General
Target: nerestpc 0.28.2.zip
Size: 2.0MB
Sample: 240401-yxwzkaeg63
MD5: 78de1fc0bf68c1c2e33d35fc6daed8f0
SHA1: 2ebe67283bd9ac99f7c7010b1993891cd9a159a7
SHA256: 74597c931af92ad08a01a550599a9455f5081c3521e4db55d413957041b3f83b
SHA512: 57c1022496010f1abc93e177961d10f7887126357a839373263044e2a10ee51a03400c162ced41bffb87609b81be877aeb87ffa740bbb45ea7f23af3b9d1395a
SSDEEP: 49152:LFj9tIjTQeiZs822mFuk2BvgOeYN8R2CZTuRiLv4FgV:heiZsd+kMvhezRX8mv4yV
Static task: static1

Behavioral task: behavioral1
Sample: nerestpc 0.28.2.zip
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: nerestpc 0.28.2.zip
Resource: win10v2004-20240226-en

Behavioral task: behavioral3
Sample: nerestpc 0.28.2.exe
Resource: win7-20240221-en
Malware Config
Extracted: xworm
18.ip.gl.ply.gg:7988
Install_directory: %AppData%
install_file: svchost.exe
Targets

Target: nerestpc 0.28.2.zip
Size: 2.0MB
MD5: 78de1fc0bf68c1c2e33d35fc6daed8f0
SHA1: 2ebe67283bd9ac99f7c7010b1993891cd9a159a7
SHA256: 74597c931af92ad08a01a550599a9455f5081c3521e4db55d413957041b3f83b
SHA512: 57c1022496010f1abc93e177961d10f7887126357a839373263044e2a10ee51a03400c162ced41bffb87609b81be877aeb87ffa740bbb45ea7f23af3b9d1395a
SSDEEP: 49152:LFj9tIjTQeiZs822mFuk2BvgOeYN8R2CZTuRiLv4FgV:heiZsd+kMvhezRX8mv4yV
Score: 1/10

Target: nerestpc 0.28.2.exe
Size: 2.0MB
MD5: 4fb728a1b09e1c06b4725870dc45a979
SHA1: 3a2550777bd9910875ffced0f8d254cff3755f82
SHA256: 578a5cb8ef5bb0847769953552c0624adae58df9bb3fd975ba07a17101b8b0ee
SHA512: 165be9e2d2e27dca6f3cccc94c54cfc22ccaa533b19aa769c847e4f285f0ee969e53e4b3d6035f0d861b382ac30035a1755465e7f69858ff078159a1403dd054
SSDEEP: 49152:sZFQrpyj9MZgCPZAWyBirRkw1pyD5dITsp3mHsuv4YYqNX:C6rpFZgCBAWyBi1k1sspWHZ1N
AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Detect Xworm Payload
AgentTesla payload
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.