44caliber | c0a2b824a0fd05854818bfb81b02bc6178db3f8519807b15d844580099428e1d

General

Target

Loader.exe
Size

7.6MB
MD5

aa16f3774491b600121545a5f194cefc
SHA1

c872fe765ecff1dada8378ad8a12cd5cf0425219
SHA256

c0a2b824a0fd05854818bfb81b02bc6178db3f8519807b15d844580099428e1d
SHA512

8b50e7c6eca25ecc2196fbfaf42079873e3c532a90e8d8b691fb594da3e067593f86f0d6488d0c314a27d78519f33fcbfb4532f811997891d55a47d582e1b3a8
SSDEEP

196608:8G46NbTO5uFqiXBIaqVCbB9+FsdH6HBiE555x:8G46N3O5uciXBvq09+wC/Hr

Score

10^/10

44caliber xworm credential_access execution rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.16:60401

Attributes

Install_directory
%LocalAppData%
install_file
svchost.exe

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1267250103538810911/_8BMipnmgDV4n-Uu_YmzeHrxrFFQPSAoBBDlwlDVhsDsk_31uQMADxZw-pq563wCO5KV

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\loaderr.exe	family_xworm
behavioral1/memory/948-21-0x0000000000BA0000-0x0000000000BB6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3252 powershell.exe
4212 powershell.exe
4396 powershell.exe
3188 powershell.exe

pid	process
3252	powershell.exe
4212	powershell.exe
4396	powershell.exe
3188	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Loader.exeloaderr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	loaderr.exe

Executes dropped EXE 2 IoCs

Processes:

loaderr.exefixer.exe

pid process

948 loaderr.exe
1476 fixer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 freegeoip.app
7 ip-api.com
9 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
948	loaderr.exe
1476	fixer.exe

flow	ioc
6	freegeoip.app
7	ip-api.com
9	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fixer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	fixer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	fixer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2412 schtasks.exe

pid	process
2412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

fixer.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1476	fixer.exe
1476	fixer.exe
1476	fixer.exe
3252	powershell.exe
3252	powershell.exe
1476	fixer.exe
4212	powershell.exe
4212	powershell.exe
4396	powershell.exe
4396	powershell.exe
3188	powershell.exe
3188	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

loaderr.exefixer.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	948	loaderr.exe
Token: SeDebugPrivilege	1476	fixer.exe
Token: SeDebugPrivilege	3252	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Loader.exeloaderr.exe

description	pid	process	target process
PID 3232 wrote to memory of 948	3232	Loader.exe	loaderr.exe
PID 3232 wrote to memory of 948	3232	Loader.exe	loaderr.exe
PID 3232 wrote to memory of 1476	3232	Loader.exe	fixer.exe
PID 3232 wrote to memory of 1476	3232	Loader.exe	fixer.exe
PID 948 wrote to memory of 3252	948	loaderr.exe	powershell.exe
PID 948 wrote to memory of 3252	948	loaderr.exe	powershell.exe
PID 948 wrote to memory of 4212	948	loaderr.exe	powershell.exe
PID 948 wrote to memory of 4212	948	loaderr.exe	powershell.exe
PID 948 wrote to memory of 4396	948	loaderr.exe	powershell.exe
PID 948 wrote to memory of 4396	948	loaderr.exe	powershell.exe
PID 948 wrote to memory of 3188	948	loaderr.exe	powershell.exe
PID 948 wrote to memory of 3188	948	loaderr.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\Temp\loaderr.exe
"C:\Users\Admin\AppData\Local\Temp\loaderr.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loaderr.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'loaderr.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Users\Admin\AppData\Local\Temp\fixer.exe
"C:\Users\Admin\AppData\Local\Temp\fixer.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Users\Admin\AppData\Local\svchost.exe
C:\Users\Admin\AppData\Local\svchost.exe
1⤵
PID:3500

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt
Filesize
1KB

MD5
1a83355810062b93e566f0bbe7a760ac

SHA1
27f4bd9e070397e83cb0e4b4b11a40028d83a639

SHA256
28a45c2f4bf900f05679ac65e44fef62bdeb60b4500b955ec3d07901aefeb884

SHA512
3d10271bcced28a7c76e713b9e0c8385cd919480d300e79c24b18f5d294c81873f6cad579cb547d718fa2b15fc2e154733098848fff02154a7a5d30525f892eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9bc110200117a3752313ca2acaf8a9e1

SHA1
fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

SHA256
c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

SHA512
1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
120c6c9af4de2accfcff2ed8c3aab1af

SHA1
504f64ae4ac9c4fe308a6a50be24fe464f3dad95

SHA256
461315e4057c3fa4d0031df3f7e6511914f082698b6c41f5c2ada831ceffb222

SHA512
041712168718dff702da8203b4089b2e57db98ce503b8ecf36809dec0cd7a595a0d427caa960bc1bd29cbedc85ad3262773f2077a476b85aca387d48f7b07ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pevxdjij.rej.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fixer.exe
Filesize
274KB

MD5
88505913c2c75f796c9a021aab2d356d

SHA1
5b5c06998d3e200c21c77ea4efaeaecdc7344e78

SHA256
62e414e990e80c8203955b0e32948ddc64903b80a462c339f1babfb03e641204

SHA512
6fa46be04c2693ea164fe52ddf3cca0bdafd1ab34d8c0f1c2bf3d361c6042f45375343f59e9474ded6718f8177a4f7eb19fddccd95f7fbb87aad12358b2d6905

Download Submit
C:\Users\Admin\AppData\Local\Temp\loaderr.exe
Filesize
65KB

MD5
95f8f28f5a8503461db6804cda9c4934

SHA1
81c0a30e498093d41948777135bbd407c7611cda

SHA256
aa40b9b929868482be1daae474d7c93426cd049f844c956865709ff8b7f240c2

SHA512
5c3460372a6640a98dd1b1d34a03b951ec4a8942e9065475e982a207881f290aedc3b51fe73c0da4c527e222addd1de2be7ba541e82287e43e16fc544ab34461

Download Submit
memory/948-33-0x00007FFAF4AC0000-0x00007FFAF5581000-memory.dmp

Filesize
10.8MB

Download
memory/948-72-0x00007FFAF4AC0000-0x00007FFAF5581000-memory.dmp

Filesize
10.8MB

Download
memory/948-220-0x0000000002D40000-0x0000000002D4C000-memory.dmp

Filesize
48KB

Download
memory/948-21-0x0000000000BA0000-0x0000000000BB6000-memory.dmp

Filesize
88KB

Download
memory/948-221-0x00007FFAF4AC0000-0x00007FFAF5581000-memory.dmp

Filesize
10.8MB

Download
memory/1476-31-0x0000025C81810000-0x0000025C8185A000-memory.dmp

Filesize
296KB

Download
memory/1476-34-0x00007FFAF4AC0000-0x00007FFAF5581000-memory.dmp

Filesize
10.8MB

Download
memory/1476-214-0x00007FFAF4AC0000-0x00007FFAF5581000-memory.dmp

Filesize
10.8MB

Download
memory/3232-0-0x00007FFAF4AC3000-0x00007FFAF4AC5000-memory.dmp

Filesize
8KB

Download
memory/3232-1-0x0000000000390000-0x0000000000B24000-memory.dmp

Filesize
7.6MB

Download
memory/3252-85-0x00000278AD080000-0x00000278AD29C000-memory.dmp

Filesize
2.1MB

Download
memory/3252-78-0x00000278AD050000-0x00000278AD072000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads