44caliber | eed68707e59dc98bd1ad070c221886f3f8bcf896e58a9b942db269131430aa19

General

Target

ae0f9194e7fd070c3a47b9d550a6d289.exe
Size

575KB
MD5

ae0f9194e7fd070c3a47b9d550a6d289
SHA1

4ea77099b19a2bc97179728762af1d84ee8dec19
SHA256

eed68707e59dc98bd1ad070c221886f3f8bcf896e58a9b942db269131430aa19
SHA512

ec84a5f6c6effc7b05771f5ca3699e410ab28471fc213e36071634b6b98cd18571ae100cf6f4829e0b358d1ecb3677eedd64d4585bd80e10bd00930e2bc0789d
SSDEEP

12288:SNpszYhvXWSVJdMae2T+tGSJLrjLBo2LGR91HJij4iNI:OhvJVJdMKIPm2aR9Wj4V

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/874260465914630166/YmSMYTAh4JvQzJsgRc2EmVUT8hghw4iK_JJ5OFAo3bh4-shVmgB_0JNr7QRHglK5jDG2

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 2 IoCs

Processes:

Mod.online.exescript.exe

pid process

3020 Mod.online.exe
2640 script.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exeMod.online.exe

pid process

2336 cmd.exe
3020 Mod.online.exe
3020 Mod.online.exe
3020 Mod.online.exe
3020 Mod.online.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 freegeoip.app
3 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3020	Mod.online.exe
2640	script.exe

pid	process
2336	cmd.exe
3020	Mod.online.exe
3020	Mod.online.exe
3020	Mod.online.exe
3020	Mod.online.exe

flow	ioc
2	freegeoip.app
3	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

script.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	script.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	script.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

script.exe

pid process

2640 script.exe
2640 script.exe
2640 script.exe
2640 script.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

script.exe

description pid process

Token: SeDebugPrivilege 2640 script.exe

pid	process
2640	script.exe
2640	script.exe
2640	script.exe
2640	script.exe

description	pid	process
Token: SeDebugPrivilege	2640	script.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ae0f9194e7fd070c3a47b9d550a6d289.execmd.exeMod.online.exe

description	pid	process	target process
PID 2080 wrote to memory of 2336	2080	ae0f9194e7fd070c3a47b9d550a6d289.exe	cmd.exe
PID 2080 wrote to memory of 2336	2080	ae0f9194e7fd070c3a47b9d550a6d289.exe	cmd.exe
PID 2080 wrote to memory of 2336	2080	ae0f9194e7fd070c3a47b9d550a6d289.exe	cmd.exe
PID 2080 wrote to memory of 2336	2080	ae0f9194e7fd070c3a47b9d550a6d289.exe	cmd.exe
PID 2336 wrote to memory of 3020	2336	cmd.exe	Mod.online.exe
PID 2336 wrote to memory of 3020	2336	cmd.exe	Mod.online.exe
PID 2336 wrote to memory of 3020	2336	cmd.exe	Mod.online.exe
PID 2336 wrote to memory of 3020	2336	cmd.exe	Mod.online.exe
PID 3020 wrote to memory of 2640	3020	Mod.online.exe	script.exe
PID 3020 wrote to memory of 2640	3020	Mod.online.exe	script.exe
PID 3020 wrote to memory of 2640	3020	Mod.online.exe	script.exe
PID 3020 wrote to memory of 2640	3020	Mod.online.exe	script.exe

C:\Users\Admin\AppData\Local\Temp\ae0f9194e7fd070c3a47b9d550a6d289.exe
"C:\Users\Admin\AppData\Local\Temp\ae0f9194e7fd070c3a47b9d550a6d289.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start mod.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mod.online.exe
Mod.online.exe -p12375182538712372132185dusjbfis
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Local\Temp\RarSFX1\script.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\script.exe"
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt
Filesize
444B

MD5
64bb9983eea2a0387ce50dacb2b09cf3

SHA1
f05a9ec9b12105940900baf86637515da8c0e489

SHA256
772f026600b0511e13a2c86787f2cd3c82d13acbc20eba885313a8b887ce6690

SHA512
657501c146b06a86a1d295ab29c7dfdfba4795dff41e80ceb0d7a19b7147432e74f0839232e0ad8d6e9421e3d2b06345a1c927a8d446eef3ae4b31898819ed27

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mod.online.exe
Filesize
412KB

MD5
53bc88dea99cd3d2d6d33d9ac8edb566

SHA1
fea905b854cad7be84b44de30656e403c96cfa01

SHA256
cb38fa13226341a4afb7d1c325d012db3c51ba66ffc12fde0c263a1076e36843

SHA512
b36247e0fe3d05921b53cce6873ae5a4e8d434c78bf74b870ddf8aa9e3a7064c3cee60d6ffc86896214b3ca623f350374dc8b08c0828bb3620fdf498683f9926

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start mod.bat
Filesize
65B

MD5
5b451b3712dacb00dceae7378fa0777d

SHA1
9db56576d53d45ee2e86f1dbf4f3e9eaa6356316

SHA256
2b3b6c86e07322c8e1c56379b3e35e93ceb2383c407a101ab581352ae9e079ec

SHA512
342dd1dbc126caccabc00daf3b4385430157f64cc467d922ef5911b1ce89a165ced227e50203fe8d668ed9d4e7f6c35b18e0423a1d8d04910a24eeff0df26730

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\script.exe
Filesize
274KB

MD5
c392b5d558f9606404d5eb258e40dbef

SHA1
75fb512c3dea3a013b0d2db00d39b8e74efe7bd8

SHA256
a91968b4925751ff1802dc072df6c88a18886f79f43222332c12fde47db67376

SHA512
b516e1af7a9426ba523e1cbd04c1d1b158c273ad53db0023e4e0fdc112d91b64e0148a9e4589810c9129c8083fd621b26efcaab8ea9b5d3c57d2e563edc6a94d

Download Submit
memory/2640-36-0x00000000010D0000-0x000000000111A000-memory.dmp

Filesize
296KB

Download
memory/2640-37-0x000007FEF5770000-0x000007FEF615C000-memory.dmp

Filesize
9.9MB

Download
memory/2640-38-0x000000001B570000-0x000000001B5F0000-memory.dmp

Filesize
512KB

Download
memory/2640-87-0x000007FEF5770000-0x000007FEF615C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing