44caliber | 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82

General

Target

93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
Size

1.2MB
MD5

b3cdce3b009f3e939234082945e89807
SHA1

7129f64c79954ba3e764efd44eaf3567a541ccac
SHA256

93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82
SHA512

97ab0bc727fac0e3d5a5231266fc5de257f3ddbc614990ed487e41897847ceaf2e027e9f2e93fb44f077532e87f472d902b7f3ba70b75db904a66f706a428ecd
SSDEEP

24576:gFtCQinvekY81UmRAOO0+B+i/rOjX25RxQps2ARjTjMpXCYmJS:Wv5mRfO9bzOjX21QJA9H6CYX

Score

10^/10

44caliber discovery spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/899702716115329035/bngOeqo8LUOszmsJtzqpLnMtfNXAZr9oXhUZ9DwQPgZG1cj1Y0F0qgN18O94CQ_gvLSj

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
44Caliber family
44caliber
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
6	freegeoip.app
7	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

pid	Process
4552	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
4552	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

pid	Process
4552	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
4552	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
4552	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
4552	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

description	pid	Process
Token: SeDebugPrivilege	4552	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

pid	Process
4552	93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe

C:\Users\Admin\AppData\Local\Temp\93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
"C:\Users\Admin\AppData\Local\Temp\93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
425B

MD5
850567f267d70c9198dd9015f6959242

SHA1
70a668b9ee665025a3ec3f81ab48d2b56cac7d89

SHA256
f2c5f685deed209fc068db10d3fcd4fbeab7e037393e40d901b3c8c434e3fbb3

SHA512
9a045c42fc745f41c64d97c7f5cc16eaf78b471b4cb8abeb279d9dec047e108906b319dc8da822ea04d95c582272111ec40e4cdd145c66fb92de010aec0ed491

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
440B

MD5
fbf65a1aaba3fea5b99ed101d7014e4b

SHA1
44b4c508cf6d5aedc40bb0bc00042b113db76851

SHA256
d9c40761f27704a63c82d3ee015123e3169e2406ccc66febe8083c66192c5296

SHA512
7c0e88d2a6cce3211f23926b8efe9b1a11401fa17dde02a802320f38bca3bb76d87d0471b6850e8995a4e63200d31be5e53508c33b9906deca01bdbcf9496a30

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
792B

MD5
f57170906e9b409068d64cd42806ce4f

SHA1
919fba817b3cc943e6f35f7ddc9e8b70e88690ad

SHA256
15a3024dffbd8f76b7f1250cef0ad036391ef8a8fad2803663440d5877c91a29

SHA512
60819df42006233b6cff64bada2fe0d4730f95dc13d982b5aeb48185e7155e5509edce7fa5efd1c2c4df05bf257fc74de70c2cf30af7ee06335c51977c3ab244

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
688108c395323fc0795a2ef7b8b3c7a4

SHA1
0d9a9535d3963afe3dd7cb99adeb817f4e1560f6

SHA256
d083fab5500949c09aa0180a4489f788c02f2bffb827fbf7ed0f62f702858d98

SHA512
040eed7fb0b5207a042164e9d3b61009debde6a88db2ac5db615b3fcce41eabb42c270ba02c7d97751cb145cc8c4cad68b0d9bffe792bdead8ea136b61eacf31

Download Submit
memory/4552-3-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download
memory/4552-38-0x0000000007390000-0x0000000007934000-memory.dmp

Filesize
5.6MB

Download
memory/4552-37-0x00000000068C0000-0x0000000006952000-memory.dmp

Filesize
584KB

Download
memory/4552-0-0x0000000000B30000-0x0000000000EDC000-memory.dmp

Filesize
3.7MB

Download
memory/4552-2-0x0000000000B30000-0x0000000000EDC000-memory.dmp

Filesize
3.7MB

Download
memory/4552-1-0x0000000073EAE000-0x0000000073EAF000-memory.dmp

Filesize
4KB

Download
memory/4552-122-0x0000000007250000-0x00000000072B6000-memory.dmp

Filesize
408KB

Download
memory/4552-126-0x0000000000B30000-0x0000000000EDC000-memory.dmp

Filesize
3.7MB

Download
memory/4552-127-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads