44caliber | 88342eaaa9f71b1d909281db1be19a41fd725f530781068066a031d869610e7e

Analysis

max time kernel
117s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc187c21e71c149771bc29482b28d4c7.exe
Size

5.8MB
MD5

bc187c21e71c149771bc29482b28d4c7
SHA1

04643be0d64c5cbca9f0f9deae0e22cf59a34119
SHA256

88342eaaa9f71b1d909281db1be19a41fd725f530781068066a031d869610e7e
SHA512

7737a477bce706ec231865c3d3ccae044c25948038a8ba9f93b4e50231221cbfa6e0d757908d6d3fc1cfb490a9a51fceab26bacb37321f11666efade61d7319e
SSDEEP

6144:1OsE5m1O1B0Ln62oeD+ceV3DZgCtCFOzmoziZ+1p24u4Z3bF:YsZA0Nf+rxDCcnzmoziZ+1p24u4j

Score

10^/10

44caliber spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	freegeoip.app
2	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	bc187c21e71c149771bc29482b28d4c7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	bc187c21e71c149771bc29482b28d4c7.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1780	bc187c21e71c149771bc29482b28d4c7.exe
1780	bc187c21e71c149771bc29482b28d4c7.exe
1780	bc187c21e71c149771bc29482b28d4c7.exe
1780	bc187c21e71c149771bc29482b28d4c7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	bc187c21e71c149771bc29482b28d4c7.exe

C:\Users\Admin\AppData\Local\Temp\bc187c21e71c149771bc29482b28d4c7.exe
"C:\Users\Admin\AppData\Local\Temp\bc187c21e71c149771bc29482b28d4c7.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
412B

MD5
a719319757749992c3eb5475c5af31d3

SHA1
fde6d3528d43174a3fef5f67415932783adb6cdc

SHA256
8b2fd2a5e57a59b4684df2588448cfae7a389c14b513f55bc512d2c3ef36d9ee

SHA512
43694ad58f195ba5ea95688ea7b78f2dce565e5c5f55dc582fc448967186eac21b306520d64333789aa2e44d15ad3e6ac180c679de442b3b916c44f09dbf2b18

Download Submit
memory/1780-0-0x0000000000BF0000-0x0000000000C3E000-memory.dmp

Filesize
312KB

Download
memory/1780-1-0x000007FEF6210000-0x000007FEF6BFC000-memory.dmp

Filesize
9.9MB

Download
memory/1780-2-0x000000001A850000-0x000000001A8D0000-memory.dmp

Filesize
512KB

Download
memory/1780-49-0x000007FEF6210000-0x000007FEF6BFC000-memory.dmp

Filesize
9.9MB

Download