44caliber | ede32cc0261506b8e6fffd357c22b175ce5a45a2de83f65b49d4484ec0e969f5

General

Target

Loader.exe
Size

9.2MB
MD5

8e4bc9547894a5ede75a2bd4235a8fb9
SHA1

794f7e9856e5024bcce49c1ce5415ee70abfdb88
SHA256

ede32cc0261506b8e6fffd357c22b175ce5a45a2de83f65b49d4484ec0e969f5
SHA512

6ed8462f58af3bbdff9451d659f93b8214db5912f2045d483d4a8278114633d07f76a78c1ee8b4661f858ae5730a7a175d0554c3e1d672ccfb603c74a4bec03d
SSDEEP

196608:6rltiwhW9T7MdeNBn6hKmXoBiibJkuJU1WcaonK+i7:Q+90deNBnYYBHyEcaI3i

Score

10^/10

44caliber credential_access spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1267250103538810911/_8BMipnmgDV4n-Uu_YmzeHrxrFFQPSAoBBDlwlDVhsDsk_31uQMADxZw-pq563wCO5KV

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Loader.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation Loader.exe
Executes dropped EXE 1 IoCs

Processes:

fixer.exe

pid process

2468 fixer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 freegeoip.app
7 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	Loader.exe

flow	ioc
8	freegeoip.app
7	freegeoip.app

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fixer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	fixer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	fixer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fixer.exetaskmgr.exe

pid	process
2468	fixer.exe
2468	fixer.exe
2468	fixer.exe
2468	fixer.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

2808 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

fixer.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	2468	fixer.exe
Token: SeDebugPrivilege	2808	taskmgr.exe
Token: SeSystemProfilePrivilege	2808	taskmgr.exe
Token: SeCreateGlobalPrivilege	2808	taskmgr.exe

Suspicious use of FindShellTrayWindow 48 IoCs

Processes:

taskmgr.exe

pid	process
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

taskmgr.exe

pid	process
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Loader.exe

description	pid	process	target process
PID 3680 wrote to memory of 3520	3680	Loader.exe	Loader.exe
PID 3680 wrote to memory of 3520	3680	Loader.exe	Loader.exe
PID 3680 wrote to memory of 2468	3680	Loader.exe	fixer.exe
PID 3680 wrote to memory of 2468	3680	Loader.exe	fixer.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3520

C:\Users\Admin\AppData\Local\Temp\fixer.exe
"C:\Users\Admin\AppData\Local\Temp\fixer.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
c6f14ec20f955e829bf5f935c13780a0

SHA1
04d8be62a353a1f6ffcb5b374acdc7cd37a4c334

SHA256
7fc26c6d39b115aa7d7f5f286f9d5a246086d50e17e1b67fa0cdde71a0fa0f30

SHA512
8ad64b33e8755c6ccce7541d2e150b4bb34d98ffa3fa4adf8c2d9b1951cb057b38eb662caa0471c7adc8c9e5f47189b3dbafc22a0796124131846450a9197e85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fixer.exe

Filesize
274KB

MD5
88505913c2c75f796c9a021aab2d356d

SHA1
5b5c06998d3e200c21c77ea4efaeaecdc7344e78

SHA256
62e414e990e80c8203955b0e32948ddc64903b80a462c339f1babfb03e641204

SHA512
6fa46be04c2693ea164fe52ddf3cca0bdafd1ab34d8c0f1c2bf3d361c6042f45375343f59e9474ded6718f8177a4f7eb19fddccd95f7fbb87aad12358b2d6905

Download Submit
memory/2468-61-0x00007FFC45640000-0x00007FFC46101000-memory.dmp

Filesize
10.8MB

Download
memory/2468-151-0x00007FFC45640000-0x00007FFC46101000-memory.dmp

Filesize
10.8MB

Download
memory/2468-18-0x000002C03EA30000-0x000002C03EA7A000-memory.dmp

Filesize
296KB

Download
memory/2808-154-0x0000023FAAE40000-0x0000023FAAE41000-memory.dmp

Filesize
4KB

Download
memory/2808-162-0x0000023FAAE40000-0x0000023FAAE41000-memory.dmp

Filesize
4KB

Download
memory/2808-159-0x0000023FAAE40000-0x0000023FAAE41000-memory.dmp

Filesize
4KB

Download
memory/2808-160-0x0000023FAAE40000-0x0000023FAAE41000-memory.dmp

Filesize
4KB

Download
memory/2808-161-0x0000023FAAE40000-0x0000023FAAE41000-memory.dmp

Filesize
4KB

Download
memory/2808-155-0x0000023FAAE40000-0x0000023FAAE41000-memory.dmp

Filesize
4KB

Download
memory/2808-153-0x0000023FAAE40000-0x0000023FAAE41000-memory.dmp

Filesize
4KB

Download
memory/2808-165-0x0000023FAAE40000-0x0000023FAAE41000-memory.dmp

Filesize
4KB

Download
memory/2808-164-0x0000023FAAE40000-0x0000023FAAE41000-memory.dmp

Filesize
4KB

Download
memory/2808-163-0x0000023FAAE40000-0x0000023FAAE41000-memory.dmp

Filesize
4KB

Download
memory/3520-41-0x00007FFC45640000-0x00007FFC46101000-memory.dmp

Filesize
10.8MB

Download
memory/3520-152-0x00007FFC45640000-0x00007FFC46101000-memory.dmp

Filesize
10.8MB

Download
memory/3680-0-0x00007FFC45643000-0x00007FFC45645000-memory.dmp

Filesize
8KB

Download
memory/3680-1-0x0000000000380000-0x0000000000CBA000-memory.dmp

Filesize
9.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads