44caliber | e009fee742f6dd1d2c9fc0e840dbeeca1a705a13c2667bf09daf216c60411e89

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-11-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123.scr
Size

282KB
MD5

9dc5e3d364fba20137971eb948ed5089
SHA1

5848daad55e30e542e17213ea83d4c4e8ad66641
SHA256

e009fee742f6dd1d2c9fc0e840dbeeca1a705a13c2667bf09daf216c60411e89
SHA512

a0eac98d1b820b59fa2ed0ab98bd70b3fa96af2d0d1498f6ad2e23829f6d1852bbc7512d9683ed1985c4d221bada57461a65ea18556d48235d7a8f6a127eefa9
SSDEEP

6144:if+BLtABPDMtBBfn1Y0gIoHOQpafTyUlI1D0fVg9MtW:JtVvgIoHOOZ1DKg96

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discordapp.com/api/webhooks/1184504729359896607/fPAMX9PDaXX6cd_-7EdUwUPRgvGLKrETMXz361gwk0y19F6LqJJCESeLcwPQReg9mLu9

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
44Caliber family
44caliber
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 freegeoip.app
5 freegeoip.app

flow	ioc
4	freegeoip.app
5	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

123.scr

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	123.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	123.scr

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

123.scr

pid process

2532 123.scr
2532 123.scr
2532 123.scr
2532 123.scr
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

123.scr

description pid process

Token: SeDebugPrivilege 2532 123.scr

pid	process
2532	123.scr
2532	123.scr
2532	123.scr
2532	123.scr

description	pid	process
Token: SeDebugPrivilege	2532	123.scr

C:\Users\Admin\AppData\Local\Temp\123.scr
"C:\Users\Admin\AppData\Local\Temp\123.scr" /S
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
366B

MD5
5a22b07e13204fbbe70b4ae8b2d2b228

SHA1
e7a8a2ff9f277e19da421c85248b7b0dc23684ef

SHA256
9ce16ae499366ef66625575d30bf4d34095ea735762156837235775a2241b655

SHA512
943052c6e86b0941bfde8d336af4abe35b234763e6a04eba37d8de72dfc8348de03bced92e07fc589f06d6b4a3e416ac994e121471869141c3b1db51c0f19692

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
433B

MD5
bfe70fc201f03307238c313ecbd6d1db

SHA1
d014d7436ad646defc169ef43fd1a5d71a7acd5f

SHA256
6676dbe21ca5f78d161a8057a16ae2240da5b74533de43a960f39f63fdc85c94

SHA512
f0ccc8f528cc846d30f356aeff5113df2150fbb6a9a30367664e20ecc04b3e63f596a34f756c0909439f151ed8bb268a938b0ae8304c69aec2694fc5df4ca925

Download Submit
memory/2532-0-0x000007FEF5413000-0x000007FEF5414000-memory.dmp

Filesize
4KB

Download
memory/2532-1-0x0000000000FF0000-0x000000000103C000-memory.dmp

Filesize
304KB

Download
memory/2532-4-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

Filesize
9.9MB

Download
memory/2532-52-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

Filesize
9.9MB

Download