General
Target: #πΎπ βπππΌβπ ππ.π.bat
Size: 20KB
Sample: 231201-yfr92sff88
MD5: a7793c10f4e024c789964be67375ab2a
SHA1: 988d0af9a4ca435dd084ce541a250f6ba57f590a
SHA256: 770eedd081641838d18c615b60ea2658febcb6bb19a35a0fe1c569eeedb8026d
SHA512: 50e2b5c410fc1d865f446214bfc655ca64fcd17bde6e840f89bf4ecd2970203a173fc0d388a18cfd838b61bea397c0c9c851d7c946ec8d4343787162cd772f83
SSDEEP: 384:QNJuPLwF+5InJhMFcJqJ+C7inKvcO3oF57talCp1h2wHdpIhG/8J/D8Au99mmBkn:CJuT48InJhMFcJqJ+C7inKvcO3oF57tO
Static task: static1
Behavioral task: behavioral1
Sample: #πΎπ βπππΌβπ ππ.π.bat
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: #πΎπ βπππΌβπ ππ.π.bat
Resource: win10v2004-20231127-en
Malware Config
Extracted: xworm
C2: goofyah-26004.portmap.host:26004
Install_directory: %AppData%
install_file: GVClientV4.exe
Targets
Target: #πΎπ βπππΌβπ ππ.π.bat (hashes as listed under General)
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- Detect Xworm Payload
- AgentTesla payload
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.