44caliber | 405bdae4a67cc4a4e5a9d2f39acd2ea34f5054f4caa8b085f03bb1286dfb5105

General

Target

nerat.exe
Size

61KB
MD5

60797170ebbe376274cf30e64b127706
SHA1

648e9c31b92f4d3fb93e7ca8be73836883c41538
SHA256

405bdae4a67cc4a4e5a9d2f39acd2ea34f5054f4caa8b085f03bb1286dfb5105
SHA512

754d72a6b2a5428e64f0d8d58be0bd89a5f6a7c9ec646d08bccc981adf06567ab5191ba0a7768efe8ee8781bcd216e404a0ebaf55992a151e5536e26f8a93559
SSDEEP

1536:WzPVaddkiWRZrtTAdBxmiABbARE4TKQDmjav6/LnkO8AqYZP:Wz4CLTA9mi+bARsbLnkO8AxZP

Score

10^/10

44caliber xworm execution rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:32901

engineering-thoroughly.gl.at.ply.gg:32901

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1131711873008549938/QPUFf0SJyyBKkmbeY9YgkuN6uIphQMrfHrESgo7LDLk9M-ZHEC2H2R-LmRpRgJMYG97X

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2012-1-0x00000000002C0000-0x00000000002D6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2636 powershell.exe
2460 powershell.exe
1748 powershell.exe
2592 powershell.exe

pid	process
2636	powershell.exe
2460	powershell.exe
1748	powershell.exe
2592	powershell.exe

Drops startup file 2 IoCs

Processes:

nerat.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	nerat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	nerat.exe

Executes dropped EXE 1 IoCs

Processes:

yriayk.exe

pid process

2268 yriayk.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 freegeoip.app
2 ip-api.com
9 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeyriayk.exe

pid process

2592 powershell.exe
2636 powershell.exe
2460 powershell.exe
1748 powershell.exe
2268 yriayk.exe
2268 yriayk.exe
2268 yriayk.exe

pid	process
2268	yriayk.exe

flow	ioc
10	freegeoip.app
2	ip-api.com
9	freegeoip.app

pid	process
2592	powershell.exe
2636	powershell.exe
2460	powershell.exe
1748	powershell.exe
2268	yriayk.exe
2268	yriayk.exe
2268	yriayk.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

nerat.exepowershell.exepowershell.exepowershell.exepowershell.exeyriayk.exe

description	pid	process
Token: SeDebugPrivilege	2012	nerat.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	2012	nerat.exe
Token: SeDebugPrivilege	2268	yriayk.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

nerat.exeyriayk.exe

description	pid	process	target process
PID 2012 wrote to memory of 2592	2012	nerat.exe	powershell.exe
PID 2012 wrote to memory of 2592	2012	nerat.exe	powershell.exe
PID 2012 wrote to memory of 2592	2012	nerat.exe	powershell.exe
PID 2012 wrote to memory of 2636	2012	nerat.exe	powershell.exe
PID 2012 wrote to memory of 2636	2012	nerat.exe	powershell.exe
PID 2012 wrote to memory of 2636	2012	nerat.exe	powershell.exe
PID 2012 wrote to memory of 2460	2012	nerat.exe	powershell.exe
PID 2012 wrote to memory of 2460	2012	nerat.exe	powershell.exe
PID 2012 wrote to memory of 2460	2012	nerat.exe	powershell.exe
PID 2012 wrote to memory of 1748	2012	nerat.exe	powershell.exe
PID 2012 wrote to memory of 1748	2012	nerat.exe	powershell.exe
PID 2012 wrote to memory of 1748	2012	nerat.exe	powershell.exe
PID 2012 wrote to memory of 2268	2012	nerat.exe	yriayk.exe
PID 2012 wrote to memory of 2268	2012	nerat.exe	yriayk.exe
PID 2012 wrote to memory of 2268	2012	nerat.exe	yriayk.exe
PID 2268 wrote to memory of 1580	2268	yriayk.exe	WerFault.exe
PID 2268 wrote to memory of 1580	2268	yriayk.exe	WerFault.exe
PID 2268 wrote to memory of 1580	2268	yriayk.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\nerat.exe
"C:\Users\Admin\AppData\Local\Temp\nerat.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\nerat.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'nerat.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Users\Admin\AppData\Local\Temp\yriayk.exe
  "C:\Users\Admin\AppData\Local\Temp\yriayk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2268 -s 1084
    3⤵
    PID:1580

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2932

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yriayk.exe

Filesize
303KB

MD5
3d3676c2d36ed1af59c1815af1f74058

SHA1
fc384ba05ea668dfba796b14c34e6056fd0f94b8

SHA256
53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6

SHA512
3cc2c941082ee926efaa0cb015785321b4090e41abfdcfe7e6484ee414498e0fd6f46ceaee86110795ea6fec5e6456d46d4e6b8d65cbf58e635d1daf0f673fdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
50e9c012e7a2de38946fa9f668d5f0fb

SHA1
fa444da71e82cd667d40818f21280e9fdb4ab89c

SHA256
c98561db3592909b10cd1ebf65e78fa19b3baedc885655138f8e70530f91ad74

SHA512
f6ac95bfa49cf472c136ece0588c76e0538200b9a25b57a7f4c594a8424dc4792f3d8ef1d071e99909da4fe8584dc279eb1758364b1e4bf41a36db74d20729a1

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2012-31-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmp

Filesize
4KB

Download
memory/2012-1-0x00000000002C0000-0x00000000002D6000-memory.dmp

Filesize
88KB

Download
memory/2012-2-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2012-0-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmp

Filesize
4KB

Download
memory/2012-32-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2268-39-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/2592-7-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/2592-8-0x0000000001E40000-0x0000000001E48000-memory.dmp

Filesize
32KB

Download
memory/2636-15-0x0000000001D60000-0x0000000001D68000-memory.dmp

Filesize
32KB

Download
memory/2636-14-0x000000001B380000-0x000000001B662000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads