General

  • Target

    Client1.exe

  • Size

    435KB

  • Sample

    240517-ggqdeaca8w

  • MD5

    db41a85fb5d127502b98a520e0ec8107

  • SHA1

    1ba0d60550a7eef401ce323c6c01f8547f5a9cd3

  • SHA256

    5ff3f3b3716a63575a4fd4ef65384341c2dd0a09310a4b6a0df18d8ced34ea81

  • SHA512

    df2052fe1cb49b00e70a6eff5d40793a1dce423c989e763a22a92221970cb14b5bf1c9ac3738a6b09c6d6bda201c026a94ca2fe6db89103134297b0f88108c11

  • SSDEEP

    6144:XsVDeAnIUilHQU24Je6VlWT8b9UlP1ObiSX3q7Vb+Ia06fjp+2BHS:cZAQ/4JPVle82ZeiQoZirHS

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1228959092572295179/zol6YJ2bwh5lmLGXkYg2G33z3qYjeTvdzyXLvgfVZAIQ67YWJuOjrxydQkablWLyTqUE

Targets

    • 44Caliber

      An open-source infostealer written in C#.

    • Modifies WinLogon for persistence

    • Disables Task Manager via registry modification

    • Disables cmd.exe use via registry modification

    • Modifies AppInit DLL entries

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Command and Scripting Interpreter: PowerShell

      Starts PowerShell.

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Command and Scripting Interpreter (T1059): 1
    • PowerShell (T1059.001): 1
  • Scheduled Task/Job (T1053): 1

Persistence

  • Boot or Logon Autostart Execution (T1547): 2
    • Registry Run Keys / Startup Folder (T1547.001): 1
    • Winlogon Helper DLL (T1547.004): 1
  • Scheduled Task/Job (T1053): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 2
    • Registry Run Keys / Startup Folder (T1547.001): 1
    • Winlogon Helper DLL (T1547.004): 1
  • Scheduled Task/Job (T1053): 1

Defense Evasion

  • Modify Registry (T1112): 2

Credential Access

  • Unsecured Credentials (T1552): 2
    • Credentials In Files (T1552.001): 2

Discovery

  • Query Registry (T1012): 3
  • System Information Discovery (T1082): 3

Collection

  • Data from Local System (T1005): 2
