ab2cc02e250b9d6000a9ce2d7a093358ca7d149fb5f7c681bbe35b16a7d507383439

Download Submit
memory/640-0-0x000001FF48BD0000-0x000001FF48C1E000-memory.dmp

Filesize
312KB

Download
memory/640-30-0x00007FFB4F590000-0x00007FFB50051000-memory.dmp

Filesize
10.8MB

Download
memory/640-31-0x000001FF4A840000-0x000001FF4A850000-memory.dmp

Filesize
64KB

Download
memory/640-123-0x00007FFB4F590000-0x00007FFB50051000-memory.dmp

Filesize
10.8MB

Download