44caliber | a2d773d335de672b8b525f26483081ef86bdfbb524afdf3dab5922e66d864e96 | Triage

Sharing

General

Target

NewProject1.exe
Size

4.9MB
Sample

240522-wcq7gaah52
MD5

eace0ed3521967a36f02f3408a76689d
SHA1

54210340f93b45b7bd0eff93da29151a5e846174
SHA256

a2d773d335de672b8b525f26483081ef86bdfbb524afdf3dab5922e66d864e96
SHA512

9646a69340e263150fc05519576fdc4d07ef51cf05f974dfd4f94b866e896255ee469207b6181b976d253a2497a753439c1ec639897dbe7c0fb89674eaba6448
SSDEEP

98304:w409oEFvy98NF/4uhbfc7DdGnTYrhMiAV4i2BWWH:i/FayNFQKU7qstyKnJ

Score

10^/10

44caliber persistence spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1237112288494747648/RwLhzmD0ehxDiBdZsbgoSXVKoOkldpfaRP7ikjkQV9Ya8EVVXay-1UF3yarrrtlSnrpv

Targets

- Target
  
  NewProject1.exe
- Size
  
  4.9MB
- MD5
  
  eace0ed3521967a36f02f3408a76689d
- SHA1
  
  54210340f93b45b7bd0eff93da29151a5e846174
- SHA256
  
  a2d773d335de672b8b525f26483081ef86bdfbb524afdf3dab5922e66d864e96
- SHA512
  
  9646a69340e263150fc05519576fdc4d07ef51cf05f974dfd4f94b866e896255ee469207b6181b976d253a2497a753439c1ec639897dbe7c0fb89674eaba6448
- SSDEEP
  
  98304:w409oEFvy98NF/4uhbfc7DdGnTYrhMiAV4i2BWWH:i/FayNFQKU7qstyKnJ
Score

10^/10

44caliber spyware stealer persistence
- 44Caliber
  An open source infostealer written in C#.
  stealer 44caliber
- Modifies WinLogon for persistence
  persistence
- Downloads MZ/PE file
- Modifies AppInit DLL entries
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

44caliberspywarestealer

behavioral2

44caliberpersistencespywarestealer