44caliber | addc15bc47d8feee37c20659259b5c1c17fb63608b42bf358ab1248a6c660156

General

Target

bd1b3b496b17b6ebbc19483dc8fd2b38.exe
Size

1.7MB
MD5

bd1b3b496b17b6ebbc19483dc8fd2b38
SHA1

e9baac0c912cf6092a7cf87c171b044efa6b0d4c
SHA256

addc15bc47d8feee37c20659259b5c1c17fb63608b42bf358ab1248a6c660156
SHA512

18fe41b9f9d9994a8bb1797ef7592d77f7b835a7174e6faa2f0676cfdf8a856bb86ae7add02d89579968c46ff2b8be531116e8a294d1b362e391ba51669a986f
SSDEEP

49152:ug0jh8JRTIGVVK+3BhD6kWp2i2V7nYpldF5F8wsuHHHf:uPSjcGVUupWp2r1n8ZDnH

Score

10^/10

44caliber blackguard spyware stealer

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot1905575949:AAHIC9TAEKCrluRDzCgUYzxgdIdES2ldfbA/sendMessage?chat_id=1010861848

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	freegeoip.app
35	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4260	bd1b3b496b17b6ebbc19483dc8fd2b38.exe
4260	bd1b3b496b17b6ebbc19483dc8fd2b38.exe
4260	bd1b3b496b17b6ebbc19483dc8fd2b38.exe
4260	bd1b3b496b17b6ebbc19483dc8fd2b38.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	bd1b3b496b17b6ebbc19483dc8fd2b38.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	bd1b3b496b17b6ebbc19483dc8fd2b38.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4260	bd1b3b496b17b6ebbc19483dc8fd2b38.exe
4260	bd1b3b496b17b6ebbc19483dc8fd2b38.exe
4260	bd1b3b496b17b6ebbc19483dc8fd2b38.exe
4260	bd1b3b496b17b6ebbc19483dc8fd2b38.exe
4260	bd1b3b496b17b6ebbc19483dc8fd2b38.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4260	bd1b3b496b17b6ebbc19483dc8fd2b38.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4260	bd1b3b496b17b6ebbc19483dc8fd2b38.exe

C:\Users\Admin\AppData\Local\Temp\bd1b3b496b17b6ebbc19483dc8fd2b38.exe
"C:\Users\Admin\AppData\Local\Temp\bd1b3b496b17b6ebbc19483dc8fd2b38.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4468 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
3ce50ce089b0627888a4e23ac6aaa4ed

SHA1
b491dfe939085f49b93b9eed9e0c5af8d2b2ddd3

SHA256
2fef86c64574b1371df3e7ee53324f30aa1e37e44524b65a7e0d2f059dc944f1

SHA512
31d5d4cfc76b21d559497a7f92ffa19adbff3b29d278c5e6d56a6a567b38baaf5288a77d247abda2e5734db71a361e265fa9518d8bed14a57d914beabaf4a012

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
98ceb2efcb01078d90953fbc244a108e

SHA1
9fbafd8d62214294552eda0ed28872059ad88eb1

SHA256
e0cc79a72545c55f9737824431097b106d03dc44f65ddd6f800bd13d8e90a7a8

SHA512
bd60c1fb7b8cbe3185981089571646acabeb7caf61637024c36c9cef0a28f6970bf6a358d6ddc11dfd86e71f6c92c8b0a37b276aba48573b97e050f10eff3dba

Download Submit
memory/4260-151-0x0000000006190000-0x000000000619A000-memory.dmp

Filesize
40KB

Download
memory/4260-134-0x0000000006D30000-0x0000000006D96000-memory.dmp

Filesize
408KB

Download
memory/4260-34-0x0000000006760000-0x00000000067F2000-memory.dmp

Filesize
584KB

Download
memory/4260-35-0x0000000006DB0000-0x0000000007354000-memory.dmp

Filesize
5.6MB

Download
memory/4260-3-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/4260-0-0x0000000000890000-0x0000000000D72000-memory.dmp

Filesize
4.9MB

Download
memory/4260-2-0x0000000000890000-0x0000000000D72000-memory.dmp

Filesize
4.9MB

Download
memory/4260-136-0x0000000000890000-0x0000000000D72000-memory.dmp

Filesize
4.9MB

Download
memory/4260-1-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/4260-152-0x00000000061A0000-0x00000000061A8000-memory.dmp

Filesize
32KB

Download
memory/4260-153-0x0000000006200000-0x0000000006222000-memory.dmp

Filesize
136KB

Download
memory/4260-154-0x0000000007360000-0x00000000076B4000-memory.dmp

Filesize
3.3MB

Download
memory/4260-155-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/4260-157-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/4260-161-0x0000000000890000-0x0000000000D72000-memory.dmp

Filesize
4.9MB

Download
memory/4260-162-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing