44caliber | 98d5142945eee6b8913defa708a7a4d128c179d1dd5924b154a47cd90ed89244

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
25-03-2024 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de069850c1f3a9781055a89106a171eb.exe
Size

841KB
MD5

de069850c1f3a9781055a89106a171eb
SHA1

e5ca37468e8000e2f2608459c35ebba2af038a03
SHA256

98d5142945eee6b8913defa708a7a4d128c179d1dd5924b154a47cd90ed89244
SHA512

07493910df95551c800250e54c570dc3d105688be9d8c8f40a61192e74da6e46ba3fad4163f6fee15e0c48c566a9a619b9d6ae2da36716baf08e62a630953bc7
SSDEEP

12288:ofaU66HJrHH2+p5r8mUrdM8COTpbR1eamQpHonbvlF9omcNLcklRI2wQuES3ov5b:qAYllr8lTXpHgPNJBq

Score

10^/10

44caliber spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	freegeoip.app
2	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	de069850c1f3a9781055a89106a171eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	de069850c1f3a9781055a89106a171eb.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2884	de069850c1f3a9781055a89106a171eb.exe
2884	de069850c1f3a9781055a89106a171eb.exe
2884	de069850c1f3a9781055a89106a171eb.exe
2884	de069850c1f3a9781055a89106a171eb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	de069850c1f3a9781055a89106a171eb.exe

C:\Users\Admin\AppData\Local\Temp\de069850c1f3a9781055a89106a171eb.exe
"C:\Users\Admin\AppData\Local\Temp\de069850c1f3a9781055a89106a171eb.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
188B

MD5
a33c71892417d78f54585ce9753b2e06

SHA1
d19b2fc77343499817461a36388124f8fa66f59d

SHA256
39310134685aadf725857c226e3b2b4067e2a6b2b1350ac0dad739fe48d2425a

SHA512
790805a1e1e91428b9e922d3a4335a12fb369b7787b6aa3e5aaae84d125d0f10007f75a666c95a3e5fbd11c3b12f7bb1bb0d857c56063b4c1a42039fe0141be0

Download Submit
C:\ProgramData\44\Process.txt

Filesize
397B

MD5
9fb8385cd8c836c02c5b32f7ac2b52d4

SHA1
c175e9dca57aacdf622a77d1dc7ef620b1d6162e

SHA256
fb290bd92d0c62396dbf9ab1f7fb83ec1ba373a26a9c7b5fcdc3a2cdb7f40c09

SHA512
fde6681b5ab337f84fbc93791670c6e938d6c506fd02921909fd0a6368f1cc15f6a5bc849954dc2b008978bb4c6e9398a997c4c4889a72ec5169f2307a99c29f

Download Submit
memory/2884-0-0x0000000001210000-0x00000000012EA000-memory.dmp

Filesize
872KB

Download
memory/2884-1-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2884-2-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2884-3-0x000000001B0A0000-0x000000001B120000-memory.dmp

Filesize
512KB

Download
memory/2884-49-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download