44caliber | daba765d0976cef05ea981ca8d722a047138a24f31fe318e8a3d550251dd703f

General

Target

ba91e2cefca6e39537c09b39a52c0804.exe
Size

3.1MB
MD5

ba91e2cefca6e39537c09b39a52c0804
SHA1

d7d5321eb7715a0333f8dba7b9525e6545832626
SHA256

daba765d0976cef05ea981ca8d722a047138a24f31fe318e8a3d550251dd703f
SHA512

25d859aff4bf32090eb10caf608e5cb46af5238a2183700b132e977e231f9195ac084db0cdf7508a923b32be817c73847817deec512eb01182277ac9ffcc39c8
SSDEEP

49152:+cSg4AV+b5KxOKezg2J0UxzklXUVYrvW9KbI9NBeqIX226txvAL66+U73:+/GV+IWlyUxdoIKONwqIX22ExhQ3

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discordapp.com/api/webhooks/859014405580783637/J-rOLcLQORAp4rSIpre0H46Lhmzd8QK1hgRFNA4mqYSEz6dtJRq9HsK-id725NgqZTvK

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ba91e2cefca6e39537c09b39a52c0804.exerelease.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	ba91e2cefca6e39537c09b39a52c0804.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	release.exe

Executes dropped EXE 2 IoCs

Processes:

release.exegg.exe

pid process

4080 release.exe
4328 gg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 freegeoip.app
31 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

gg.exe

pid process

4328 gg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4080	release.exe
4328	gg.exe

flow	ioc
30	freegeoip.app
31	freegeoip.app

pid	process
4328	gg.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

gg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	gg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	gg.exe

Modifies registry class 1 IoCs

Processes:

release.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings release.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

gg.exe

pid process

4328 gg.exe
4328 gg.exe
4328 gg.exe
4328 gg.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

gg.exe

description pid process

Token: SeDebugPrivilege 4328 gg.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

gg.exe

pid process

4328 gg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	release.exe

pid	process
4328	gg.exe
4328	gg.exe
4328	gg.exe
4328	gg.exe

description	pid	process
Token: SeDebugPrivilege	4328	gg.exe

pid	process
4328	gg.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ba91e2cefca6e39537c09b39a52c0804.execmd.exerelease.exe

description	pid	process	target process
PID 848 wrote to memory of 3936	848	ba91e2cefca6e39537c09b39a52c0804.exe	cmd.exe
PID 848 wrote to memory of 3936	848	ba91e2cefca6e39537c09b39a52c0804.exe	cmd.exe
PID 848 wrote to memory of 3936	848	ba91e2cefca6e39537c09b39a52c0804.exe	cmd.exe
PID 3936 wrote to memory of 4080	3936	cmd.exe	release.exe
PID 3936 wrote to memory of 4080	3936	cmd.exe	release.exe
PID 3936 wrote to memory of 4080	3936	cmd.exe	release.exe
PID 4080 wrote to memory of 4328	4080	release.exe	gg.exe
PID 4080 wrote to memory of 4328	4080	release.exe	gg.exe
PID 4080 wrote to memory of 4328	4080	release.exe	gg.exe

C:\Users\Admin\AppData\Local\Temp\ba91e2cefca6e39537c09b39a52c0804.exe
"C:\Users\Admin\AppData\Local\Temp\ba91e2cefca6e39537c09b39a52c0804.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\ggg.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3936

C:\Users\Admin\AppData\Local\Temp\RarSFX0\release.exe
release.exe -p245234436546345433645332454536545335465344654234532345547852389547315806973489705239046894752308956
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4080

C:\Users\Admin\AppData\Local\Temp\RarSFX1\gg.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gg.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4328

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt
Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\44\Process.txt
Filesize
1KB

MD5
751968666a3e3106f48c69b443acb8b6

SHA1
c2557a660c9e817ffb14fc15717ce3726697ec97

SHA256
c8cbbaeb3929e11d8290ed271962d5f1babbc26123b51410a2a237f3abab9503

SHA512
4588c500b1443683ca4db566bedc0aebc9e8982bf8439ad055c008da1e23f5df9ca876a4ea40ff0b6adc9e54900fe4a4594c63da4f81762b324174b6ea9a53ec

Download Submit
C:\ProgramData\44\Process.txt
Filesize
1KB

MD5
b21db7e62190762802a8a748e1d1e122

SHA1
6324ab18fb0211a3d5614ba0e5ab31be44805186

SHA256
b99269db37cc5aaff515558a32f787fbc52ecdc8b25f33f27722212d671b5d3f

SHA512
d3039d359c24f491aceb45122808b282bc8dc58c7aa5082fb9a0a302fcd4ac3460ef513b044157da990f9fd920e342dd510cae1b22a91ce99133e3f83e61f16a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ggg.bat
Filesize
130B

MD5
49e54759168fb4e6b4f3e246b5e55a97

SHA1
3f39ba0a62772b0103dbb281336fbd1f789be2b6

SHA256
ba587add159e65bceb36b3471b17325cb2698950e84856a36bcb0ee4ea22f489

SHA512
4caffad6c4266f8973af47365d521c76fa2ee8065de07634bc290995ceeffe4071fdf1bcec0de4ff1085857a2cf7cdc5ceac0aebc03f452c71f742b285ab3719

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\release.exe
Filesize
2.9MB

MD5
89c4b4680bad73c52aa1ffc8c857712f

SHA1
e0cf85b6f27bd3b79147ed827c656df98da0f9cf

SHA256
53031b91cd770308063cc46a2401988e9499cbee89717beb967448937c5bde1d

SHA512
8f9bc4eee537cac5f32f965a0853af79df8502b0ea92db18a69033844edc34c6135fb25bbf369d83183ead1ab97708358b5d0b9f0bc94d209c0431bdff15f35c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\gg.exe
Filesize
1.2MB

MD5
117b28e18c3cdee58cee6f5b4c6b708b

SHA1
bf3f7cf88712b01a8123d3836bf19f25b17a70ec

SHA256
b356d0dfecf39874a2bbbe4cae33f580d91a8991860df23314f35950f574485c

SHA512
3a2331e1f7266a262e308eab726ee43127631c7348e7931186d13f54577abb1a18a92d6a6664dc69a9cbe9098914bd0e6173d1adc634a545b9c87b3bedd600ea

Download Submit
memory/4328-25-0x0000000000430000-0x00000000007DE000-memory.dmp

Filesize
3.7MB

Download
memory/4328-28-0x0000000005790000-0x00000000057A0000-memory.dmp

Filesize
64KB

Download
memory/4328-29-0x0000000006030000-0x00000000060C2000-memory.dmp

Filesize
584KB

Download
memory/4328-27-0x0000000000430000-0x00000000007DE000-memory.dmp

Filesize
3.7MB

Download
memory/4328-62-0x0000000006BC0000-0x0000000007164000-memory.dmp

Filesize
5.6MB

Download
memory/4328-26-0x00000000724B0000-0x0000000072C60000-memory.dmp

Filesize
7.7MB

Download
memory/4328-24-0x0000000000430000-0x00000000007DE000-memory.dmp

Filesize
3.7MB

Download
memory/4328-155-0x0000000007C20000-0x0000000007C86000-memory.dmp

Filesize
408KB

Download
memory/4328-159-0x0000000000430000-0x00000000007DE000-memory.dmp

Filesize
3.7MB

Download
memory/4328-160-0x00000000724B0000-0x0000000072C60000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads