44caliber | a2d773d335de672b8b525f26483081ef86bdfbb524afdf3dab5922e66d864e96

General

Target

NewProject1.exe
Size

4.9MB
MD5

eace0ed3521967a36f02f3408a76689d
SHA1

54210340f93b45b7bd0eff93da29151a5e846174
SHA256

a2d773d335de672b8b525f26483081ef86bdfbb524afdf3dab5922e66d864e96
SHA512

9646a69340e263150fc05519576fdc4d07ef51cf05f974dfd4f94b866e896255ee469207b6181b976d253a2497a753439c1ec639897dbe7c0fb89674eaba6448
SSDEEP

98304:w409oEFvy98NF/4uhbfc7DdGnTYrhMiAV4i2BWWH:i/FayNFQKU7qstyKnJ

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1237112288494747648/RwLhzmD0ehxDiBdZsbgoSXVKoOkldpfaRP7ikjkQV9Ya8EVVXay-1UF3yarrrtlSnrpv

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 3 IoCs

Processes:

extreme injector.exeExtreme Injector v3.exeInsidious.exe

pid process

1944 extreme injector.exe
1768 Extreme Injector v3.exe
3048 Insidious.exe
Loads dropped DLL 3 IoCs

Processes:

NewProject1.exeextreme injector.exe

pid process

2264 NewProject1.exe
1944 extreme injector.exe
1944 extreme injector.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

17 raw.githubusercontent.com
18 raw.githubusercontent.com
22 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1944	extreme injector.exe
1768	Extreme Injector v3.exe
3048	Insidious.exe

pid	process
2264	NewProject1.exe
1944	extreme injector.exe
1944	extreme injector.exe

flow	ioc
17	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com

flow	ioc
21	freegeoip.app

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

NewProject1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	NewProject1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	NewProject1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	NewProject1.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Insidious.exe

pid process

3048 Insidious.exe
3048 Insidious.exe
3048 Insidious.exe

pid	process
3048	Insidious.exe
3048	Insidious.exe
3048	Insidious.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Insidious.exeExtreme Injector v3.exe

description	pid	process
Token: SeDebugPrivilege	3048	Insidious.exe
Token: SeDebugPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: SeDebugPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1768	Extreme Injector v3.exe
Token: 33	1768	Extreme Injector v3.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

NewProject1.exeextreme injector.exeInsidious.exe

description	pid	process	target process
PID 2264 wrote to memory of 1944	2264	NewProject1.exe	extreme injector.exe
PID 2264 wrote to memory of 1944	2264	NewProject1.exe	extreme injector.exe
PID 2264 wrote to memory of 1944	2264	NewProject1.exe	extreme injector.exe
PID 2264 wrote to memory of 1944	2264	NewProject1.exe	extreme injector.exe
PID 1944 wrote to memory of 1768	1944	extreme injector.exe	Extreme Injector v3.exe
PID 1944 wrote to memory of 1768	1944	extreme injector.exe	Extreme Injector v3.exe
PID 1944 wrote to memory of 1768	1944	extreme injector.exe	Extreme Injector v3.exe
PID 1944 wrote to memory of 1768	1944	extreme injector.exe	Extreme Injector v3.exe
PID 1944 wrote to memory of 3048	1944	extreme injector.exe	Insidious.exe
PID 1944 wrote to memory of 3048	1944	extreme injector.exe	Insidious.exe
PID 1944 wrote to memory of 3048	1944	extreme injector.exe	Insidious.exe
PID 1944 wrote to memory of 3048	1944	extreme injector.exe	Insidious.exe
PID 3048 wrote to memory of 584	3048	Insidious.exe	WerFault.exe
PID 3048 wrote to memory of 584	3048	Insidious.exe	WerFault.exe
PID 3048 wrote to memory of 584	3048	Insidious.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\NewProject1.exe
"C:\Users\Admin\AppData\Local\Temp\NewProject1.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\AppData\Local\Temp\extreme injector.exe
"C:\Users\Admin\AppData\Local\Temp\extreme injector.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
"C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3048 -s 1080
4⤵
PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
59facdb92f418ffcf13b5b413a100db4

SHA1
38ebab6841d5f4a96f453928bc27af98113e4e69

SHA256
59be322794018edc97f4a29efac50300b91cad0e4aa06c27fd8900eb778dfaba

SHA512
76f47e9dd8ed9c07fd2269d01ba5fce903372004b004c9c26f694836cc12704ab14e096281b4385d6041468b3f52f96ea5c1f8f2e073fc12a04d25f085eb0483

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFF1C.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
\Users\Admin\AppData\Local\Temp\Insidious.exe
Filesize
281KB

MD5
b3cc053a740c79d2844a542e951b3335

SHA1
44fa83e0bfd8c7761ba8fbe0f687a53a062d89a0

SHA256
278704c25e1f4fb26e09a663ea2e0762510d02837ced1771d72c0240e3f9b993

SHA512
b7ffb66a9b7fa366dfc4b12978ad8d3555859ff526d8d1f8f9557ff22cf0cdf44369796722b22f0da28c79850f3cb16b3e9c49c8db2f8ab64e66661322f46cbe

Download Submit
\Users\Admin\AppData\Local\Temp\extreme injector.exe
Filesize
3.3MB

MD5
2ffea9e69ec40e9f4337787a953e02f1

SHA1
5d2df0bec27c916a95b39d90f2c4cbfe485a4e29

SHA256
a0c52d8be54a2437a28412f63fd7bb700b15b10a6cf8640630fd35ed6bf68204

SHA512
6ecd979f26ef0095825dfe40123129a973dd2daccfa2e04eb0b71e8615d2abf439b134200abdec4794216d237b12c961520eb11f76277660807a859a919e1698

Download Submit
memory/1768-155-0x0000000000F70000-0x0000000001156000-memory.dmp

Filesize
1.9MB

Download
memory/1944-140-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/2264-0-0x0000000000400000-0x00000000008E6000-memory.dmp

Filesize
4.9MB

Download
memory/3048-154-0x0000000000E90000-0x0000000000EDC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads