44caliber | f1273b7c08ddef61d8240de5fb61c780575b9330c4868c383076e21a79d03d22

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlastedCrack.exe
Size

549KB
MD5

0321782a20a84473a2bf7204f4b94d49
SHA1

0232950dfddc20314c4bed9815590191ce31283c
SHA256

f1273b7c08ddef61d8240de5fb61c780575b9330c4868c383076e21a79d03d22
SHA512

5be35b75c329057f5cd81a532405cc55e5460a2992fc1a7e2585db68750215a80f9b019175d062a45291884da54431fe31f6f1b2daf600c25116857531eef0e5
SSDEEP

12288:UCQjgAtAHM+vetZxF5EWry8AJGy0wT+t13X2F:U5ZWs+OZVEWry8AFU3X2F

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1217779080850706492/4knjig6DiCOeXSkGA1LGWaAo5XXa_s8z91RQ954jqRgqAhjOtgNK-aoBNJU45eHP5Ir2

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	BlastedCrack.exe

Executes dropped EXE 1 IoCs

pid	Process
2432	XWors.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	freegeoip.app
8	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2432	XWors.exe
2432	XWors.exe
2432	XWors.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	XWors.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 340 wrote to memory of 2432	340	BlastedCrack.exe	83
PID 340 wrote to memory of 2432	340	BlastedCrack.exe	83

C:\Users\Admin\AppData\Local\Temp\BlastedCrack.exe
"C:\Users\Admin\AppData\Local\Temp\BlastedCrack.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:340
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\XWors.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\XWors.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\XWors.exe

Filesize
303KB

MD5
a147413e40194267cf19da405bbb8be4

SHA1
8f1c9d6c88f1ca967ecd4e9749195ff006e59be1

SHA256
652920284464f45452dd695167982d5f73909284063a21e66899ad785be5325c

SHA512
4a8f3ebb1b4cb3fbea4fc0f0a0df44953ef33e5fc66b13ab3d02801e02e1deb171c4955e2331d526e2af1ac4de9b12b3b2e8994b3da7feff6e9b68fea457c0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\XWors.lnk

Filesize
992B

MD5
9238ad2608f57aaac6da2b2a822701d4

SHA1
21fc46daf0a8969a14bd07f9f9d10a1b2828036b

SHA256
1ac3ca9e60cc963701872728a84e0bfbddafeb017e29a81867612ba706078279

SHA512
c110718703eac037a5f427ad64e3c135bb4481af8d147610eb7d5a9ec708736c21bc94f614c5264ef02ab4d64da1271d97d1266ed9c30644c7ddd44bdbcf4ea6

Download Submit
memory/2432-14-0x00007FF99C363000-0x00007FF99C365000-memory.dmp

Filesize
8KB

Download
memory/2432-15-0x0000023692A60000-0x0000023692AB2000-memory.dmp

Filesize
328KB

Download
memory/2432-45-0x00007FF99C360000-0x00007FF99CE21000-memory.dmp

Filesize
10.8MB

Download
memory/2432-46-0x00007FF99C360000-0x00007FF99CE21000-memory.dmp

Filesize
10.8MB

Download