agenttesla | e1c064d2472fffaff3b9566f473d5b43310d2643d0d98f364f81c6610e2ed0b5 | Triage

Submit
Reports

Overview

overview

Static

static

3

Loadder.exe

windows11-21h2-x64

Sharing

General

Target

Loadder.exe
Size

98KB
Sample

240514-sz9qjsda98
MD5

7ed8bf17132c1003da9e1fc473b1d0f7
SHA1

e3d1754dbca2398977d0d1fb2b331168025da86c
SHA256

e1c064d2472fffaff3b9566f473d5b43310d2643d0d98f364f81c6610e2ed0b5
SHA512

cdaed8d1f7ddaa3a21c6a42ccca3b2881e562cfeffcd4bcc6f05b48581b138bf579bcdc38b0a71694a34cdc792686f7c8f3f51c7c5e6aca1370ae5ba034dacf9
SSDEEP

1536:T7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIf9weLHlD/gap4KO8:P7DhdC6kzWypvaQ0FxyNTBf9xx/4W

Score

10^/10

agenttesla xworm execution keylogger persistence rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Loadder.exe

Resource

win11-20240419-en

agenttesla xworm execution keylogger persistence rat spyware stealer trojan

windows11-21h2-x64

24 signatures

300 seconds

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
wlms.exe
pastebin_url
https://pastebin.com/raw/Xuc6dzua

Targets

- Target
  
  Loadder.exe
- Size
  
  98KB
- MD5
  
  7ed8bf17132c1003da9e1fc473b1d0f7
- SHA1
  
  e3d1754dbca2398977d0d1fb2b331168025da86c
- SHA256
  
  e1c064d2472fffaff3b9566f473d5b43310d2643d0d98f364f81c6610e2ed0b5
- SHA512
  
  cdaed8d1f7ddaa3a21c6a42ccca3b2881e562cfeffcd4bcc6f05b48581b138bf579bcdc38b0a71694a34cdc792686f7c8f3f51c7c5e6aca1370ae5ba034dacf9
- SSDEEP
  
  1536:T7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIf9weLHlD/gap4KO8:P7DhdC6kzWypvaQ0FxyNTBf9xx/4W
Score

10^/10

agenttesla xworm execution keylogger persistence rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- AgentTesla payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaxwormexecutionkeyloggerpersistenceratspywarestealertrojan

© 2018-2025

Terms | Privacy