44caliber | 1eea18b03dc4ffc0f1275b0f3f2937453b74705f08d35c2b397842ef6b4b7fa7

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b39616eddb775b3042422950ffd7513f.exe
Size

482KB
MD5

b39616eddb775b3042422950ffd7513f
SHA1

3131401a631ff036fc78b874e1092eb626cfa091
SHA256

1eea18b03dc4ffc0f1275b0f3f2937453b74705f08d35c2b397842ef6b4b7fa7
SHA512

0d98b26c6864fbf809bca54e517df971c7f5e1cf477d23148e0ffa3797cfe96f9d357c3e39ca0f5aa75a09d766d2f86878b352fa02d120b6e032f6f1c50d096c
SSDEEP

12288:+wdhWXp9ojnHiUKhl1sBh1Sq/+wjRe+tG0YR61wS6GK:+wdhWXDojnCUKf6Bhkq/fjXYbuwS6

Score

10^/10

44caliber spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 freegeoip.app
8 freegeoip.app

flow	ioc
7	freegeoip.app
8	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b39616eddb775b3042422950ffd7513f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	b39616eddb775b3042422950ffd7513f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	b39616eddb775b3042422950ffd7513f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

b39616eddb775b3042422950ffd7513f.exe

pid	process
3852	b39616eddb775b3042422950ffd7513f.exe
3852	b39616eddb775b3042422950ffd7513f.exe
3852	b39616eddb775b3042422950ffd7513f.exe
3852	b39616eddb775b3042422950ffd7513f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b39616eddb775b3042422950ffd7513f.exe

description pid process

Token: SeDebugPrivilege 3852 b39616eddb775b3042422950ffd7513f.exe

description	pid	process
Token: SeDebugPrivilege	3852	b39616eddb775b3042422950ffd7513f.exe

C:\Users\Admin\AppData\Local\Temp\b39616eddb775b3042422950ffd7513f.exe
"C:\Users\Admin\AppData\Local\Temp\b39616eddb775b3042422950ffd7513f.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
552B

MD5
9f030de7b47a0a1eacc28956acc24d75

SHA1
c93f58a83aa62f9e7954485814dfa6822ac10733

SHA256
b8e70fffac7c0f3ab2e5f8fe8cab27f54897196f6729104baa05dcf03623a1c0

SHA512
72913a25c161648f1c69525148f6250537cd5d904cde3767515f2cae1fb2b24a01c039dfab674c3bbdfefe2411bb70defccc5d1e52dd3285f3a92953ac349db3

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
729B

MD5
f94780ef395df208557bf39339430d18

SHA1
8bcd8b63d0999609a6f3f2336bb76fcc7ff4844a

SHA256
6adc18ec374f615b81a2c0fc74ef383bad066c45ede66b437f53f98ef04e5e45

SHA512
42d8692c3b369a0662fb454af57e02ca52c16d320c1a73db5359e62816684a49e81572dccfd503012de85192d9b997b92f65fa8031a080b84759204f1ae97cb2

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
f709079fbc0f820b939d253ae8678771

SHA1
9a73efc32648856bf85cb9b28b2a6742f1e8906c

SHA256
1da31e7f1a823caae6d2060fbe25e9899d75d7aab1b7fe950f51d1a5eab5099a

SHA512
732e54518b8414e931962575fab96f22c5069f960847f2c9fef3f4fa2991eea2477553b94b7cb55c7e3d4312a6b099f38c61a05df92bf868122135ecec174771

Download Submit
memory/3852-0-0x0000000000A90000-0x0000000000B0E000-memory.dmp

Filesize
504KB

Download
memory/3852-1-0x00007FF873F20000-0x00007FF8749E1000-memory.dmp

Filesize
10.8MB

Download
memory/3852-2-0x000000001B830000-0x000000001B840000-memory.dmp

Filesize
64KB

Download
memory/3852-3-0x000000001BA40000-0x000000001BAF4000-memory.dmp

Filesize
720KB

Download
memory/3852-126-0x00007FF873F20000-0x00007FF8749E1000-memory.dmp

Filesize
10.8MB

Download