General

  • Target

    XWorm V5.2.zip

  • Size

    36.0MB

  • Sample

    240528-3sd1eaae48

  • MD5

    d6757d3dbf1a98508f5cc3715df07e64

  • SHA1

    bb5d6cb95edf409792cb59e99faa8d977d6404ec

  • SHA256

    bbd19b42209127ad2b015d76f6fc37e35f2c4d751b1b4847a92fd218dd0caf1c

  • SHA512

    34b9ebb5ca64824419c10d30727fac4660160e55cd793bf66470310ec6d2c4e74c3375f54da062032fa2ca3a38866d6a9f212f4b0911733dda56cd2ca012b5d6

  • SSDEEP

    786432:JpMDUYoUO13WMuw2yCqwU0dDL5i4jYC7bsTsVsjGkkFsi5m557vHWa2gPBri:zfYLO1x2Cwhdf0ffTLjrpIot2a7W

Malware Config

Targets

    • Target

      XWorm V5.2/XWorm V5.2.exe

    • Size

      12.2MB

    • MD5

      8b7b015c1ea809f5c6ade7269bdc5610

    • SHA1

      c67d5d83ca18731d17f79529cfdb3d3dcad36b96

    • SHA256

      7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e

    • SHA512

      e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180

    • SSDEEP

      196608:pcWPW6SJ5POYAa23tuQUj7prczC9YNu+/ChWbPP91SDwDrZhd:pce0JtOSSLU3prczy0uqkaIkDtn

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Target

      XWorm V5.2/XWormLoader 5.2 x32.exe

    • Size

      109KB

    • MD5

      f3b2ec58b71ba6793adcc2729e2140b1

    • SHA1

      d9e93a33ac617afe326421df4f05882a61e0a4f2

    • SHA256

      2d74eb709aea89a181cf8dfcc7e551978889f0d875401a2f1140487407bf18ae

    • SHA512

      473edcaba9cb8044e28e30fc502a08a648359b3ed0deba85e559fe76b484fc8db0fc2375f746851623e30be33da035cec1d6038e1fcf4842a2afb6f9cd397495

    • SSDEEP

      1536:5vjAnXqn2nY7WfRMgPQQrMoqmyVttdGFQeOPigx:5LCan2nY7sdQQAoqmyBeu

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Target

      XWorm V5.2/XWormLoader 5.2 x64.exe

    • Size

      109KB

    • MD5

      e6a20535b636d6402164a8e2d871ef6d

    • SHA1

      981cb1fd9361ca58f8985104e00132d1836a8736

    • SHA256

      b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2

    • SHA512

      35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30

    • SSDEEP

      1536:TYogSlNwXosKwOYtV1AS9m3xQyVGNNiLkWNF7XxFqmyVttdGFQeOPigx:TvgSlqGS9m3xQyKNbWNV3qmyBeu

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

MITRE ATT&CK Enterprise v15

Tasks