44caliber | c13b27db146974839ceeb088132e55627944f9a230392e4f8661749586a3626a

Resubmissions

10-03-2024 12:51

240310-p3s1esda29 10

10-03-2024 12:46

240310-pz2hdsch63 10

Analysis

max time kernel
159s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2024 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Celestial.exe
Size

273KB
MD5

7ca6a26751bd7ad90ffc2843f040117c
SHA1

5c2be81194456480f952d674c0513959eab0ceda
SHA256

c13b27db146974839ceeb088132e55627944f9a230392e4f8661749586a3626a
SHA512

0f16bbf19913c4c09a13ea48325a3751311941b2d6b11a70a97737628c53bd58b8009fa9439e3b0ce66ef0e46dc420a6535b2d8803cbf6669d024c3c4ea3b896
SSDEEP

6144:Of+BLtABPD7sBi/0QNE44FCpHoafTy/lI1D0NiJ:essK44FCpO61DzJ

Score

10^/10

44caliber spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 freegeoip.app
27 freegeoip.app

flow	ioc
26	freegeoip.app
27	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Celestial.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Celestial.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Celestial.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Celestial.exe

pid process

116 Celestial.exe
116 Celestial.exe
116 Celestial.exe
116 Celestial.exe
116 Celestial.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Celestial.exe

description pid process

Token: SeDebugPrivilege 116 Celestial.exe

pid	process
116	Celestial.exe
116	Celestial.exe
116	Celestial.exe
116	Celestial.exe
116	Celestial.exe

description	pid	process
Token: SeDebugPrivilege	116	Celestial.exe

C:\Users\Admin\AppData\Local\Temp\Celestial.exe
"C:\Users\Admin\AppData\Local\Temp\Celestial.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:5032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
4731cc7123bb0eaebf2be5970f0c326b

SHA1
5250310dcba6e3d6b7f3b4d43c8ca45b91b8bd52

SHA256
eaa4e2b8bb76881289b0e709091e7e50a3bb7634467990b04b87dd339bb1aa32

SHA512
ec2ec20795b416e37abb4201393a21061fe4f5a58fc6233ac012cba42a6caa6c87fbafacb84e47795cefecf6462b8f774b594e1b8da2cd9f8fe74d14c7ad9439

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
298B

MD5
34c1236edcbb4687a9e13fa3086cec67

SHA1
dbfce9408d3eb820bb11d045cd9de20590d57fc5

SHA256
76da453c3da27043f79cf1ed74de5cdd6f41f66fecda7698dbb2cfedd6bd2d49

SHA512
0b144dfa78f358cb4ea87383bd917f9bacd30cfc2d4528b38631f893ab21c8216c7d1849dd2aeedcef20be4b443c034752ba91d00cbb009598819cfdc9f8262e

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
8ebc34427157f6a6a57d2809caa0a5a9

SHA1
247c8094d5743e610e86cc0216865de17d2c79ec

SHA256
5d65f9a76c1a9cd04be4e3d82ddfc89d64243c1b226d16ebcc1de8ff84e4b6e4

SHA512
3a1b8cedbf9be616a544032f61575a0dd1b5edaa3f86764a2435dc28e047542d0cf7c005bc070928a74c5b5be62f43587441631db220f61a4f69860f57d88143

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
1b637dfc170702964230e902d6c50cc2

SHA1
f4a16542ec47e2adead252e127ba229d039c3ba8

SHA256
9bed39c63d7899c4f3884f2784f31e6b41751d97ce1263f245b71375a39e1680

SHA512
9fd090b96da64cbdef1056f142f043f49436d5d3bb43e7b46f98eca572c91d060b581fb9b799d01ac6fed3cd629a17dbc15afb960ef94d5dd0d7ba151aa9d667

Download Submit
memory/116-0-0x000001F3D2630000-0x000001F3D267A000-memory.dmp

Filesize
296KB

Download
memory/116-5-0x00007FFFD6310000-0x00007FFFD6DD1000-memory.dmp

Filesize
10.8MB

Download
memory/116-6-0x000001F3ECBF0000-0x000001F3ECC00000-memory.dmp

Filesize
64KB

Download
memory/116-126-0x00007FFFD6310000-0x00007FFFD6DD1000-memory.dmp

Filesize
10.8MB

Download
memory/116-127-0x000001F3ECBF0000-0x000001F3ECC00000-memory.dmp

Filesize
64KB

Download
memory/116-130-0x00007FFFD6310000-0x00007FFFD6DD1000-memory.dmp

Filesize
10.8MB

Download