44caliber | 8077c458cca5d446d5699c86d18cd2ed03507f59ab09582a1147e17291f33c65

Analysis

max time kernel
30s
max time network
20s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Robux.exe
Size

274KB
MD5

b3dca103204683157780d5562579d100
SHA1

61a249df0a3ce1849b7047e252a323c9f26e44c4
SHA256

8077c458cca5d446d5699c86d18cd2ed03507f59ab09582a1147e17291f33c65
SHA512

89c4335aafa72a286b34460790abe4aa9e035db269f9b5e451a85c98326aa87b31d60a6742125011a54f421283e11cc5cf56d7fccfdcdff95d36dac21abec556
SSDEEP

6144:Af+BLtABPDOpJTNN6eTSUdZ/pOlYeJqlA1D0FkB:ppYSSUdZ/olYet1DHB

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/915691701547446283/wUW0ZMfS9Ea3nfJC3GBW1nyVurXzKmQnFhIAcuEwGucZF2JJhh8YakLcl2RpJb6iFOek

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
44Caliber family
44caliber
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	freegeoip.app
4	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Robux.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Robux.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4828	Robux.exe
4828	Robux.exe
4828	Robux.exe
4828	Robux.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4828	Robux.exe

C:\Users\Admin\AppData\Local\Temp\Robux.exe
"C:\Users\Admin\AppData\Local\Temp\Robux.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
699B

MD5
830f1b469a425b0c55414e85bdf72abb

SHA1
807a69bc5ce532712ebd1704f1430e85435ed69f

SHA256
a3265a64e19d5665fc79f7d34b965e5e73be8e3da99e5d9c86b21e0a2803646a

SHA512
74ee4c4491cf53ebb7e016c5d890e4e5b3b06ad619c632c49bb98169f9ed47482a4eb9528cd7f45cce09f8d77a38e823a287f8810ea419dc769429ad9e740b12

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
ba1190c01e030281418d8aebf82737fc

SHA1
954b943f830d7f5039fd2f43870c58eff1b1220d

SHA256
02e884d9ecc5f0d8d78e417f1b70175ef88b65163b12c67f714127f549e8c7ee

SHA512
7d6860b3c6b739a46277213b132cac137c83b292c328290e6135baf490977878b5a8e598ac61620768f58d115d7bf96584f1f3c82437109ca7043456f85d7aae

Download Submit
memory/4828-1-0x00000224F0980000-0x00000224F09CA000-memory.dmp

Filesize
296KB

Download
memory/4828-0-0x00007FFA96DC3000-0x00007FFA96DC5000-memory.dmp

Filesize
8KB

Download
memory/4828-11-0x00007FFA96DC0000-0x00007FFA97881000-memory.dmp

Filesize
10.8MB

Download
memory/4828-118-0x00007FFA96DC0000-0x00007FFA97881000-memory.dmp

Filesize
10.8MB

Download