44caliber

Resubmissions

23-06-2024 10:41

240623-mrc4qaycph 10

23-06-2024 10:36

240623-mm7sjasdlk 10

23-06-2024 10:32

240623-mk1lfascrp 10

23-06-2024 10:26

240623-mgw4vaybre 10

Sharing

Copy URL

Twitter E-mail

General

Target

Solara.zip
Size

400KB
Sample

240623-mrc4qaycph
MD5

20804935c8018d330c47fa7acde89358
SHA1

7e79e69996cf54bf3da5807e37805db03d23f34e
SHA256

65dcaf8699e4d8d8aaa1c177fc49bfe4ff69ad4fd3891d61f68c5239e217cb14
SHA512

7c7cf8a3e6d90376a1a958c57527750c5a04d6d27c90397aac458898a34601a36c5f345afeabaa72f0ece7f3701ac729b68b5bd9f93252552feb4a1f092fc398
SSDEEP

12288:/3IY0Y/4SF9rsCJmLagibphNFc6V9pr+YJGIYKxgDc:/3NAS3mL2b/rV9pUKxGc

Score

10^/10

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1169713279464120370/GUIw2wEmQMllUHEfRf3MNeS3DBNrZN-RuTQ9QbFfAqIZNVHtIlkj1yiD5QqgrIlv8gQi

Targets

- Target
  
  Solara/SolaraB/SolaraBootstrapper.exe
- Size
  
  826KB
- MD5
  
  886d05ab350457e2ddde2f569dc0668a
- SHA1
  
  3448ca0ce7b2f279694f8a360348c0ade71b9322
- SHA256
  
  286b6d3aa77caa78854b3648d96d80a1f207d7b94fb54103b44600a6f72839b5
- SHA512
  
  31186e5e079389f820a026843340468cf183c31ee18d60537d48e83b4ecb08b86f2e1b41012b4fa25ebbbd33a4fbc833986815e71010b74df3e04fdaf49d7962
- SSDEEP
  
  12288:gCQjgAtAHM+vetZxF5EWry8AJGy03eJxZM6gMkIhS:g5ZWs+OZVEWry8AFL06gGS
Score

10^/10

44caliber evasion spyware stealer themida trojan
- 44Caliber
  An open source infostealer written in C#.
  stealer 44caliber
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2