44caliber | 81e5007b1563752afaded075c7d864a85da680f1a07f4f38cdb0326a31658401

General

Target

d008b5ac1b929144d485b6042baebe2b.exe
Size

14.7MB
MD5

d008b5ac1b929144d485b6042baebe2b
SHA1

d3f1da5864d24d0f1c86e24ab56322df55206100
SHA256

81e5007b1563752afaded075c7d864a85da680f1a07f4f38cdb0326a31658401
SHA512

6e1c2d1edd951856b4fedd2b8e2226124e80c4fee101597ec82f71197e24c1cef86034add6336d0f3d3a0cd95edeb4409a33e832a8dec3f29e790678328b5146
SSDEEP

393216:Xa664wtF3JuBnaO6Fje2fXVI/Hy3AYtDDD:v6j3U541e8VqS3AKDD

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/869968115126128690/9HuocC8P0OFpxwEHR7UGW0ZtseqV8b95oQ9ExN0rHkwTjipAQLrkOqPzDiDXxXky3kUL

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	d008b5ac1b929144d485b6042baebe2b.exe

Executes dropped EXE 3 IoCs

pid	Process
2504	Custom voopoo.exe
3608	voopoo.exe
4760	voopoo.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	freegeoip.app
15	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Custom voopoo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Custom voopoo.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2504	Custom voopoo.exe
2504	Custom voopoo.exe
2504	Custom voopoo.exe
2504	Custom voopoo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	Custom voopoo.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 2504	3904	d008b5ac1b929144d485b6042baebe2b.exe	91
PID 3904 wrote to memory of 2504	3904	d008b5ac1b929144d485b6042baebe2b.exe	91
PID 3904 wrote to memory of 3608	3904	d008b5ac1b929144d485b6042baebe2b.exe	99
PID 3904 wrote to memory of 3608	3904	d008b5ac1b929144d485b6042baebe2b.exe	99
PID 3904 wrote to memory of 3608	3904	d008b5ac1b929144d485b6042baebe2b.exe	99
PID 3608 wrote to memory of 4760	3608	voopoo.exe	101
PID 3608 wrote to memory of 4760	3608	voopoo.exe	101
PID 3608 wrote to memory of 4760	3608	voopoo.exe	101

C:\Users\Admin\AppData\Local\Temp\d008b5ac1b929144d485b6042baebe2b.exe
"C:\Users\Admin\AppData\Local\Temp\d008b5ac1b929144d485b6042baebe2b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Custom voopoo.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Custom voopoo.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\voopoo.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\voopoo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Users\Admin\AppData\Local\Temp\is-Q3N8B.tmp\voopoo.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-Q3N8B.tmp\voopoo.tmp" /SL5="$80220,14825652,721408,C:\Users\Admin\AppData\Local\Temp\RarSFX0\voopoo.exe"
    3⤵
    - Executes dropped EXE
    PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Custom voopoo.exe

Filesize
275KB

MD5
ebc6d55a45996861c5a84937d2a990da

SHA1
db9e42e191c95168d03274cc4d0ab18e35d3f314

SHA256
42f1065841dc77643d3a3c33fb40de4c2931e3a4d15d9802fff0a194c821ea2b

SHA512
927560123afb2d46c4a57065402182bf5522bc3be9d4d9593ec79d72eb4fdd12edc85dbe77d24e2801550bf1c09ac950521b52a62c384de2aad2304edf8db477

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\voopoo.exe

Filesize
2.4MB

MD5
9020f4eafebf1ec71d295267333cadc0

SHA1
b1a568eed9ea46fa4867defafba61525d4c59e14

SHA256
1c8367045643fd3966b4234f4e20b904bcd1655e5420f4ef1c7eaf09c92bbbea

SHA512
08f982a5ff042c3d72a83d7d18325ac34396a67e33e3fad00e6513172b4b4a0aabba4cc629cba6c067dafcc1c3cfe773ed651c97ae945598d3a502f486cc3887

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\voopoo.exe

Filesize
1.1MB

MD5
b46166f2fbb8efdfa65347e99c01d146

SHA1
ff63b4b820d910288a59a3f4187b14bf8fa28cc6

SHA256
d105dd60fbe9c0e9d815cc1953e63860ef049f130644bc806e247c818958b01a

SHA512
5c63dc28483dc7dbf1d8e1ab1ae924ef59d43131c993b055271f1f34692996ddc01d185d89a47346b6b0e02a9ed3c0dbe4dba6a1c544ba8ba7eac8ed1de232c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\voopoo.exe

Filesize
466KB

MD5
ef800c62bd580e9e39c59daa29ad1cc7

SHA1
17e2c12b91e9a979982a0fd0710ecc7100522184

SHA256
d814b06436672663e7001ac03b877f9bf7654bd31ff46e4713fdf3ab05a373aa

SHA512
0faa4e4d49b5e9cc2599ec2c02f3328751d8f4334d9b2665fc1caceaae92b033399d64dcd43c384d40e1ae3895ef939e0b1f5006d82e43f9ddc1c3b903f33651

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q3N8B.tmp\voopoo.tmp

Filesize
15KB

MD5
40cec54faf6296359bee573c212a2ac6

SHA1
ad6208c492058f6ba150051779f526f3a840aac4

SHA256
91d290629ea3bf1717a105056c58cbf5776775274e2552115389cdb08ecb2412

SHA512
d6f7899d0fa5b61e811227bedea7077b5dc2b34c9aa4f88b7a4d0fd97467082e3b7bd18347e1e9588d30ed9be361e97a0e4970669dc4b274d4ce377ef9c244a5

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1022B

MD5
813798618c1e73a93299a0e17346f9f6

SHA1
edd894faafc86d106bc569c2643edefd993d5c1a

SHA256
8a99f64fba052d4fdac759678089425ae2f025bc2bf916e7088b224b4175d316

SHA512
acb50ff9a20ca2dd532fb202f1e4f8ba0c5ad9b33938275ac2d82dd90f70a9fe5ff577dfc28701333603b816355853f0c99c19b59e3daa1f28ff095b4fd1fe9f

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
8626a1acc0985d52618bbc9c103576d6

SHA1
a3abfbd18b35315cdbf4fc98899209c16f5fadcf

SHA256
c724c8a96b5e00f51fb3ae7d7104d7b7f3949af7e4e039c21671b1cd87ab9044

SHA512
57a8f707db3f56bfa0f22ba8a365a76a214b349f1bc286a6e069e713044e042f4d2602b9e3cf4f39de76cacf21f947ba971ec02418e89b33937224d95190ad1c

Download Submit
memory/2504-142-0x00007FFCCEDD0000-0x00007FFCCF891000-memory.dmp

Filesize
10.8MB

Download
memory/2504-46-0x000000001ACA0000-0x000000001ACB0000-memory.dmp

Filesize
64KB

Download
memory/2504-27-0x00007FFCCEDD0000-0x00007FFCCF891000-memory.dmp

Filesize
10.8MB

Download
memory/2504-14-0x00000000000E0000-0x000000000012C000-memory.dmp

Filesize
304KB

Download
memory/3608-152-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3608-155-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3608-161-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4760-159-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/4760-162-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/4760-165-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads