44caliber | daba765d0976cef05ea981ca8d722a047138a24f31fe318e8a3d550251dd703f

General

Target

ba91e2cefca6e39537c09b39a52c0804.exe
Size

3.1MB
MD5

ba91e2cefca6e39537c09b39a52c0804
SHA1

d7d5321eb7715a0333f8dba7b9525e6545832626
SHA256

daba765d0976cef05ea981ca8d722a047138a24f31fe318e8a3d550251dd703f
SHA512

25d859aff4bf32090eb10caf608e5cb46af5238a2183700b132e977e231f9195ac084db0cdf7508a923b32be817c73847817deec512eb01182277ac9ffcc39c8
SSDEEP

49152:+cSg4AV+b5KxOKezg2J0UxzklXUVYrvW9KbI9NBeqIX226txvAL66+U73:+/GV+IWlyUxdoIKONwqIX22ExhQ3

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discordapp.com/api/webhooks/859014405580783637/J-rOLcLQORAp4rSIpre0H46Lhmzd8QK1hgRFNA4mqYSEz6dtJRq9HsK-id725NgqZTvK

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 2 IoCs

Processes:

release.exegg.exe

pid process

2104 release.exe
2604 gg.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exerelease.exe

pid process

2400 cmd.exe
2104 release.exe
2104 release.exe
2104 release.exe
2104 release.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 freegeoip.app
3 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

gg.exe

pid process

2604 gg.exe
2604 gg.exe
2604 gg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2104	release.exe
2604	gg.exe

pid	process
2400	cmd.exe
2104	release.exe
2104	release.exe
2104	release.exe
2104	release.exe

flow	ioc
2	freegeoip.app
3	freegeoip.app

pid	process
2604	gg.exe
2604	gg.exe
2604	gg.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

gg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	gg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	gg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

gg.exe

pid process

2604 gg.exe
2604 gg.exe
2604 gg.exe
2604 gg.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

gg.exe

description pid process

Token: SeDebugPrivilege 2604 gg.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

gg.exe

pid process

2604 gg.exe

pid	process
2604	gg.exe
2604	gg.exe
2604	gg.exe
2604	gg.exe

description	pid	process
Token: SeDebugPrivilege	2604	gg.exe

pid	process
2604	gg.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ba91e2cefca6e39537c09b39a52c0804.execmd.exerelease.exe

description	pid	process	target process
PID 2272 wrote to memory of 2400	2272	ba91e2cefca6e39537c09b39a52c0804.exe	cmd.exe
PID 2272 wrote to memory of 2400	2272	ba91e2cefca6e39537c09b39a52c0804.exe	cmd.exe
PID 2272 wrote to memory of 2400	2272	ba91e2cefca6e39537c09b39a52c0804.exe	cmd.exe
PID 2272 wrote to memory of 2400	2272	ba91e2cefca6e39537c09b39a52c0804.exe	cmd.exe
PID 2400 wrote to memory of 2104	2400	cmd.exe	release.exe
PID 2400 wrote to memory of 2104	2400	cmd.exe	release.exe
PID 2400 wrote to memory of 2104	2400	cmd.exe	release.exe
PID 2400 wrote to memory of 2104	2400	cmd.exe	release.exe
PID 2104 wrote to memory of 2604	2104	release.exe	gg.exe
PID 2104 wrote to memory of 2604	2104	release.exe	gg.exe
PID 2104 wrote to memory of 2604	2104	release.exe	gg.exe
PID 2104 wrote to memory of 2604	2104	release.exe	gg.exe

C:\Users\Admin\AppData\Local\Temp\ba91e2cefca6e39537c09b39a52c0804.exe
"C:\Users\Admin\AppData\Local\Temp\ba91e2cefca6e39537c09b39a52c0804.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\ggg.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400

C:\Users\Admin\AppData\Local\Temp\RarSFX0\release.exe
release.exe -p245234436546345433645332454536545335465344654234532345547852389547315806973489705239046894752308956
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\Temp\RarSFX1\gg.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gg.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ggg.bat
Filesize
130B

MD5
49e54759168fb4e6b4f3e246b5e55a97

SHA1
3f39ba0a62772b0103dbb281336fbd1f789be2b6

SHA256
ba587add159e65bceb36b3471b17325cb2698950e84856a36bcb0ee4ea22f489

SHA512
4caffad6c4266f8973af47365d521c76fa2ee8065de07634bc290995ceeffe4071fdf1bcec0de4ff1085857a2cf7cdc5ceac0aebc03f452c71f742b285ab3719

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\release.exe
Filesize
2.9MB

MD5
89c4b4680bad73c52aa1ffc8c857712f

SHA1
e0cf85b6f27bd3b79147ed827c656df98da0f9cf

SHA256
53031b91cd770308063cc46a2401988e9499cbee89717beb967448937c5bde1d

SHA512
8f9bc4eee537cac5f32f965a0853af79df8502b0ea92db18a69033844edc34c6135fb25bbf369d83183ead1ab97708358b5d0b9f0bc94d209c0431bdff15f35c

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt
Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
382B

MD5
16e7d5de3fe9f770934dfef582ec7a01

SHA1
641a6f128f761a9987a489c7553d5f39f68f266f

SHA256
85435d9906e72c9c55c53a26e3fe7fe3e615d1f6b179e5e5a47a824e1201c823

SHA512
20c272e8b0eaaba07591b11ee9d84ff294b6e20d4ff9cace229a65819d23ad98e171dac6585fcde507e0ba0702478add63856048ab7ee37d2d21b97190bad315

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\gg.exe
Filesize
1.2MB

MD5
117b28e18c3cdee58cee6f5b4c6b708b

SHA1
bf3f7cf88712b01a8123d3836bf19f25b17a70ec

SHA256
b356d0dfecf39874a2bbbe4cae33f580d91a8991860df23314f35950f574485c

SHA512
3a2331e1f7266a262e308eab726ee43127631c7348e7931186d13f54577abb1a18a92d6a6664dc69a9cbe9098914bd0e6173d1adc634a545b9c87b3bedd600ea

Download Submit
memory/2104-37-0x0000000003830000-0x0000000003BDE000-memory.dmp

Filesize
3.7MB

Download
memory/2104-38-0x0000000003830000-0x0000000003BDE000-memory.dmp

Filesize
3.7MB

Download
memory/2604-42-0x0000000001070000-0x000000000141E000-memory.dmp

Filesize
3.7MB

Download
memory/2604-43-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/2604-44-0x0000000003160000-0x00000000031A0000-memory.dmp

Filesize
256KB

Download
memory/2604-40-0x0000000001070000-0x000000000141E000-memory.dmp

Filesize
3.7MB

Download
memory/2604-97-0x0000000001070000-0x000000000141E000-memory.dmp

Filesize
3.7MB

Download
memory/2604-98-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing