44caliber | 14430e71914c83f8d1de8e66caa39d07ab782efb662245fb9eff6aa9fca7ce87

Analysis

max time kernel
57s
max time network
71s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03-08-2024 19:24

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Loader V2.exe
Size

8.1MB
MD5

70a8a700260d1bf5d40214b4d16f2a4d
SHA1

888afda0f542f857c3627845abb17320c79348a3
SHA256

14430e71914c83f8d1de8e66caa39d07ab782efb662245fb9eff6aa9fca7ce87
SHA512

8d139e071d25106a30b3b00350fe08558bdaf884d039492611d90afd30c11ff08643560dc75ffaf7dafc0c53a96cf2b446239faf2fd8df9d0895d25b746d5d83
SSDEEP

196608:X7fP69w9dHnln76gtmUd74JVCbkQqeDDFloLRj/UVn5HIL6qG:Nvnln7RmUuJVuk0DDFWJCnVGs

Score

10^/10

44caliber xworm credential_access execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

147.185.221.20:13908

147.185.221.16:60401

Attributes

Install_directory
%AppData%
install_file
svhost.exe
telegram
https://api.telegram.org/bot7220907212:AAEOc5N7cpqGUVVvnWrzGHm8mdOrYN2e9mc/sendMessage?chat_id=6987872630

Extracted

Family

44caliber

https://discord.com/api/webhooks/1267250103538810911/_8BMipnmgDV4n-Uu_YmzeHrxrFFQPSAoBBDlwlDVhsDsk_31uQMADxZw-pq563wCO5KV

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral4/memory/1028-239-0x0000000002D10000-0x0000000002D1E000-memory.dmp	disable_win_def

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\injectdll.exe	family_xworm
behavioral4/memory/1028-25-0x0000000000B60000-0x0000000000BA2000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\loaderr.exe	family_xworm
behavioral4/memory/1592-62-0x0000000000980000-0x0000000000996000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

872 powershell.exe
1448 powershell.exe
2716 powershell.exe
3952 powershell.exe

pid	process
872	powershell.exe
1448	powershell.exe
2716	powershell.exe
3952	powershell.exe

Drops startup file 4 IoCs

Processes:

loaderr.exeinjectdll.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	loaderr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	injectdll.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	injectdll.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	loaderr.exe

Executes dropped EXE 6 IoCs

Processes:

Loader.exeinjectdll.exeloaderr.exefixer.exesvchost.exesvhost.exe

pid process

1544 Loader.exe
1028 injectdll.exe
1592 loaderr.exe
3700 fixer.exe
1264 svchost.exe
1488 svhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1544	Loader.exe
1028	injectdll.exe
1592	loaderr.exe
3700	fixer.exe
1264	svchost.exe
1488	svhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

injectdll.exeloaderr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe"	injectdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	loaderr.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 freegeoip.app
1 ip-api.com
2 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
1	freegeoip.app
1	ip-api.com
2	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fixer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	fixer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	fixer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2356 schtasks.exe
1860 schtasks.exe

pid	process
2356	schtasks.exe
1860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

fixer.exepowershell.exepowershell.exepowershell.exeinjectdll.exepowershell.exeloaderr.exe

pid	process
3700	fixer.exe
3700	fixer.exe
3700	fixer.exe
3700	fixer.exe
872	powershell.exe
872	powershell.exe
1448	powershell.exe
1448	powershell.exe
2716	powershell.exe
2716	powershell.exe
1028	injectdll.exe
3952	powershell.exe
3952	powershell.exe
1592	loaderr.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

injectdll.exefixer.exeloaderr.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	1028	injectdll.exe
Token: SeDebugPrivilege	3700	fixer.exe
Token: SeDebugPrivilege	1592	loaderr.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	1028	injectdll.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	1592	loaderr.exe
Token: SeDebugPrivilege	1264	svchost.exe
Token: SeDebugPrivilege	1488	svhost.exe
Token: SeShutdownPrivilege	1028	injectdll.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

injectdll.exeloaderr.exe

pid process

1028 injectdll.exe
1592 loaderr.exe

pid	process
1028	injectdll.exe
1592	loaderr.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Loader V2.exeLoader.exeloaderr.exeinjectdll.exe

description	pid	process	target process
PID 3304 wrote to memory of 1544	3304	Loader V2.exe	Loader.exe
PID 3304 wrote to memory of 1544	3304	Loader V2.exe	Loader.exe
PID 3304 wrote to memory of 1028	3304	Loader V2.exe	injectdll.exe
PID 3304 wrote to memory of 1028	3304	Loader V2.exe	injectdll.exe
PID 1544 wrote to memory of 1592	1544	Loader.exe	loaderr.exe
PID 1544 wrote to memory of 1592	1544	Loader.exe	loaderr.exe
PID 1544 wrote to memory of 3700	1544	Loader.exe	fixer.exe
PID 1544 wrote to memory of 3700	1544	Loader.exe	fixer.exe
PID 1592 wrote to memory of 872	1592	loaderr.exe	powershell.exe
PID 1592 wrote to memory of 872	1592	loaderr.exe	powershell.exe
PID 1592 wrote to memory of 1448	1592	loaderr.exe	powershell.exe
PID 1592 wrote to memory of 1448	1592	loaderr.exe	powershell.exe
PID 1592 wrote to memory of 2716	1592	loaderr.exe	powershell.exe
PID 1592 wrote to memory of 2716	1592	loaderr.exe	powershell.exe
PID 1028 wrote to memory of 2356	1028	injectdll.exe	schtasks.exe
PID 1028 wrote to memory of 2356	1028	injectdll.exe	schtasks.exe
PID 1592 wrote to memory of 3952	1592	loaderr.exe	powershell.exe
PID 1592 wrote to memory of 3952	1592	loaderr.exe	powershell.exe
PID 1592 wrote to memory of 1860	1592	loaderr.exe	schtasks.exe
PID 1592 wrote to memory of 1860	1592	loaderr.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader V2.exe
"C:\Users\Admin\AppData\Local\Temp\Loader V2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3304

C:\Users\Admin\AppData\Roaming\Loader.exe
"C:\Users\Admin\AppData\Roaming\Loader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\loaderr.exe
"C:\Users\Admin\AppData\Local\Temp\loaderr.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loaderr.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'loaderr.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"
4⤵
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Users\Admin\AppData\Local\Temp\fixer.exe
"C:\Users\Admin\AppData\Local\Temp\fixer.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Users\Admin\AppData\Roaming\injectdll.exe
"C:\Users\Admin\AppData\Roaming\injectdll.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Users\Admin\AppData\Local\svchost.exe
C:\Users\Admin\AppData\Local\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
d4cc54d2c89190d6e0c94c44efb9bd83

SHA1
3b0d452059e908d1c0332d0d22fb3258e3bc5037

SHA256
a55d1727a2c835ef5ad06df8088df4ae19bd837793e1ee29408bc802728933ee

SHA512
c87649693de68c4ddde9571190c180e5a7e30d198d4d00c0898614dcc22678b1eae130758e6a0cbf1800a7aba738bee59c1c98445ecaa8d45036885c35b1e843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
69416944dac24129d0969e2ac46f0533

SHA1
d71969659956b32411e0606a9bee640a0b108ef4

SHA256
dffc7e01106427982d7cafd3d7e3be37e16b098fbb0958410ea8d7c68bfb97ca

SHA512
aabb330053579af0d9de2661bd70eaadfd2e2e617759bc9c380db1c64731c6711304e49882138e9d337815377ee012a7458f91f692cb31538d73624385867f4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
80b42fe4c6cf64624e6c31e5d7f2d3b3

SHA1
1f93e7dd83b86cb900810b7e3e43797868bf7d93

SHA256
ee20a5b38a6674366efda276dbbf0b43eb54efd282acfc1033042f6b53a80d4d

SHA512
83c1c744c15a8b427a1d3af677ec3bfd0353875a60fe886c41570981e17467ebbb59619b960ca8c5c3ab1430946b0633ea200b7e7d84ab6dca88b60c50055573

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kvrp4qq0.ux5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fixer.exe

Filesize
274KB

MD5
88505913c2c75f796c9a021aab2d356d

SHA1
5b5c06998d3e200c21c77ea4efaeaecdc7344e78

SHA256
62e414e990e80c8203955b0e32948ddc64903b80a462c339f1babfb03e641204

SHA512
6fa46be04c2693ea164fe52ddf3cca0bdafd1ab34d8c0f1c2bf3d361c6042f45375343f59e9474ded6718f8177a4f7eb19fddccd95f7fbb87aad12358b2d6905

Download Submit
C:\Users\Admin\AppData\Local\Temp\loaderr.exe

Filesize
65KB

MD5
95f8f28f5a8503461db6804cda9c4934

SHA1
81c0a30e498093d41948777135bbd407c7611cda

SHA256
aa40b9b929868482be1daae474d7c93426cd049f844c956865709ff8b7f240c2

SHA512
5c3460372a6640a98dd1b1d34a03b951ec4a8942e9065475e982a207881f290aedc3b51fe73c0da4c527e222addd1de2be7ba541e82287e43e16fc544ab34461

Download Submit
C:\Users\Admin\AppData\Roaming\Loader.exe

Filesize
7.6MB

MD5
aa16f3774491b600121545a5f194cefc

SHA1
c872fe765ecff1dada8378ad8a12cd5cf0425219

SHA256
c0a2b824a0fd05854818bfb81b02bc6178db3f8519807b15d844580099428e1d

SHA512
8b50e7c6eca25ecc2196fbfaf42079873e3c532a90e8d8b691fb594da3e067593f86f0d6488d0c314a27d78519f33fcbfb4532f811997891d55a47d582e1b3a8

Download Submit
C:\Users\Admin\AppData\Roaming\injectdll.exe

Filesize
244KB

MD5
74ffb0d60d647dd6ad8d00c1bee48011

SHA1
4c8a707a33b35b78f374c66d59f9c2314c20b25f

SHA256
b481f1e0cfe25e5f19da0a0333c78661bf5c75c0b1c616ff4aaaa07aed31efd1

SHA512
fc667f4560d6b19a9a4f37eb0e66c751eb348ffc0db69c7d0bd733dfd2df2dfdadc7b780cd93686350444cc14a54283bafe3afec611bcac3ad0239eda659f46c

Download Submit
memory/872-189-0x0000021E986A0000-0x0000021E986C2000-memory.dmp

Filesize
136KB

Download
memory/1028-29-0x00007FFED1020000-0x00007FFED1AE2000-memory.dmp

Filesize
10.8MB

Download
memory/1028-234-0x00007FFED1020000-0x00007FFED1AE2000-memory.dmp

Filesize
10.8MB

Download
memory/1028-25-0x0000000000B60000-0x0000000000BA2000-memory.dmp

Filesize
264KB

Download
memory/1028-239-0x0000000002D10000-0x0000000002D1E000-memory.dmp

Filesize
56KB

Download
memory/1544-26-0x00007FFED1020000-0x00007FFED1AE2000-memory.dmp

Filesize
10.8MB

Download
memory/1544-98-0x00007FFED1020000-0x00007FFED1AE2000-memory.dmp

Filesize
10.8MB

Download
memory/1544-27-0x0000000000AB0000-0x0000000001244000-memory.dmp

Filesize
7.6MB

Download
memory/1592-62-0x0000000000980000-0x0000000000996000-memory.dmp

Filesize
88KB

Download
memory/3304-0-0x00007FFED1023000-0x00007FFED1025000-memory.dmp

Filesize
8KB

Download
memory/3304-1-0x0000000000730000-0x0000000000F48000-memory.dmp

Filesize
8.1MB

Download
memory/3700-183-0x00000215284A0000-0x0000021528653000-memory.dmp

Filesize
1.7MB

Download
memory/3700-53-0x000002150D120000-0x000002150D16A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads