44caliber | 4494dc4430392f023d605a11d231d8ce99de3c3f15002eb0d19cf8e68bb91d51

General

Target

c9c32665baa415f2483ef94eda102b67.exe
Size

6.0MB
MD5

c9c32665baa415f2483ef94eda102b67
SHA1

284e136d67aad1a7bea390cd9b5e37f3f67dc5d4
SHA256

4494dc4430392f023d605a11d231d8ce99de3c3f15002eb0d19cf8e68bb91d51
SHA512

125f56b799cf9e3573aace4f030bdfc7ad148b822613f5f6fe17664267381f080aa174f99658c06a9639068595304f2efadf854ecc8e8a05fb74d2e77502dae2
SSDEEP

98304:lT1v0Sc5LEgwytj2KJHZpz+v2zU0XWbbr5vMjl2iQu9ntFEPZ8YGpnNg:d18S6ZyKJz+ezUHQtBy

Score

10^/10

44caliber discovery spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/871356915303710720/aJQeq8OY3wwqIiXWkN97pUlIjJQhxawbR5zbwOuO96jrzWKG4INekUUjRxLOjy9VbIsi

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c9c32665baa415f2483ef94eda102b67.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	c9c32665baa415f2483ef94eda102b67.exe

Executes dropped EXE 3 IoCs

Processes:

Fatality Loader.exeCFG.exeFatality.win.exe

pid process

900 Fatality Loader.exe
1712 CFG.exe
4508 Fatality.win.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2152 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 freegeoip.app
6 freegeoip.app

pid	process
900	Fatality Loader.exe
1712	CFG.exe
4508	Fatality.win.exe

pid	process
2152	icacls.exe

flow	ioc
5	freegeoip.app
6	freegeoip.app

Drops file in Program Files directory 12 IoCs

Processes:

javaw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Fatality Loader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Fatality Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Fatality Loader.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Fatality Loader.exe

pid process

900 Fatality Loader.exe
900 Fatality Loader.exe
900 Fatality Loader.exe
900 Fatality Loader.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Fatality Loader.exe

description pid process

Token: SeDebugPrivilege 900 Fatality Loader.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

javaw.exe

pid process

452 javaw.exe

pid	process
900	Fatality Loader.exe
900	Fatality Loader.exe
900	Fatality Loader.exe
900	Fatality Loader.exe

description	pid	process
Token: SeDebugPrivilege	900	Fatality Loader.exe

pid	process
452	javaw.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c9c32665baa415f2483ef94eda102b67.exeFatality.win.exejavaw.exe

description	pid	process	target process
PID 4084 wrote to memory of 900	4084	c9c32665baa415f2483ef94eda102b67.exe	Fatality Loader.exe
PID 4084 wrote to memory of 900	4084	c9c32665baa415f2483ef94eda102b67.exe	Fatality Loader.exe
PID 4084 wrote to memory of 1712	4084	c9c32665baa415f2483ef94eda102b67.exe	CFG.exe
PID 4084 wrote to memory of 1712	4084	c9c32665baa415f2483ef94eda102b67.exe	CFG.exe
PID 4084 wrote to memory of 1712	4084	c9c32665baa415f2483ef94eda102b67.exe	CFG.exe
PID 4084 wrote to memory of 4508	4084	c9c32665baa415f2483ef94eda102b67.exe	Fatality.win.exe
PID 4084 wrote to memory of 4508	4084	c9c32665baa415f2483ef94eda102b67.exe	Fatality.win.exe
PID 4084 wrote to memory of 4508	4084	c9c32665baa415f2483ef94eda102b67.exe	Fatality.win.exe
PID 4508 wrote to memory of 452	4508	Fatality.win.exe	javaw.exe
PID 4508 wrote to memory of 452	4508	Fatality.win.exe	javaw.exe
PID 452 wrote to memory of 2152	452	javaw.exe	icacls.exe
PID 452 wrote to memory of 2152	452	javaw.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\c9c32665baa415f2483ef94eda102b67.exe
"C:\Users\Admin\AppData\Local\Temp\c9c32665baa415f2483ef94eda102b67.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Temp\Fatality Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Fatality Loader.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Users\Admin\AppData\Local\Temp\CFG.exe
"C:\Users\Admin\AppData\Local\Temp\CFG.exe"
2⤵
- Executes dropped EXE
PID:1712

C:\Users\Admin\AppData\Local\Temp\Fatality.win.exe
"C:\Users\Admin\AppData\Local\Temp\Fatality.win.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\Fatality.win.exe" org.develnext.jphp.ext.javafx.FXLauncher
3⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
4⤵
- Modifies file permissions
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt
Filesize
1KB

MD5
5262b1b7e0516a3c97fe60d4ad47ec73

SHA1
2621722b1fb945e29c3164effea549ea1eca1ded

SHA256
4e0036bd9925a04c1d1f44c60255401e79ea6f61b2a3f5fb44159b6c034aa08a

SHA512
b5e857ac3dfdb54cbe9784e50323aa1cb8f21e609a508f57120ec116a17cac3206824b0b7bb207e6251cbf5aff67c44121b0a401566c3de854748247445f598c

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
4eb7213d3748205e63d5c5edd30a0ab7

SHA1
f69807ac921d10a01db666f0618559ac12cb167e

SHA256
7d3f6093a583cdc9df52b253e2e39390867861c5e48c2e5c7e3197d9e56fbb8f

SHA512
b0197118a8886149a16170445189b602d62c74666a10fd02a61854fdddda02f83d345eb62fc11e0a17c413fb6a42aa964cec873d86c5385094b5b6e89d418848

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFG.exe
Filesize
296KB

MD5
6249238b5d6ce6217998b97d544a2d60

SHA1
2c68d31bd2084cc722a34ee64fa4a5b638d524f5

SHA256
8fc1c3bbcf19c0b4f789967fa495ca817c3b1d3918cc572cd2c9405c556404e9

SHA512
ac6c35472cb0234d64bd5eb8b025e169f617c2ce81cb2efc2f2ce8a6ac84ee2198f3c0ed126284abf387bf47d0ebaac2a96722a5122dd6ee69c1a46cc8a83ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fatality Loader.exe
Filesize
299KB

MD5
c62e8659a538d545f07e0c9f9d4e7473

SHA1
feaa24f501803d8f179732d4920561deb8b4c08f

SHA256
5895294f317b1cf6c4598d293501249917f8177adea6c0f4241517ee2596365e

SHA512
d0c46943279825cebf4de80d50b53fea409d2ecfae9922af97c93f199b62fdf572a278bdee04fe2a13cf7be8a2ac1fa92a081a8b614a0a89348d894600b1d5ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fatality.win.exe
Filesize
1.7MB

MD5
d96bdd861e13eab91a1affe7af5b5222

SHA1
6c0ae951ac335f1edcdb77e49547e5c222592b90

SHA256
1afc76dde206a7457d97c89d6988cafd5081a5a8d51382d556fb8efa50241a54

SHA512
7944a4832f8a8f90f50a26aefb78fb2e0e9b5b1785d9d9ebc0c6fd715f5098019040b0051bdef1b09b2a4b92683879c75e2c6b39e537420bb4b42fdadd387beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fatality.win.exe
Filesize
1.3MB

MD5
abe5029fda84a223066136164bf1d4ec

SHA1
3a80006de9c898f0732136eabf9ba240a88f2727

SHA256
217e76068769b69e0e409b3481fd8246d78a569ec13d72ef4f8581ae63631811

SHA512
d17330190c3216c5ae896206f91ca3509f71aa61734bccd3253e30bb058f34aec06d3703cbe90547709ed166b300245694aae9ba61f3068d627fe17647e91cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fatality.win.exe
Filesize
1.6MB

MD5
11af4370effc82bcd4d0801dcbe712ed

SHA1
22b0f1f1a9e9b85e53553ae1b6d3b9818c86962d

SHA256
72783d7859cc9fc6b4d22ccea9422ed758e68711ed3a5088c01c78c4eccc8a56

SHA512
063a75135a61f44754a75f4c67cf74cd34da4dcf091e2ebc6308f38b18f9bc555dfdf02afb3c368e82f722201bf24983319d8705612c01821585eb99ff0a34ae

Download Submit
memory/452-194-0x00000222A0110000-0x00000222A1110000-memory.dmp

Filesize
16.0MB

Download
memory/452-274-0x00000222A0110000-0x00000222A1110000-memory.dmp

Filesize
16.0MB

Download
memory/452-318-0x00000222A0110000-0x00000222A1110000-memory.dmp

Filesize
16.0MB

Download
memory/452-314-0x00000222A0110000-0x00000222A1110000-memory.dmp

Filesize
16.0MB

Download
memory/452-308-0x00000222A0110000-0x00000222A1110000-memory.dmp

Filesize
16.0MB

Download
memory/452-302-0x00000222A0110000-0x00000222A1110000-memory.dmp

Filesize
16.0MB

Download
memory/452-72-0x00000222A0110000-0x00000222A1110000-memory.dmp

Filesize
16.0MB

Download
memory/452-296-0x00000222A0110000-0x00000222A1110000-memory.dmp

Filesize
16.0MB

Download
memory/452-173-0x00000222A00F0000-0x00000222A00F1000-memory.dmp

Filesize
4KB

Download
memory/452-290-0x00000222A0110000-0x00000222A1110000-memory.dmp

Filesize
16.0MB

Download
memory/452-177-0x00000222A0110000-0x00000222A1110000-memory.dmp

Filesize
16.0MB

Download
memory/452-284-0x00000222A0110000-0x00000222A1110000-memory.dmp

Filesize
16.0MB

Download
memory/452-187-0x00000222A0110000-0x00000222A1110000-memory.dmp

Filesize
16.0MB

Download
memory/452-282-0x00000222A0110000-0x00000222A1110000-memory.dmp

Filesize
16.0MB

Download
memory/452-200-0x00000222A0110000-0x00000222A1110000-memory.dmp

Filesize
16.0MB

Download
memory/452-203-0x00000222A0110000-0x00000222A1110000-memory.dmp

Filesize
16.0MB

Download
memory/452-211-0x00000222A00F0000-0x00000222A00F1000-memory.dmp

Filesize
4KB

Download
memory/452-219-0x00000222A00F0000-0x00000222A00F1000-memory.dmp

Filesize
4KB

Download
memory/452-238-0x00000222A00F0000-0x00000222A00F1000-memory.dmp

Filesize
4KB

Download
memory/452-239-0x00000222A00F0000-0x00000222A00F1000-memory.dmp

Filesize
4KB

Download
memory/452-243-0x00000222A00F0000-0x00000222A00F1000-memory.dmp

Filesize
4KB

Download
memory/452-246-0x00000222A00F0000-0x00000222A00F1000-memory.dmp

Filesize
4KB

Download
memory/452-258-0x00000222A00F0000-0x00000222A00F1000-memory.dmp

Filesize
4KB

Download
memory/452-260-0x00000222A00F0000-0x00000222A00F1000-memory.dmp

Filesize
4KB

Download
memory/452-271-0x00000222A0110000-0x00000222A1110000-memory.dmp

Filesize
16.0MB

Download
memory/452-279-0x00000222A0110000-0x00000222A1110000-memory.dmp

Filesize
16.0MB

Download
memory/452-278-0x00000222A0110000-0x00000222A1110000-memory.dmp

Filesize
16.0MB

Download
memory/900-25-0x000000001B3C0000-0x000000001B3D0000-memory.dmp

Filesize
64KB

Download
memory/900-186-0x00007FF970F20000-0x00007FF9719E1000-memory.dmp

Filesize
10.8MB

Download
memory/900-23-0x0000000000620000-0x0000000000670000-memory.dmp

Filesize
320KB

Download
memory/900-24-0x00007FF970F20000-0x00007FF9719E1000-memory.dmp

Filesize
10.8MB

Download
memory/4084-0-0x0000000000F60000-0x0000000001566000-memory.dmp

Filesize
6.0MB

Download
memory/4084-1-0x00007FF970F20000-0x00007FF9719E1000-memory.dmp

Filesize
10.8MB

Download
memory/4084-4-0x000000001C2C0000-0x000000001C2D0000-memory.dmp

Filesize
64KB

Download
memory/4084-68-0x00007FF970F20000-0x00007FF9719E1000-memory.dmp

Filesize
10.8MB

Download
memory/4508-67-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads