General

  • Target

    994d73477a5e2a22bf00a7898bc2b8ad784ec844bc27dbc43c3aa5576d3ec397.exe

  • Size

    1.3MB

  • Sample

    240820-b7g7tsxflh

  • MD5

    7ce622cc13886a55bfce9bcc088c8dc6

  • SHA1

    6aa21ea3cbd05b2727c2f7cd5328532d617c0dd0

  • SHA256

    994d73477a5e2a22bf00a7898bc2b8ad784ec844bc27dbc43c3aa5576d3ec397

  • SHA512

    d824d400f0663b3c7ad2a81a4fc449b78d1a01e97517168245716d2b454c7fc4e1bbc09af56a9913462626184a5db0b6f65ce77f2d5eb1ed39c5ed3bb505efad

  • SSDEEP

    24576:fF6kcnUDuwg5tW2l8Ye01R7E/k3vy8OKtlm0PDwVOt3PAThh9qAM:0Lnw69lLeOhbq+GOt3PO5dM

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1274462328603148298/RG8TQ5NOTPK7lllW9DXds8Z7Vj68QWZX7Duc-LfDNeqa_HouSEGlNyNzsrVH6EfQxrh8

Targets

    • Target

      994d73477a5e2a22bf00a7898bc2b8ad784ec844bc27dbc43c3aa5576d3ec397.exe

    • Size

      1.3MB

    • MD5

      7ce622cc13886a55bfce9bcc088c8dc6

    • SHA1

      6aa21ea3cbd05b2727c2f7cd5328532d617c0dd0

    • SHA256

      994d73477a5e2a22bf00a7898bc2b8ad784ec844bc27dbc43c3aa5576d3ec397

    • SHA512

      d824d400f0663b3c7ad2a81a4fc449b78d1a01e97517168245716d2b454c7fc4e1bbc09af56a9913462626184a5db0b6f65ce77f2d5eb1ed39c5ed3bb505efad

    • SSDEEP

      24576:fF6kcnUDuwg5tW2l8Ye01R7E/k3vy8OKtlm0PDwVOt3PAThh9qAM:0Lnw69lLeOhbq+GOt3PO5dM

    • 44Caliber

      An open source infostealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks