44caliber | eed68707e59dc98bd1ad070c221886f3f8bcf896e58a9b942db269131430aa19

General

Target

ae0f9194e7fd070c3a47b9d550a6d289.exe
Size

575KB
MD5

ae0f9194e7fd070c3a47b9d550a6d289
SHA1

4ea77099b19a2bc97179728762af1d84ee8dec19
SHA256

eed68707e59dc98bd1ad070c221886f3f8bcf896e58a9b942db269131430aa19
SHA512

ec84a5f6c6effc7b05771f5ca3699e410ab28471fc213e36071634b6b98cd18571ae100cf6f4829e0b358d1ecb3677eedd64d4585bd80e10bd00930e2bc0789d
SSDEEP

12288:SNpszYhvXWSVJdMae2T+tGSJLrjLBo2LGR91HJij4iNI:OhvJVJdMKIPm2aR9Wj4V

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/874260465914630166/YmSMYTAh4JvQzJsgRc2EmVUT8hghw4iK_JJ5OFAo3bh4-shVmgB_0JNr7QRHglK5jDG2

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ae0f9194e7fd070c3a47b9d550a6d289.exeMod.online.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	ae0f9194e7fd070c3a47b9d550a6d289.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Mod.online.exe

Executes dropped EXE 2 IoCs

Processes:

Mod.online.exescript.exe

pid process

5012 Mod.online.exe
2452 script.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 freegeoip.app
10 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5012	Mod.online.exe
2452	script.exe

flow	ioc
9	freegeoip.app
10	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

script.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	script.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	script.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

script.exe

pid process

2452 script.exe
2452 script.exe
2452 script.exe
2452 script.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

script.exe

description pid process

Token: SeDebugPrivilege 2452 script.exe

pid	process
2452	script.exe
2452	script.exe
2452	script.exe
2452	script.exe

description	pid	process
Token: SeDebugPrivilege	2452	script.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ae0f9194e7fd070c3a47b9d550a6d289.execmd.exeMod.online.exe

description	pid	process	target process
PID 1916 wrote to memory of 4796	1916	ae0f9194e7fd070c3a47b9d550a6d289.exe	cmd.exe
PID 1916 wrote to memory of 4796	1916	ae0f9194e7fd070c3a47b9d550a6d289.exe	cmd.exe
PID 1916 wrote to memory of 4796	1916	ae0f9194e7fd070c3a47b9d550a6d289.exe	cmd.exe
PID 4796 wrote to memory of 5012	4796	cmd.exe	Mod.online.exe
PID 4796 wrote to memory of 5012	4796	cmd.exe	Mod.online.exe
PID 4796 wrote to memory of 5012	4796	cmd.exe	Mod.online.exe
PID 5012 wrote to memory of 2452	5012	Mod.online.exe	script.exe
PID 5012 wrote to memory of 2452	5012	Mod.online.exe	script.exe

C:\Users\Admin\AppData\Local\Temp\ae0f9194e7fd070c3a47b9d550a6d289.exe
"C:\Users\Admin\AppData\Local\Temp\ae0f9194e7fd070c3a47b9d550a6d289.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start mod.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4796

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mod.online.exe
Mod.online.exe -p12375182538712372132185dusjbfis
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012

C:\Users\Admin\AppData\Local\Temp\RarSFX1\script.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\script.exe"
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mod.online.exe
Filesize
412KB

MD5
53bc88dea99cd3d2d6d33d9ac8edb566

SHA1
fea905b854cad7be84b44de30656e403c96cfa01

SHA256
cb38fa13226341a4afb7d1c325d012db3c51ba66ffc12fde0c263a1076e36843

SHA512
b36247e0fe3d05921b53cce6873ae5a4e8d434c78bf74b870ddf8aa9e3a7064c3cee60d6ffc86896214b3ca623f350374dc8b08c0828bb3620fdf498683f9926

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start mod.bat
Filesize
65B

MD5
5b451b3712dacb00dceae7378fa0777d

SHA1
9db56576d53d45ee2e86f1dbf4f3e9eaa6356316

SHA256
2b3b6c86e07322c8e1c56379b3e35e93ceb2383c407a101ab581352ae9e079ec

SHA512
342dd1dbc126caccabc00daf3b4385430157f64cc467d922ef5911b1ce89a165ced227e50203fe8d668ed9d4e7f6c35b18e0423a1d8d04910a24eeff0df26730

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\script.exe
Filesize
274KB

MD5
c392b5d558f9606404d5eb258e40dbef

SHA1
75fb512c3dea3a013b0d2db00d39b8e74efe7bd8

SHA256
a91968b4925751ff1802dc072df6c88a18886f79f43222332c12fde47db67376

SHA512
b516e1af7a9426ba523e1cbd04c1d1b158c273ad53db0023e4e0fdc112d91b64e0148a9e4589810c9129c8083fd621b26efcaab8ea9b5d3c57d2e563edc6a94d

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
797eafc225555e06c114e90b4668dc4a

SHA1
4bad2f2843bedd4b5a51c88e9dcfbb0b671a4342

SHA256
60a47d206ce6b42bdef66d635b7bc21be38c1faa483b938c469026ef9321a9d4

SHA512
279a450c6cf2660b26ae73970e9c2ad3e14edaf4082afee6fa6913c382058989e857d4f034b2af80bef2179b8811e1f1c01411be3fefa7f59d9703c40dcc6adb

Download Submit
memory/2452-22-0x0000000000F30000-0x0000000000F7A000-memory.dmp

Filesize
296KB

Download
memory/2452-33-0x00007FFAE9DE0000-0x00007FFAEA8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2452-50-0x000000001BBF0000-0x000000001BC00000-memory.dmp

Filesize
64KB

Download
memory/2452-150-0x00007FFAE9DE0000-0x00007FFAEA8A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads