Overview

overview

10

Static

static

3

Loader V2.exe

windows7-x64

10

Loader V2.exe

windows10-1703-x64

10

Loader V2.exe

windows10-2004-x64

Loader V2.exe

windows11-21h2-x64

Analysis

  • max time kernel
    56s
  • max time network
    88s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    03-08-2024 19:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader V2.exe

  • Size

    8.1MB

  • MD5

    70a8a700260d1bf5d40214b4d16f2a4d

  • SHA1

    888afda0f542f857c3627845abb17320c79348a3

  • SHA256

    14430e71914c83f8d1de8e66caa39d07ab782efb662245fb9eff6aa9fca7ce87

  • SHA512

    8d139e071d25106a30b3b00350fe08558bdaf884d039492611d90afd30c11ff08643560dc75ffaf7dafc0c53a96cf2b446239faf2fd8df9d0895d25b746d5d83

  • SSDEEP

    196608:X7fP69w9dHnln76gtmUd74JVCbkQqeDDFloLRj/UVn5HIL6qG:Nvnln7RmUuJVuk0DDFWJCnVGs

Score
10/10
44caliberxwormcredential_accessexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.20:13908

147.185.221.16:60401
Attributes
  • Install_directory

    %AppData%

  • install_file

    svhost.exe

  • telegram

    https://api.telegram.org/bot7220907212:AAEOc5N7cpqGUVVvnWrzGHm8mdOrYN2e9mc/sendMessage?chat_id=6987872630

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1267250103538810911/_8BMipnmgDV4n-Uu_YmzeHrxrFFQPSAoBBDlwlDVhsDsk_31uQMADxZw-pq563wCO5KV

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 6 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 4 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader V2.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader V2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Users\Admin\AppData\Roaming\Loader.exe
      "C:\Users\Admin\AppData\Roaming\Loader.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Users\Admin\AppData\Local\Temp\loaderr.exe
        "C:\Users\Admin\AppData\Local\Temp\loaderr.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2968
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loaderr.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1404
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'loaderr.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2280
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1884
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1448
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1900
      • C:\Users\Admin\AppData\Local\Temp\fixer.exe
        "C:\Users\Admin\AppData\Local\Temp\fixer.exe"
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2824
    • C:\Users\Admin\AppData\Roaming\injectdll.exe
      "C:\Users\Admin\AppData\Roaming\injectdll.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2448
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {D2ED06C8-0CA9-45F5-999A-71FF65FEE11F} S-1-5-21-3450744190-3404161390-554719085-1000:PDIZKVQX\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Users\Admin\AppData\Local\svchost.exe
      C:\Users\Admin\AppData\Local\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2696
    • C:\Users\Admin\AppData\Roaming\svhost.exe
      C:\Users\Admin\AppData\Roaming\svhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\44\Process.txt
    Filesize

    131B

    MD5

    50ff7d0474832e40c29a13347aecbc76

    SHA1

    5f9f8bffda36346b5d9866039170e656596b5e62

    SHA256

    c131669f85635cdd1d378b318f0ff39df54257e092b81a5c2b5acc00f282c087

    SHA512

    9ff6734475d89c59a0b6bf28eb4eee774a4855f67c661093c7abcb4ae70c4ec174e3bbfa5404f51f94594d2e4201661ee19af8de93b1aa7ad4d34ec5cff2d04f

    Download Submit

  • C:\Users\Admin\AppData\Local\44\Process.txt
    Filesize

    448B

    MD5

    d548263beffface766e60c338fa37dbb

    SHA1

    d894b0096cb29baf11a0c85604bfc5e6ed746c7e

    SHA256

    15777014b1801f54f481eddbb78ec20cf8c1ddfebb3fdef327e539d44e8de348

    SHA512

    46a0ec7a881d67a20ea7595a6a91bfdf4cbe194f00e18d08a6e2471f9e4c96596a461f5b0723d619583e9fe16530d4be008860f8944dff31c1f33607e68dc1bd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\fixer.exe
    Filesize

    274KB

    MD5

    88505913c2c75f796c9a021aab2d356d

    SHA1

    5b5c06998d3e200c21c77ea4efaeaecdc7344e78

    SHA256

    62e414e990e80c8203955b0e32948ddc64903b80a462c339f1babfb03e641204

    SHA512

    6fa46be04c2693ea164fe52ddf3cca0bdafd1ab34d8c0f1c2bf3d361c6042f45375343f59e9474ded6718f8177a4f7eb19fddccd95f7fbb87aad12358b2d6905

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\loaderr.exe
    Filesize

    65KB

    MD5

    95f8f28f5a8503461db6804cda9c4934

    SHA1

    81c0a30e498093d41948777135bbd407c7611cda

    SHA256

    aa40b9b929868482be1daae474d7c93426cd049f844c956865709ff8b7f240c2

    SHA512

    5c3460372a6640a98dd1b1d34a03b951ec4a8942e9065475e982a207881f290aedc3b51fe73c0da4c527e222addd1de2be7ba541e82287e43e16fc544ab34461

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Loader.exe
    Filesize

    7.6MB

    MD5

    aa16f3774491b600121545a5f194cefc

    SHA1

    c872fe765ecff1dada8378ad8a12cd5cf0425219

    SHA256

    c0a2b824a0fd05854818bfb81b02bc6178db3f8519807b15d844580099428e1d

    SHA512

    8b50e7c6eca25ecc2196fbfaf42079873e3c532a90e8d8b691fb594da3e067593f86f0d6488d0c314a27d78519f33fcbfb4532f811997891d55a47d582e1b3a8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    d753e78b97e4f1634fd534d56b7b5558

    SHA1

    dee40fcd0ed6c23bf684197a8e5eb9b4c903a3d0

    SHA256

    d0c224dfcbdc901d6d7aa2cd8af93d2231b08b5e52ba80c195f834584a4bbfdb

    SHA512

    204e27e68fdca6cee58ce7e5512f8fb49e7f2c725fa4597efbbd8dc2ef206367632b51eb99881eaebd260ae640c3bfd0f0f841528b3af6b7448c9c5f1118a9d1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\injectdll.exe
    Filesize

    244KB

    MD5

    74ffb0d60d647dd6ad8d00c1bee48011

    SHA1

    4c8a707a33b35b78f374c66d59f9c2314c20b25f

    SHA256

    b481f1e0cfe25e5f19da0a0333c78661bf5c75c0b1c616ff4aaaa07aed31efd1

    SHA512

    fc667f4560d6b19a9a4f37eb0e66c751eb348ffc0db69c7d0bd733dfd2df2dfdadc7b780cd93686350444cc14a54283bafe3afec611bcac3ad0239eda659f46c

    Download Submit

  • memory/1404-96-0x0000000002690000-0x0000000002698000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1404-95-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2176-131-0x0000000000E10000-0x0000000000E52000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2276-40-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2276-12-0x0000000000E30000-0x0000000000E72000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2276-123-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2276-132-0x0000000000CC0000-0x0000000000CCE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2280-107-0x000000001B730000-0x000000001BA12000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2280-108-0x0000000002340000-0x0000000002348000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2696-0-0x000007FEF5AD3000-0x000007FEF5AD4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-130-0x0000000001010000-0x0000000001026000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2696-1-0x0000000000110000-0x0000000000928000-memory.dmp

    Filesize

    8.1MB

    Download

  • memory/2812-13-0x0000000000C10000-0x00000000013A4000-memory.dmp

    Filesize

    7.6MB

    Download

  • memory/2824-32-0x00000000010D0000-0x000000000111A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2968-21-0x00000000011E0000-0x00000000011F6000-memory.dmp

    Filesize

    88KB

    Download