44caliber | 9df1a60a4b1b87e74e49523d5f16f4a13526e9b993839aec7c887a063453fdfa

General

Target

e16ee052369026471a2217cb65ee506b.exe
Size

6.0MB
MD5

e16ee052369026471a2217cb65ee506b
SHA1

60105513f4f77d0ecad47e0aed4c66ab3e35251b
SHA256

9df1a60a4b1b87e74e49523d5f16f4a13526e9b993839aec7c887a063453fdfa
SHA512

48bfd72ec18fa02eeb1834f09692032d0cf28ce4f36d8a14e34b81c1d825a5a7ced42709293a690c97a88266fb0249d2901f2313e9f200f46ce66b57bdf0ac36
SSDEEP

98304:kT1v0Sc5LEgwytj2KJHZpz+v2zU0XWbbr5vMjl2iQu9ntFEPZ8YGpnN6:018S6ZyKJz+ezUHQtBE

Score

10^/10

44caliber discovery spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/871356915303710720/aJQeq8OY3wwqIiXWkN97pUlIjJQhxawbR5zbwOuO96jrzWKG4INekUUjRxLOjy9VbIsi

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e16ee052369026471a2217cb65ee506b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	e16ee052369026471a2217cb65ee506b.exe

Executes dropped EXE 3 IoCs

Processes:

Fatality Loader.exeCFG.exeFatality.win.exe

pid process

4800 Fatality Loader.exe
4140 CFG.exe
2044 Fatality.win.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3620 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 freegeoip.app
7 freegeoip.app

pid	process
4800	Fatality Loader.exe
4140	CFG.exe
2044	Fatality.win.exe

pid	process
3620	icacls.exe

flow	ioc
8	freegeoip.app
7	freegeoip.app

Drops file in Program Files directory 12 IoCs

Processes:

javaw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Fatality Loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Fatality Loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Fatality Loader.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Fatality Loader.exe

pid process

4800 Fatality Loader.exe
4800 Fatality Loader.exe
4800 Fatality Loader.exe
4800 Fatality Loader.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Fatality Loader.exe

description pid process

Token: SeDebugPrivilege 4800 Fatality Loader.exe

pid	process
4800	Fatality Loader.exe
4800	Fatality Loader.exe
4800	Fatality Loader.exe
4800	Fatality Loader.exe

description	pid	process
Token: SeDebugPrivilege	4800	Fatality Loader.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e16ee052369026471a2217cb65ee506b.exeFatality.win.exejavaw.exe

description	pid	process	target process
PID 436 wrote to memory of 4800	436	e16ee052369026471a2217cb65ee506b.exe	Fatality Loader.exe
PID 436 wrote to memory of 4800	436	e16ee052369026471a2217cb65ee506b.exe	Fatality Loader.exe
PID 436 wrote to memory of 4140	436	e16ee052369026471a2217cb65ee506b.exe	CFG.exe
PID 436 wrote to memory of 4140	436	e16ee052369026471a2217cb65ee506b.exe	CFG.exe
PID 436 wrote to memory of 4140	436	e16ee052369026471a2217cb65ee506b.exe	CFG.exe
PID 436 wrote to memory of 2044	436	e16ee052369026471a2217cb65ee506b.exe	Fatality.win.exe
PID 436 wrote to memory of 2044	436	e16ee052369026471a2217cb65ee506b.exe	Fatality.win.exe
PID 436 wrote to memory of 2044	436	e16ee052369026471a2217cb65ee506b.exe	Fatality.win.exe
PID 2044 wrote to memory of 3340	2044	Fatality.win.exe	javaw.exe
PID 2044 wrote to memory of 3340	2044	Fatality.win.exe	javaw.exe
PID 3340 wrote to memory of 3620	3340	javaw.exe	icacls.exe
PID 3340 wrote to memory of 3620	3340	javaw.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\e16ee052369026471a2217cb65ee506b.exe
"C:\Users\Admin\AppData\Local\Temp\e16ee052369026471a2217cb65ee506b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Admin\AppData\Local\Temp\Fatality Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Fatality Loader.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Users\Admin\AppData\Local\Temp\CFG.exe
"C:\Users\Admin\AppData\Local\Temp\CFG.exe"
2⤵
- Executes dropped EXE
PID:4140

C:\Users\Admin\AppData\Local\Temp\Fatality.win.exe
"C:\Users\Admin\AppData\Local\Temp\Fatality.win.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\Fatality.win.exe" org.develnext.jphp.ext.javafx.FXLauncher
3⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
4⤵
- Modifies file permissions
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
b656cdb19dd132ee8a108c024c2302fe

SHA1
4ba2713165deaff9597898412bdb438e1a72b386

SHA256
50df7505ab9eb33d0c04b2404f1523c262694f8dcb68f3ef3672b1244e24a139

SHA512
8bfb354c7e2ee017ec500668455775acad16977bb7e85e5a1c0f6f7f5b2b69878430b41b168846977941d5e4dbd932450f0b9b1dac685433993bb80797605e81

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
29c6e65e2d9139a3bd35aa409c79b605

SHA1
e389087e7a1809886bc01a4a004625f6d4ef9591

SHA256
abdc004df6b0fcd77bab2266460cd956b79dbf6121a9f49d3f8e72a46750f36c

SHA512
05fa5a636235b71eb2fac237c1664419c1de6873e53bbf2436affc449ac5beb307b1591f1235e1643a1df1cd9bd221dbdd6360cc4242377ef39279f70d6e5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFG.exe

Filesize
296KB

MD5
6249238b5d6ce6217998b97d544a2d60

SHA1
2c68d31bd2084cc722a34ee64fa4a5b638d524f5

SHA256
8fc1c3bbcf19c0b4f789967fa495ca817c3b1d3918cc572cd2c9405c556404e9

SHA512
ac6c35472cb0234d64bd5eb8b025e169f617c2ce81cb2efc2f2ce8a6ac84ee2198f3c0ed126284abf387bf47d0ebaac2a96722a5122dd6ee69c1a46cc8a83ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fatality Loader.exe

Filesize
299KB

MD5
c62e8659a538d545f07e0c9f9d4e7473

SHA1
feaa24f501803d8f179732d4920561deb8b4c08f

SHA256
5895294f317b1cf6c4598d293501249917f8177adea6c0f4241517ee2596365e

SHA512
d0c46943279825cebf4de80d50b53fea409d2ecfae9922af97c93f199b62fdf572a278bdee04fe2a13cf7be8a2ac1fa92a081a8b614a0a89348d894600b1d5ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fatality.win.exe

Filesize
1.8MB

MD5
7c697001a9e19106d2ad4b08d9704af3

SHA1
ae205bdbc5651413cb10603b1bf5bbc78197346e

SHA256
d929f6792b663452d5df1135d9109875eb76d227a15970e108795b44e7704580

SHA512
30e940141502306d7a1cb692db67bd43d924b3350cfefbb16a5733b0da7dbf8ecacbbb222bb3f0939ade0567e93b74ba29b0641a060e7edf602c688c95bf1eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fatality.win.exe

Filesize
1.3MB

MD5
effbd85dd9816abd1e4105a9295d9d15

SHA1
75615804eed6f01c3cc0f02805efc22ce3a41a12

SHA256
248d4fd5076e408461807f8f03bde800ec19ac54b7a45aea07a2ce9813fce519

SHA512
710a0c1b0963c07d61607a10f0a16c28c49847b8ea5eac0f9a4d8e64c19483de8c35b72f057461b0c7e31c6deb2537f3c76dc2dc61d2b7c5d7afccce9e1b6173

Download Submit
memory/436-1-0x00007FFAA6D00000-0x00007FFAA77C1000-memory.dmp

Filesize
10.8MB

Download
memory/436-4-0x000000001BEE0000-0x000000001BEF0000-memory.dmp

Filesize
64KB

Download
memory/436-0-0x0000000000CF0000-0x00000000012F4000-memory.dmp

Filesize
6.0MB

Download
memory/436-69-0x00007FFAA6D00000-0x00007FFAA77C1000-memory.dmp

Filesize
10.8MB

Download
memory/2044-67-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3340-206-0x000001EE5F720000-0x000001EE60720000-memory.dmp

Filesize
16.0MB

Download
memory/3340-200-0x000001EE5F720000-0x000001EE60720000-memory.dmp

Filesize
16.0MB

Download
memory/3340-230-0x000001EE5DD10000-0x000001EE5DD11000-memory.dmp

Filesize
4KB

Download
memory/3340-220-0x000001EE5DD10000-0x000001EE5DD11000-memory.dmp

Filesize
4KB

Download
memory/3340-172-0x000001EE5DD10000-0x000001EE5DD11000-memory.dmp

Filesize
4KB

Download
memory/3340-176-0x000001EE5F720000-0x000001EE60720000-memory.dmp

Filesize
16.0MB

Download
memory/3340-185-0x000001EE5F720000-0x000001EE60720000-memory.dmp

Filesize
16.0MB

Download
memory/3340-193-0x000001EE5F720000-0x000001EE60720000-memory.dmp

Filesize
16.0MB

Download
memory/3340-216-0x000001EE5DD10000-0x000001EE5DD11000-memory.dmp

Filesize
4KB

Download
memory/3340-73-0x000001EE5F720000-0x000001EE60720000-memory.dmp

Filesize
16.0MB

Download
memory/3340-214-0x000001EE5DD10000-0x000001EE5DD11000-memory.dmp

Filesize
4KB

Download
memory/3340-209-0x000001EE5DD10000-0x000001EE5DD11000-memory.dmp

Filesize
4KB

Download
memory/3340-211-0x000001EE5DD10000-0x000001EE5DD11000-memory.dmp

Filesize
4KB

Download
memory/4800-17-0x0000000000130000-0x0000000000180000-memory.dmp

Filesize
320KB

Download
memory/4800-201-0x00007FFAA6D00000-0x00007FFAA77C1000-memory.dmp

Filesize
10.8MB

Download
memory/4800-24-0x00007FFAA6D00000-0x00007FFAA77C1000-memory.dmp

Filesize
10.8MB

Download
memory/4800-25-0x000000001ADE0000-0x000000001ADF0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads