44caliber | 71190786d6d6f7af66708fac94461b22d6196be27134f561e5ab4017fd748d6d | Triage

Submit
Reports

Overview

overview

Static

static

Halint Injector.exe

windows10-1703-x64

Sharing

General

Target

Halint Injector.exe
Size

1.4MB
Sample

240426-p3sdwscg4v
MD5

e5bfe496294df1f358aa1e31912d12b6
SHA1

ad4c7a307b3487f22a2d38acb8b63244aba911d3
SHA256

71190786d6d6f7af66708fac94461b22d6196be27134f561e5ab4017fd748d6d
SHA512

60945bae77a2b89e9d305e7e14bc872b2933f15dff5a06a1313608902503b93a6e5444c19690c45096dac2d193ce45fea58124084e8f5819431a4b093dd12747
SSDEEP

12288:udzJaifWz3BY1D8pXl8LdhNAl2E+2gAGq62BdaqtL4MD0BK/dpyDkXcx0cmUYwxr:CnWVjsNGbhBdaqtL4wr8kX8EoMc

Score

10^/10

44caliber xworm rat spyware stealer trojan

Static task

static1

xworm 44caliber

4 signatures

Behavioral task

behavioral1

Sample

Halint Injector.exe

Resource

win10-20240404-en

44caliber xworm rat spyware stealer trojan

windows10-1703-x64

25 signatures

300 seconds

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2

Extracted

Family

xworm

C2

phentermine-partial.gl.at.ply.gg:36969

Attributes

Install_directory
%AppData%
install_file
Client.exe
telegram
https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y

Targets

- Target
  
  Halint Injector.exe
- Size
  
  1.4MB
- MD5
  
  e5bfe496294df1f358aa1e31912d12b6
- SHA1
  
  ad4c7a307b3487f22a2d38acb8b63244aba911d3
- SHA256
  
  71190786d6d6f7af66708fac94461b22d6196be27134f561e5ab4017fd748d6d
- SHA512
  
  60945bae77a2b89e9d305e7e14bc872b2933f15dff5a06a1313608902503b93a6e5444c19690c45096dac2d193ce45fea58124084e8f5819431a4b093dd12747
- SSDEEP
  
  12288:udzJaifWz3BY1D8pXl8LdhNAl2E+2gAGq62BdaqtL4MD0BK/dpyDkXcx0cmUYwxr:CnWVjsNGbhBdaqtL4wr8kX8EoMc
Score

10^/10

44caliber xworm rat spyware stealer trojan
- 44Caliber
  An open source infostealer written in C#.
  stealer 44caliber
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

44caliberxwormratspywarestealertrojan

© 2018-2024

Terms | Privacy