Overview

overview

10

Static

static

10

alint Injector.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    26-04-2024 12:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    alint Injector.exe

  • Size

    421KB

  • MD5

    0da7db970ca52a95cba75fcdaeffc234

  • SHA1

    ed3c5a22e314ecb49dc986850d7584507d28d1ec

  • SHA256

    2243ca5017e8cf7c354213ff586c9a356b6029c5066fca3d65993d721098026c

  • SHA512

    4d7df30b85e808207eb80dbe8e953ed3556959e68ecede9c1c2c7dbf78ef59dd58934216f1c8de8c33adbd36143e33402515c96bdfbbdbbc52f0a90ea9573087

  • SSDEEP

    6144:2LtdFT6MDdbICydeBvRaifWp93duW6jmA1D00Yp0YsoG6bx8LW:6dzJaifWz3BY1D8pXl8LW

Score
10/10
44caliberxwormratspywarestealertrojan

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2

Extracted

Family

xworm

C2

phentermine-partial.gl.at.ply.gg:36969

Attributes
  • Install_directory

    %AppData%

  • install_file

    Client.exe

  • telegram

    https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\alint Injector.exe
    "C:\Users\Admin\AppData\Local\Temp\alint Injector.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Users\Admin\AppData\Local\Temp\Chrome.exe
      "C:\Users\Admin\AppData\Local\Temp\Chrome.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4000
    • C:\Users\Admin\AppData\Local\Temp\Opera GX.exe
      "C:\Users\Admin\AppData\Local\Temp\Opera GX.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3720
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Opera GX.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1392
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Opera GX.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3480
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Client.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4524
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4316
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
        3⤵
        • Creates scheduled task(s)
        PID:1040
  • C:\Users\Admin\AppData\Roaming\Client.exe
    C:\Users\Admin\AppData\Roaming\Client.exe
    1⤵
    • Executes dropped EXE
    PID:3940
  • C:\Users\Admin\AppData\Roaming\Client.exe
    C:\Users\Admin\AppData\Roaming\Client.exe
    1⤵
    • Executes dropped EXE
    PID:1748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
    Filesize

    654B

    MD5

    16c5fce5f7230eea11598ec11ed42862

    SHA1

    75392d4824706090f5e8907eee1059349c927600

    SHA256

    87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

    SHA512

    153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    ad5cd538ca58cb28ede39c108acb5785

    SHA1

    1ae910026f3dbe90ed025e9e96ead2b5399be877

    SHA256

    c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

    SHA512

    c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    f83a6333f5c2d7e8e1c6b11d68b83a2c

    SHA1

    b82fc4b8a375c5903e9b2b795fb3b27e28d86f80

    SHA256

    c7e7a89c6d194d4494af5c12f0af2b87dfe7abc8cf05c97044b115c48bc960c4

    SHA512

    6fc4ac6cd97db74c4e58af283135485ba568c803fccaec9d701f1eabb0f975f1d86306059fed5850a52e2327c06396a59de68403962bddfc96722a620692ef07

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    56a3b2dc2e453b074ca5363164c693f2

    SHA1

    c74acc6e4841653ca575aa7bb9e389860ea96bde

    SHA256

    1f0be5d394dd91ef35327d343107f1d89f96d7f650381a7f8694061af3e2fd5e

    SHA512

    4949f243c2bcc1e71358d95f634df74702cc63d48b421ff403d3bc800d9dae896eba4497098d8563a7cfaef8d3066e3c79044c5561f79cf127eb0462deb795d0

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    1fb2478d7360bd481eea2cf35d12aea8

    SHA1

    c52252f549c327b1a45c01de6e068fc9621fe99e

    SHA256

    8716caf82a5be5a23cebe8385ff261859526f772da892e03520bdfaad4aaa42d

    SHA512

    74bd6ef0e694b4104de26fdff86c190eaf5c4cd779abc177ffb3988d94213c133d2207212e2e9f71c93a7ab43fe75356042d9c9f2940cc3dc0b7252d07c38bdf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Chrome.exe
    Filesize

    303KB

    MD5

    0806acefdfc7d5602fb29b696edb0c64

    SHA1

    ff456af5fecb477cc00fffbaa4c206d18a62ee6a

    SHA256

    beecfc72917651d131028b60ab9a5dfb0b8e5e4ec60248321637048e06c524b7

    SHA512

    aa9bf80089dd565e2a4fa0af41f42c033c8093f83e52020b6c86c4cafeb49b627d712de89625adfbbc537d60f8fa0525b3c02164f4e34900c64ca3fd4fee134e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Opera GX.exe
    Filesize

    74KB

    MD5

    ef36a6fed3a555b4aee8288dbe0143ee

    SHA1

    b31be44e9e4767d7df123d742f32802aa343d0ec

    SHA256

    4ab06ce2922222f591b776a0c6c332952ff24bbcf6f757692a6ed5f9b45cc67a

    SHA512

    04d87228b20401ab5c7d36be3a217c09a413c671a28c016fa82fe5b19cf7b5579f15bf74212bd6a5fd141bb4e29897dc754bda20896323f8f60fc55a3e47a09c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_atscglv5.dr2.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • memory/1392-37-0x0000022AF8D10000-0x0000022AF8D32000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1392-40-0x0000022AF8DC0000-0x0000022AF8E36000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2356-23-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

    Download

  • memory/3720-31-0x00007FF954660000-0x00007FF95504C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3720-30-0x00000000005D0000-0x00000000005E8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3720-213-0x00007FF954660000-0x00007FF95504C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4000-32-0x0000025C426A0000-0x0000025C426B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4000-24-0x00007FF954660000-0x00007FF95504C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4000-212-0x00007FF954660000-0x00007FF95504C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4000-6-0x0000025C28020000-0x0000025C28072000-memory.dmp

    Filesize

    328KB

    Download