Overview

overview

10

Static

static

3

Loader V2.exe

windows7-x64

10

Loader V2.exe

windows10-1703-x64

10

Loader V2.exe

windows10-2004-x64

Loader V2.exe

windows11-21h2-x64

Analysis

  • max time kernel
    46s
  • max time network
    80s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    02-08-2024 11:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader V2.exe

  • Size

    8.1MB

  • MD5

    70a8a700260d1bf5d40214b4d16f2a4d

  • SHA1

    888afda0f542f857c3627845abb17320c79348a3

  • SHA256

    14430e71914c83f8d1de8e66caa39d07ab782efb662245fb9eff6aa9fca7ce87

  • SHA512

    8d139e071d25106a30b3b00350fe08558bdaf884d039492611d90afd30c11ff08643560dc75ffaf7dafc0c53a96cf2b446239faf2fd8df9d0895d25b746d5d83

  • SSDEEP

    196608:X7fP69w9dHnln76gtmUd74JVCbkQqeDDFloLRj/UVn5HIL6qG:Nvnln7RmUuJVuk0DDFWJCnVGs

Score
10/10
44caliberxwormcredential_accessexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.20:13908

147.185.221.16:60401
Attributes
  • Install_directory

    %AppData%

  • install_file

    svhost.exe

  • telegram

    https://api.telegram.org/bot7220907212:AAEOc5N7cpqGUVVvnWrzGHm8mdOrYN2e9mc/sendMessage?chat_id=6987872630

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1267250103538810911/_8BMipnmgDV4n-Uu_YmzeHrxrFFQPSAoBBDlwlDVhsDsk_31uQMADxZw-pq563wCO5KV

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 4 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader V2.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader V2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Users\Admin\AppData\Roaming\Loader.exe
      "C:\Users\Admin\AppData\Roaming\Loader.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Users\Admin\AppData\Local\Temp\loaderr.exe
        "C:\Users\Admin\AppData\Local\Temp\loaderr.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loaderr.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2128
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'loaderr.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:448
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1492
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:892
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2472
      • C:\Users\Admin\AppData\Local\Temp\fixer.exe
        "C:\Users\Admin\AppData\Local\Temp\fixer.exe"
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2772
    • C:\Users\Admin\AppData\Roaming\injectdll.exe
      "C:\Users\Admin\AppData\Roaming\injectdll.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fixer.exe
    Filesize

    274KB

    MD5

    88505913c2c75f796c9a021aab2d356d

    SHA1

    5b5c06998d3e200c21c77ea4efaeaecdc7344e78

    SHA256

    62e414e990e80c8203955b0e32948ddc64903b80a462c339f1babfb03e641204

    SHA512

    6fa46be04c2693ea164fe52ddf3cca0bdafd1ab34d8c0f1c2bf3d361c6042f45375343f59e9474ded6718f8177a4f7eb19fddccd95f7fbb87aad12358b2d6905

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\loaderr.exe
    Filesize

    65KB

    MD5

    95f8f28f5a8503461db6804cda9c4934

    SHA1

    81c0a30e498093d41948777135bbd407c7611cda

    SHA256

    aa40b9b929868482be1daae474d7c93426cd049f844c956865709ff8b7f240c2

    SHA512

    5c3460372a6640a98dd1b1d34a03b951ec4a8942e9065475e982a207881f290aedc3b51fe73c0da4c527e222addd1de2be7ba541e82287e43e16fc544ab34461

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Loader.exe
    Filesize

    7.6MB

    MD5

    aa16f3774491b600121545a5f194cefc

    SHA1

    c872fe765ecff1dada8378ad8a12cd5cf0425219

    SHA256

    c0a2b824a0fd05854818bfb81b02bc6178db3f8519807b15d844580099428e1d

    SHA512

    8b50e7c6eca25ecc2196fbfaf42079873e3c532a90e8d8b691fb594da3e067593f86f0d6488d0c314a27d78519f33fcbfb4532f811997891d55a47d582e1b3a8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    316d937ed32a6c9835b976b9bff844ad

    SHA1

    73f77d00c0fc12b39ec20c2a9fc4b4fbdb5af6c7

    SHA256

    fbc0ce933b3d7636fe610b4c1d82239b58d3980f1d77233523398a1c46bb9df0

    SHA512

    10dc04f04ccb4c1ec3f47a7db830cff8d7223adef5148eebac30eb6f399c62b441f8b57cefd5caabf6a7a7313830bf86949f8915992f5825ed78a36ccba47e73

    Download Submit

  • C:\Users\Admin\AppData\Roaming\injectdll.exe
    Filesize

    244KB

    MD5

    74ffb0d60d647dd6ad8d00c1bee48011

    SHA1

    4c8a707a33b35b78f374c66d59f9c2314c20b25f

    SHA256

    b481f1e0cfe25e5f19da0a0333c78661bf5c75c0b1c616ff4aaaa07aed31efd1

    SHA512

    fc667f4560d6b19a9a4f37eb0e66c751eb348ffc0db69c7d0bd733dfd2df2dfdadc7b780cd93686350444cc14a54283bafe3afec611bcac3ad0239eda659f46c

    Download Submit

  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • memory/448-105-0x0000000002C70000-0x0000000002C78000-memory.dmp

    Filesize

    32KB

    Download

  • memory/448-104-0x000000001B550000-0x000000001B832000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1600-42-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1600-13-0x0000000000F10000-0x00000000016A4000-memory.dmp

    Filesize

    7.6MB

    Download

  • memory/2128-98-0x0000000001D10000-0x0000000001D18000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2128-97-0x000000001B630000-0x000000001B912000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2480-0-0x000007FEF5BE3000-0x000007FEF5BE4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2480-1-0x00000000010D0000-0x00000000018E8000-memory.dmp

    Filesize

    8.1MB

    Download

  • memory/2744-32-0x0000000000E90000-0x0000000000EA6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2744-126-0x0000000000BC0000-0x0000000000BCE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2772-31-0x00000000003E0000-0x000000000042A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2864-12-0x0000000000190000-0x00000000001D2000-memory.dmp

    Filesize

    264KB

    Download