44caliber | 88342eaaa9f71b1d909281db1be19a41fd725f530781068066a031d869610e7e

Analysis

max time kernel
141s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2024 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc187c21e71c149771bc29482b28d4c7.exe
Size

5.8MB
MD5

bc187c21e71c149771bc29482b28d4c7
SHA1

04643be0d64c5cbca9f0f9deae0e22cf59a34119
SHA256

88342eaaa9f71b1d909281db1be19a41fd725f530781068066a031d869610e7e
SHA512

7737a477bce706ec231865c3d3ccae044c25948038a8ba9f93b4e50231221cbfa6e0d757908d6d3fc1cfb490a9a51fceab26bacb37321f11666efade61d7319e
SSDEEP

6144:1OsE5m1O1B0Ln62oeD+ceV3DZgCtCFOzmoziZ+1p24u4Z3bF:YsZA0Nf+rxDCcnzmoziZ+1p24u4j

Score

10^/10

44caliber spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	freegeoip.app
5	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	bc187c21e71c149771bc29482b28d4c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	bc187c21e71c149771bc29482b28d4c7.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2552	bc187c21e71c149771bc29482b28d4c7.exe
2552	bc187c21e71c149771bc29482b28d4c7.exe
2552	bc187c21e71c149771bc29482b28d4c7.exe
2552	bc187c21e71c149771bc29482b28d4c7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	bc187c21e71c149771bc29482b28d4c7.exe

C:\Users\Admin\AppData\Local\Temp\bc187c21e71c149771bc29482b28d4c7.exe
"C:\Users\Admin\AppData\Local\Temp\bc187c21e71c149771bc29482b28d4c7.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
2ce229f8ac375d847ced916f7d155be5

SHA1
73cd6bec22e8f6a30aebeaf1781ef04f44d0b18b

SHA256
30a3c222589db9dc3ab1daf13407d93c585a22988c2a03677d44c662c522b867

SHA512
060b14cee7ea0d4062ee536cebedf258630847ed37d80437bda840ad8c730dfc5f03a3cc553f1c472b3eab70433595e3bff984791501bf7d3847347be88b8dac

Download Submit
memory/2552-0-0x00000269B2620000-0x00000269B266E000-memory.dmp

Filesize
312KB

Download
memory/2552-25-0x00007FFFA1C00000-0x00007FFFA26C1000-memory.dmp

Filesize
10.8MB

Download
memory/2552-31-0x00000269CCDA0000-0x00000269CCDB0000-memory.dmp

Filesize
64KB

Download
memory/2552-124-0x00007FFFA1C00000-0x00007FFFA26C1000-memory.dmp

Filesize
10.8MB

Download