44caliber | a2d773d335de672b8b525f26483081ef86bdfbb524afdf3dab5922e66d864e96

General

Target

New Project 1.exe
Size

4.9MB
MD5

eace0ed3521967a36f02f3408a76689d
SHA1

54210340f93b45b7bd0eff93da29151a5e846174
SHA256

a2d773d335de672b8b525f26483081ef86bdfbb524afdf3dab5922e66d864e96
SHA512

9646a69340e263150fc05519576fdc4d07ef51cf05f974dfd4f94b866e896255ee469207b6181b976d253a2497a753439c1ec639897dbe7c0fb89674eaba6448
SSDEEP

98304:w409oEFvy98NF/4uhbfc7DdGnTYrhMiAV4i2BWWH:i/FayNFQKU7qstyKnJ

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1237112288494747648/RwLhzmD0ehxDiBdZsbgoSXVKoOkldpfaRP7ikjkQV9Ya8EVVXay-1UF3yarrrtlSnrpv

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 3 IoCs

Processes:

extreme injector.exeExtreme Injector v3.exeInsidious.exe

pid process

1496 extreme injector.exe
2116 Extreme Injector v3.exe
2304 Insidious.exe
Loads dropped DLL 3 IoCs

Processes:

New Project 1.exeextreme injector.exe

pid process

2272 New Project 1.exe
1496 extreme injector.exe
1496 extreme injector.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

18 raw.githubusercontent.com
14 raw.githubusercontent.com
15 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1496	extreme injector.exe
2116	Extreme Injector v3.exe
2304	Insidious.exe

pid	process
2272	New Project 1.exe
1496	extreme injector.exe
1496	extreme injector.exe

flow	ioc
18	raw.githubusercontent.com
14	raw.githubusercontent.com
15	raw.githubusercontent.com

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

New Project 1.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	New Project 1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	New Project 1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	New Project 1.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Insidious.exe

pid process

2304 Insidious.exe
2304 Insidious.exe
2304 Insidious.exe

pid	process
2304	Insidious.exe
2304	Insidious.exe
2304	Insidious.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Insidious.exeExtreme Injector v3.exe

description	pid	process
Token: SeDebugPrivilege	2304	Insidious.exe
Token: SeDebugPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: SeDebugPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2116	Extreme Injector v3.exe
Token: 33	2116	Extreme Injector v3.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

New Project 1.exeextreme injector.exeInsidious.exe

description	pid	process	target process
PID 2272 wrote to memory of 1496	2272	New Project 1.exe	extreme injector.exe
PID 2272 wrote to memory of 1496	2272	New Project 1.exe	extreme injector.exe
PID 2272 wrote to memory of 1496	2272	New Project 1.exe	extreme injector.exe
PID 2272 wrote to memory of 1496	2272	New Project 1.exe	extreme injector.exe
PID 1496 wrote to memory of 2116	1496	extreme injector.exe	Extreme Injector v3.exe
PID 1496 wrote to memory of 2116	1496	extreme injector.exe	Extreme Injector v3.exe
PID 1496 wrote to memory of 2116	1496	extreme injector.exe	Extreme Injector v3.exe
PID 1496 wrote to memory of 2116	1496	extreme injector.exe	Extreme Injector v3.exe
PID 1496 wrote to memory of 2304	1496	extreme injector.exe	Insidious.exe
PID 1496 wrote to memory of 2304	1496	extreme injector.exe	Insidious.exe
PID 1496 wrote to memory of 2304	1496	extreme injector.exe	Insidious.exe
PID 1496 wrote to memory of 2304	1496	extreme injector.exe	Insidious.exe
PID 2304 wrote to memory of 484	2304	Insidious.exe	WerFault.exe
PID 2304 wrote to memory of 484	2304	Insidious.exe	WerFault.exe
PID 2304 wrote to memory of 484	2304	Insidious.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\New Project 1.exe
"C:\Users\Admin\AppData\Local\Temp\New Project 1.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\extreme injector.exe
  "C:\Users\Admin\AppData\Local\Temp\extreme injector.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
    "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2116
- - C:\Users\Admin\AppData\Local\Temp\Insidious.exe
    "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2304 -s 1188
      4⤵
      PID:484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar107C.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
281KB

MD5
b3cc053a740c79d2844a542e951b3335

SHA1
44fa83e0bfd8c7761ba8fbe0f687a53a062d89a0

SHA256
278704c25e1f4fb26e09a663ea2e0762510d02837ced1771d72c0240e3f9b993

SHA512
b7ffb66a9b7fa366dfc4b12978ad8d3555859ff526d8d1f8f9557ff22cf0cdf44369796722b22f0da28c79850f3cb16b3e9c49c8db2f8ab64e66661322f46cbe

Download Submit
\Users\Admin\AppData\Local\Temp\extreme injector.exe

Filesize
3.3MB

MD5
2ffea9e69ec40e9f4337787a953e02f1

SHA1
5d2df0bec27c916a95b39d90f2c4cbfe485a4e29

SHA256
a0c52d8be54a2437a28412f63fd7bb700b15b10a6cf8640630fd35ed6bf68204

SHA512
6ecd979f26ef0095825dfe40123129a973dd2daccfa2e04eb0b71e8615d2abf439b134200abdec4794216d237b12c961520eb11f76277660807a859a919e1698

Download Submit
memory/1496-125-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/2116-140-0x0000000000940000-0x0000000000B26000-memory.dmp

Filesize
1.9MB

Download
memory/2272-0-0x0000000000400000-0x00000000008E6000-memory.dmp

Filesize
4.9MB

Download
memory/2304-139-0x0000000000EF0000-0x0000000000F3C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads