MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e009fee742f6dd1d2c9fc0e840dbeeca1a705a13c2667bf09daf216c60411e89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

44CaliberStealer

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	e009fee742f6dd1d2c9fc0e840dbeeca1a705a13c2667bf09daf216c60411e89
SHA3-384 hash:	5b465de2dd97f62f2347d476e53f3974c8a048656dd50fb53a25ea8919fa2984fc0279102b9328d3b456d90ee2cdf15b
SHA1 hash:	5848daad55e30e542e17213ea83d4c4e8ad66641
MD5 hash:	9dc5e3d364fba20137971eb948ed5089
humanhash:	mars-ceiling-aspen-sixteen
File name:	123.scr
Download:	download sample
Signature	44CaliberStealer Create hunting rule
File size:	289'280 bytes
First seen:	2023-12-14 00:38:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:if+BLtABPDMtBBfn1Y0gIoHOQpafTyUlI1D0fVg9MtW:JtVvgIoHOOZ1DKg96
Threatray	58 similar samples on MalwareBazaar
TLSH	T1CE545C0027EC8B56E2FF4BB9E4B01161C3B1B466B83EDB4E6D4461DE2923780D955BB3
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	1331170717176933 (2 x 44CaliberStealer)
Reporter	smica83
Tags:	44CaliberStealer exe UKR

Intelligence

File Origin

# of uploads :

# of downloads :

344

Origin country :

Vendor Threat Intelligence

Detection:

GloomaneStealer

Link:

https://www.capesandbox.com/analysis/467343/

Detection(s):

Win.Packed.Datastealer-9856291-0

Win.Packed.Generic-9884627-0

Win.Packed.Msilperseus-9956591-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Сreating synchronization primitives

Reading critical registry keys

Creating a file

DNS request

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm anti-vm crypto evasive hacktool lolbin masquerade packed replace stealer

Link:

https://www.filescan.io/uploads/657a4ea73636548f374eb6d2/reports/4d248fc6-f5a9-4ec2-b3b5-7fe7a76cbc57/overview

Verdict:

Malicious

Labled as:

DataStealer.1.Generic

Link:

https://www.hybrid-analysis.com/sample/e009fee742f6dd1d2c9fc0e840dbeeca1a705a13c2667bf09daf216c60411e89

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f57a072a-4bbf-44c7-b93e-3e729a673ab9

Result

Threat name:

Rags Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1361823

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to capture screen (.Net source)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Yara detected Rags Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

75%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e009fee742f6dd1d2c9fc0e840dbeeca1a705a13c2667bf09daf216c60411e89

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e009fee742f6dd1d2c9fc0e840dbeeca1a705a13c2667bf09daf216c60411e89/

Threat name:

ByteCode-MSIL.Trojan.DataStealer

Status:

Malicious

First seen:

2023-12-13 18:13:03 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 23 (86.96%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4ae75z2c63or2le7yduebw7ozinhawqtyjthx4e5v4qwyycbd2eq._file

Verdict:

malicious

44CaliberStealer

16821bc6b2d1d12709248bb605b04fe158a397717d0e6004511e70ef0f537610

44CaliberStealer

98f61a34d1b53907d24096b09b5530b80ca42ce9dd4c50eafcc6fab3f45a0119

44CaliberStealer

af0c48ca1ed3431b936d489bf1e8255a5d4182bd6164946bd6179ae3f212d0b1

44CaliberStealer

b10d9e9aff4691ad76def8f540df62e7a47c04290250a1489ad4ba08102666e2

44CaliberStealer

ba8e080a84946ed54cb2b10247081c845c72f1c9809258a643c6e8aeff0e3d99

44CaliberStealer

dcb14e5383e945eee6cb44605e217da202fcc414dff52d8420cea2ad99bde1fb

44CaliberStealer

e009fee742f6dd1d2c9fc0e840dbeeca1a705a13c2667bf09daf216c60411e89

44CaliberStealer

+ 48 additional samples on MalwareBazaar

Result

Malware family:

44caliber

Score:

10/10

Tags:

family:44caliber spyware stealer

Link:

https://tria.ge/reports/231214-azma5sadcn/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Reads user/profile data of web browsers

44Caliber

Malware Config

C2 Extraction:

https://discordapp.com/api/webhooks/1184504729359896607/fPAMX9PDaXX6cd_-7EdUwUPRgvGLKrETMXz361gwk0y19F6LqJJCESeLcwPQReg9mLu9

Unpacked files

SH256 hash:

e009fee742f6dd1d2c9fc0e840dbeeca1a705a13c2667bf09daf216c60411e89

MD5 hash:

9dc5e3d364fba20137971eb948ed5089

SHA1 hash:

5848daad55e30e542e17213ea83d4c4e8ad66641

Detections:

fortyfourcaliber_stealer

INDICATOR_SUSPICIOUS_EXE_Discord_Regex

INDICATOR_SUSPICIOUS_EXE_References_VPN

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_CC_Regex

MALWARE_Win_GloomaneStealer

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

MALWARE_Win_A310Logger

Link:

https://www.unpac.me/results/fe06ffff-0035-4783-a166-fd4d75f7f7ad/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e009fee742f6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e009fee742f6dd1d2c9fc0e840dbeeca1a705a13c2667bf09daf216c60411e89

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/467343/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample