44caliber | b6d903a6675cad3991fc497696dd68fd108d835f577c2f97142593c2871461c7

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-02-2024 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

icode.exe
Size

274KB
MD5

7fefc276f2e1ae851bef2b3be49ffa83
SHA1

083df00bb408f94805ec1e9cfa70c95cccf1b4c7
SHA256

b6d903a6675cad3991fc497696dd68fd108d835f577c2f97142593c2871461c7
SHA512

4dd1b172b78b444a8a6ca6b3d5987dba30b85600eb97feb6e2ad90288e1d8fc7c1e49be0b9565bbf23ef4f8236e16407f6f671351f4ebc4604ae00bf3f592d7b
SSDEEP

6144:5f+BLtABPDMtBBfn1Y0gIoHOQpafTyclI1D03e7:+tVvgIoHOOR1DF7

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discordapp.com/api/webhooks/1177318846365978644/WqRVEpWYXkvEShUxMDfFChXP4hGQTeq-WCw7kZXxlaQ3h4sSnNIoFPbGdna5FGYOsBPj

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	freegeoip.app
3	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	icode.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	icode.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1740	icode.exe
1740	icode.exe
1740	icode.exe
1740	icode.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	icode.exe

C:\Users\Admin\AppData\Local\Temp\icode.exe
"C:\Users\Admin\AppData\Local\Temp\icode.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
142B

MD5
709a2ee5ba172eca63775e30efdc21ac

SHA1
82738ce7a04f60750a990896998318ddcdd7e2c2

SHA256
a9e557b9dc4444e01417107028e6f51ed41a8c3a1ac2cc17649f20f7133e0989

SHA512
42d6224d472879b32faf26556018d260cd67cc7b2f61dac78c0418f5b4ccd73f2d12563ab7a09bbf94e079c0fa3ef1658df2ddac0d10a991635e2c1d4fa0007a

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
359B

MD5
3c1087ae8a2223af67b473263e4dd087

SHA1
789c8bb3f1eff42869b7c2529b2b3e6079ce936f

SHA256
4e2242811c232c654bc81e7dbfbd1973af808d9945d74369a4d01771444248f3

SHA512
dc813905f909b83d05348f7356d5770cd072f274bd927a535eb86259d1aa80360309c1b2b1f3ac2bc456b69e22a4ac6d9e961e7cb89de7e1eeca8ef8a61e3615

Download Submit
memory/1740-0-0x0000000001350000-0x000000000139A000-memory.dmp

Filesize
296KB

Download
memory/1740-1-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/1740-2-0x000000001B090000-0x000000001B110000-memory.dmp

Filesize
512KB

Download
memory/1740-50-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download