44caliber | 14430e71914c83f8d1de8e66caa39d07ab782efb662245fb9eff6aa9fca7ce87

General

Target

Loader V2.exe
Size

8.1MB
MD5

70a8a700260d1bf5d40214b4d16f2a4d
SHA1

888afda0f542f857c3627845abb17320c79348a3
SHA256

14430e71914c83f8d1de8e66caa39d07ab782efb662245fb9eff6aa9fca7ce87
SHA512

8d139e071d25106a30b3b00350fe08558bdaf884d039492611d90afd30c11ff08643560dc75ffaf7dafc0c53a96cf2b446239faf2fd8df9d0895d25b746d5d83
SSDEEP

196608:X7fP69w9dHnln76gtmUd74JVCbkQqeDDFloLRj/UVn5HIL6qG:Nvnln7RmUuJVuk0DDFWJCnVGs

Score

10^/10

44caliber xworm credential_access execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.20:13908

147.185.221.16:60401

Attributes

Install_directory
%AppData%
install_file
svhost.exe
telegram
https://api.telegram.org/bot7220907212:AAEOc5N7cpqGUVVvnWrzGHm8mdOrYN2e9mc/sendMessage?chat_id=6987872630

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1267250103538810911/_8BMipnmgDV4n-Uu_YmzeHrxrFFQPSAoBBDlwlDVhsDsk_31uQMADxZw-pq563wCO5KV

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2276-132-0x0000000000CC0000-0x0000000000CCE000-memory.dmp	disable_win_def

Detect Xworm Payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\injectdll.exe	family_xworm
behavioral1/memory/2276-12-0x0000000000E30000-0x0000000000E72000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\loaderr.exe	family_xworm
behavioral1/memory/2968-21-0x00000000011E0000-0x00000000011F6000-memory.dmp	family_xworm
behavioral1/memory/2696-130-0x0000000001010000-0x0000000001026000-memory.dmp	family_xworm
behavioral1/memory/2176-131-0x0000000000E10000-0x0000000000E52000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1404 powershell.exe
2280 powershell.exe
1884 powershell.exe
1448 powershell.exe

pid	process
1404	powershell.exe
2280	powershell.exe
1884	powershell.exe
1448	powershell.exe

Drops startup file 4 IoCs

Processes:

injectdll.exeloaderr.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	injectdll.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	injectdll.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	loaderr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	loaderr.exe

Executes dropped EXE 6 IoCs

Processes:

Loader.exeinjectdll.exeloaderr.exefixer.exesvchost.exesvhost.exe

pid process

2812 Loader.exe
2276 injectdll.exe
2968 loaderr.exe
2824 fixer.exe
2696 svchost.exe
2176 svhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2812	Loader.exe
2276	injectdll.exe
2968	loaderr.exe
2824	fixer.exe
2696	svchost.exe
2176	svhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

injectdll.exeloaderr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe"	injectdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	loaderr.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 freegeoip.app
3 freegeoip.app
6 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
2	freegeoip.app
3	freegeoip.app
6	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fixer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	fixer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	fixer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2448 schtasks.exe
1900 schtasks.exe

pid	process
2448	schtasks.exe
1900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

fixer.exepowershell.exeinjectdll.exepowershell.exepowershell.exepowershell.exeloaderr.exe

pid	process
2824	fixer.exe
2824	fixer.exe
2824	fixer.exe
2824	fixer.exe
1404	powershell.exe
2276	injectdll.exe
2280	powershell.exe
1884	powershell.exe
1448	powershell.exe
2968	loaderr.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

injectdll.exeloaderr.exefixer.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	2276	injectdll.exe
Token: SeDebugPrivilege	2968	loaderr.exe
Token: SeDebugPrivilege	2824	fixer.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	2276	injectdll.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	2968	loaderr.exe
Token: SeDebugPrivilege	2696	svchost.exe
Token: SeDebugPrivilege	2176	svhost.exe
Token: SeShutdownPrivilege	2276	injectdll.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

injectdll.exeloaderr.exe

pid process

2276 injectdll.exe
2968 loaderr.exe

pid	process
2276	injectdll.exe
2968	loaderr.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

Loader V2.exeLoader.exeloaderr.exeinjectdll.exetaskeng.exe

description	pid	process	target process
PID 2696 wrote to memory of 2812	2696	Loader V2.exe	Loader.exe
PID 2696 wrote to memory of 2812	2696	Loader V2.exe	Loader.exe
PID 2696 wrote to memory of 2812	2696	Loader V2.exe	Loader.exe
PID 2696 wrote to memory of 2276	2696	Loader V2.exe	injectdll.exe
PID 2696 wrote to memory of 2276	2696	Loader V2.exe	injectdll.exe
PID 2696 wrote to memory of 2276	2696	Loader V2.exe	injectdll.exe
PID 2812 wrote to memory of 2968	2812	Loader.exe	loaderr.exe
PID 2812 wrote to memory of 2968	2812	Loader.exe	loaderr.exe
PID 2812 wrote to memory of 2968	2812	Loader.exe	loaderr.exe
PID 2812 wrote to memory of 2824	2812	Loader.exe	fixer.exe
PID 2812 wrote to memory of 2824	2812	Loader.exe	fixer.exe
PID 2812 wrote to memory of 2824	2812	Loader.exe	fixer.exe
PID 2968 wrote to memory of 1404	2968	loaderr.exe	powershell.exe
PID 2968 wrote to memory of 1404	2968	loaderr.exe	powershell.exe
PID 2968 wrote to memory of 1404	2968	loaderr.exe	powershell.exe
PID 2276 wrote to memory of 2448	2276	injectdll.exe	schtasks.exe
PID 2276 wrote to memory of 2448	2276	injectdll.exe	schtasks.exe
PID 2276 wrote to memory of 2448	2276	injectdll.exe	schtasks.exe
PID 2968 wrote to memory of 2280	2968	loaderr.exe	powershell.exe
PID 2968 wrote to memory of 2280	2968	loaderr.exe	powershell.exe
PID 2968 wrote to memory of 2280	2968	loaderr.exe	powershell.exe
PID 2968 wrote to memory of 1884	2968	loaderr.exe	powershell.exe
PID 2968 wrote to memory of 1884	2968	loaderr.exe	powershell.exe
PID 2968 wrote to memory of 1884	2968	loaderr.exe	powershell.exe
PID 2968 wrote to memory of 1448	2968	loaderr.exe	powershell.exe
PID 2968 wrote to memory of 1448	2968	loaderr.exe	powershell.exe
PID 2968 wrote to memory of 1448	2968	loaderr.exe	powershell.exe
PID 2968 wrote to memory of 1900	2968	loaderr.exe	schtasks.exe
PID 2968 wrote to memory of 1900	2968	loaderr.exe	schtasks.exe
PID 2968 wrote to memory of 1900	2968	loaderr.exe	schtasks.exe
PID 2120 wrote to memory of 2696	2120	taskeng.exe	svchost.exe
PID 2120 wrote to memory of 2696	2120	taskeng.exe	svchost.exe
PID 2120 wrote to memory of 2696	2120	taskeng.exe	svchost.exe
PID 2120 wrote to memory of 2176	2120	taskeng.exe	svhost.exe
PID 2120 wrote to memory of 2176	2120	taskeng.exe	svhost.exe
PID 2120 wrote to memory of 2176	2120	taskeng.exe	svhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader V2.exe
"C:\Users\Admin\AppData\Local\Temp\Loader V2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Roaming\Loader.exe
"C:\Users\Admin\AppData\Roaming\Loader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812

C:\Users\Admin\AppData\Local\Temp\loaderr.exe
"C:\Users\Admin\AppData\Local\Temp\loaderr.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loaderr.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'loaderr.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"
4⤵
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Users\Admin\AppData\Local\Temp\fixer.exe
"C:\Users\Admin\AppData\Local\Temp\fixer.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Users\Admin\AppData\Roaming\injectdll.exe
"C:\Users\Admin\AppData\Roaming\injectdll.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\taskeng.exe
taskeng.exe {D2ED06C8-0CA9-45F5-999A-71FF65FEE11F} S-1-5-21-3450744190-3404161390-554719085-1000:PDIZKVQX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Users\Admin\AppData\Local\svchost.exe
C:\Users\Admin\AppData\Local\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2176

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

2

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
131B

MD5
50ff7d0474832e40c29a13347aecbc76

SHA1
5f9f8bffda36346b5d9866039170e656596b5e62

SHA256
c131669f85635cdd1d378b318f0ff39df54257e092b81a5c2b5acc00f282c087

SHA512
9ff6734475d89c59a0b6bf28eb4eee774a4855f67c661093c7abcb4ae70c4ec174e3bbfa5404f51f94594d2e4201661ee19af8de93b1aa7ad4d34ec5cff2d04f

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
448B

MD5
d548263beffface766e60c338fa37dbb

SHA1
d894b0096cb29baf11a0c85604bfc5e6ed746c7e

SHA256
15777014b1801f54f481eddbb78ec20cf8c1ddfebb3fdef327e539d44e8de348

SHA512
46a0ec7a881d67a20ea7595a6a91bfdf4cbe194f00e18d08a6e2471f9e4c96596a461f5b0723d619583e9fe16530d4be008860f8944dff31c1f33607e68dc1bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fixer.exe
Filesize
274KB

MD5
88505913c2c75f796c9a021aab2d356d

SHA1
5b5c06998d3e200c21c77ea4efaeaecdc7344e78

SHA256
62e414e990e80c8203955b0e32948ddc64903b80a462c339f1babfb03e641204

SHA512
6fa46be04c2693ea164fe52ddf3cca0bdafd1ab34d8c0f1c2bf3d361c6042f45375343f59e9474ded6718f8177a4f7eb19fddccd95f7fbb87aad12358b2d6905

Download Submit
C:\Users\Admin\AppData\Local\Temp\loaderr.exe
Filesize
65KB

MD5
95f8f28f5a8503461db6804cda9c4934

SHA1
81c0a30e498093d41948777135bbd407c7611cda

SHA256
aa40b9b929868482be1daae474d7c93426cd049f844c956865709ff8b7f240c2

SHA512
5c3460372a6640a98dd1b1d34a03b951ec4a8942e9065475e982a207881f290aedc3b51fe73c0da4c527e222addd1de2be7ba541e82287e43e16fc544ab34461

Download Submit
C:\Users\Admin\AppData\Roaming\Loader.exe
Filesize
7.6MB

MD5
aa16f3774491b600121545a5f194cefc

SHA1
c872fe765ecff1dada8378ad8a12cd5cf0425219

SHA256
c0a2b824a0fd05854818bfb81b02bc6178db3f8519807b15d844580099428e1d

SHA512
8b50e7c6eca25ecc2196fbfaf42079873e3c532a90e8d8b691fb594da3e067593f86f0d6488d0c314a27d78519f33fcbfb4532f811997891d55a47d582e1b3a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
d753e78b97e4f1634fd534d56b7b5558

SHA1
dee40fcd0ed6c23bf684197a8e5eb9b4c903a3d0

SHA256
d0c224dfcbdc901d6d7aa2cd8af93d2231b08b5e52ba80c195f834584a4bbfdb

SHA512
204e27e68fdca6cee58ce7e5512f8fb49e7f2c725fa4597efbbd8dc2ef206367632b51eb99881eaebd260ae640c3bfd0f0f841528b3af6b7448c9c5f1118a9d1

Download Submit
C:\Users\Admin\AppData\Roaming\injectdll.exe
Filesize
244KB

MD5
74ffb0d60d647dd6ad8d00c1bee48011

SHA1
4c8a707a33b35b78f374c66d59f9c2314c20b25f

SHA256
b481f1e0cfe25e5f19da0a0333c78661bf5c75c0b1c616ff4aaaa07aed31efd1

SHA512
fc667f4560d6b19a9a4f37eb0e66c751eb348ffc0db69c7d0bd733dfd2df2dfdadc7b780cd93686350444cc14a54283bafe3afec611bcac3ad0239eda659f46c

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1404-96-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/1404-95-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/2176-131-0x0000000000E10000-0x0000000000E52000-memory.dmp

Filesize
264KB

Download
memory/2276-40-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2276-12-0x0000000000E30000-0x0000000000E72000-memory.dmp

Filesize
264KB

Download
memory/2276-123-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2276-132-0x0000000000CC0000-0x0000000000CCE000-memory.dmp

Filesize
56KB

Download
memory/2280-107-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2280-108-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2696-0-0x000007FEF5AD3000-0x000007FEF5AD4000-memory.dmp

Filesize
4KB

Download
memory/2696-130-0x0000000001010000-0x0000000001026000-memory.dmp

Filesize
88KB

Download
memory/2696-1-0x0000000000110000-0x0000000000928000-memory.dmp

Filesize
8.1MB

Download
memory/2812-13-0x0000000000C10000-0x00000000013A4000-memory.dmp

Filesize
7.6MB

Download
memory/2824-32-0x00000000010D0000-0x000000000111A000-memory.dmp

Filesize
296KB

Download
memory/2968-21-0x00000000011E0000-0x00000000011F6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads