44caliber | 79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fb

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/02/2025, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fbN.exe
Size

274KB
MD5

4034bc9858eec0ab0f53013852e4a130
SHA1

95380a8ca4c372e06d017cabc9a7b7144c55347d
SHA256

79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fb
SHA512

2a7ed7751bb2445bbbce94ddaaf55870977fee0495e3cbea8c71b619de4b1cc46558d3be539e123123a38b3bedb689d23cb2aadf6a43e58558b0e0ea5b409aa2
SSDEEP

6144:Wf+BLtABPDkkZ68Dm6pwyUruui8XafTyClI1D0vDx:xozqyUruuzf1DAx

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1338494455816130602/RfPMucy7qNgnF1KO1MI5iOATLOqPdaYE1pn3HhuPCtXjqRXs3t1NFhCJsYBUYOc2mSD5

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
44Caliber family
44caliber
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
5	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fbN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fbN.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1344	79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fbN.exe
1344	79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fbN.exe
1344	79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fbN.exe
1344	79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fbN.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1344	79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fbN.exe

C:\Users\Admin\AppData\Local\Temp\79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fbN.exe
"C:\Users\Admin\AppData\Local\Temp\79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fbN.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
239B

MD5
a6afd7e091d6be1b664ee641fbfa5723

SHA1
197133b0f669d569dbf5b183e7c4503b9ab113f6

SHA256
1a477d80fbe0b1d9644ba48fdadbd1152f2a563efd52c5e9a07cc88420632dd4

SHA512
5daa896af4bec0b463a06afeba1ca1180339e7a8fe846ac8913337f737e35875160689b6962cf7c140253bcf423ad40682bfe628e264f007abf5bffc7105bd54

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
476B

MD5
c102b8a02236c2dbc9a54a4ed84f1f41

SHA1
1d7e197bcba728c0095bab6d8244d03b0789a475

SHA256
c89fe6fa6c5620be359548e88f02e938bee84f3274b647e2e4ede554d1fa5e34

SHA512
f196e162e8165bb83d1c0e3d3a6edc88e08f55537de499fb427cb657ee3dfbdc0642de4cbb5db27ff99347803c127f24f9a25b5d29151a2b603c3c96cf2ca437

Download Submit
memory/1344-0-0x000007FEF6363000-0x000007FEF6364000-memory.dmp

Filesize
4KB

Download
memory/1344-1-0x0000000001350000-0x000000000139A000-memory.dmp

Filesize
296KB

Download
memory/1344-8-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

Filesize
9.9MB

Download
memory/1344-22-0x000007FEF6363000-0x000007FEF6364000-memory.dmp

Filesize
4KB

Download
memory/1344-23-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

Filesize
9.9MB

Download
memory/1344-55-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

Filesize
9.9MB

Download