44caliber | bd184a1270eb3d6e7c419cdf1b19011ef722c34b738684959d764db44367bdb5 | Triage

Submit
Reports

Overview

overview

Static

static

Nursultan Beta.exe

windows11-21h2-x64

Sharing

General

Target

Nursultan Beta.rar
Size

392KB
Sample

240502-tyl4jacg61
MD5

aff45d938aa8753edeb047abd739e54c
SHA1

3958816eefbe0e29e8c4ceee6f6caefb52fcb53c
SHA256

bd184a1270eb3d6e7c419cdf1b19011ef722c34b738684959d764db44367bdb5
SHA512

bd3f893aa0820b06207469aa7c8055bcf58d8ba8b417236437286b5e96fcedbf26aae7ce269a32ae13bb49ce09d5ca39bd187c97cab48d820ebc236f33e8b5a2
SSDEEP

12288:UWskH6zXkFLMbezRZibiNZNK+0JZjWrCl8jVDK9fzWcNhlh:UXTkhT/Cixp0Jzl8jo5zDh3

Score

10^/10

44caliber xworm execution rat spyware stealer trojan

Static task

static1

xworm 44caliber

4 signatures

Behavioral task

behavioral1

Sample

Nursultan Beta.exe

Resource

win11-20240419-en

44caliber xworm execution rat spyware stealer trojan

windows11-21h2-x64

23 signatures

1800 seconds

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1235294310178492458/n1tsVRd4bDgNQjTi7wJYLYEgwzKAtqbw0H2CgwWJ4hG1R016D9ZXGq5Kouec9-4BGOgv

Extracted

Family

xworm

C2

phentermine-partial.gl.at.ply.gg:36969

Attributes

Install_directory
%Temp%
install_file
Astral.exe
telegram
https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y

Targets

- Target
  
  Nursultan Beta.exe
- Size
  
  1.5MB
- MD5
  
  b8317db1ac92a4c14e7d0d8f3539ae43
- SHA1
  
  22a2385c9bbfce788b08fc24f33f8a0adaefd78e
- SHA256
  
  d0e3960cfc407d95abdf059048bef502b65dbd149d977ad44be858c9163d9e6c
- SHA512
  
  e919b5e87bc12ea0a38ca844ad2cb7d554b80357944d9d53a5bd79cdff8e8206fc06e75f7b710e9c59a90345e42d531993704b8a77532f8bd22e162ce15f5993
- SSDEEP
  
  12288:Sr4lDQ0JHD6AUsEp8zLghZM5Qr4lDQ0JHD6AUsEp8zDjuPKv7MYdzJaifWz3BY1q:ScdzJ9ubKQcdzJ9uwjxnWVwBjxnWVwc
Score

10^/10

44caliber xworm execution rat spyware stealer trojan
- 44Caliber
  An open source infostealer written in C#.
  stealer 44caliber
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

44caliberxwormexecutionratspywarestealertrojan

© 2018-2024

Terms | Privacy