agenttesla | fa4e6545f776160094004f3bfc1c9e199ec43e22870b1674b48ecc9a80ec71fb | Triage

Submit
Reports

Overview

overview

Static

static

XWorm V5.2.rar

windows7-x64

XWorm V5.2.rar

windows10-2004-x64

3

Sharing

General

Target

XWorm V5.2.rar
Size

30.8MB
Sample

240516-p1dsqadg88
MD5

fedb5514599b1b6b2583d2d02f67b18d
SHA1

30bf61c43970f8f60e8770f649ab9a406020ac18
SHA256

fa4e6545f776160094004f3bfc1c9e199ec43e22870b1674b48ecc9a80ec71fb
SHA512

3bae5883c01222d537dde94cf4a8aedf86023349be2c742f7e6aa78e9faafc10dcd596968773e8287a58051d7696c2024aedd6704f11a3a1fc2c5fdbf17861f7
SSDEEP

786432:+yMMBOS745XHHdXOXZCJxMJW18F3JhLDj55I7cTFXPz:dBzEtn0QJ2g12Jhnt9Zb

Score

10^/10

agenttesla stormkitty agilenet discovery keylogger persistence spyware stealer trojan

Static task

static1

agilenet agenttesla stormkitty

7 signatures

Behavioral task

behavioral1

Sample

XWorm V5.2.rar

Resource

win7-20240220-en

agenttesla agilenet discovery keylogger persistence spyware stealer trojan

windows7-x64

29 signatures

300 seconds

Behavioral task

behavioral2

Sample

XWorm V5.2.rar

Resource

win10v2004-20240508-en

windows10-2004-x64

12 signatures

300 seconds

Malware Config

Targets

- Target
  
  XWorm V5.2.rar
- Size
  
  30.8MB
- MD5
  
  fedb5514599b1b6b2583d2d02f67b18d
- SHA1
  
  30bf61c43970f8f60e8770f649ab9a406020ac18
- SHA256
  
  fa4e6545f776160094004f3bfc1c9e199ec43e22870b1674b48ecc9a80ec71fb
- SHA512
  
  3bae5883c01222d537dde94cf4a8aedf86023349be2c742f7e6aa78e9faafc10dcd596968773e8287a58051d7696c2024aedd6704f11a3a1fc2c5fdbf17861f7
- SSDEEP
  
  786432:+yMMBOS745XHHdXOXZCJxMJW18F3JhLDj55I7cTFXPz:dBzEtn0QJ2g12Jhnt9Zb
Score

10^/10

agenttesla agilenet discovery keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

agilenetagentteslastormkitty

behavioral1

agentteslaagilenetdiscoverykeyloggerpersistencespywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy