44caliber | 405bdae4a67cc4a4e5a9d2f39acd2ea34f5054f4caa8b085f03bb1286dfb5105

General

Target

XClient.exe
Size

61KB
MD5

60797170ebbe376274cf30e64b127706
SHA1

648e9c31b92f4d3fb93e7ca8be73836883c41538
SHA256

405bdae4a67cc4a4e5a9d2f39acd2ea34f5054f4caa8b085f03bb1286dfb5105
SHA512

754d72a6b2a5428e64f0d8d58be0bd89a5f6a7c9ec646d08bccc981adf06567ab5191ba0a7768efe8ee8781bcd216e404a0ebaf55992a151e5536e26f8a93559
SSDEEP

1536:WzPVaddkiWRZrtTAdBxmiABbARE4TKQDmjav6/LnkO8AqYZP:Wz4CLTA9mi+bARsbLnkO8AxZP

Score

10^/10

44caliber xworm execution rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:32901

engineering-thoroughly.gl.at.ply.gg:32901

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1131711873008549938/QPUFf0SJyyBKkmbeY9YgkuN6uIphQMrfHrESgo7LDLk9M-ZHEC2H2R-LmRpRgJMYG97X

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4292-1-0x0000000000FD0000-0x0000000000FE6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
5012	powershell.exe
4576	powershell.exe
3460	powershell.exe
3528	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XClient.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 1 IoCs

Processes:

rhxesf.exe

pid	Process
5068	rhxesf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
8	ip-api.com
75	freegeoip.app
76	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exerhxesf.exe

pid	Process
5012	powershell.exe
5012	powershell.exe
4576	powershell.exe
4576	powershell.exe
3460	powershell.exe
3460	powershell.exe
3528	powershell.exe
3528	powershell.exe
5068	rhxesf.exe
5068	rhxesf.exe
5068	rhxesf.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

XClient.exepowershell.exepowershell.exepowershell.exepowershell.exerhxesf.exe

description	pid	Process
Token: SeDebugPrivilege	4292	XClient.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	4292	XClient.exe
Token: SeDebugPrivilege	5068	rhxesf.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

XClient.exe

description	pid	Process	procid_target
PID 4292 wrote to memory of 5012	4292	XClient.exe	95
PID 4292 wrote to memory of 5012	4292	XClient.exe	95
PID 4292 wrote to memory of 4576	4292	XClient.exe	97
PID 4292 wrote to memory of 4576	4292	XClient.exe	97
PID 4292 wrote to memory of 3460	4292	XClient.exe	99
PID 4292 wrote to memory of 3460	4292	XClient.exe	99
PID 4292 wrote to memory of 3528	4292	XClient.exe	101
PID 4292 wrote to memory of 3528	4292	XClient.exe	101
PID 4292 wrote to memory of 5068	4292	XClient.exe	112
PID 4292 wrote to memory of 5068	4292	XClient.exe	112

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3528
- C:\Users\Admin\AppData\Local\Temp\rhxesf.exe
  "C:\Users\Admin\AppData\Local\Temp\rhxesf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1404 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3505effaead0f06d098f1aec01836881

SHA1
94bafdbeb2f5adbd8cec709574df5b8dbcc5eba3

SHA256
5d39a25ff8842c7c14aa14f99c5e3e1606fb7516c57f03dc41069df3c3de0517

SHA512
934d8eab5bc2ec20e800c668f3c3434829feade4771918a22d712f7ba39f91f93877a1e9dc1beac966646af0c9dd2cf118041535143b3abc585fea8dfb1299f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
58daa789fc00c0d12158eb0c5d563789

SHA1
e04bb86763308a1e6c48ab7fc7dd0353db3570a5

SHA256
d0806239701979185fd4abbaa248deeffb564771ef417743c877187f5555aae7

SHA512
da9e6e4dedc041b2baa0844667b72f903d245390996cf717121cbbbd16558201bc61d1dbf0059f79725fd24ca5898379fb273631ea057641d468fd4d02a02948

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c5i0hjyg.akh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhxesf.exe

Filesize
303KB

MD5
3d3676c2d36ed1af59c1815af1f74058

SHA1
fc384ba05ea668dfba796b14c34e6056fd0f94b8

SHA256
53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6

SHA512
3cc2c941082ee926efaa0cb015785321b4090e41abfdcfe7e6484ee414498e0fd6f46ceaee86110795ea6fec5e6456d46d4e6b8d65cbf58e635d1daf0f673fdc

Download Submit
memory/4292-1-0x0000000000FD0000-0x0000000000FE6000-memory.dmp

Filesize
88KB

Download
memory/4292-2-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

Filesize
10.8MB

Download
memory/4292-0-0x00007FFCE8BB3000-0x00007FFCE8BB5000-memory.dmp

Filesize
8KB

Download
memory/4292-62-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

Filesize
10.8MB

Download
memory/4292-61-0x00007FFCE8BB3000-0x00007FFCE8BB5000-memory.dmp

Filesize
8KB

Download
memory/4292-17-0x000000001C990000-0x000000001CA92000-memory.dmp

Filesize
1.0MB

Download
memory/5012-9-0x0000026CDC600000-0x0000026CDC622000-memory.dmp

Filesize
136KB

Download
memory/5012-21-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

Filesize
10.8MB

Download
memory/5012-18-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

Filesize
10.8MB

Download
memory/5012-16-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

Filesize
10.8MB

Download
memory/5012-15-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

Filesize
10.8MB

Download
memory/5012-14-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

Filesize
10.8MB

Download
memory/5012-5-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

Filesize
10.8MB

Download
memory/5068-85-0x000001BF7CEA0000-0x000001BF7CEF2000-memory.dmp

Filesize
328KB

Download
memory/5068-113-0x000001BF7F640000-0x000001BF7F742000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads