44caliber | 14430e71914c83f8d1de8e66caa39d07ab782efb662245fb9eff6aa9fca7ce87

General

Target

Loader V2.exe
Size

8.1MB
MD5

70a8a700260d1bf5d40214b4d16f2a4d
SHA1

888afda0f542f857c3627845abb17320c79348a3
SHA256

14430e71914c83f8d1de8e66caa39d07ab782efb662245fb9eff6aa9fca7ce87
SHA512

8d139e071d25106a30b3b00350fe08558bdaf884d039492611d90afd30c11ff08643560dc75ffaf7dafc0c53a96cf2b446239faf2fd8df9d0895d25b746d5d83
SSDEEP

196608:X7fP69w9dHnln76gtmUd74JVCbkQqeDDFloLRj/UVn5HIL6qG:Nvnln7RmUuJVuk0DDFWJCnVGs

Score

10^/10

44caliber xworm credential_access execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.20:13908

147.185.221.16:60401

Attributes

Install_directory
%AppData%
install_file
svhost.exe
telegram
https://api.telegram.org/bot7220907212:AAEOc5N7cpqGUVVvnWrzGHm8mdOrYN2e9mc/sendMessage?chat_id=6987872630

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1267250103538810911/_8BMipnmgDV4n-Uu_YmzeHrxrFFQPSAoBBDlwlDVhsDsk_31uQMADxZw-pq563wCO5KV

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2420-135-0x00000000020F0000-0x00000000020FE000-memory.dmp	disable_win_def

Detect Xworm Payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\injectdll.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\loaderr.exe	family_xworm
behavioral1/memory/2608-32-0x00000000011A0000-0x00000000011B6000-memory.dmp	family_xworm
behavioral1/memory/2420-39-0x0000000000010000-0x0000000000052000-memory.dmp	family_xworm
behavioral1/memory/324-131-0x0000000001150000-0x0000000001192000-memory.dmp	family_xworm
behavioral1/memory/3004-130-0x00000000002A0000-0x00000000002B6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3064 powershell.exe
1316 powershell.exe
1532 powershell.exe
1004 powershell.exe

pid	process
3064	powershell.exe
1316	powershell.exe
1532	powershell.exe
1004	powershell.exe

Drops startup file 4 IoCs

Processes:

loaderr.exeinjectdll.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	loaderr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	injectdll.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	injectdll.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	loaderr.exe

Executes dropped EXE 6 IoCs

Processes:

Loader.exeinjectdll.exeloaderr.exefixer.exesvhost.exesvchost.exe

pid process

2436 Loader.exe
2420 injectdll.exe
2608 loaderr.exe
804 fixer.exe
324 svhost.exe
3004 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2436	Loader.exe
2420	injectdll.exe
2608	loaderr.exe
804	fixer.exe
324	svhost.exe
3004	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

injectdll.exeloaderr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe"	injectdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	loaderr.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 freegeoip.app
5 freegeoip.app
10 ip-api.com
11 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
4	freegeoip.app
5	freegeoip.app
10	ip-api.com
11	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fixer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	fixer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	fixer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1468 schtasks.exe
1452 schtasks.exe

pid	process
1468	schtasks.exe
1452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

fixer.exepowershell.exepowershell.exepowershell.exepowershell.exeinjectdll.exeloaderr.exe

pid	process
804	fixer.exe
804	fixer.exe
804	fixer.exe
804	fixer.exe
3064	powershell.exe
1316	powershell.exe
1532	powershell.exe
1004	powershell.exe
2420	injectdll.exe
2608	loaderr.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

loaderr.exeinjectdll.exefixer.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	2608	loaderr.exe
Token: SeDebugPrivilege	2420	injectdll.exe
Token: SeDebugPrivilege	804	fixer.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	2420	injectdll.exe
Token: SeDebugPrivilege	2608	loaderr.exe
Token: SeDebugPrivilege	3004	svchost.exe
Token: SeDebugPrivilege	324	svhost.exe
Token: SeShutdownPrivilege	2420	injectdll.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

injectdll.exeloaderr.exe

pid process

2420 injectdll.exe
2608 loaderr.exe

pid	process
2420	injectdll.exe
2608	loaderr.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

Loader V2.exeLoader.exeloaderr.exeinjectdll.exetaskeng.exe

description	pid	process	target process
PID 2028 wrote to memory of 2436	2028	Loader V2.exe	Loader.exe
PID 2028 wrote to memory of 2436	2028	Loader V2.exe	Loader.exe
PID 2028 wrote to memory of 2436	2028	Loader V2.exe	Loader.exe
PID 2028 wrote to memory of 2420	2028	Loader V2.exe	injectdll.exe
PID 2028 wrote to memory of 2420	2028	Loader V2.exe	injectdll.exe
PID 2028 wrote to memory of 2420	2028	Loader V2.exe	injectdll.exe
PID 2436 wrote to memory of 2608	2436	Loader.exe	loaderr.exe
PID 2436 wrote to memory of 2608	2436	Loader.exe	loaderr.exe
PID 2436 wrote to memory of 2608	2436	Loader.exe	loaderr.exe
PID 2436 wrote to memory of 804	2436	Loader.exe	fixer.exe
PID 2436 wrote to memory of 804	2436	Loader.exe	fixer.exe
PID 2436 wrote to memory of 804	2436	Loader.exe	fixer.exe
PID 2608 wrote to memory of 3064	2608	loaderr.exe	powershell.exe
PID 2608 wrote to memory of 3064	2608	loaderr.exe	powershell.exe
PID 2608 wrote to memory of 3064	2608	loaderr.exe	powershell.exe
PID 2608 wrote to memory of 1316	2608	loaderr.exe	powershell.exe
PID 2608 wrote to memory of 1316	2608	loaderr.exe	powershell.exe
PID 2608 wrote to memory of 1316	2608	loaderr.exe	powershell.exe
PID 2608 wrote to memory of 1532	2608	loaderr.exe	powershell.exe
PID 2608 wrote to memory of 1532	2608	loaderr.exe	powershell.exe
PID 2608 wrote to memory of 1532	2608	loaderr.exe	powershell.exe
PID 2608 wrote to memory of 1004	2608	loaderr.exe	powershell.exe
PID 2608 wrote to memory of 1004	2608	loaderr.exe	powershell.exe
PID 2608 wrote to memory of 1004	2608	loaderr.exe	powershell.exe
PID 2420 wrote to memory of 1468	2420	injectdll.exe	schtasks.exe
PID 2420 wrote to memory of 1468	2420	injectdll.exe	schtasks.exe
PID 2420 wrote to memory of 1468	2420	injectdll.exe	schtasks.exe
PID 2608 wrote to memory of 1452	2608	loaderr.exe	schtasks.exe
PID 2608 wrote to memory of 1452	2608	loaderr.exe	schtasks.exe
PID 2608 wrote to memory of 1452	2608	loaderr.exe	schtasks.exe
PID 556 wrote to memory of 324	556	taskeng.exe	svhost.exe
PID 556 wrote to memory of 3004	556	taskeng.exe	svchost.exe
PID 556 wrote to memory of 324	556	taskeng.exe	svhost.exe
PID 556 wrote to memory of 324	556	taskeng.exe	svhost.exe
PID 556 wrote to memory of 3004	556	taskeng.exe	svchost.exe
PID 556 wrote to memory of 3004	556	taskeng.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader V2.exe
"C:\Users\Admin\AppData\Local\Temp\Loader V2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Roaming\Loader.exe
  "C:\Users\Admin\AppData\Roaming\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\loaderr.exe
    "C:\Users\Admin\AppData\Local\Temp\loaderr.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loaderr.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'loaderr.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1532
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1004
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1452
- - C:\Users\Admin\AppData\Local\Temp\fixer.exe
    "C:\Users\Admin\AppData\Local\Temp\fixer.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:804
- C:\Users\Admin\AppData\Roaming\injectdll.exe
  "C:\Users\Admin\AppData\Roaming\injectdll.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1468

C:\Windows\system32\taskeng.exe
taskeng.exe {931D5DDF-3884-4702-9300-4894CBAE252F} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:556
- C:\Users\Admin\AppData\Local\svchost.exe
  C:\Users\Admin\AppData\Local\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
479B

MD5
6273b47c5272225361713dfa473da7ec

SHA1
e0a0e961c80a138f7f2c4ca95ef289c6206e9f08

SHA256
8ed83fe2d59dce4c364a26743da51c2c6e2ad4f5a95364129eb014f3f137b50b

SHA512
f92b70b7df675e038106636d235c99efd36147fb6e336973e16bca5d3ccf5db4e4b97365282512c20277fcbb730e8f8cabf156a782959a39251f476d017065fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\fixer.exe

Filesize
274KB

MD5
88505913c2c75f796c9a021aab2d356d

SHA1
5b5c06998d3e200c21c77ea4efaeaecdc7344e78

SHA256
62e414e990e80c8203955b0e32948ddc64903b80a462c339f1babfb03e641204

SHA512
6fa46be04c2693ea164fe52ddf3cca0bdafd1ab34d8c0f1c2bf3d361c6042f45375343f59e9474ded6718f8177a4f7eb19fddccd95f7fbb87aad12358b2d6905

Download Submit
C:\Users\Admin\AppData\Local\Temp\loaderr.exe

Filesize
65KB

MD5
95f8f28f5a8503461db6804cda9c4934

SHA1
81c0a30e498093d41948777135bbd407c7611cda

SHA256
aa40b9b929868482be1daae474d7c93426cd049f844c956865709ff8b7f240c2

SHA512
5c3460372a6640a98dd1b1d34a03b951ec4a8942e9065475e982a207881f290aedc3b51fe73c0da4c527e222addd1de2be7ba541e82287e43e16fc544ab34461

Download Submit
C:\Users\Admin\AppData\Roaming\Loader.exe

Filesize
7.6MB

MD5
aa16f3774491b600121545a5f194cefc

SHA1
c872fe765ecff1dada8378ad8a12cd5cf0425219

SHA256
c0a2b824a0fd05854818bfb81b02bc6178db3f8519807b15d844580099428e1d

SHA512
8b50e7c6eca25ecc2196fbfaf42079873e3c532a90e8d8b691fb594da3e067593f86f0d6488d0c314a27d78519f33fcbfb4532f811997891d55a47d582e1b3a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
785417237820fcb4725c7f7809f45b8b

SHA1
1867d6790568fb7b537ca100dd3a0af7fe203cdf

SHA256
2fb9018dea93b558817b60e6e2073ff6d992a143b25431ce789438525eddc802

SHA512
a692a5fcde4a29d9717c0e0fde7e8c65391839611023cb5080afd68759d02ced4d4d1181a03844f0f5f786adb821a9a23445b33ef5f117c39adc757c6cb3ee1a

Download Submit
C:\Users\Admin\AppData\Roaming\injectdll.exe

Filesize
244KB

MD5
74ffb0d60d647dd6ad8d00c1bee48011

SHA1
4c8a707a33b35b78f374c66d59f9c2314c20b25f

SHA256
b481f1e0cfe25e5f19da0a0333c78661bf5c75c0b1c616ff4aaaa07aed31efd1

SHA512
fc667f4560d6b19a9a4f37eb0e66c751eb348ffc0db69c7d0bd733dfd2df2dfdadc7b780cd93686350444cc14a54283bafe3afec611bcac3ad0239eda659f46c

Download Submit
memory/324-131-0x0000000001150000-0x0000000001192000-memory.dmp

Filesize
264KB

Download
memory/804-30-0x0000000000B50000-0x0000000000B9A000-memory.dmp

Filesize
296KB

Download
memory/1316-104-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/1316-105-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2028-0-0x000007FEF5F33000-0x000007FEF5F34000-memory.dmp

Filesize
4KB

Download
memory/2028-1-0x0000000000970000-0x0000000001188000-memory.dmp

Filesize
8.1MB

Download
memory/2420-39-0x0000000000010000-0x0000000000052000-memory.dmp

Filesize
264KB

Download
memory/2420-135-0x00000000020F0000-0x00000000020FE000-memory.dmp

Filesize
56KB

Download
memory/2436-40-0x000007FEF5F30000-0x000007FEF691C000-memory.dmp

Filesize
9.9MB

Download
memory/2436-9-0x0000000000BA0000-0x0000000001334000-memory.dmp

Filesize
7.6MB

Download
memory/2436-132-0x000007FEF5F30000-0x000007FEF691C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-32-0x00000000011A0000-0x00000000011B6000-memory.dmp

Filesize
88KB

Download
memory/3004-130-0x00000000002A0000-0x00000000002B6000-memory.dmp

Filesize
88KB

Download
memory/3064-97-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/3064-98-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads