44caliber | 53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6

Analysis

max time kernel
131s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-08-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe
Size

303KB
MD5

3d3676c2d36ed1af59c1815af1f74058
SHA1

fc384ba05ea668dfba796b14c34e6056fd0f94b8
SHA256

53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6
SHA512

3cc2c941082ee926efaa0cb015785321b4090e41abfdcfe7e6484ee414498e0fd6f46ceaee86110795ea6fec5e6456d46d4e6b8d65cbf58e635d1daf0f673fdc
SSDEEP

6144:HrzRT6MDdbICydeB7qgGWSlZNaW61mA1D0EfC:HrT2gGWSjNPq1D3C

Score

10^/10

44caliber credential_access spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1131711873008549938/QPUFf0SJyyBKkmbeY9YgkuN6uIphQMrfHrESgo7LDLk9M-ZHEC2H2R-LmRpRgJMYG97X

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 freegeoip.app
6 freegeoip.app

flow	ioc
5	freegeoip.app
6	freegeoip.app

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe

pid	process
2188	53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe
2188	53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe
2188	53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe
2188	53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe

description pid process

Token: SeDebugPrivilege 2188 53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe

description	pid	process
Token: SeDebugPrivilege	2188	53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe

C:\Users\Admin\AppData\Local\Temp\53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe
"C:\Users\Admin\AppData\Local\Temp\53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
742B

MD5
91581fe3decf5aa69cc3a863c539b4dd

SHA1
6c086486f05153d24fc864774f1e0b7348ceaf5d

SHA256
f9eed3c49f70c998615032c83e67a12f8f1174df2e1c72ca139dffeb2e97412d

SHA512
d093ddd8f57cf546320f3168938cfb7f4801943de402fbe9b68423912acb15758215bbe2561a1d69ca8660bc832c305a3b8b0f85a5b1c32527d77c910025588e

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
757B

MD5
b01c5919f3d4dc014d402d1e2f6b68ee

SHA1
8b32f77f79ea3dfc2bc1b45d546b0eca471c6c1e

SHA256
a1614ac304311acde85eefdf7b1ebaf6f1ac74b170944845fa993aaa28e7ac6e

SHA512
0b2028d62eb712702cb4e52b4d8f795bb06765a5e12fa0c35b876c52e0c91ae7179bf073476561c4890c32abad8dafc5f9937ea5f1274128f578ee666f12ddf7

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
aa2291de3148196f169042f36665d028

SHA1
91a19dd133bc68a0cc3b1c10a4a0db0e3a62ce61

SHA256
c422a39cd5246fcc3c17c46b65ff605308bfb00ce6a8aeed39e65e2ba868df9a

SHA512
1e84516988217cedf8088937fb4fca120be6f14df568db76f6030d5d2f413627098cd955c09bc2a194bd3111f43fa5195a8fbf50677cf9fbcf6c877ebf3b3586

Download Submit
memory/2188-0-0x0000028AD7680000-0x0000028AD76D2000-memory.dmp

Filesize
328KB

Download
memory/2188-1-0x00007FF9B78D3000-0x00007FF9B78D5000-memory.dmp

Filesize
8KB

Download
memory/2188-33-0x00007FF9B78D0000-0x00007FF9B8391000-memory.dmp

Filesize
10.8MB

Download
memory/2188-122-0x00007FF9B78D0000-0x00007FF9B8391000-memory.dmp

Filesize
10.8MB

Download