General
-
Target
XWorm V5.2.rar
-
Size
30.8MB
-
Sample
240516-p8t5nsdg9v
-
MD5
fedb5514599b1b6b2583d2d02f67b18d
-
SHA1
30bf61c43970f8f60e8770f649ab9a406020ac18
-
SHA256
fa4e6545f776160094004f3bfc1c9e199ec43e22870b1674b48ecc9a80ec71fb
-
SHA512
3bae5883c01222d537dde94cf4a8aedf86023349be2c742f7e6aa78e9faafc10dcd596968773e8287a58051d7696c2024aedd6704f11a3a1fc2c5fdbf17861f7
-
SSDEEP
786432:+yMMBOS745XHHdXOXZCJxMJW18F3JhLDj55I7cTFXPz:dBzEtn0QJ2g12Jhnt9Zb
Malware Config
Extracted
xworm
5.0
127.0.0.1:7000
lPzjVNS1BMyEpd57
-
install_file
USB.exe
Targets
-
-
Target
XWorm V5.2.rar
-
Size
30.8MB
-
MD5
fedb5514599b1b6b2583d2d02f67b18d
-
SHA1
30bf61c43970f8f60e8770f649ab9a406020ac18
-
SHA256
fa4e6545f776160094004f3bfc1c9e199ec43e22870b1674b48ecc9a80ec71fb
-
SHA512
3bae5883c01222d537dde94cf4a8aedf86023349be2c742f7e6aa78e9faafc10dcd596968773e8287a58051d7696c2024aedd6704f11a3a1fc2c5fdbf17861f7
-
SSDEEP
786432:+yMMBOS745XHHdXOXZCJxMJW18F3JhLDj55I7cTFXPz:dBzEtn0QJ2g12Jhnt9Zb
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload
-
AgentTesla payload
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry
-
Sets file execution options in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Registers COM server for autorun
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
4Browser Extensions
1BITS Jobs
1Privilege Escalation
Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
4