44caliber | 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82

General

Target

93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
Size

1.2MB
MD5

b3cdce3b009f3e939234082945e89807
SHA1

7129f64c79954ba3e764efd44eaf3567a541ccac
SHA256

93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82
SHA512

97ab0bc727fac0e3d5a5231266fc5de257f3ddbc614990ed487e41897847ceaf2e027e9f2e93fb44f077532e87f472d902b7f3ba70b75db904a66f706a428ecd
SSDEEP

24576:gFtCQinvekY81UmRAOO0+B+i/rOjX25RxQps2ARjTjMpXCYmJS:Wv5mRfO9bzOjX21QJA9H6CYX

Score

10^/10

44caliber discovery spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/899702716115329035/bngOeqo8LUOszmsJtzqpLnMtfNXAZr9oXhUZ9DwQPgZG1cj1Y0F0qgN18O94CQ_gvLSj

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
44Caliber family
44caliber
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 freegeoip.app
6 freegeoip.app

flow	ioc
5	freegeoip.app
6	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

pid	process
1524	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
1524	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

pid	process
1524	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
1524	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
1524	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
1524	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

description pid process

Token: SeDebugPrivilege 1524 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

pid process

1524 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

description	pid	process
Token: SeDebugPrivilege	1524	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

C:\Users\Admin\AppData\Local\Temp\93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
"C:\Users\Admin\AppData\Local\Temp\93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
eb44556e6c1782f22b554c0c872d8ef4

SHA1
6d2bcb9586a6024ec9f92501b1e4718400855546

SHA256
e7734b37edf5bee830f24a37584cf857bfbdb0b6644a6bc789616d9b040d1677

SHA512
c439aa31174d11c95661ec2bb3d9d769834b9285a80f9b0c67b52ae1c078e7bc0efab1d7309f33dd4978ca9f4e4545084c7e5d9119f880b10420915cbacf7d99

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
355B

MD5
09310db260819e4a1b570b0eebed882e

SHA1
5d3b5367a68f41af424f66c218c110f32f70baa4

SHA256
9789eb7b20929ac2e086b7c74ef2fa5fe331f09560e1caa661c7135c7ef23635

SHA512
c4b5b8731127bff877c27dd9d59daae64669d51d8d409ae90a55e0c4f0f00c929f73e32d520ebe7b108863b34035c9350f94805c7403bb085b078ce01d0494c1

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
979B

MD5
a1e7cd9be0cb60705294f7b04512b988

SHA1
e21e47cbbd287fcf84dac07885ba7bf34ed0bf89

SHA256
e0ca204c958f3e07bec991e9b7fd4093715388231a8cc570259bdf227a32bc50

SHA512
de144751878e6ec137ea243196908b2ff7da27dc7754127b3770137c10c4c06a1a69bdc2bfae16bbb3790f5386019ea8b6a82354d55789b3084f71c46a6cb89f

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
964B

MD5
5a5e4ab85481b45fd966285820199a39

SHA1
78217f46248cd8a3c002ccb1b27b0ec223d845b4

SHA256
f4f8bac94e10f435ad769e2318facb1ea6832d58ace7bd2ad01f3168bea6747b

SHA512
3528ab21ab7f80361d642d2621fcc20000229e559387970594f27fadd85c011d94fd338904e878a4e95b0cc88572be1f0f3e319ecee18384abd02b39dbdfdc21

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1000B

MD5
7ac991de37f4fc3852e3da9b3f85bcb2

SHA1
fceab590d077cb9cd2b11b0265deb1253012bb42

SHA256
2882a211d5fdf7e7e5535c612f4118da16fd0b6a501bb381b7b02c512cdb6b85

SHA512
38d49eab9187a4ac73c1b92b8760852590fb5bff6c9f40dd6bd577eff0fc6c19d9503b8b028b3fd38bc14c63d344712e25b2306a2699e9de5103d21819b5ce0c

Download Submit
memory/1524-16-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download
memory/1524-37-0x0000000006BA0000-0x0000000007144000-memory.dmp

Filesize
5.6MB

Download
memory/1524-29-0x0000000006050000-0x00000000060E2000-memory.dmp

Filesize
584KB

Download
memory/1524-0-0x0000000000EB0000-0x000000000125C000-memory.dmp

Filesize
3.7MB

Download
memory/1524-2-0x0000000000EB0000-0x000000000125C000-memory.dmp

Filesize
3.7MB

Download
memory/1524-1-0x000000007422E000-0x000000007422F000-memory.dmp

Filesize
4KB

Download
memory/1524-121-0x0000000007870000-0x00000000078D6000-memory.dmp

Filesize
408KB

Download
memory/1524-125-0x0000000000EB0000-0x000000000125C000-memory.dmp

Filesize
3.7MB

Download
memory/1524-126-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads