General

  • Target: nerestpc 0.28.2.zip
  • Size: 2.0MB
  • Sample: 240401-yxwzkaeg63
  • MD5: 78de1fc0bf68c1c2e33d35fc6daed8f0
  • SHA1: 2ebe67283bd9ac99f7c7010b1993891cd9a159a7
  • SHA256: 74597c931af92ad08a01a550599a9455f5081c3521e4db55d413957041b3f83b
  • SHA512: 57c1022496010f1abc93e177961d10f7887126357a839373263044e2a10ee51a03400c162ced41bffb87609b81be877aeb87ffa740bbb45ea7f23af3b9d1395a
  • SSDEEP: 49152:LFj9tIjTQeiZs822mFuk2BvgOeYN8R2CZTuRiLv4FgV:heiZsd+kMvhezRX8mv4yV

Malware Config

Extracted

  • Family: xworm
  • C2: 18.ip.gl.ply.gg:7988
  • Attributes
    • Install_directory: %AppData%
    • install_file: svchost.exe

Targets

  • Target: nerestpc 0.28.2.zip
  • Size: 2.0MB
  • MD5, SHA1, SHA256, SHA512, SSDEEP: identical to the hashes listed under General above
  • Score: 1/10
  • Target: nerestpc 0.28.2.exe
  • Size: 2.0MB
  • MD5: 4fb728a1b09e1c06b4725870dc45a979
  • SHA1: 3a2550777bd9910875ffced0f8d254cff3755f82
  • SHA256: 578a5cb8ef5bb0847769953552c0624adae58df9bb3fd975ba07a17101b8b0ee
  • SHA512: 165be9e2d2e27dca6f3cccc94c54cfc22ccaa533b19aa769c847e4f285f0ee969e53e4b3d6035f0d861b382ac30035a1755465e7f69858ff078159a1403dd054
  • SSDEEP: 49152:sZFQrpyj9MZgCPZAWyBirRkw1pyD5dITsp3mHsuv4YYqNX:C6rpFZgCBAWyBi1k1sspWHZ1N

  Signatures

    • AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
    • Detect Xworm Payload
    • Xworm: Xworm is a remote access trojan written in C#.
    • AgentTesla payload
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15