General

  • Target

    Client1.exe

  • Size

    435KB

  • Sample

    240517-ggqdeaca8w

  • MD5

    db41a85fb5d127502b98a520e0ec8107

  • SHA1

    1ba0d60550a7eef401ce323c6c01f8547f5a9cd3

  • SHA256

    5ff3f3b3716a63575a4fd4ef65384341c2dd0a09310a4b6a0df18d8ced34ea81

  • SHA512

    df2052fe1cb49b00e70a6eff5d40793a1dce423c989e763a22a92221970cb14b5bf1c9ac3738a6b09c6d6bda201c026a94ca2fe6db89103134297b0f88108c11

  • SSDEEP

    6144:XsVDeAnIUilHQU24Je6VlWT8b9UlP1ObiSX3q7Vb+Ia06fjp+2BHS:cZAQ/4JPVle82ZeiQoZirHS

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1228959092572295179/zol6YJ2bwh5lmLGXkYg2G33z3qYjeTvdzyXLvgfVZAIQ67YWJuOjrxydQkablWLyTqUE

Targets

    • Target

      Client1.exe

    • Size

      435KB

    • MD5

      db41a85fb5d127502b98a520e0ec8107

    • SHA1

      1ba0d60550a7eef401ce323c6c01f8547f5a9cd3

    • SHA256

      5ff3f3b3716a63575a4fd4ef65384341c2dd0a09310a4b6a0df18d8ced34ea81

    • SHA512

      df2052fe1cb49b00e70a6eff5d40793a1dce423c989e763a22a92221970cb14b5bf1c9ac3738a6b09c6d6bda201c026a94ca2fe6db89103134297b0f88108c11

    • SSDEEP

      6144:XsVDeAnIUilHQU24Je6VlWT8b9UlP1ObiSX3q7Vb+Ia06fjp+2BHS:cZAQ/4JPVle82ZeiQoZirHS

    • 44Caliber

      An open source infostealer written in C#.

    • Modifies WinLogon for persistence

    • Disables Task Manager via registry modification

    • Disables cmd.exe use via registry modification

    • Modifies AppInit DLL entries

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

MITRE ATT&CK Enterprise v15

Tasks