44caliber | 6310eba3d8e127a4d8616818f9d192dca4bf62ad0a8758928f6df9c86adc9f75

Analysis

max time kernel
171s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccc448a7aef3086598e21c2d8ddccc3e.exe
Size

3.1MB
MD5

ccc448a7aef3086598e21c2d8ddccc3e
SHA1

58a348eb1e6ef37d4839d5d94d1bd6aaba94d901
SHA256

6310eba3d8e127a4d8616818f9d192dca4bf62ad0a8758928f6df9c86adc9f75
SHA512

7a4dae4fd52847a3a79f606bd350e994545a927508c18284d15eca17d5774efd5425b60149354517f7aca50e14f71a36ab3a7f45828bca9fd0dcaa2d2bb82b82
SSDEEP

49152:+VSg4AV+KV5JkngmTzfEOcL5O9qw0ghgxZWxqcENUVv+zyeCtt6rGyb60T:+wGV+ykg+DEfVwX0m9bENYv+vaEb

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discordapp.com/api/webhooks/859014405580783637/J-rOLcLQORAp4rSIpre0H46Lhmzd8QK1hgRFNA4mqYSEz6dtJRq9HsK-id725NgqZTvK

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 2 IoCs

Processes:

5.exe1.exe

pid process

2460 5.exe
2376 1.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exe5.exe

pid process

2508 cmd.exe
2460 5.exe
2460 5.exe
2460 5.exe
2460 5.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 freegeoip.app
3 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

1.exe

pid process

2376 1.exe
2376 1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2460	5.exe
2376	1.exe

pid	process
2508	cmd.exe
2460	5.exe
2460	5.exe
2460	5.exe
2460	5.exe

flow	ioc
2	freegeoip.app
3	freegeoip.app

pid	process
2376	1.exe
2376	1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	1.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

2116 vlc.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1.exe

pid process

2376 1.exe
2376 1.exe
2376 1.exe
2376 1.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

2116 vlc.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

1.exevlc.exe

description pid process

Token: SeDebugPrivilege 2376 1.exe
Token: 33 2116 vlc.exe
Token: SeIncBasePriorityPrivilege 2116 vlc.exe

pid	process
2376	1.exe
2376	1.exe
2376	1.exe
2376	1.exe

description	pid	process
Token: SeDebugPrivilege	2376	1.exe
Token: 33	2116	vlc.exe
Token: SeIncBasePriorityPrivilege	2116	vlc.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

vlc.exe

pid	process
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

vlc.exe

pid process

2116 vlc.exe
2116 vlc.exe
2116 vlc.exe
2116 vlc.exe
2116 vlc.exe
2116 vlc.exe
2116 vlc.exe
2116 vlc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1.exevlc.exe

pid process

2376 1.exe
2116 vlc.exe

pid	process
2376	1.exe
2116	vlc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

ccc448a7aef3086598e21c2d8ddccc3e.execmd.exe5.exe

description	pid	process	target process
PID 2512 wrote to memory of 2508	2512	ccc448a7aef3086598e21c2d8ddccc3e.exe	cmd.exe
PID 2512 wrote to memory of 2508	2512	ccc448a7aef3086598e21c2d8ddccc3e.exe	cmd.exe
PID 2512 wrote to memory of 2508	2512	ccc448a7aef3086598e21c2d8ddccc3e.exe	cmd.exe
PID 2512 wrote to memory of 2508	2512	ccc448a7aef3086598e21c2d8ddccc3e.exe	cmd.exe
PID 2508 wrote to memory of 2460	2508	cmd.exe	5.exe
PID 2508 wrote to memory of 2460	2508	cmd.exe	5.exe
PID 2508 wrote to memory of 2460	2508	cmd.exe	5.exe
PID 2508 wrote to memory of 2460	2508	cmd.exe	5.exe
PID 2460 wrote to memory of 2376	2460	5.exe	1.exe
PID 2460 wrote to memory of 2376	2460	5.exe	1.exe
PID 2460 wrote to memory of 2376	2460	5.exe	1.exe
PID 2460 wrote to memory of 2376	2460	5.exe	1.exe
PID 2460 wrote to memory of 2116	2460	5.exe	vlc.exe
PID 2460 wrote to memory of 2116	2460	5.exe	vlc.exe
PID 2460 wrote to memory of 2116	2460	5.exe	vlc.exe
PID 2460 wrote to memory of 2116	2460	5.exe	vlc.exe

C:\Users\Admin\AppData\Local\Temp\ccc448a7aef3086598e21c2d8ddccc3e.exe
"C:\Users\Admin\AppData\Local\Temp\ccc448a7aef3086598e21c2d8ddccc3e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\5.exe
    5.exe -p24562336354
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\1.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2376
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\RarSFX1\2.mp4"
      4⤵
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
36B

MD5
3b8782bab1f45c13d00f6b3734dd3c91

SHA1
08c83cb4276b52d961958151b18086d74b6599e3

SHA256
b7ba3eb8375f438ab9a98983a384de240f71b82b5a2d9b3de7b667351f63d1a1

SHA512
20b4d1548d2c06fe57aacdd350ed58729d9efcb473ca56a386e3119bfffcd3e72b7387e241660b7a521ece361b38e9a776fd67dd2a901c20b945a2087c723c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\5.exe

Filesize
1.2MB

MD5
05e5e8bbd594e3878e2e08196f7813ca

SHA1
5efa561b2d3482d0aa8c1faee86a8e0eda2de91f

SHA256
8cf51c1fd50ac3cd524a06c2e32f408b98c48c71c4e4c431321a983e9c0325d2

SHA512
48c8898e8b353fbcb903150fe7d41a14adc59cd349470508e12319f313dc7423084762fd8a025db5de282f3836b77fbf7b19203baec17d19b3810b943c4dbdd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\5.exe

Filesize
1.2MB

MD5
06155e9f907c10e0fce1110499d174bd

SHA1
f37b306c7bfc2d94f37a58e12160d9115690a5b0

SHA256
9f1261ac7c07454c18660d001196500f991c41e71bc59eba797e386338b34e9c

SHA512
d64edb9c2d3a51eab27ed167214b9f8824b2354e8ef8fbed8557dbd31517af2dedb1c09b2ea5490a3433875b3f155cda61eb6f16f7f3d4a27c11d0f5cf338b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\2.mp4

Filesize
1.5MB

MD5
202b1a7c8c361d0b1b752a8399590f39

SHA1
6a4b3254211077173c0d93bc29456547b3b17a1a

SHA256
72680c74112674d1d0a5b0bff468deaa2ea9c587ccf733515ca55dcd2c4dca6a

SHA512
1433e3a253ceb193e39c1ef66bb7fa9e54e60cde2604aff44de87011e2c0f7c70affeda66766fe0f43e0d211945d31a1ddfc56267f9f512a0c4d8db405d4a355

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
446B

MD5
c6b2b2a8c1b41fc00ec950d425e0943c

SHA1
de8066168fadb086b68314bc6dc226c3e0e72e96

SHA256
35deb8d062ba9c12aa81a356c26ac25969e347da9ed22fc35ddab266f967c245

SHA512
3a3dc5e64455ec1598a18cf2fc8d78fbb3b35430d2d10956d5be95711724ce5264e0419eff8747854411bf9baea15f72ae7a3421fb1e647b77e3d8ea4ffb7b74

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\5.exe

Filesize
1.5MB

MD5
4ea219d54ee5ecdd55b6b7d158ae587c

SHA1
d881c16acee9a86beb0b954080493f6915e4b225

SHA256
851e4b4822dc3432032c97c3d2ee577256f8ad9e477637c88e9eda0e683297d0

SHA512
90f421cfe3f7440f2a99dd5f4e045f5529c3725c7dc9ee23096a50e1de200d5e77318916dc45f88ab4127e56b1b221aabdb5e3036b26229e3a34f582a78d6ac4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\1.exe

Filesize
1.2MB

MD5
dda9fdfc7cce385b13c96a10d8634417

SHA1
45ac86dfe9f66937d06229840ae40543bb917a47

SHA256
876e5e9bbaf937b3dbcdaf019eee4e2b492ed2cfa47c3e264467ac9c97c052f1

SHA512
3a1fb982a79fe34cf0fedc2600ebe7f796fd0606596e45ebf80d14e2890b06f306969acb69a4374e5ac883e92d58953fe16828d8a00ddfa756eb518b42eece20

Download Submit
memory/2116-132-0x000007FEF46E0000-0x000007FEF4736000-memory.dmp

Filesize
344KB

Download
memory/2116-141-0x000007FEF3EF0000-0x000007FEF413B000-memory.dmp

Filesize
2.3MB

Download
memory/2116-168-0x000007FEF1DB0000-0x000007FEF1DC3000-memory.dmp

Filesize
76KB

Download
memory/2116-137-0x000007FEF4360000-0x000007FEF43A2000-memory.dmp

Filesize
264KB

Download
memory/2116-170-0x000007FEF1D70000-0x000007FEF1D82000-memory.dmp

Filesize
72KB

Download
memory/2116-135-0x000007FEF43D0000-0x000007FEF4540000-memory.dmp

Filesize
1.4MB

Download
memory/2116-167-0x000007FEF1DD0000-0x000007FEF1DE5000-memory.dmp

Filesize
84KB

Download
memory/2116-108-0x000007FEF6BE0000-0x000007FEF6C14000-memory.dmp

Filesize
208KB

Download
memory/2116-107-0x000000013F600000-0x000000013F6F8000-memory.dmp

Filesize
992KB

Download
memory/2116-109-0x000007FEF5C20000-0x000007FEF5ED4000-memory.dmp

Filesize
2.7MB

Download
memory/2116-110-0x000007FEF6BC0000-0x000007FEF6BD8000-memory.dmp

Filesize
96KB

Download
memory/2116-111-0x000007FEF6BA0000-0x000007FEF6BB7000-memory.dmp

Filesize
92KB

Download
memory/2116-114-0x000007FEF6B40000-0x000007FEF6B51000-memory.dmp

Filesize
68KB

Download
memory/2116-115-0x000007FEF6B20000-0x000007FEF6B3D000-memory.dmp

Filesize
116KB

Download
memory/2116-113-0x000007FEF6B60000-0x000007FEF6B77000-memory.dmp

Filesize
92KB

Download
memory/2116-112-0x000007FEF6B80000-0x000007FEF6B91000-memory.dmp

Filesize
68KB

Download
memory/2116-116-0x000007FEF58F0000-0x000007FEF5AF0000-memory.dmp

Filesize
2.0MB

Download
memory/2116-118-0x000007FEF6AC0000-0x000007FEF6AFF000-memory.dmp

Filesize
252KB

Download
memory/2116-119-0x000007FEF6530000-0x000007FEF6551000-memory.dmp

Filesize
132KB

Download
memory/2116-120-0x000007FEF6880000-0x000007FEF6898000-memory.dmp

Filesize
96KB

Download
memory/2116-117-0x000007FEF6B00000-0x000007FEF6B11000-memory.dmp

Filesize
68KB

Download
memory/2116-122-0x000007FEF65D0000-0x000007FEF65E1000-memory.dmp

Filesize
68KB

Download
memory/2116-124-0x000007FEF64F0000-0x000007FEF6501000-memory.dmp

Filesize
68KB

Download
memory/2116-125-0x000007FEF64D0000-0x000007FEF64EB000-memory.dmp

Filesize
108KB

Download
memory/2116-127-0x000007FEF6490000-0x000007FEF64A8000-memory.dmp

Filesize
96KB

Download
memory/2116-126-0x000007FEF64B0000-0x000007FEF64C1000-memory.dmp

Filesize
68KB

Download
memory/2116-128-0x000007FEF6460000-0x000007FEF6490000-memory.dmp

Filesize
192KB

Download
memory/2116-123-0x000007FEF6510000-0x000007FEF6521000-memory.dmp

Filesize
68KB

Download
memory/2116-121-0x000007FEF4840000-0x000007FEF58EB000-memory.dmp

Filesize
16.7MB

Download
memory/2116-130-0x000007FEF4760000-0x000007FEF47CF000-memory.dmp

Filesize
444KB

Download
memory/2116-129-0x000007FEF47D0000-0x000007FEF4837000-memory.dmp

Filesize
412KB

Download
memory/2116-131-0x000007FEF4740000-0x000007FEF4751000-memory.dmp

Filesize
68KB

Download
memory/2116-166-0x000007FEF1DF0000-0x000007FEF1E02000-memory.dmp

Filesize
72KB

Download
memory/2116-133-0x000007FEF4560000-0x000007FEF46D8000-memory.dmp

Filesize
1.5MB

Download
memory/2116-134-0x000007FEF4540000-0x000007FEF4557000-memory.dmp

Filesize
92KB

Download
memory/2116-136-0x000007FEF43B0000-0x000007FEF43C2000-memory.dmp

Filesize
72KB

Download
memory/2116-165-0x000007FEF1E10000-0x000007FEF1E2B000-memory.dmp

Filesize
108KB

Download
memory/2116-169-0x000007FEF1D90000-0x000007FEF1DA4000-memory.dmp

Filesize
80KB

Download
memory/2116-164-0x000007FEF1E30000-0x000007FEF1E43000-memory.dmp

Filesize
76KB

Download
memory/2116-139-0x000007FEF41A0000-0x000007FEF430B000-memory.dmp

Filesize
1.4MB

Download
memory/2116-140-0x000007FEF4140000-0x000007FEF4197000-memory.dmp

Filesize
348KB

Download
memory/2116-138-0x000007FEF4310000-0x000007FEF435C000-memory.dmp

Filesize
304KB

Download
memory/2116-142-0x000007FEF2740000-0x000007FEF3EF0000-memory.dmp

Filesize
23.7MB

Download
memory/2116-143-0x000007FEF7650000-0x000007FEF7660000-memory.dmp

Filesize
64KB

Download
memory/2116-146-0x000007FEF26D0000-0x000007FEF26E6000-memory.dmp

Filesize
88KB

Download
memory/2116-145-0x000007FEF26F0000-0x000007FEF2701000-memory.dmp

Filesize
68KB

Download
memory/2116-147-0x000007FEF2600000-0x000007FEF26C5000-memory.dmp

Filesize
788KB

Download
memory/2116-148-0x000007FEF2580000-0x000007FEF25F5000-memory.dmp

Filesize
468KB

Download
memory/2116-144-0x000007FEF2710000-0x000007FEF273F000-memory.dmp

Filesize
188KB

Download
memory/2116-149-0x000007FEF2510000-0x000007FEF2572000-memory.dmp

Filesize
392KB

Download
memory/2116-150-0x000007FEF24A0000-0x000007FEF250D000-memory.dmp

Filesize
436KB

Download
memory/2116-151-0x000007FEF2480000-0x000007FEF2493000-memory.dmp

Filesize
76KB

Download
memory/2116-152-0x000007FEF2460000-0x000007FEF2474000-memory.dmp

Filesize
80KB

Download
memory/2116-153-0x000007FEF2410000-0x000007FEF2460000-memory.dmp

Filesize
320KB

Download
memory/2116-154-0x000007FEF23F0000-0x000007FEF2405000-memory.dmp

Filesize
84KB

Download
memory/2116-155-0x000007FEF21D0000-0x000007FEF23ED000-memory.dmp

Filesize
2.1MB

Download
memory/2116-157-0x000007FEF2170000-0x000007FEF2185000-memory.dmp

Filesize
84KB

Download
memory/2116-158-0x000007FEF2150000-0x000007FEF2162000-memory.dmp

Filesize
72KB

Download
memory/2116-159-0x000007FEF2120000-0x000007FEF2143000-memory.dmp

Filesize
140KB

Download
memory/2116-156-0x000007FEF21B0000-0x000007FEF21C1000-memory.dmp

Filesize
68KB

Download
memory/2116-160-0x000007FEF1FA0000-0x000007FEF211A000-memory.dmp

Filesize
1.5MB

Download
memory/2116-161-0x000007FEF1F80000-0x000007FEF1F93000-memory.dmp

Filesize
76KB

Download
memory/2116-162-0x000007FEF1E80000-0x000007FEF1F74000-memory.dmp

Filesize
976KB

Download
memory/2116-163-0x000007FEF1E50000-0x000007FEF1E7A000-memory.dmp

Filesize
168KB

Download
memory/2376-43-0x0000000073D50000-0x000000007443E000-memory.dmp

Filesize
6.9MB

Download
memory/2376-100-0x0000000073D50000-0x000000007443E000-memory.dmp

Filesize
6.9MB

Download
memory/2376-40-0x00000000012C0000-0x0000000001670000-memory.dmp

Filesize
3.7MB

Download
memory/2376-42-0x00000000012C0000-0x0000000001670000-memory.dmp

Filesize
3.7MB

Download
memory/2376-99-0x00000000012C0000-0x0000000001670000-memory.dmp

Filesize
3.7MB

Download
memory/2376-45-0x00000000057D0000-0x0000000005810000-memory.dmp

Filesize
256KB

Download
memory/2376-44-0x00000000012C0000-0x0000000001670000-memory.dmp

Filesize
3.7MB

Download
memory/2460-37-0x00000000038E0000-0x0000000003C90000-memory.dmp

Filesize
3.7MB

Download
memory/2460-38-0x00000000038E0000-0x0000000003C90000-memory.dmp

Filesize
3.7MB

Download