44caliber | 98d5142945eee6b8913defa708a7a4d128c179d1dd5924b154a47cd90ed89244

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de069850c1f3a9781055a89106a171eb.exe
Size

841KB
MD5

de069850c1f3a9781055a89106a171eb
SHA1

e5ca37468e8000e2f2608459c35ebba2af038a03
SHA256

98d5142945eee6b8913defa708a7a4d128c179d1dd5924b154a47cd90ed89244
SHA512

07493910df95551c800250e54c570dc3d105688be9d8c8f40a61192e74da6e46ba3fad4163f6fee15e0c48c566a9a619b9d6ae2da36716baf08e62a630953bc7
SSDEEP

12288:ofaU66HJrHH2+p5r8mUrdM8COTpbR1eamQpHonbvlF9omcNLcklRI2wQuES3ov5b:qAYllr8lTXpHgPNJBq

Score

10^/10

44caliber spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 freegeoip.app
7 freegeoip.app

flow	ioc
3	freegeoip.app
7	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

de069850c1f3a9781055a89106a171eb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	de069850c1f3a9781055a89106a171eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	de069850c1f3a9781055a89106a171eb.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

de069850c1f3a9781055a89106a171eb.exe

pid	process
3288	de069850c1f3a9781055a89106a171eb.exe
3288	de069850c1f3a9781055a89106a171eb.exe
3288	de069850c1f3a9781055a89106a171eb.exe
3288	de069850c1f3a9781055a89106a171eb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

de069850c1f3a9781055a89106a171eb.exe

description pid process

Token: SeDebugPrivilege 3288 de069850c1f3a9781055a89106a171eb.exe

description	pid	process
Token: SeDebugPrivilege	3288	de069850c1f3a9781055a89106a171eb.exe

C:\Users\Admin\AppData\Local\Temp\de069850c1f3a9781055a89106a171eb.exe
"C:\Users\Admin\AppData\Local\Temp\de069850c1f3a9781055a89106a171eb.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3288

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
f11e0268857086998f962fbaa9b24d84

SHA1
516d40cd6cd577e247bb025f5289be7dd59740f5

SHA256
44b901f2027c2e78c9b23c1a631d97c87ce013db9ea27207aaba7d2c25d9ac54

SHA512
d43b0b164890ac9ff0e1b16409a8a896ef7561958defe9037f3f9fcf8c5b45b8c7b12f0d93c5f2d600e1443d4b9349aa40dd808122a2c72e4bd48317dd06c12c

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
187B

MD5
0cfc0f71ad946c2236a414e0adba7a38

SHA1
f9ef745ab88c7d7e7c552eb656940f90072e246b

SHA256
a1833b49b1cbbb673eb71acb924f71458e0d85b4da2f0ba1aa280f3263ea7994

SHA512
bdfb53fe14b9fea49cde9802cde997b3aa016c38cc68744043b4ea292fa01efcc57ecb3afd97fd80df47f9f35ec679c67ee665d0e3befcebaeaecdfbc487cc97

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
738B

MD5
73fedd0e684e9455863bd55495a57927

SHA1
a1ee2758e451c473a5e2bdfbf30c0d67fdcc0d80

SHA256
324e105f0553f051a82babff89077a431adc629f36c319fd882988056e661d3e

SHA512
8d6237bc1fe20f7318f080af9c767c9a0974e81d750f716ae27ed39c54d0ab2433d868d656df0a607b20354038c2a4755ecd62e5b5bdaf2fb2aed9b384447d0a

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
32124443a0330546e211cc2399c2cb59

SHA1
59b6a4d7a00a3524a506bc2d4d46abd1f86cdce3

SHA256
04d3e42b643bf81416d6c449af108eb3f2078206315a5625427bcf345b9d8378

SHA512
a74148e557be0ae48fb8278237d5aff2f956d6cc1d969455bd11fe27866b8857bb0876e44a293627b04bb925abeeb92852bf19a2b8db25bea9ca12f6b5a8efc8

Download Submit
memory/3288-0-0x00000000009E0000-0x0000000000ABA000-memory.dmp

Filesize
872KB

Download
memory/3288-1-0x0000000001360000-0x0000000001366000-memory.dmp

Filesize
24KB

Download
memory/3288-2-0x00007FF8421D0000-0x00007FF842C91000-memory.dmp

Filesize
10.8MB

Download
memory/3288-3-0x000000001B770000-0x000000001B780000-memory.dmp

Filesize
64KB

Download
memory/3288-127-0x00007FF8421D0000-0x00007FF842C91000-memory.dmp

Filesize
10.8MB

Download