44caliber | ff70fe25d30b5252ffc9e083187f1091c2d18e7b33f9c4bf8abd87906a252cc7

Analysis

max time kernel
14s
max time network
16s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave.exe
Size

274KB
MD5

09a0ec3acb93c6d59932525a2e497398
SHA1

e4ea0facd84f072785f008fb1f6cfcfca914e872
SHA256

ff70fe25d30b5252ffc9e083187f1091c2d18e7b33f9c4bf8abd87906a252cc7
SHA512

b80374b596d2bcfb9b0d07daa9712e095f67b7ce0140a8a5567a5906a64f819c3f46806e95fa60d3f6170e444a25ff4005d45fad702c7addcddba933843d19e7
SSDEEP

6144:0f+BLtABPDMZZzIlzcwKUfmBnxafTy8lI1D0NZv:jZOnKUfmBXx1DUv

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1234062798355431434/JlB7QAXe-wioFkoPtDp2B4GwdSHNOtJbalU_YUgkqCeZlhZBcGaQKTH272rVMLbnp5dM

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 freegeoip.app

flow	ioc
2	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Wave.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Wave.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Wave.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Wave.exe

pid process

4732 Wave.exe
4732 Wave.exe
4732 Wave.exe
4732 Wave.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Wave.exe

description pid process

Token: SeDebugPrivilege 4732 Wave.exe

pid	process
4732	Wave.exe
4732	Wave.exe
4732	Wave.exe
4732	Wave.exe

description	pid	process
Token: SeDebugPrivilege	4732	Wave.exe

C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt
Filesize
1KB

MD5
bec4e961d25604736832c09090a5f336

SHA1
c3a169fb84c6d7075d9c23ac3f5a3baca8521458

SHA256
5caa98a4e86a82635983c69cf59ab7d79b4577eb47738d5b967eb4bec9ca5eef

SHA512
f5d9228d2f5482e7aa614e030fac2f543d24b19afc32e0d3ad57720e18dbbf1914fc19b5601ebddfc747c766074b8c4da1495caa0fb478b83a5b2edca5f06d4f

Download Submit
memory/4732-0-0x0000026B2BF30000-0x0000026B2BF7A000-memory.dmp

Filesize
296KB

Download
memory/4732-10-0x00007FF979FC0000-0x00007FF97AA81000-memory.dmp

Filesize
10.8MB

Download
memory/4732-11-0x0000026B2DD60000-0x0000026B2DD70000-memory.dmp

Filesize
64KB

Download
memory/4732-120-0x00007FF979FC0000-0x00007FF97AA81000-memory.dmp

Filesize
10.8MB

Download