General

  • Target

    6d0887ff7ad06bcc664a9c0393df240467a1ce36383311a4eea6e0fb40d05340

  • Size

    616KB

  • Sample

    240530-cbvzgsac8w

  • MD5

    79518e1aded2254563027faf02d3ff03

  • SHA1

    da6e1297a25c10da7fb301bf8abbbb2ef24b342d

  • SHA256

    6d0887ff7ad06bcc664a9c0393df240467a1ce36383311a4eea6e0fb40d05340

  • SHA512

    e46493401b7f6976020709d6260f647b252df9fc070549cf95c41737f1aaaeeb2c7937676fb548dcabdbe6f65fe060a3bf7fed8601d01bbdb99cb201d76389bf

  • SSDEEP

    12288:i0uI8ruENu+U9WcxcupFgfYtL8UavowjCedZ:HMrBUr7piTJuK

Malware Config

Extracted

Family

xworm

Version

5.0

C2

172.93.222.235:7725

Mutex

EaDc0m9mpwzOMMwb

Attributes
  • install_file

    USB.exe

  • aes.plain

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks