Overview

overview

10

Static

static

10

XWorm V5.2.rar

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XWorm V5.2.rar

  • Size

    30.8MB

  • Sample

    240516-p8t5nsdg9v

  • MD5

    fedb5514599b1b6b2583d2d02f67b18d

  • SHA1

    30bf61c43970f8f60e8770f649ab9a406020ac18

  • SHA256

    fa4e6545f776160094004f3bfc1c9e199ec43e22870b1674b48ecc9a80ec71fb

  • SHA512

    3bae5883c01222d537dde94cf4a8aedf86023349be2c742f7e6aa78e9faafc10dcd596968773e8287a58051d7696c2024aedd6704f11a3a1fc2c5fdbf17861f7

  • SSDEEP

    786432:+yMMBOS745XHHdXOXZCJxMJW18F3JhLDj55I7cTFXPz:dBzEtn0QJ2g12Jhnt9Zb

Score
10/10
agentteslastormkittyxwormadwareagilenetdiscoverykeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

lPzjVNS1BMyEpd57

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      XWorm V5.2.rar

    • Size

      30.8MB

    • MD5

      fedb5514599b1b6b2583d2d02f67b18d

    • SHA1

      30bf61c43970f8f60e8770f649ab9a406020ac18

    • SHA256

      fa4e6545f776160094004f3bfc1c9e199ec43e22870b1674b48ecc9a80ec71fb

    • SHA512

      3bae5883c01222d537dde94cf4a8aedf86023349be2c742f7e6aa78e9faafc10dcd596968773e8287a58051d7696c2024aedd6704f11a3a1fc2c5fdbf17861f7

    • SSDEEP

      786432:+yMMBOS745XHHdXOXZCJxMJW18F3JhLDj55I7cTFXPz:dBzEtn0QJ2g12Jhnt9Zb

    Score
    10/10
    agentteslaxwormadwareagilenetdiscoverykeyloggerpersistenceratspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • AgentTesla payload

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

      persistence

    • Sets file execution options in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Registers COM server for autorun

      persistence

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

4
T1547.001

Browser Extensions

1
T1176

BITS Jobs

1
T1197

Privilege Escalation

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

4
T1547.001

Defense Evasion

Modify Registry

6
T1112

Scripting

1
T1064

BITS Jobs

1
T1197

Credential Access

Discovery

Query Registry

6
T1012

System Information Discovery

6
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks