44caliber | 51cfc971849b6d809df4f567616db7f420874a754752490b981134f1d40ff47c

Analysis

max time kernel
144s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df1c3a1b70fc8f37ea642c4df3a2f66b.exe
Size

448KB
MD5

df1c3a1b70fc8f37ea642c4df3a2f66b
SHA1

87b9d4bacc776489efb68f762913b76ef86908bf
SHA256

51cfc971849b6d809df4f567616db7f420874a754752490b981134f1d40ff47c
SHA512

a5a3e83d48f6eb0bd1ccbd4f48567c04d66ec1ba11b4afaf55df5f120b186ad3c764dd78b9835f8b2fb37b0d76d3f77ec08657f355c6734960359017e00fb512
SSDEEP

6144:+efG+g1L+8z7eoRDemTD+uf9+GV6eauyGFyInlXYWbgqtS4zbvhdaDz/A7Ah5lL2:+3S8xTiG04nTbcAcDq

Score

10^/10

44caliber agilenet spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/4440-0-0x00000000009F0000-0x0000000000A66000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	freegeoip.app
14	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	df1c3a1b70fc8f37ea642c4df3a2f66b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	df1c3a1b70fc8f37ea642c4df3a2f66b.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4440	df1c3a1b70fc8f37ea642c4df3a2f66b.exe
4440	df1c3a1b70fc8f37ea642c4df3a2f66b.exe
4440	df1c3a1b70fc8f37ea642c4df3a2f66b.exe
4440	df1c3a1b70fc8f37ea642c4df3a2f66b.exe
4440	df1c3a1b70fc8f37ea642c4df3a2f66b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4440	df1c3a1b70fc8f37ea642c4df3a2f66b.exe

C:\Users\Admin\AppData\Local\Temp\df1c3a1b70fc8f37ea642c4df3a2f66b.exe
"C:\Users\Admin\AppData\Local\Temp\df1c3a1b70fc8f37ea642c4df3a2f66b.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
716B

MD5
c0d0a9f5afc088956bb550f764f676a7

SHA1
70ad04b0c9e549dcc7ede1d1431be3d89e1bf986

SHA256
2fd1f0652da5617fb51966672f6ce1efcf69eb92d20310fe01e8124c64e59462

SHA512
07378311dd91819e4f83857c5972e290bec0a73f14afefe597b6948b64b38bb6e1aabd710ec69f2611a6f040ceb5d548446b04b3c1af2f655ba77b7b59d454d4

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
3e0ea6d2feab625e7415c9df81d63d9d

SHA1
be92a682d2cd7b2e58dcb946e78374497eeb17e1

SHA256
9cdace75f4847d231653543e552b039cb517a9537e5af0f4bcad1e8a40d8ecd6

SHA512
268ad3030511383f7e0b5db229c3e72a70f460fdc0bf2843f42cafbc84a547fe57588e4e2d8ddbbeaf53f51fb3ffbc7bb6dd910133344064ef173f53d9f58432

Download Submit
memory/4440-0-0x00000000009F0000-0x0000000000A66000-memory.dmp

Filesize
472KB

Download
memory/4440-1-0x00007FFE933F0000-0x00007FFE93EB1000-memory.dmp

Filesize
10.8MB

Download
memory/4440-2-0x000000001B780000-0x000000001B790000-memory.dmp

Filesize
64KB

Download
memory/4440-127-0x000000001C520000-0x000000001C6C9000-memory.dmp

Filesize
1.7MB

Download
memory/4440-130-0x000000001C520000-0x000000001C6C9000-memory.dmp

Filesize
1.7MB

Download
memory/4440-131-0x00007FFE933F0000-0x00007FFE93EB1000-memory.dmp

Filesize
10.8MB

Download