agenttesla | hxxps://www[.]upload[.]ee/files/16472471/XWorm_V5[.]6[.]rar[.]html | Triage

Submit
Reports

Overview

overview

Static

static

1

URLScan

urlscan

1

https://www.upload.e...

windows10-2004-x64

Sharing

General

Target

https://www.upload.ee/files/16472471/XWorm_V5.6.rar.html
Sample

240414-ljbp9aff54

Score

10^/10

agenttesla stormkitty xworm evasion keylogger rat spyware stealer trojan

Static task

static1

URLScan task

urlscan1

Behavioral task

behavioral1

Sample

https://www.upload.ee/files/16472471/XWorm_V5.6.rar.html

Resource

win10v2004-20240226-en

agenttesla stormkitty xworm evasion keylogger rat spyware stealer trojan

windows10-2004-x64

33 signatures

1200 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

sgC4GcOTq0MyOKDT

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/H3wFXmEi

aes.plain

Targets

- Target
  
  https://www.upload.ee/files/16472471/XWorm_V5.6.rar.html
Score

10^/10

agenttesla stormkitty xworm evasion keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- AgentTesla payload
- Modifies Windows Firewall
  evasion
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Uses the VBS compiler for execution
- Legitimate hosting services abused for malware hosting/C2
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

urlscan1

behavioral1

agentteslastormkittyxwormevasionkeyloggerratspywarestealertrojan

© 2018-2024

Terms | Privacy