44caliber | 6310eba3d8e127a4d8616818f9d192dca4bf62ad0a8758928f6df9c86adc9f75

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2024 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccc448a7aef3086598e21c2d8ddccc3e.exe
Size

3.1MB
MD5

ccc448a7aef3086598e21c2d8ddccc3e
SHA1

58a348eb1e6ef37d4839d5d94d1bd6aaba94d901
SHA256

6310eba3d8e127a4d8616818f9d192dca4bf62ad0a8758928f6df9c86adc9f75
SHA512

7a4dae4fd52847a3a79f606bd350e994545a927508c18284d15eca17d5774efd5425b60149354517f7aca50e14f71a36ab3a7f45828bca9fd0dcaa2d2bb82b82
SSDEEP

49152:+VSg4AV+KV5JkngmTzfEOcL5O9qw0ghgxZWxqcENUVv+zyeCtt6rGyb60T:+wGV+ykg+DEfVwX0m9bENYv+vaEb

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discordapp.com/api/webhooks/859014405580783637/J-rOLcLQORAp4rSIpre0H46Lhmzd8QK1hgRFNA4mqYSEz6dtJRq9HsK-id725NgqZTvK

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ccc448a7aef3086598e21c2d8ddccc3e.exe5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	ccc448a7aef3086598e21c2d8ddccc3e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	5.exe

Executes dropped EXE 2 IoCs

Processes:

5.exe1.exe

pid process

756 5.exe
3044 1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 freegeoip.app
10 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

1.exe

pid process

3044 1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
756	5.exe
3044	1.exe

flow	ioc
11	freegeoip.app
10	freegeoip.app

pid	process
3044	1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1.exe

Modifies registry class 1 IoCs

Processes:

5.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings 5.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

2704 vlc.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

1.exe

pid process

3044 1.exe
3044 1.exe
3044 1.exe
3044 1.exe
3044 1.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

2704 vlc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	5.exe

pid	process
3044	1.exe
3044	1.exe
3044	1.exe
3044	1.exe
3044	1.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

1.exeAUDIODG.EXEvlc.exe

description	pid	process
Token: SeDebugPrivilege	3044	1.exe
Token: 33	2764	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2764	AUDIODG.EXE
Token: 33	2704	vlc.exe
Token: SeIncBasePriorityPrivilege	2704	vlc.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

vlc.exe

pid	process
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

vlc.exe

pid process

2704 vlc.exe
2704 vlc.exe
2704 vlc.exe
2704 vlc.exe
2704 vlc.exe
2704 vlc.exe
2704 vlc.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

1.exevlc.exe

pid process

3044 1.exe
2704 vlc.exe
2704 vlc.exe
2704 vlc.exe
2704 vlc.exe

pid	process
3044	1.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe
2704	vlc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

ccc448a7aef3086598e21c2d8ddccc3e.execmd.exe5.exe

description	pid	process	target process
PID 3720 wrote to memory of 3108	3720	ccc448a7aef3086598e21c2d8ddccc3e.exe	cmd.exe
PID 3720 wrote to memory of 3108	3720	ccc448a7aef3086598e21c2d8ddccc3e.exe	cmd.exe
PID 3720 wrote to memory of 3108	3720	ccc448a7aef3086598e21c2d8ddccc3e.exe	cmd.exe
PID 3108 wrote to memory of 756	3108	cmd.exe	5.exe
PID 3108 wrote to memory of 756	3108	cmd.exe	5.exe
PID 3108 wrote to memory of 756	3108	cmd.exe	5.exe
PID 756 wrote to memory of 3044	756	5.exe	1.exe
PID 756 wrote to memory of 3044	756	5.exe	1.exe
PID 756 wrote to memory of 3044	756	5.exe	1.exe
PID 756 wrote to memory of 2704	756	5.exe	vlc.exe
PID 756 wrote to memory of 2704	756	5.exe	vlc.exe

C:\Users\Admin\AppData\Local\Temp\ccc448a7aef3086598e21c2d8ddccc3e.exe
"C:\Users\Admin\AppData\Local\Temp\ccc448a7aef3086598e21c2d8ddccc3e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3108

C:\Users\Admin\AppData\Local\Temp\RarSFX0\5.exe
5.exe -p24562336354
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\RarSFX1\1.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\1.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3044

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\RarSFX1\2.mp4"
4⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2704

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
Filesize
36B

MD5
3b8782bab1f45c13d00f6b3734dd3c91

SHA1
08c83cb4276b52d961958151b18086d74b6599e3

SHA256
b7ba3eb8375f438ab9a98983a384de240f71b82b5a2d9b3de7b667351f63d1a1

SHA512
20b4d1548d2c06fe57aacdd350ed58729d9efcb473ca56a386e3119bfffcd3e72b7387e241660b7a521ece361b38e9a776fd67dd2a901c20b945a2087c723c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\5.exe
Filesize
2.9MB

MD5
6145bd342eca2850d18ac098e2bb2f8b

SHA1
d7f1ed83deee28c2098c35c99f0faa2092c4cb90

SHA256
cb9448921585d32002e5d7853f9762c90159e6d48be4294f1a74361b9d15108d

SHA512
87de7974ff83da1a71f55185a27253878e306e4fcf1f399a6db38782dc1cbe60fbb87b67c81e8b5476649735436ac4803196364312b403348be3776e11cb0f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\1.exe
Filesize
1.2MB

MD5
dda9fdfc7cce385b13c96a10d8634417

SHA1
45ac86dfe9f66937d06229840ae40543bb917a47

SHA256
876e5e9bbaf937b3dbcdaf019eee4e2b492ed2cfa47c3e264467ac9c97c052f1

SHA512
3a1fb982a79fe34cf0fedc2600ebe7f796fd0606596e45ebf80d14e2890b06f306969acb69a4374e5ac883e92d58953fe16828d8a00ddfa756eb518b42eece20

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\2.mp4
Filesize
1.5MB

MD5
202b1a7c8c361d0b1b752a8399590f39

SHA1
6a4b3254211077173c0d93bc29456547b3b17a1a

SHA256
72680c74112674d1d0a5b0bff468deaa2ea9c587ccf733515ca55dcd2c4dca6a

SHA512
1433e3a253ceb193e39c1ef66bb7fa9e54e60cde2604aff44de87011e2c0f7c70affeda66766fe0f43e0d211945d31a1ddfc56267f9f512a0c4d8db405d4a355

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt
Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
6bb9e28c11a77c46b64d0a03a41fd1e2

SHA1
9621ede6ab71de3fbf2237dff9a3144f7686231c

SHA256
7e58a705ffc67bd1193a86133e5ffefc5c5de95478556134cf847683af18b96c

SHA512
68b66b5300a249beaef176ffca06b19cf8f74aeb9b116570eb35768fefc742540bbaec36daf5130913d54d37a03c5732ef17a8272fc5e63b94c39d7dc2119cb9

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
a7efd5f87e63ff7286db4de65eb5adde

SHA1
e040f3df9a63f28facba16412ab10c7e0ff0a224

SHA256
179fd429ce027632f2cf8c94830917b01e001a27e401892f50c56262f45de847

SHA512
69fa767af39afe5a6e24fccf0e3884ce63e50ce9e693e12ece6d1749ea4c89dab949ff415e7e4c45b96aeb694123d5dddc7914989484b1d90aae1a49aa0d0913

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
8500705f5f59c2b460976bc9832f3a8b

SHA1
2ae14917637844487a9f4aab95e869a14783b6f3

SHA256
6ee6e22db7d8289ccc594a490ce6ebe0c7ad3dd12196c7a91f54f169f48ce10a

SHA512
2bd3e133b910ee22192264d7ae62bafc9e7e9481c877611bd834e641c5aa945626b1f22d285c35304eea4dbbe4f2bd03b28c299c2f7f05b964529e5becf442de

Download Submit
memory/2704-197-0x00007FFA269A0000-0x00007FFA269B1000-memory.dmp

Filesize
68KB

Download
memory/2704-221-0x000001E473B50000-0x000001E473BBD000-memory.dmp

Filesize
436KB

Download
memory/2704-216-0x00007FFA21820000-0x00007FFA21831000-memory.dmp

Filesize
68KB

Download
memory/2704-219-0x00007FFA216B0000-0x00007FFA21725000-memory.dmp

Filesize
468KB

Download
memory/2704-211-0x00007FFA23270000-0x00007FFA232C7000-memory.dmp

Filesize
348KB

Download
memory/2704-222-0x00007FFA215B0000-0x00007FFA215C3000-memory.dmp

Filesize
76KB

Download
memory/2704-223-0x00007FFA21590000-0x00007FFA215A4000-memory.dmp

Filesize
80KB

Download
memory/2704-228-0x00007FFA20D90000-0x00007FFA20DB3000-memory.dmp

Filesize
140KB

Download
memory/2704-230-0x00007FFA20C70000-0x00007FFA20D64000-memory.dmp

Filesize
976KB

Download
memory/2704-178-0x00007FF68B530000-0x00007FF68B628000-memory.dmp

Filesize
992KB

Download
memory/2704-179-0x00007FFA32D50000-0x00007FFA32D84000-memory.dmp

Filesize
208KB

Download
memory/2704-180-0x00007FFA26CA0000-0x00007FFA26F54000-memory.dmp

Filesize
2.7MB

Download
memory/2704-182-0x00007FFA31800000-0x00007FFA31817000-memory.dmp

Filesize
92KB

Download
memory/2704-183-0x00007FFA317C0000-0x00007FFA317D1000-memory.dmp

Filesize
68KB

Download
memory/2704-184-0x00007FFA30C00000-0x00007FFA30C17000-memory.dmp

Filesize
92KB

Download
memory/2704-181-0x00007FFA31820000-0x00007FFA31838000-memory.dmp

Filesize
96KB

Download
memory/2704-187-0x00007FFA2C640000-0x00007FFA2C651000-memory.dmp

Filesize
68KB

Download
memory/2704-186-0x00007FFA2C660000-0x00007FFA2C67D000-memory.dmp

Filesize
116KB

Download
memory/2704-185-0x00007FFA2CCD0000-0x00007FFA2CCE1000-memory.dmp

Filesize
68KB

Download
memory/2704-188-0x00007FFA26AA0000-0x00007FFA26CA0000-memory.dmp

Filesize
2.0MB

Download
memory/2704-189-0x00007FFA26A60000-0x00007FFA26A9F000-memory.dmp

Filesize
252KB

Download
memory/2704-190-0x00007FFA244E0000-0x00007FFA2558B000-memory.dmp

Filesize
16.7MB

Download
memory/2704-192-0x00007FFA26A40000-0x00007FFA26A58000-memory.dmp

Filesize
96KB

Download
memory/2704-199-0x00007FFA262C0000-0x00007FFA262F0000-memory.dmp

Filesize
192KB

Download
memory/2704-198-0x00007FFA26570000-0x00007FFA26588000-memory.dmp

Filesize
96KB

Download
memory/2704-200-0x00007FFA24470000-0x00007FFA244D7000-memory.dmp

Filesize
412KB

Download
memory/2704-201-0x00007FFA24400000-0x00007FFA2446F000-memory.dmp

Filesize
444KB

Download
memory/2704-203-0x00007FFA243A0000-0x00007FFA243F6000-memory.dmp

Filesize
344KB

Download
memory/2704-202-0x00007FFA262A0000-0x00007FFA262B1000-memory.dmp

Filesize
68KB

Download
memory/2704-204-0x00007FFA24220000-0x00007FFA24398000-memory.dmp

Filesize
1.5MB

Download
memory/2704-205-0x00007FFA24200000-0x00007FFA24217000-memory.dmp

Filesize
92KB

Download
memory/2704-206-0x00007FFA23500000-0x00007FFA23670000-memory.dmp

Filesize
1.4MB

Download
memory/2704-231-0x00007FFA20C40000-0x00007FFA20C6A000-memory.dmp

Filesize
168KB

Download
memory/2704-207-0x00007FFA234E0000-0x00007FFA234F2000-memory.dmp

Filesize
72KB

Download
memory/2704-209-0x00007FFA23440000-0x00007FFA2348C000-memory.dmp

Filesize
304KB

Download
memory/2704-208-0x00007FFA23490000-0x00007FFA234D2000-memory.dmp

Filesize
264KB

Download
memory/2704-210-0x00007FFA232D0000-0x00007FFA2343B000-memory.dmp

Filesize
1.4MB

Download
memory/2704-233-0x00007FFA20B90000-0x00007FFA20BAB000-memory.dmp

Filesize
108KB

Download
memory/2704-229-0x00007FFA20D70000-0x00007FFA20D83000-memory.dmp

Filesize
76KB

Download
memory/2704-195-0x00007FFA269E0000-0x00007FFA269F1000-memory.dmp

Filesize
68KB

Download
memory/2704-212-0x00007FFA23020000-0x00007FFA2326B000-memory.dmp

Filesize
2.3MB

Download
memory/2704-194-0x00007FFA26A00000-0x00007FFA26A11000-memory.dmp

Filesize
68KB

Download
memory/2704-193-0x00007FFA26A20000-0x00007FFA26A31000-memory.dmp

Filesize
68KB

Download
memory/2704-191-0x00007FFA2C610000-0x00007FFA2C631000-memory.dmp

Filesize
132KB

Download
memory/2704-213-0x00007FFA21870000-0x00007FFA23020000-memory.dmp

Filesize
23.7MB

Download
memory/2704-214-0x00007FFA3F240000-0x00007FFA3F250000-memory.dmp

Filesize
64KB

Download
memory/2704-215-0x00007FFA21840000-0x00007FFA2186F000-memory.dmp

Filesize
188KB

Download
memory/2704-217-0x00007FFA21800000-0x00007FFA21816000-memory.dmp

Filesize
88KB

Download
memory/2704-218-0x00007FFA21730000-0x00007FFA217F5000-memory.dmp

Filesize
788KB

Download
memory/2704-220-0x000001E473AE0000-0x000001E473B42000-memory.dmp

Filesize
392KB

Download
memory/2704-224-0x00007FFA21540000-0x00007FFA21590000-memory.dmp

Filesize
320KB

Download
memory/2704-226-0x00007FFA21300000-0x00007FFA2151D000-memory.dmp

Filesize
2.1MB

Download
memory/2704-225-0x00007FFA21520000-0x00007FFA21535000-memory.dmp

Filesize
84KB

Download
memory/2704-227-0x00007FFA20DC0000-0x00007FFA20DD5000-memory.dmp

Filesize
84KB

Download
memory/2704-196-0x00007FFA269C0000-0x00007FFA269DB000-memory.dmp

Filesize
108KB

Download
memory/2704-232-0x00007FFA20BB0000-0x00007FFA20BC3000-memory.dmp

Filesize
76KB

Download
memory/2704-241-0x00007FFA20A90000-0x00007FFA20AA1000-memory.dmp

Filesize
68KB

Download
memory/2704-240-0x00007FFA20AB0000-0x00007FFA20AC5000-memory.dmp

Filesize
84KB

Download
memory/2704-239-0x00007FFA20AD0000-0x00007FFA20AE5000-memory.dmp

Filesize
84KB

Download
memory/2704-238-0x00007FFA20AF0000-0x00007FFA20B02000-memory.dmp

Filesize
72KB

Download
memory/2704-237-0x00007FFA20B10000-0x00007FFA20B24000-memory.dmp

Filesize
80KB

Download
memory/2704-236-0x00007FFA20B30000-0x00007FFA20B43000-memory.dmp

Filesize
76KB

Download
memory/2704-235-0x00007FFA20B50000-0x00007FFA20B65000-memory.dmp

Filesize
84KB

Download
memory/2704-234-0x00007FFA20B70000-0x00007FFA20B82000-memory.dmp

Filesize
72KB

Download
memory/3044-25-0x0000000000D90000-0x0000000001140000-memory.dmp

Filesize
3.7MB

Download
memory/3044-24-0x0000000000D90000-0x0000000001140000-memory.dmp

Filesize
3.7MB

Download
memory/3044-166-0x0000000000D90000-0x0000000001140000-memory.dmp

Filesize
3.7MB

Download
memory/3044-162-0x0000000007390000-0x00000000073F6000-memory.dmp

Filesize
408KB

Download
memory/3044-62-0x0000000007500000-0x0000000007AA4000-memory.dmp

Filesize
5.6MB

Download
memory/3044-29-0x0000000006AF0000-0x0000000006B82000-memory.dmp

Filesize
584KB

Download
memory/3044-28-0x0000000006100000-0x0000000006110000-memory.dmp

Filesize
64KB

Download
memory/3044-27-0x0000000000D90000-0x0000000001140000-memory.dmp

Filesize
3.7MB

Download
memory/3044-26-0x00000000725F0000-0x0000000072DA0000-memory.dmp

Filesize
7.7MB

Download
memory/3044-167-0x00000000725F0000-0x0000000072DA0000-memory.dmp

Filesize
7.7MB

Download