44caliber | 6723c608be16ce8a8e79c52dfae90c4fefa55b386411ac977d9565e4308c727d

General

Target

b6a21ab39a7778dc807009a9cd23d82c.exe
Size

943KB
MD5

b6a21ab39a7778dc807009a9cd23d82c
SHA1

817268a507ce95db80028c0b0b095a3b3ed1cbc3
SHA256

6723c608be16ce8a8e79c52dfae90c4fefa55b386411ac977d9565e4308c727d
SHA512

7587c25beb4853fe58cfd8c2cce0f0de0dd4e976824e580e4c2d71271f542ec6f9fbc0d7958e6da483dfe5e2a317e5dc6091c12319d2d94bfbfa973fbcd5a869
SSDEEP

24576:iiSvJKfOVWGK+PvpWuiWIpOEYWtR167N:kKfIG+PvpWI4ti7

Score

10^/10

44caliber evasion persistence spyware stealer trojan upx

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/864993390039138344/KcIraJ14D-c_gxt8b62QhfVu_PGaoIgxX5A9WLR2Iw9WLUoF8VGIsnRR969mXFvP0Unf

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Users\\Admin\\AppData\\Local\\Pic1fPBkmq\\LOHejsSdpL.exe\" -s"	b6a21ab39a7778dc807009a9cd23d82c.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b6a21ab39a7778dc807009a9cd23d82c.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	b6a21ab39a7778dc807009a9cd23d82c.exe

Executes dropped EXE 1 IoCs

pid	Process
3744	Q4efoe5ztW.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1768-0-0x0000000000400000-0x00000000006C2000-memory.dmp	upx
behavioral2/memory/1768-43-0x0000000000400000-0x00000000006C2000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	freegeoip.app
20	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Q4efoe5ztW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Q4efoe5ztW.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3744	Q4efoe5ztW.exe
3744	Q4efoe5ztW.exe
3744	Q4efoe5ztW.exe
3744	Q4efoe5ztW.exe
3744	Q4efoe5ztW.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3744	Q4efoe5ztW.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 3744	1768	b6a21ab39a7778dc807009a9cd23d82c.exe	95
PID 1768 wrote to memory of 3744	1768	b6a21ab39a7778dc807009a9cd23d82c.exe	95

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b6a21ab39a7778dc807009a9cd23d82c.exe

C:\Users\Admin\AppData\Local\Temp\b6a21ab39a7778dc807009a9cd23d82c.exe
"C:\Users\Admin\AppData\Local\Temp\b6a21ab39a7778dc807009a9cd23d82c.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1768
- C:\Users\Admin\AppData\Local\Temp\Q4efoe5ztW.exe
  "C:\Users\Admin\AppData\Local\Temp\Q4efoe5ztW.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
8f013a31f35e43382f73c65d6ea49ae0

SHA1
4f6c30a6483522c2ff3e5789fc396f285b876c55

SHA256
04cb3846e0d11ad5d0450f797fb935d6d97f0267b7f713054b885e50c8bdb4ae

SHA512
90501fc8b5a7cca89dfbe2bbb3e257e36d3bb9d0a9bf67e8c80c04e9519aeac1f868d679ccdfbb37d4faa4a404c2cbf4842430009d6d85c81e48e8d73225d3a8

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
235B

MD5
8ed73b92f216a4e3c36187b732ec65cc

SHA1
8a2c43e5f12e2f8ea338113de88fbdab16ed5acb

SHA256
bd3bc72250bf29868c972ba29561f68196c2cd2eb4e62f262ef8233a172df7ad

SHA512
8608ec0f4ffbd5e5e16a16dd46cbfe4999aa2d042f363d0dff9e6f71b7f55485297cfcdab07ec4ecc041c8cb7d8d997d1cc6ff37600a1c772a55e6aa7a8fd576

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
572B

MD5
f3990e1f69c42b53f52f6ff14e1eda7a

SHA1
d081d86d00b710f6c47dce0fe4e6e80a8f234cc2

SHA256
b5e5aefb9bb5b395283037bb5890fbb97fdb48117a1db1d49ac93d3d67fd51ab

SHA512
893df12dbd61dbe9b0c8691f87d3f5e51e3ca0f12790e5907049d7dbf763a3c1889245d1f2215209c8e69864e591b4f0c6198810eb25d8a6b5d4d138bc68e761

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
902B

MD5
3b6b68f35c44b93f3d7b457ec3f65fbc

SHA1
06d542fe2496bcd3a7d32eef969ad9301fff1600

SHA256
51c38ee9b6d0f7952b2a1d25758ade44a8b08c7f4f4207f2eb5bd6b48c8bb13e

SHA512
3a8160907234befdafe9eb0425c221361d1709ddc192d3cad012b5a809093005fa70cd58575828d43de281dc1075e74bf36e13c46f3e3731a3697a29767384b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q4efoe5ztW.exe

Filesize
274KB

MD5
78fe81b560fe19e1a42a017a667f3f06

SHA1
4a75705ce154ef06374f1c48e7dcc321b8342d5a

SHA256
122b27bae3026a926b31aee5722909c010291a4635a3bb725caa1c71006ea327

SHA512
f19b09c6883a6df1f15dddaf8ac06d9709fc038ae1c8ca9f69d994c3370c35069e304690275ee1f3aebb44e8e682071ee56c06c01597c9afd925ada66499d050

Download Submit
memory/1768-0-0x0000000000400000-0x00000000006C2000-memory.dmp

Filesize
2.8MB

Download
memory/1768-43-0x0000000000400000-0x00000000006C2000-memory.dmp

Filesize
2.8MB

Download
memory/3744-14-0x00000000007D0000-0x000000000081A000-memory.dmp

Filesize
296KB

Download
memory/3744-27-0x00007FFAE2B30000-0x00007FFAE35F1000-memory.dmp

Filesize
10.8MB

Download
memory/3744-34-0x0000000000F20000-0x0000000000F30000-memory.dmp

Filesize
64KB

Download
memory/3744-143-0x000000001C0B0000-0x000000001C259000-memory.dmp

Filesize
1.7MB

Download
memory/3744-144-0x00007FFAE2B30000-0x00007FFAE35F1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads