Resubmissions

17-03-2024 18:57

240317-xl3gjadg5s 10

17-03-2024 18:51

240317-xhqcssdf4w 10

General

  • Target

    XWorm v5.1-5.2.7z

  • Size

    54.5MB

  • Sample

    240317-xhqcssdf4w

  • MD5

    76219b3556e25086fc52f8e2b93fbd0c

  • SHA1

    066a0f875820e51a60c3552a06b7b97f8bab6bbc

  • SHA256

    fe6371034d55bb7583081b03f4aec7274f8340cfea4740325cb52e1c6ac77f6d

  • SHA512

    ccc974b8e446409c7940ef8314b2a912a2f8c0272721148d4dca5b739702106e69c9c7d106137a576b7a7a846d4f9ac770685a07d7a588ba34d0167acb07f104

  • SSDEEP

    786432:8IagoCEXKlCpMqIEJkseGG+5ELbzcFdcyt5/ks3FkAPYxpL+q7RRHEm+0NyvZZGl:8JgXCzIsGrPzcFrt1F3Yxxrr+4yvZE

Malware Config

Targets

    • Target

      XWorm v5.1-5.2.7z

    • Size

      54.5MB

    • MD5

      76219b3556e25086fc52f8e2b93fbd0c

    • SHA1

      066a0f875820e51a60c3552a06b7b97f8bab6bbc

    • SHA256

      fe6371034d55bb7583081b03f4aec7274f8340cfea4740325cb52e1c6ac77f6d

    • SHA512

      ccc974b8e446409c7940ef8314b2a912a2f8c0272721148d4dca5b739702106e69c9c7d106137a576b7a7a846d4f9ac770685a07d7a588ba34d0167acb07f104

    • SSDEEP

      786432:8IagoCEXKlCpMqIEJkseGG+5ELbzcFdcyt5/ks3FkAPYxpL+q7RRHEm+0NyvZZGl:8JgXCzIsGrPzcFrt1F3Yxxrr+4yvZE

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      XWorm/XWorm V5.1/XWorm V5.1.exe

    • Size

      9.3MB

    • MD5

      540a501c683c91729e712fe83cf4e92f

    • SHA1

      d426473f486cd7b46ec8d3bae4a3f9b42f780f89

    • SHA256

      567ac8995973807a1288847d357dd8014118f07194a4db64cccaeab5871d54e1

    • SHA512

      25aa06429cc1272c1932e543d41563905964ef2b7dad9e6b0a13aee8c6fff5a4a9e9f4ba023435d265ddb36cdfebaca8efadfd8e9a3918747e29a2764e09a2a6

    • SSDEEP

      196608:fHMCjsbDbqTw0l1s3PIump2n7lpQutrONgFETLU6Jz8p:fHaXYDXs3PIo7wutrMYEB

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Target

      XWorm/XWorm V5.1/XWormLoader 5.1 x32.exe

    • Size

      109KB

    • MD5

      4241a6375a548b2a6b8c7bf749cb40a5

    • SHA1

      32d938a053ac3a127c9d48128c2de8262ff2e6fc

    • SHA256

      3ef2fc92e45af81d0de1515de17c1b58fa8904bdfaa6fa729547110e4b181ddc

    • SHA512

      d2c5f1a2d993a193895a5c562aad7a297120dd0fe009d04faf6d45ae0e25c700607e78a3bc0f104f742744cd2a986acadc623b0d1eebbacd9145c9a48ace42b3

    • SSDEEP

      1536:5V1PFOX0jrClW7PUYSmqSwqmyVttdGFQeOPigx:5V1PFu0jrCQn3qSwqmyBeu

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Target

      XWorm/XWorm V5.1/XWormLoader 5.1 x64.exe

    • Size

      109KB

    • MD5

      4bf2058e2fe4ee6490873acd8d00fc71

    • SHA1

      099f6cd30e1db09c0c51fad208a2c2706c6bd437

    • SHA256

      53d7f79b97f9bb3883a26b4cd84127e4c0c932ba82d9dd437b52373099049bea

    • SHA512

      f4382641663486fadb345537b2d2fc8097e918ccc4697e79e5d1c219a6e66f301a2a4bc65f4a95f740fc92eccaef55ebd99ed49dafdbe2a28f906c15c549d4a5

    • SSDEEP

      1536:xPsDAsCSuhbXNBcqhZ6tJaW9lSr89qmyVttdGFQeOPigx:1s5maVJaWPSI9qmyBeu

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Target

      XWorm/XWorm V5.2/IconExtractor.dll

    • Size

      10KB

    • MD5

      640d8ffa779c6dd5252a262e440c66c0

    • SHA1

      3252d8a70a18d5d4e0cc84791d587dd12a394c2a

    • SHA256

      440912d85d2f98bb4f508ab82847067c18e1e15be0d8ecdcff0cc19327527fc2

    • SHA512

      e12084f87bd46010aded22be30e902c5269a6f6bc88286d3bef17c71d070b17beada0fe9e691a2b2f76202b5f9265329f6444575f89aff8551c486eafe4d5f32

    • SSDEEP

      192:7f77J4cGYyfQknxLvIgyLY5xJeU5pPpZlEAs:HS2yINgyLYLJR5wl

    Score
    1/10
    • Target

      XWorm/XWorm V5.2/Plugins/HVNC.dll

    • Size

      58KB

    • MD5

      b5ea6d82ec2d4127124eb9467eb5ce16

    • SHA1

      0a27f08f94a80024854721c73c7715af95581da7

    • SHA256

      ecb1a845bc2e813193e628eea48738f2354eb1ce8902a092118aa48ea2ff4bc7

    • SHA512

      ab459d26ce689d5c7fb533fb754b875896c214e0001ecc6e8b061f7cdaf1aec06400f66f506822775337a42b80f4e1e9ab008a658cfacc873cfa83eaab6f1880

    • SSDEEP

      1536:qKtNhYe3TQz12BWR77E3WxD9IhETnYT3CW3:rNhYecz12BWR7WCrKB3

    Score
    1/10
    • Target

      XWorm/XWorm V5.2/Plugins/HVNCMemory.dll

    • Size

      39KB

    • MD5

      14ca9b8f7993924b77078e08ec0d5df5

    • SHA1

      fb2b5717da357f6d13bb1127980c22bada68836a

    • SHA256

      8ab3391fa5880be5991133416bae0d5b76daa2d43c8ff92ff44d6dda23386e57

    • SHA512

      64aac1a872666bce5bb86144a6f96bb6905a2d900d76e8d2d6f1cf8b499baefd35c7fb4d6b5150d5717451c5ad632d677ae6f85737d334a7cebbd9d725c9964f

    • SSDEEP

      768:hbsnFtMqFJAkIAW3fY3WNSrfaA9oQoy1bqLRPD:hYF1jARvGWNE/okcb

    Score
    1/10
    • Target

      XWorm/XWorm V5.2/Plugins/HiddenApps.dll

    • Size

      45KB

    • MD5

      c5efa70a04a026b9a2fa97b1ea43e840

    • SHA1

      aab2de0ab74c12e04256ff2b113b062dc93179e6

    • SHA256

      f9ef7709f34e944d99ca5bef6af1524d7cf3889894084b7ae61e9202f267a728

    • SHA512

      1348d4ebd3ac5b56eb32820ee14f9aee20a43b7dc3d06dd7fd62c8f227b12a27d0c0376c7d858e78315cd92d17e588bc2e37648c04d146530db706e8b3c4ff1d

    • SSDEEP

      768:zy37gsdDvMZ9+rdm2KExqbMYRQpWk/x0qqBi3X/G0gpfN3ff2oA:idDvML+r/rqbMYRQpl/x5qI/dEdX2J

    Score
    1/10
    • Target

      XWorm/XWorm V5.2/Plugins/Informations.dll

    • Size

      22KB

    • MD5

      310ba7a07953ed7f783e89bcff6197e3

    • SHA1

      147aa53e0d7cb027e6c67fa50fcb0dc0c770e157

    • SHA256

      b10616eb3f5e4b0ceffc696179cdb616c78ef970dedbac10845a39985c91a38a

    • SHA512

      554ead0f700dd617eed6055a84ecad288c4779ab20206e7434a8f3443a03a95a501014cd52390eb57570c25ea2bd7a298b96e88e8550d10b2a5db4f9633af529

    • SSDEEP

      384:24svJAz5thUNHcxxypeGQ/0n3TmyxhxJNSLSg4RjjoZ:24suz/LypeGQEjfNSQM

    Score
    1/10
    • Target

      XWorm/XWorm V5.2/Plugins/Keylogger.dll

    • Size

      17KB

    • MD5

      40ba99b80654259d0428c7e4f3645948

    • SHA1

      8fa93e0f035694cd8e420aa2232aca859b3a2a6b

    • SHA256

      3361bb2309e4ee31f14081bc170ac530e2ae9d1336026e736190a0304e2e77e4

    • SHA512

      fc1deb29eea114e5a472102a51d49fa253a5c79821acffa930b30089ebecec4312437d4720b46e92149be2ce69aed57dc3939621a596ed6c413397363fa44ee7

    • SSDEEP

      192:uCK9HKDyS0+NKdUxEIj1aq8fgYO1Lnq4Ur1XneDN6IW1Y6Up91KNN10UbnnSL2CV:K5Oe+4dw1IDMO4U5uD8Upih0yZCV

    Score
    1/10
    • Target

      XWorm/XWorm V5.2/Plugins/Maps.dll

    • Size

      15KB

    • MD5

      b74f037f6c6de44e817660922a3044fc

    • SHA1

      eb5acc30d3f607193bd819e8c0cdaaf70295c5b4

    • SHA256

      ccb32961b904a22c2531313ed7c3733d7288daab181074f034eb4c73a0958a65

    • SHA512

      a547961b87ecdbc0f9bf02381f16e03795dc73eda744a86da2cc07c97d7f1b65642971347d1ca69f36ead63c3b9078b6e0f2ecb4b6f2178a3b9a62f3ffb76579

    • SSDEEP

      384:/HC+Q4WPRdJElcjp8J4jtepa9BX/bS9E2:/HCbRdWle2C5x/u6

    Score
    1/10
    • Target

      XWorm/XWorm V5.2/Plugins/MessageBox.dll

    • Size

      15KB

    • MD5

      bde9c12607827e21c64e1d64033043b5

    • SHA1

      d980614dda65f1f4c3a73d1f9c8162e597fcac4e

    • SHA256

      2170fe155b56e362500ece32013bbf8d45d5dc93e689ab33d3612066c7450f75

    • SHA512

      e015d9b915b748d1683c18621919161f9d495221c9bf788b661e3eeab60320ee0b0d9d64a393fafa47b521b484f0af2c9948f6dac0a9b7ef1e8910571e7e98eb

    • SSDEEP

      192:kpDQ4tBCjRD6W2Y7gF/OF2glT/9r169G3m6IW1mX/j0rsVHvJsJtDdZKML2vW9:0QcRW2UVT/95gG3UX/j0ZyvW9

    Score
    1/10
    • Target

      XWorm/XWorm V5.2/Plugins/Microphone.dll

    • Size

      540KB

    • MD5

      747554e4ca902a8d18b797c2edcb43ed

    • SHA1

      508d7c9f0b031a352a1a1f25d4c6abf4167392d5

    • SHA256

      1f135bc57ea4f44bf8a37d66b42788bed5aba753c5cbd0b4d3349ede64abfc59

    • SHA512

      deb3f480dc7febb1d9ff4ccdb1dd04d83e9fbe7e74fb0dd39d103dbe85fa0c434407ab032e9bca027e38a0f482d08308513cd821b09dc08aafafd905e97126fd

    • SSDEEP

      6144:yF8i30ykMPoxBemtSQvAVYm8Ou/JgtKMV6fb78+Ommg8YCQ18aFgRWAdoYCY8gQg:uP32emtLAV8OXebgreL7AwuaruedUB

    Score
    1/10
    • Target

      XWorm/XWorm V5.2/Plugins/Ngrok-Disk.dll

    • Size

      7.0MB

    • MD5

      4443f2173682ef836df2f89e1b44296e

    • SHA1

      1b0db6530eb5c5404af614143f464d663382c2e4

    • SHA256

      01e170bc479dc22cec4658a39067e001a72a974a4e562aca01162f82decd20b6

    • SHA512

      7bb8df753fc3636d3b01f2145c1df553b34a427a9e07d4c563a1fb2e23480ba2d609658d6ca2c4deaa386feff8af741397a3cbdb15c28157c4cf4ba8244fb61f

    • SSDEEP

      196608:+CsxED7kwTV6B/nCR7+AA3e5MryK5Rj1Bpw7Vdjz8wEO+Dl:+TED7/VEqt/A3TryARj1BpwLktl

    Score
    1/10
    • Target

      XWorm/XWorm V5.2/XWorm V5.2.exe

    • Size

      12.2MB

    • MD5

      8b7b015c1ea809f5c6ade7269bdc5610

    • SHA1

      c67d5d83ca18731d17f79529cfdb3d3dcad36b96

    • SHA256

      7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e

    • SHA512

      e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180

    • SSDEEP

      196608:pcWPW6SJ5POYAa23tuQUj7prczC9YNu+/ChWbPP91SDwDrZhd:pce0JtOSSLU3prczy0uqkaIkDtn

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Target

      XWorm/XWorm V5.2/XWormLoader 5.2 x32.exe

    • Size

      109KB

    • MD5

      f3b2ec58b71ba6793adcc2729e2140b1

    • SHA1

      d9e93a33ac617afe326421df4f05882a61e0a4f2

    • SHA256

      2d74eb709aea89a181cf8dfcc7e551978889f0d875401a2f1140487407bf18ae

    • SHA512

      473edcaba9cb8044e28e30fc502a08a648359b3ed0deba85e559fe76b484fc8db0fc2375f746851623e30be33da035cec1d6038e1fcf4842a2afb6f9cd397495

    • SSDEEP

      1536:5vjAnXqn2nY7WfRMgPQQrMoqmyVttdGFQeOPigx:5LCan2nY7sdQQAoqmyBeu

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

MITRE ATT&CK Enterprise v15

Tasks

static1

agilenetagentteslastormkitty
Score
10/10

behavioral1

Score
3/10

behavioral2

Score
7/10

behavioral3

agentteslaagilenetkeyloggerspywarestealertrojan
Score
10/10

behavioral4

agentteslaagilenetkeyloggerspywarestealertrojan
Score
10/10

behavioral5

Score
1/10

behavioral6

agentteslaagilenetkeyloggerspywarestealertrojan
Score
10/10

behavioral7

Score
1/10

behavioral8

agentteslaagilenetkeyloggerspywarestealertrojan
Score
10/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

agentteslaagilenetkeyloggerspywarestealertrojan
Score
10/10

behavioral30

agentteslaagilenetkeyloggerspywarestealertrojan
Score
10/10

behavioral31

Score
1/10

behavioral32

agentteslaagilenetkeyloggerspywarestealertrojan
Score
10/10