44caliber

General

Target

e04e96b1925a5c445f1ef3016f0b00a2ccbfa89b146c8ea387438a84cc41a94b
Size

303KB
Sample

240622-ecx7cawgke
MD5

81395981814527bba10fdc5569ccd4d6
SHA1

32c6d72322fd3722134c27ac5ef8fc6a97bfa703
SHA256

e04e96b1925a5c445f1ef3016f0b00a2ccbfa89b146c8ea387438a84cc41a94b
SHA512

4bb3835cf0655dea57d334127ff9db8a3e67bdb8d29e9a55e7b4273c7c39598da82e27e13a9ffe3b7b2911ab953fcbcbeeda167bbeed07442214e81e845559b9
SSDEEP

6144:Rv1T6MDdbICydeBxbf0G3aLpbwsY6kmA1D0pxZ:RvD10G3alsb31DkZ

Score

10^/10

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1253304224196984893/JH0PA6nL6myGUIKPz_N_bVCbVnI4WvBPBULf0vxvnyTgGWp80X7oQ3w5M2foj3UdtDl6

Targets

- Target
  
  e04e96b1925a5c445f1ef3016f0b00a2ccbfa89b146c8ea387438a84cc41a94b
- Size
  
  303KB
- MD5
  
  81395981814527bba10fdc5569ccd4d6
- SHA1
  
  32c6d72322fd3722134c27ac5ef8fc6a97bfa703
- SHA256
  
  e04e96b1925a5c445f1ef3016f0b00a2ccbfa89b146c8ea387438a84cc41a94b
- SHA512
  
  4bb3835cf0655dea57d334127ff9db8a3e67bdb8d29e9a55e7b4273c7c39598da82e27e13a9ffe3b7b2911ab953fcbcbeeda167bbeed07442214e81e845559b9
- SSDEEP
  
  6144:Rv1T6MDdbICydeBxbf0G3aLpbwsY6kmA1D0pxZ:RvD10G3alsb31DkZ
Score

10^/10

44caliber spyware stealer
- 44Caliber
  An open source infostealer written in C#.
  stealer 44caliber
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables Discord URL observed in first stage droppers
- Detects executables referencing Discord tokens regular expressions
- Detects executables referencing credit card regular expressions
- Detects executables referencing many VPN software clients. Observed in infosteslers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables Discord URL observed in first stage droppers

Detects executables referencing Discord tokens regular expressions

Detects executables referencing credit card regular expressions

Detects executables referencing many VPN software clients. Observed in infosteslers

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2