44caliber | 79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fb

General

Target

79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fbN.exe
Size

274KB
MD5

4034bc9858eec0ab0f53013852e4a130
SHA1

95380a8ca4c372e06d017cabc9a7b7144c55347d
SHA256

79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fb
SHA512

2a7ed7751bb2445bbbce94ddaaf55870977fee0495e3cbea8c71b619de4b1cc46558d3be539e123123a38b3bedb689d23cb2aadf6a43e58558b0e0ea5b409aa2
SSDEEP

6144:Wf+BLtABPDkkZ68Dm6pwyUruui8XafTyClI1D0vDx:xozqyUruuzf1DAx

Score

10^/10

44caliber discovery spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1338494455816130602/RfPMucy7qNgnF1KO1MI5iOATLOqPdaYE1pn3HhuPCtXjqRXs3t1NFhCJsYBUYOc2mSD5

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
44Caliber family
44caliber

Downloads MZ/PE file 2 IoCs

flow	pid	Process
41	1008	Process not Found
57	2968	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
5	freegeoip.app

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4512	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fbN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fbN.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3424	79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fbN.exe
3424	79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fbN.exe
3424	79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fbN.exe
3424	79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fbN.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3424	79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fbN.exe

C:\Users\Admin\AppData\Local\Temp\79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fbN.exe
"C:\Users\Admin\AppData\Local\Temp\79b3ca1b8819f91ab47df7421e1bff2b7cd53dfcb3bc6f9257eca9a651f8f6fbN.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTMyNjQ4MjEtMDY4Qi00OTc2LTlGMkUtOEFDRTE0MTVDQUM1fSIgdXNlcmlkPSJ7MERFMzRCMUItNzg1Qy00MjlELUIzRkYtMEVDNjc0MjhFNjZCfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RjFGQjBFRTQtMUREQS00RDE5LTlGRkUtOTlBMkRFNkVCRTkwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI5IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0Nzc5MDI2NzY3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
741B

MD5
b4cb8c980c5624ddc8bef6a1d70566b9

SHA1
33fbf4978a6c83b7a14c924c2b1a88999ad8f5d2

SHA256
4701e53845b82047b246b4a4f658b0bb3e6df2a6922eae882edac11cca08a5e6

SHA512
6d4ecd7529fe97bce8ee61b72902de5f0998cacb30475eff99a2e5c2ee9d461e9065b185b82109fed9253bec8db198cb0d7cb37ce7b1de374bbefcc9f949946f

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
849B

MD5
c2ea23b145e5a83a72ce6e0a7fd51bf8

SHA1
0534f373aad839ada4d5010cd35cd4f693f273c4

SHA256
4ccd61a6396280077fbe947037d5018b096f7193e033eeefabc7100efbe74c4f

SHA512
5d0bf59b6f6ee5646a7d56c8cc77e524df605b39152937d51c03cae3288b7ed322787b5a3300b82925db6066be8266878ff6abbfbafb2eb61c86db682ba18c79

Download Submit
memory/3424-0-0x00007FF952023000-0x00007FF952025000-memory.dmp

Filesize
8KB

Download
memory/3424-1-0x0000019871350000-0x000001987139A000-memory.dmp

Filesize
296KB

Download
memory/3424-24-0x00007FF952020000-0x00007FF952AE1000-memory.dmp

Filesize
10.8MB

Download
memory/3424-124-0x00007FF952020000-0x00007FF952AE1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing