agenttesla

General

Target

WizWorm v4.rar
Size

35.5MB
Sample

240310-rdgxzaea94
MD5

82f10a35d8425c3e46ef808972e73831
SHA1

ac0dca716e71e0aabc3d4ac41d85e3bac5448630
SHA256

1dcb5aba17ea2886a59f960d60dd23b5cb14112f046a0d8de6e6d589e96639d5
SHA512

f7ab8a440697c69a639465dba9772da837f4c9cd0ed8d7672aa3ca6dced3ceb6024277c80c5b17b0c76e47133689965858f54d211e454c44c2c4dd7c3f8ca50d
SSDEEP

786432:p+vcme8z2HYjCBbwIiEgBNVN7lDR+2FQGP1Rtn+FbzmeLc5vLN:Uc7HlsI6BNVsattPDeclN

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:5552

wiz.bounceme.net:6000

Mutex

vYK9Xem8pJS2l5cY

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  WizWorm v4.rar
- Size
  
  35.5MB
- MD5
  
  82f10a35d8425c3e46ef808972e73831
- SHA1
  
  ac0dca716e71e0aabc3d4ac41d85e3bac5448630
- SHA256
  
  1dcb5aba17ea2886a59f960d60dd23b5cb14112f046a0d8de6e6d589e96639d5
- SHA512
  
  f7ab8a440697c69a639465dba9772da837f4c9cd0ed8d7672aa3ca6dced3ceb6024277c80c5b17b0c76e47133689965858f54d211e454c44c2c4dd7c3f8ca50d
- SSDEEP
  
  786432:p+vcme8z2HYjCBbwIiEgBNVN7lDR+2FQGP1Rtn+FbzmeLc5vLN:Uc7HlsI6BNVsattPDeclN
Score

10^/10

agenttesla xworm keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- AgentTesla payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Uses the VBS compiler for execution
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Contains code to disable Windows Defender

Detect Xworm Payload

Xworm

AgentTesla payload

Checks computer location settings

Executes dropped EXE

Uses the VBS compiler for execution

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4