Resubmissions

17-03-2024 18:57

240317-xl3gjadg5s 10

17-03-2024 18:51

240317-xhqcssdf4w 10

General

  • Target

    XWorm v5.1-5.2.7z

  • Size

    54.5MB

  • Sample

    240317-xl3gjadg5s

  • MD5

    76219b3556e25086fc52f8e2b93fbd0c

  • SHA1

    066a0f875820e51a60c3552a06b7b97f8bab6bbc

  • SHA256

    fe6371034d55bb7583081b03f4aec7274f8340cfea4740325cb52e1c6ac77f6d

  • SHA512

    ccc974b8e446409c7940ef8314b2a912a2f8c0272721148d4dca5b739702106e69c9c7d106137a576b7a7a846d4f9ac770685a07d7a588ba34d0167acb07f104

  • SSDEEP

    786432:8IagoCEXKlCpMqIEJkseGG+5ELbzcFdcyt5/ks3FkAPYxpL+q7RRHEm+0NyvZZGl:8JgXCzIsGrPzcFrt1F3Yxxrr+4yvZE

Malware Config

Targets

    • Target

      XWorm v5.1-5.2.7z

    • Size

      54.5MB

    • MD5

      76219b3556e25086fc52f8e2b93fbd0c

    • SHA1

      066a0f875820e51a60c3552a06b7b97f8bab6bbc

    • SHA256

      fe6371034d55bb7583081b03f4aec7274f8340cfea4740325cb52e1c6ac77f6d

    • SHA512

      ccc974b8e446409c7940ef8314b2a912a2f8c0272721148d4dca5b739702106e69c9c7d106137a576b7a7a846d4f9ac770685a07d7a588ba34d0167acb07f104

    • SSDEEP

      786432:8IagoCEXKlCpMqIEJkseGG+5ELbzcFdcyt5/ks3FkAPYxpL+q7RRHEm+0NyvZZGl:8JgXCzIsGrPzcFrt1F3Yxxrr+4yvZE

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Target

      XWorm/XWorm V5.1/XWorm V5.1.exe

    • Size

      9.3MB

    • MD5

      540a501c683c91729e712fe83cf4e92f

    • SHA1

      d426473f486cd7b46ec8d3bae4a3f9b42f780f89

    • SHA256

      567ac8995973807a1288847d357dd8014118f07194a4db64cccaeab5871d54e1

    • SHA512

      25aa06429cc1272c1932e543d41563905964ef2b7dad9e6b0a13aee8c6fff5a4a9e9f4ba023435d265ddb36cdfebaca8efadfd8e9a3918747e29a2764e09a2a6

    • SSDEEP

      196608:fHMCjsbDbqTw0l1s3PIump2n7lpQutrONgFETLU6Jz8p:fHaXYDXs3PIo7wutrMYEB

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Target

      XWorm/XWorm V5.1/XWorm V5.1.exe.config

    • Size

      183B

    • MD5

      66f09a3993dcae94acfe39d45b553f58

    • SHA1

      9d09f8e22d464f7021d7f713269b8169aed98682

    • SHA256

      7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

    • SHA512

      c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

    Score
    1/10
    • Target

      XWorm/XWorm V5.1/XWormLoader 5.1 x32.exe

    • Size

      109KB

    • MD5

      4241a6375a548b2a6b8c7bf749cb40a5

    • SHA1

      32d938a053ac3a127c9d48128c2de8262ff2e6fc

    • SHA256

      3ef2fc92e45af81d0de1515de17c1b58fa8904bdfaa6fa729547110e4b181ddc

    • SHA512

      d2c5f1a2d993a193895a5c562aad7a297120dd0fe009d04faf6d45ae0e25c700607e78a3bc0f104f742744cd2a986acadc623b0d1eebbacd9145c9a48ace42b3

    • SSDEEP

      1536:5V1PFOX0jrClW7PUYSmqSwqmyVttdGFQeOPigx:5V1PFu0jrCQn3qSwqmyBeu

    Score
    7/10
    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Target

      XWorm/XWorm V5.1/XWormLoader 5.1 x32.exe.config

    • Size

      187B

    • MD5

      15c8c4ba1aa574c0c00fd45bb9cce1ab

    • SHA1

      0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

    • SHA256

      f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

    • SHA512

      52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

    Score
    3/10
    • Target

      XWorm/XWorm V5.1/XWormLoader 5.1 x64.exe

    • Size

      109KB

    • MD5

      4bf2058e2fe4ee6490873acd8d00fc71

    • SHA1

      099f6cd30e1db09c0c51fad208a2c2706c6bd437

    • SHA256

      53d7f79b97f9bb3883a26b4cd84127e4c0c932ba82d9dd437b52373099049bea

    • SHA512

      f4382641663486fadb345537b2d2fc8097e918ccc4697e79e5d1c219a6e66f301a2a4bc65f4a95f740fc92eccaef55ebd99ed49dafdbe2a28f906c15c549d4a5

    • SSDEEP

      1536:xPsDAsCSuhbXNBcqhZ6tJaW9lSr89qmyVttdGFQeOPigx:1s5maVJaWPSI9qmyBeu

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Target

      XWorm/XWorm V5.1/XWormLoader 5.1 x64.exe.config

    • Size

      187B

    • MD5

      15c8c4ba1aa574c0c00fd45bb9cce1ab

    • SHA1

      0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

    • SHA256

      f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

    • SHA512

      52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

    Score
    3/10
    • Target

      XWorm/XWorm V5.2/RVGLib.dll

    • Size

      241KB

    • MD5

      d34c13128c6c7c93af2000a45196df81

    • SHA1

      664c821c9d2ed234aea31d8b4f17d987e4b386f1

    • SHA256

      aaf9fb0158bd40ab562a4212c2a795cb40ef6864042dc12f3a2415f2446ba1c7

    • SHA512

      91f4e0e795f359b03595b01cbf29188a2a0b52ab9d64eadd8fb8b3508e417b8c7a70be439940975bf5bdf26493ea161aa45025beb83bc95076ed269e82d39689

    • SSDEEP

      6144:4vJ05NPsvienBaRWxomAElbgu6Cqe2ZBePW9J:4u6iABa+iu32ne

    Score
    1/10
    • Target

      XWorm/XWorm V5.2/SimpleObfuscator.dll

    • Size

      1.4MB

    • MD5

      9043d712208178c33ba8e942834ce457

    • SHA1

      e0fa5c730bf127a33348f5d2a5673260ae3719d1

    • SHA256

      b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c

    • SHA512

      dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

    • SSDEEP

      24576:FDy7cKOfkiRrXP5WtJvW1mpjSWr7uoZme1V86:+8/AtJes1LJ

    Score
    1/10
    • Target

      XWorm/XWorm V5.2/XWorm V5.2.exe

    • Size

      12.2MB

    • MD5

      8b7b015c1ea809f5c6ade7269bdc5610

    • SHA1

      c67d5d83ca18731d17f79529cfdb3d3dcad36b96

    • SHA256

      7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e

    • SHA512

      e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180

    • SSDEEP

      196608:pcWPW6SJ5POYAa23tuQUj7prczC9YNu+/ChWbPP91SDwDrZhd:pce0JtOSSLU3prczy0uqkaIkDtn

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Target

      XWorm/XWorm V5.2/XWormLoader 5.2 x32.exe

    • Size

      109KB

    • MD5

      f3b2ec58b71ba6793adcc2729e2140b1

    • SHA1

      d9e93a33ac617afe326421df4f05882a61e0a4f2

    • SHA256

      2d74eb709aea89a181cf8dfcc7e551978889f0d875401a2f1140487407bf18ae

    • SHA512

      473edcaba9cb8044e28e30fc502a08a648359b3ed0deba85e559fe76b484fc8db0fc2375f746851623e30be33da035cec1d6038e1fcf4842a2afb6f9cd397495

    • SSDEEP

      1536:5vjAnXqn2nY7WfRMgPQQrMoqmyVttdGFQeOPigx:5LCan2nY7sdQQAoqmyBeu

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Target

      XWorm/XWorm V5.2/XWormLoader 5.2 x64.exe

    • Size

      109KB

    • MD5

      e6a20535b636d6402164a8e2d871ef6d

    • SHA1

      981cb1fd9361ca58f8985104e00132d1836a8736

    • SHA256

      b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2

    • SHA512

      35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30

    • SSDEEP

      1536:TYogSlNwXosKwOYtV1AS9m3xQyVGNNiLkWNF7XxFqmyVttdGFQeOPigx:TvgSlqGS9m3xQyKNbWNV3qmyBeu

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

MITRE ATT&CK Enterprise v15

Tasks

static1

agilenetagentteslastormkitty
Score
10/10

behavioral1

Score
3/10

behavioral2

agilenet
Score
7/10

behavioral3

agentteslaagilenetkeyloggerspywarestealertrojan
Score
10/10

behavioral4

agentteslaagilenetkeyloggerspywarestealertrojan
Score
10/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

agilenet
Score
7/10

behavioral9

Score
3/10

behavioral10

Score
3/10

behavioral11

Score
1/10

behavioral12

agentteslaagilenetkeyloggerspywarestealertrojan
Score
10/10

behavioral13

Score
3/10

behavioral14

Score
3/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

agentteslaagilenetkeyloggerspywarestealertrojan
Score
10/10

behavioral20

agentteslaagilenetkeyloggerspywarestealertrojan
Score
10/10

behavioral21

Score
1/10

behavioral22

agentteslaagilenetkeyloggerspywarestealertrojan
Score
10/10

behavioral23

Score
1/10

behavioral24

agentteslaagilenetkeyloggerspywarestealertrojan
Score
10/10