44caliber | 14430e71914c83f8d1de8e66caa39d07ab782efb662245fb9eff6aa9fca7ce87

General

Target

Loader V2.exe
Size

8.1MB
MD5

70a8a700260d1bf5d40214b4d16f2a4d
SHA1

888afda0f542f857c3627845abb17320c79348a3
SHA256

14430e71914c83f8d1de8e66caa39d07ab782efb662245fb9eff6aa9fca7ce87
SHA512

8d139e071d25106a30b3b00350fe08558bdaf884d039492611d90afd30c11ff08643560dc75ffaf7dafc0c53a96cf2b446239faf2fd8df9d0895d25b746d5d83
SSDEEP

196608:X7fP69w9dHnln76gtmUd74JVCbkQqeDDFloLRj/UVn5HIL6qG:Nvnln7RmUuJVuk0DDFWJCnVGs

Score

10^/10

44caliber xworm credential_access execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.20:13908

147.185.221.16:60401

Attributes

Install_directory
%AppData%
install_file
svhost.exe
telegram
https://api.telegram.org/bot7220907212:AAEOc5N7cpqGUVVvnWrzGHm8mdOrYN2e9mc/sendMessage?chat_id=6987872630

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1267250103538810911/_8BMipnmgDV4n-Uu_YmzeHrxrFFQPSAoBBDlwlDVhsDsk_31uQMADxZw-pq563wCO5KV

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2324-136-0x000000001AF00000-0x000000001AF0E000-memory.dmp	disable_win_def

Detect Xworm Payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\injectdll.exe	family_xworm
behavioral1/memory/2324-12-0x0000000000DA0000-0x0000000000DE2000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\loaderr.exe	family_xworm
behavioral1/memory/2704-39-0x0000000000D30000-0x0000000000D46000-memory.dmp	family_xworm
behavioral1/memory/1912-130-0x0000000000BC0000-0x0000000000BD6000-memory.dmp	family_xworm
behavioral1/memory/2760-133-0x0000000000BE0000-0x0000000000C22000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2968 powershell.exe
2216 powershell.exe
1704 powershell.exe
1324 powershell.exe

pid	process
2968	powershell.exe
2216	powershell.exe
1704	powershell.exe
1324	powershell.exe

Drops startup file 4 IoCs

Processes:

loaderr.exeinjectdll.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	loaderr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	loaderr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	injectdll.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	injectdll.exe

Executes dropped EXE 6 IoCs

Processes:

Loader.exeinjectdll.exeloaderr.exefixer.exesvchost.exesvhost.exe

pid process

3068 Loader.exe
2324 injectdll.exe
2704 loaderr.exe
1844 fixer.exe
1912 svchost.exe
2760 svhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3068	Loader.exe
2324	injectdll.exe
2704	loaderr.exe
1844	fixer.exe
1912	svchost.exe
2760	svhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

injectdll.exeloaderr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe"	injectdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	loaderr.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 freegeoip.app
6 freegeoip.app
10 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
5	freegeoip.app
6	freegeoip.app
10	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fixer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	fixer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	fixer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1416 schtasks.exe
2312 schtasks.exe

pid	process
1416	schtasks.exe
2312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

fixer.exepowershell.exeinjectdll.exepowershell.exepowershell.exepowershell.exeloaderr.exe

pid	process
1844	fixer.exe
1844	fixer.exe
1844	fixer.exe
1844	fixer.exe
2968	powershell.exe
2324	injectdll.exe
2216	powershell.exe
1704	powershell.exe
1324	powershell.exe
2704	loaderr.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

injectdll.exeloaderr.exefixer.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	2324	injectdll.exe
Token: SeDebugPrivilege	2704	loaderr.exe
Token: SeDebugPrivilege	1844	fixer.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2324	injectdll.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	2704	loaderr.exe
Token: SeDebugPrivilege	1912	svchost.exe
Token: SeDebugPrivilege	2760	svhost.exe
Token: SeShutdownPrivilege	2324	injectdll.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

injectdll.exeloaderr.exe

pid process

2324 injectdll.exe
2704 loaderr.exe

pid	process
2324	injectdll.exe
2704	loaderr.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

Loader V2.exeLoader.exeloaderr.exeinjectdll.exetaskeng.exe

description	pid	process	target process
PID 2064 wrote to memory of 3068	2064	Loader V2.exe	Loader.exe
PID 2064 wrote to memory of 3068	2064	Loader V2.exe	Loader.exe
PID 2064 wrote to memory of 3068	2064	Loader V2.exe	Loader.exe
PID 2064 wrote to memory of 2324	2064	Loader V2.exe	injectdll.exe
PID 2064 wrote to memory of 2324	2064	Loader V2.exe	injectdll.exe
PID 2064 wrote to memory of 2324	2064	Loader V2.exe	injectdll.exe
PID 3068 wrote to memory of 2704	3068	Loader.exe	loaderr.exe
PID 3068 wrote to memory of 2704	3068	Loader.exe	loaderr.exe
PID 3068 wrote to memory of 2704	3068	Loader.exe	loaderr.exe
PID 3068 wrote to memory of 1844	3068	Loader.exe	fixer.exe
PID 3068 wrote to memory of 1844	3068	Loader.exe	fixer.exe
PID 3068 wrote to memory of 1844	3068	Loader.exe	fixer.exe
PID 2704 wrote to memory of 2968	2704	loaderr.exe	powershell.exe
PID 2704 wrote to memory of 2968	2704	loaderr.exe	powershell.exe
PID 2704 wrote to memory of 2968	2704	loaderr.exe	powershell.exe
PID 2324 wrote to memory of 1416	2324	injectdll.exe	schtasks.exe
PID 2324 wrote to memory of 1416	2324	injectdll.exe	schtasks.exe
PID 2324 wrote to memory of 1416	2324	injectdll.exe	schtasks.exe
PID 2704 wrote to memory of 2216	2704	loaderr.exe	powershell.exe
PID 2704 wrote to memory of 2216	2704	loaderr.exe	powershell.exe
PID 2704 wrote to memory of 2216	2704	loaderr.exe	powershell.exe
PID 2704 wrote to memory of 1704	2704	loaderr.exe	powershell.exe
PID 2704 wrote to memory of 1704	2704	loaderr.exe	powershell.exe
PID 2704 wrote to memory of 1704	2704	loaderr.exe	powershell.exe
PID 2704 wrote to memory of 1324	2704	loaderr.exe	powershell.exe
PID 2704 wrote to memory of 1324	2704	loaderr.exe	powershell.exe
PID 2704 wrote to memory of 1324	2704	loaderr.exe	powershell.exe
PID 2704 wrote to memory of 2312	2704	loaderr.exe	schtasks.exe
PID 2704 wrote to memory of 2312	2704	loaderr.exe	schtasks.exe
PID 2704 wrote to memory of 2312	2704	loaderr.exe	schtasks.exe
PID 1932 wrote to memory of 1912	1932	taskeng.exe	svchost.exe
PID 1932 wrote to memory of 1912	1932	taskeng.exe	svchost.exe
PID 1932 wrote to memory of 1912	1932	taskeng.exe	svchost.exe
PID 1932 wrote to memory of 2760	1932	taskeng.exe	svhost.exe
PID 1932 wrote to memory of 2760	1932	taskeng.exe	svhost.exe
PID 1932 wrote to memory of 2760	1932	taskeng.exe	svhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader V2.exe
"C:\Users\Admin\AppData\Local\Temp\Loader V2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Roaming\Loader.exe
  "C:\Users\Admin\AppData\Roaming\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\loaderr.exe
    "C:\Users\Admin\AppData\Local\Temp\loaderr.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loaderr.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'loaderr.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2216
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1324
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2312
- - C:\Users\Admin\AppData\Local\Temp\fixer.exe
    "C:\Users\Admin\AppData\Local\Temp\fixer.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1844
- C:\Users\Admin\AppData\Roaming\injectdll.exe
  "C:\Users\Admin\AppData\Roaming\injectdll.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1416

C:\Windows\system32\taskeng.exe
taskeng.exe {BB3FE535-94F1-4C11-9458-53FAA4EF2B04} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\svchost.exe
  C:\Users\Admin\AppData\Local\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fixer.exe

Filesize
274KB

MD5
88505913c2c75f796c9a021aab2d356d

SHA1
5b5c06998d3e200c21c77ea4efaeaecdc7344e78

SHA256
62e414e990e80c8203955b0e32948ddc64903b80a462c339f1babfb03e641204

SHA512
6fa46be04c2693ea164fe52ddf3cca0bdafd1ab34d8c0f1c2bf3d361c6042f45375343f59e9474ded6718f8177a4f7eb19fddccd95f7fbb87aad12358b2d6905

Download Submit
C:\Users\Admin\AppData\Local\Temp\loaderr.exe

Filesize
65KB

MD5
95f8f28f5a8503461db6804cda9c4934

SHA1
81c0a30e498093d41948777135bbd407c7611cda

SHA256
aa40b9b929868482be1daae474d7c93426cd049f844c956865709ff8b7f240c2

SHA512
5c3460372a6640a98dd1b1d34a03b951ec4a8942e9065475e982a207881f290aedc3b51fe73c0da4c527e222addd1de2be7ba541e82287e43e16fc544ab34461

Download Submit
C:\Users\Admin\AppData\Roaming\Loader.exe

Filesize
7.6MB

MD5
aa16f3774491b600121545a5f194cefc

SHA1
c872fe765ecff1dada8378ad8a12cd5cf0425219

SHA256
c0a2b824a0fd05854818bfb81b02bc6178db3f8519807b15d844580099428e1d

SHA512
8b50e7c6eca25ecc2196fbfaf42079873e3c532a90e8d8b691fb594da3e067593f86f0d6488d0c314a27d78519f33fcbfb4532f811997891d55a47d582e1b3a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cc87da16642a83f322c2c68fe57662e3

SHA1
3760e8433b8987410028f02b355109a817ae5464

SHA256
4bdc4a23b67d814fa1635aa25c84fc34334fd8641543a98fcd1379c8718c4fd3

SHA512
cb7552046bdcf6c48c506c8f6a94148ad7f4b14b5ea96f937dfce4c3e2af8b1be52346c41ede824039ef868ae665946f7ac340bb53020f81c78b1892ac3cd228

Download Submit
C:\Users\Admin\AppData\Roaming\injectdll.exe

Filesize
244KB

MD5
74ffb0d60d647dd6ad8d00c1bee48011

SHA1
4c8a707a33b35b78f374c66d59f9c2314c20b25f

SHA256
b481f1e0cfe25e5f19da0a0333c78661bf5c75c0b1c616ff4aaaa07aed31efd1

SHA512
fc667f4560d6b19a9a4f37eb0e66c751eb348ffc0db69c7d0bd733dfd2df2dfdadc7b780cd93686350444cc14a54283bafe3afec611bcac3ad0239eda659f46c

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1844-38-0x0000000000CD0000-0x0000000000D1A000-memory.dmp

Filesize
296KB

Download
memory/1912-130-0x0000000000BC0000-0x0000000000BD6000-memory.dmp

Filesize
88KB

Download
memory/2064-1-0x0000000000240000-0x0000000000A58000-memory.dmp

Filesize
8.1MB

Download
memory/2064-0-0x000007FEF50F3000-0x000007FEF50F4000-memory.dmp

Filesize
4KB

Download
memory/2216-109-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2216-108-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2324-40-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

Filesize
9.9MB

Download
memory/2324-125-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

Filesize
9.9MB

Download
memory/2324-12-0x0000000000DA0000-0x0000000000DE2000-memory.dmp

Filesize
264KB

Download
memory/2324-136-0x000000001AF00000-0x000000001AF0E000-memory.dmp

Filesize
56KB

Download
memory/2704-39-0x0000000000D30000-0x0000000000D46000-memory.dmp

Filesize
88KB

Download
memory/2760-133-0x0000000000BE0000-0x0000000000C22000-memory.dmp

Filesize
264KB

Download
memory/2968-99-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2968-98-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/3068-13-0x0000000000D60000-0x00000000014F4000-memory.dmp

Filesize
7.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads