General
Target: BootStrapper.exe
Size: 172KB
Sample: 240524-r38f8ahh37
MD5: b39f03ec65e160fa650a334f23fbf4ce
SHA1: a6c7df0c9f13f3957b1cc4b08f10076fb150a0ce
SHA256: 2cfa79782d5720680721ceba226d34dbf6a0a40b2a89e806a2b5d434ed30a62f
SHA512: d636b77c02c63716800db1beb8e4d63154ffbcd78b0abc6b8c1fafddf3d30e6ae57985b6565e0b7d960d67f6804bb637ffed1c2298fdec53d8bd40c40baeb6a1
SSDEEP: 3072:kCcgU0lSE2Vw/jdTsvJNVNtcA2lXky01wWkf3+Jptd3mfqwpTGhK0CD1:kCPU68UovJNVv2lXFZ/sp8g
Static task: static1
Malware Config

Extracted: xworm
rest-involving.gl.at.ply.gg:18410
total-parties.gl.at.ply.gg:53271
Install_directory: %Temp%
install_file: System.exe

Extracted: xworm
5.0
greater-strategic.gl.at.ply.gg:56762
jaH0Qqkzaomv3BbG
Install_directory: %Userprofile%
install_file: System.exe
Targets
Target: BootStrapper.exe (172KB)
AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Detect Xworm Payload
AgentTesla payload
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.