44caliber | ad163810f30beced498a9a1a318feace07c079aba853f34684d2e1c9a796ab04

Analysis

max time kernel
135s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
13-04-2024 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad163810f30beced498a9a1a318feace07c079aba853f34684d2e1c9a796ab04.exe
Size

281KB
MD5

c2a957c32ba544e18bdce5c89b31e4ec
SHA1

4ffea92024bfa254b6cde85f9b3bc203d1c268fb
SHA256

ad163810f30beced498a9a1a318feace07c079aba853f34684d2e1c9a796ab04
SHA512

97b080498fca48a287f15cbae0a12042f865f839af67d29c51459ef685eb25f49ce089424be1886ab7c7e5f5cf922770e80f2874f12c9aaeff63b749ec612827
SSDEEP

3072:idHdrST3duBTeYNq83VpxQinpsXfuAfAQcUC+bqAHd84sHjhIrdlfGm23hI/KQ7L:cs3duBaYNqhWQGWqAHS4sHjKZxE

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1227237091100856442/BrQxsxv7iOW1INure2NRj8h9j_kNz4zTZWTlu2pl8X31A4tO36IWEoyPoqQ6KOZ7S1qy

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1196-0-0x000002C67D6D0000-0x000002C67D71C000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables Discord URL observed in first stage droppers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1196-0-0x000002C67D6D0000-0x000002C67D71C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables referencing Discord tokens regular expressions 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1196-0-0x000002C67D6D0000-0x000002C67D71C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex

Detects executables referencing credit card regular expressions 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1196-0-0x000002C67D6D0000-0x000002C67D71C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_CC_Regex

Detects executables referencing many VPN software clients. Observed in infosteslers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1196-0-0x000002C67D6D0000-0x000002C67D71C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_VPN

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1196-0-0x000002C67D6D0000-0x000002C67D71C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 freegeoip.app
4 freegeoip.app

flow	ioc
1	freegeoip.app
4	freegeoip.app

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ad163810f30beced498a9a1a318feace07c079aba853f34684d2e1c9a796ab04.exe

pid	process
1196	ad163810f30beced498a9a1a318feace07c079aba853f34684d2e1c9a796ab04.exe
1196	ad163810f30beced498a9a1a318feace07c079aba853f34684d2e1c9a796ab04.exe
1196	ad163810f30beced498a9a1a318feace07c079aba853f34684d2e1c9a796ab04.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ad163810f30beced498a9a1a318feace07c079aba853f34684d2e1c9a796ab04.exe

description pid process

Token: SeDebugPrivilege 1196 ad163810f30beced498a9a1a318feace07c079aba853f34684d2e1c9a796ab04.exe

description	pid	process
Token: SeDebugPrivilege	1196	ad163810f30beced498a9a1a318feace07c079aba853f34684d2e1c9a796ab04.exe

C:\Users\Admin\AppData\Local\Temp\ad163810f30beced498a9a1a318feace07c079aba853f34684d2e1c9a796ab04.exe
"C:\Users\Admin\AppData\Local\Temp\ad163810f30beced498a9a1a318feace07c079aba853f34684d2e1c9a796ab04.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-0-0x000002C67D6D0000-0x000002C67D71C000-memory.dmp

Filesize
304KB

Download
memory/1196-10-0x00007FF8428E0000-0x00007FF8433A1000-memory.dmp

Filesize
10.8MB

Download
memory/1196-28-0x000002C67FDE0000-0x000002C67FDF0000-memory.dmp

Filesize
64KB

Download
memory/1196-32-0x00007FF8428E0000-0x00007FF8433A1000-memory.dmp

Filesize
10.8MB

Download