44caliber | f1273b7c08ddef61d8240de5fb61c780575b9330c4868c383076e21a79d03d22

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlastedCrack.exe
Size

549KB
MD5

0321782a20a84473a2bf7204f4b94d49
SHA1

0232950dfddc20314c4bed9815590191ce31283c
SHA256

f1273b7c08ddef61d8240de5fb61c780575b9330c4868c383076e21a79d03d22
SHA512

5be35b75c329057f5cd81a532405cc55e5460a2992fc1a7e2585db68750215a80f9b019175d062a45291884da54431fe31f6f1b2daf600c25116857531eef0e5
SSDEEP

12288:UCQjgAtAHM+vetZxF5EWry8AJGy0wT+t13X2F:U5ZWs+OZVEWry8AFU3X2F

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1217779080850706492/4knjig6DiCOeXSkGA1LGWaAo5XXa_s8z91RQ954jqRgqAhjOtgNK-aoBNJU45eHP5Ir2

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Executes dropped EXE 1 IoCs

Processes:

XWors.exe

pid	Process
2504	XWors.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

XWors.exe

pid	Process
2504	XWors.exe
2504	XWors.exe
2504	XWors.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

XWors.exe

description	pid	Process
Token: SeDebugPrivilege	2504	XWors.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

BlastedCrack.exeXWors.exe

description	pid	Process	procid_target
PID 2904 wrote to memory of 2504	2904	BlastedCrack.exe	28
PID 2904 wrote to memory of 2504	2904	BlastedCrack.exe	28
PID 2904 wrote to memory of 2504	2904	BlastedCrack.exe	28
PID 2504 wrote to memory of 2536	2504	XWors.exe	29
PID 2504 wrote to memory of 2536	2504	XWors.exe	29
PID 2504 wrote to memory of 2536	2504	XWors.exe	29

C:\Users\Admin\AppData\Local\Temp\BlastedCrack.exe
"C:\Users\Admin\AppData\Local\Temp\BlastedCrack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\XWors.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\XWors.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2504 -s 1200
    3⤵
    PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\XWors.exe

Filesize
303KB

MD5
a147413e40194267cf19da405bbb8be4

SHA1
8f1c9d6c88f1ca967ecd4e9749195ff006e59be1

SHA256
652920284464f45452dd695167982d5f73909284063a21e66899ad785be5325c

SHA512
4a8f3ebb1b4cb3fbea4fc0f0a0df44953ef33e5fc66b13ab3d02801e02e1deb171c4955e2331d526e2af1ac4de9b12b3b2e8994b3da7feff6e9b68fea457c0cd

Download Submit
memory/2504-13-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

Filesize
4KB

Download
memory/2504-14-0x00000000010C0000-0x0000000001112000-memory.dmp

Filesize
328KB

Download
memory/2504-32-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-33-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

Filesize
4KB

Download
memory/2504-34-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-35-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download