44caliber | 405bdae4a67cc4a4e5a9d2f39acd2ea34f5054f4caa8b085f03bb1286dfb5105 | Triage

Submit
Reports

Overview

overview

Static

static

XClient.exe

windows7-x64

XClient.exe

windows10-2004-x64

Sharing

General

Target

XClient.exe
Size

61KB
Sample

240620-k2vemsyhmc
MD5

60797170ebbe376274cf30e64b127706
SHA1

648e9c31b92f4d3fb93e7ca8be73836883c41538
SHA256

405bdae4a67cc4a4e5a9d2f39acd2ea34f5054f4caa8b085f03bb1286dfb5105
SHA512

754d72a6b2a5428e64f0d8d58be0bd89a5f6a7c9ec646d08bccc981adf06567ab5191ba0a7768efe8ee8781bcd216e404a0ebaf55992a151e5536e26f8a93559
SSDEEP

1536:WzPVaddkiWRZrtTAdBxmiABbARE4TKQDmjav6/LnkO8AqYZP:Wz4CLTA9mi+bARsbLnkO8AxZP

Score

10^/10

44caliber xworm execution rat spyware stealer trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

XClient.exe

Resource

win7-20240221-en

xworm execution rat trojan

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

XClient.exe

Resource

win10v2004-20240226-en

44caliber xworm execution rat spyware stealer trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:32901

engineering-thoroughly.gl.at.ply.gg:32901

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1131711873008549938/QPUFf0SJyyBKkmbeY9YgkuN6uIphQMrfHrESgo7LDLk9M-ZHEC2H2R-LmRpRgJMYG97X

Targets

- Target
  
  XClient.exe
- Size
  
  61KB
- MD5
  
  60797170ebbe376274cf30e64b127706
- SHA1
  
  648e9c31b92f4d3fb93e7ca8be73836883c41538
- SHA256
  
  405bdae4a67cc4a4e5a9d2f39acd2ea34f5054f4caa8b085f03bb1286dfb5105
- SHA512
  
  754d72a6b2a5428e64f0d8d58be0bd89a5f6a7c9ec646d08bccc981adf06567ab5191ba0a7768efe8ee8781bcd216e404a0ebaf55992a151e5536e26f8a93559
- SSDEEP
  
  1536:WzPVaddkiWRZrtTAdBxmiABbARE4TKQDmjav6/LnkO8AqYZP:Wz4CLTA9mi+bARsbLnkO8AxZP
Score

10^/10

xworm execution rat trojan 44caliber spyware stealer
- 44Caliber
  An open source infostealer written in C#.
  stealer 44caliber
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

44caliberxwormexecutionratspywarestealertrojan

© 2018-2024

Terms | Privacy