General
-
Target
XWorm V5.3.7z
-
Size
43.4MB
-
Sample
240310-g4whyaea98
-
MD5
d06bfd3b8385b6da7d7cefa963ea7288
-
SHA1
f97c1cd79b033be1b3487eb25a18a23839c06fcc
-
SHA256
4d274a49cb04b5de876fd1c22ef6a42dd1625a33b4c045c207fd1fbc0a8f3b6c
-
SHA512
32738af730ba3f25637cbe3256f1090bd797eefadf29ff6a09e6d75c90a64f35a5078895fa8b297b85cfaed219904c74d6b9d6ae5ddfe94299be1ebe46ca66a9
-
SSDEEP
786432:B2fNnRSmGbKu8sHm5R/6MGWgIjvpoURlhWlJzNgeVCWoRLhfl6Bj:B2smu8/v/6xt8Dlh6JzdLoRLP6Bj
Static task
static1
Behavioral task
behavioral1
Sample
XWorm V5.3.7z
Resource
win10-20240214-en
Malware Config
Extracted
xworm
127.0.0.1:7000
-
Install_directory
%AppData%
-
install_file
XClient.exe
-
telegram
https://api.telegram.org/bot6674855898:AAEqgJIld017FODaGpZtYNQshE6vteMfI6Q/sendMessage?chat_id=6645844086
Targets
-
-
Target
XWorm V5.3.7z
-
Size
43.4MB
-
MD5
d06bfd3b8385b6da7d7cefa963ea7288
-
SHA1
f97c1cd79b033be1b3487eb25a18a23839c06fcc
-
SHA256
4d274a49cb04b5de876fd1c22ef6a42dd1625a33b4c045c207fd1fbc0a8f3b6c
-
SHA512
32738af730ba3f25637cbe3256f1090bd797eefadf29ff6a09e6d75c90a64f35a5078895fa8b297b85cfaed219904c74d6b9d6ae5ddfe94299be1ebe46ca66a9
-
SSDEEP
786432:B2fNnRSmGbKu8sHm5R/6MGWgIjvpoURlhWlJzNgeVCWoRLhfl6Bj:B2smu8/v/6xt8Dlh6JzdLoRLP6Bj
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect Xworm Payload
-
AgentTesla payload
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-