44caliber | 2243ca5017e8cf7c354213ff586c9a356b6029c5066fca3d65993d721098026c

General

Target

alint Injector.exe
Size

421KB
MD5

0da7db970ca52a95cba75fcdaeffc234
SHA1

ed3c5a22e314ecb49dc986850d7584507d28d1ec
SHA256

2243ca5017e8cf7c354213ff586c9a356b6029c5066fca3d65993d721098026c
SHA512

4d7df30b85e808207eb80dbe8e953ed3556959e68ecede9c1c2c7dbf78ef59dd58934216f1c8de8c33adbd36143e33402515c96bdfbbdbbc52f0a90ea9573087
SSDEEP

6144:2LtdFT6MDdbICydeBvRaifWp93duW6jmA1D00Yp0YsoG6bx8LW:6dzJaifWz3BY1D8pXl8LW

Score

10^/10

44caliber xworm rat spyware stealer trojan

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2

Extracted

Family

xworm

C2

phentermine-partial.gl.at.ply.gg:36969

Attributes

Install_directory
%AppData%
install_file
Client.exe
telegram
https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Opera GX.exe	family_xworm
behavioral1/memory/2356-23-0x0000000000400000-0x0000000000471000-memory.dmp	family_xworm
behavioral1/memory/3720-30-0x00000000005D0000-0x00000000005E8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

Processes:

Opera GX.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk	Opera GX.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk	Opera GX.exe

Executes dropped EXE 4 IoCs

Processes:

Chrome.exeOpera GX.exeClient.exeClient.exe

pid process

4000 Chrome.exe
3720 Opera GX.exe
3940 Client.exe
1748 Client.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 freegeoip.app
5 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1040 schtasks.exe

flow	ioc
1	freegeoip.app
5	ip-api.com

pid	process
1040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Chrome.exepowershell.exepowershell.exepowershell.exepowershell.exeOpera GX.exe

pid	process
4000	Chrome.exe
4000	Chrome.exe
4000	Chrome.exe
1392	powershell.exe
1392	powershell.exe
1392	powershell.exe
3480	powershell.exe
3480	powershell.exe
3480	powershell.exe
4524	powershell.exe
4524	powershell.exe
4524	powershell.exe
4316	powershell.exe
4316	powershell.exe
4316	powershell.exe
3720	Opera GX.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Chrome.exeOpera GX.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4000	Chrome.exe
Token: SeDebugPrivilege	3720	Opera GX.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeIncreaseQuotaPrivilege	1392	powershell.exe
Token: SeSecurityPrivilege	1392	powershell.exe
Token: SeTakeOwnershipPrivilege	1392	powershell.exe
Token: SeLoadDriverPrivilege	1392	powershell.exe
Token: SeSystemProfilePrivilege	1392	powershell.exe
Token: SeSystemtimePrivilege	1392	powershell.exe
Token: SeProfSingleProcessPrivilege	1392	powershell.exe
Token: SeIncBasePriorityPrivilege	1392	powershell.exe
Token: SeCreatePagefilePrivilege	1392	powershell.exe
Token: SeBackupPrivilege	1392	powershell.exe
Token: SeRestorePrivilege	1392	powershell.exe
Token: SeShutdownPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeSystemEnvironmentPrivilege	1392	powershell.exe
Token: SeRemoteShutdownPrivilege	1392	powershell.exe
Token: SeUndockPrivilege	1392	powershell.exe
Token: SeManageVolumePrivilege	1392	powershell.exe
Token: 33	1392	powershell.exe
Token: 34	1392	powershell.exe
Token: 35	1392	powershell.exe
Token: 36	1392	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeIncreaseQuotaPrivilege	3480	powershell.exe
Token: SeSecurityPrivilege	3480	powershell.exe
Token: SeTakeOwnershipPrivilege	3480	powershell.exe
Token: SeLoadDriverPrivilege	3480	powershell.exe
Token: SeSystemProfilePrivilege	3480	powershell.exe
Token: SeSystemtimePrivilege	3480	powershell.exe
Token: SeProfSingleProcessPrivilege	3480	powershell.exe
Token: SeIncBasePriorityPrivilege	3480	powershell.exe
Token: SeCreatePagefilePrivilege	3480	powershell.exe
Token: SeBackupPrivilege	3480	powershell.exe
Token: SeRestorePrivilege	3480	powershell.exe
Token: SeShutdownPrivilege	3480	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeSystemEnvironmentPrivilege	3480	powershell.exe
Token: SeRemoteShutdownPrivilege	3480	powershell.exe
Token: SeUndockPrivilege	3480	powershell.exe
Token: SeManageVolumePrivilege	3480	powershell.exe
Token: 33	3480	powershell.exe
Token: 34	3480	powershell.exe
Token: 35	3480	powershell.exe
Token: 36	3480	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeIncreaseQuotaPrivilege	4524	powershell.exe
Token: SeSecurityPrivilege	4524	powershell.exe
Token: SeTakeOwnershipPrivilege	4524	powershell.exe
Token: SeLoadDriverPrivilege	4524	powershell.exe
Token: SeSystemProfilePrivilege	4524	powershell.exe
Token: SeSystemtimePrivilege	4524	powershell.exe
Token: SeProfSingleProcessPrivilege	4524	powershell.exe
Token: SeIncBasePriorityPrivilege	4524	powershell.exe
Token: SeCreatePagefilePrivilege	4524	powershell.exe
Token: SeBackupPrivilege	4524	powershell.exe
Token: SeRestorePrivilege	4524	powershell.exe
Token: SeShutdownPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeSystemEnvironmentPrivilege	4524	powershell.exe
Token: SeRemoteShutdownPrivilege	4524	powershell.exe
Token: SeUndockPrivilege	4524	powershell.exe
Token: SeManageVolumePrivilege	4524	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Opera GX.exe

pid process

3720 Opera GX.exe

pid	process
3720	Opera GX.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

alint Injector.exeOpera GX.exe

description	pid	process	target process
PID 2356 wrote to memory of 4000	2356	alint Injector.exe	Chrome.exe
PID 2356 wrote to memory of 4000	2356	alint Injector.exe	Chrome.exe
PID 2356 wrote to memory of 3720	2356	alint Injector.exe	Opera GX.exe
PID 2356 wrote to memory of 3720	2356	alint Injector.exe	Opera GX.exe
PID 3720 wrote to memory of 1392	3720	Opera GX.exe	powershell.exe
PID 3720 wrote to memory of 1392	3720	Opera GX.exe	powershell.exe
PID 3720 wrote to memory of 3480	3720	Opera GX.exe	powershell.exe
PID 3720 wrote to memory of 3480	3720	Opera GX.exe	powershell.exe
PID 3720 wrote to memory of 4524	3720	Opera GX.exe	powershell.exe
PID 3720 wrote to memory of 4524	3720	Opera GX.exe	powershell.exe
PID 3720 wrote to memory of 4316	3720	Opera GX.exe	powershell.exe
PID 3720 wrote to memory of 4316	3720	Opera GX.exe	powershell.exe
PID 3720 wrote to memory of 1040	3720	Opera GX.exe	schtasks.exe
PID 3720 wrote to memory of 1040	3720	Opera GX.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\alint Injector.exe
"C:\Users\Admin\AppData\Local\Temp\alint Injector.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\Chrome.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Users\Admin\AppData\Local\Temp\Opera GX.exe
"C:\Users\Admin\AppData\Local\Temp\Opera GX.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Opera GX.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Opera GX.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Client.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4316

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
3⤵
- Creates scheduled task(s)
PID:1040

C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
1⤵
- Executes dropped EXE
PID:3940

C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
1⤵
- Executes dropped EXE
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f83a6333f5c2d7e8e1c6b11d68b83a2c

SHA1
b82fc4b8a375c5903e9b2b795fb3b27e28d86f80

SHA256
c7e7a89c6d194d4494af5c12f0af2b87dfe7abc8cf05c97044b115c48bc960c4

SHA512
6fc4ac6cd97db74c4e58af283135485ba568c803fccaec9d701f1eabb0f975f1d86306059fed5850a52e2327c06396a59de68403962bddfc96722a620692ef07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
56a3b2dc2e453b074ca5363164c693f2

SHA1
c74acc6e4841653ca575aa7bb9e389860ea96bde

SHA256
1f0be5d394dd91ef35327d343107f1d89f96d7f650381a7f8694061af3e2fd5e

SHA512
4949f243c2bcc1e71358d95f634df74702cc63d48b421ff403d3bc800d9dae896eba4497098d8563a7cfaef8d3066e3c79044c5561f79cf127eb0462deb795d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1fb2478d7360bd481eea2cf35d12aea8

SHA1
c52252f549c327b1a45c01de6e068fc9621fe99e

SHA256
8716caf82a5be5a23cebe8385ff261859526f772da892e03520bdfaad4aaa42d

SHA512
74bd6ef0e694b4104de26fdff86c190eaf5c4cd779abc177ffb3988d94213c133d2207212e2e9f71c93a7ab43fe75356042d9c9f2940cc3dc0b7252d07c38bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome.exe
Filesize
303KB

MD5
0806acefdfc7d5602fb29b696edb0c64

SHA1
ff456af5fecb477cc00fffbaa4c206d18a62ee6a

SHA256
beecfc72917651d131028b60ab9a5dfb0b8e5e4ec60248321637048e06c524b7

SHA512
aa9bf80089dd565e2a4fa0af41f42c033c8093f83e52020b6c86c4cafeb49b627d712de89625adfbbc537d60f8fa0525b3c02164f4e34900c64ca3fd4fee134e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera GX.exe
Filesize
74KB

MD5
ef36a6fed3a555b4aee8288dbe0143ee

SHA1
b31be44e9e4767d7df123d742f32802aa343d0ec

SHA256
4ab06ce2922222f591b776a0c6c332952ff24bbcf6f757692a6ed5f9b45cc67a

SHA512
04d87228b20401ab5c7d36be3a217c09a413c671a28c016fa82fe5b19cf7b5579f15bf74212bd6a5fd141bb4e29897dc754bda20896323f8f60fc55a3e47a09c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_atscglv5.dr2.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/1392-37-0x0000022AF8D10000-0x0000022AF8D32000-memory.dmp

Filesize
136KB

Download
memory/1392-40-0x0000022AF8DC0000-0x0000022AF8E36000-memory.dmp

Filesize
472KB

Download
memory/2356-23-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3720-31-0x00007FF954660000-0x00007FF95504C000-memory.dmp

Filesize
9.9MB

Download
memory/3720-30-0x00000000005D0000-0x00000000005E8000-memory.dmp

Filesize
96KB

Download
memory/3720-213-0x00007FF954660000-0x00007FF95504C000-memory.dmp

Filesize
9.9MB

Download
memory/4000-32-0x0000025C426A0000-0x0000025C426B0000-memory.dmp

Filesize
64KB

Download
memory/4000-24-0x00007FF954660000-0x00007FF95504C000-memory.dmp

Filesize
9.9MB

Download
memory/4000-212-0x00007FF954660000-0x00007FF95504C000-memory.dmp

Filesize
9.9MB

Download
memory/4000-6-0x0000025C28020000-0x0000025C28072000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads