General

  • Target

    7ce622cc13886a55bfce9bcc088c8dc6.bin

  • Size

    1.3MB

  • Sample

    240821-bqtjjataqa

  • MD5

    05399838495931788ac923e230677773

  • SHA1

    3c3780e3338af6101a326bd0610135d0daf59d0a

  • SHA256

    80c07d676480e52a2feb657c9acd1282cc1e279d7f336fb61973823cebc37d5d

  • SHA512

    958184313b4df3a26adc3ffa8466b2fcd46e925439d4744bc71fb9017c3fa5344d937c4c7fba70679088030ecef4fae443fef08b32e0221a36caa3712f819c6a

  • SSDEEP

    24576:6iU95Djgqda1Ay3JQXiM4jlknt2np9RPjxM47B2gfbqmLCJ9GEKRCwyXQTfMqg:fUHgG8JeClknt2np9ldXnzqmLC9GZRcf

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1274462328603148298/RG8TQ5NOTPK7lllW9DXds8Z7Vj68QWZX7Duc-LfDNeqa_HouSEGlNyNzsrVH6EfQxrh8

Targets

    • Target

      994d73477a5e2a22bf00a7898bc2b8ad784ec844bc27dbc43c3aa5576d3ec397.exe

    • Size

      1.3MB

    • MD5

      7ce622cc13886a55bfce9bcc088c8dc6

    • SHA1

      6aa21ea3cbd05b2727c2f7cd5328532d617c0dd0

    • SHA256

      994d73477a5e2a22bf00a7898bc2b8ad784ec844bc27dbc43c3aa5576d3ec397

    • SHA512

      d824d400f0663b3c7ad2a81a4fc449b78d1a01e97517168245716d2b454c7fc4e1bbc09af56a9913462626184a5db0b6f65ce77f2d5eb1ed39c5ed3bb505efad

    • SSDEEP

      24576:fF6kcnUDuwg5tW2l8Ye01R7E/k3vy8OKtlm0PDwVOt3PAThh9qAM:0Lnw69lLeOhbq+GOt3PO5dM

    • 44Caliber

      An open source infostealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks