agenttesla | 76f8bfdea241d034362819d0a4491235209514802507b32ac16a24261680a5e5 | Triage

Submit
Reports

Overview

overview

Static

static

3

INJECTIONDLL.exe

windows10-2004-x64

Sharing

General

Target

INJECTIONDLL.exe
Size

6.3MB
Sample

240608-hh6mfsah37
MD5

4fa451322fabe9dd1d67d0c8bb30a7dc
SHA1

121db34eaf47dc90298157296a8f3ea8a16ab8e6
SHA256

76f8bfdea241d034362819d0a4491235209514802507b32ac16a24261680a5e5
SHA512

a930cbb354d43dbadd90eb343a754766d8ab62b45d5aff3ecd8f169924a381c9753e4ca2703dacd5b0e677c0b6ff4d760d9a8185f1e096f74262df7d4f7be8c9
SSDEEP

98304:DTebMFy6qog0TUujQMrWQD3G+6Lo61klSy+yICgkIvJRbtzb1Bn5EvTKKEqX7E9e:faMZbgnEQwV3VAR938g3Tp/5E8Y

Score

10^/10

agenttesla xworm execution keylogger persistence rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

INJECTIONDLL.exe

Resource

win10v2004-20240226-en

agenttesla xworm execution keylogger persistence rat spyware stealer trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

park-thomson.gl.at.ply.gg:36283

Mutex

JhdYpXnrMu5gRxUg

Attributes

Install_directory
%LocalAppData%
install_file
WindowsUpdate.exe

aes.plain

Targets

- Target
  
  INJECTIONDLL.exe
- Size
  
  6.3MB
- MD5
  
  4fa451322fabe9dd1d67d0c8bb30a7dc
- SHA1
  
  121db34eaf47dc90298157296a8f3ea8a16ab8e6
- SHA256
  
  76f8bfdea241d034362819d0a4491235209514802507b32ac16a24261680a5e5
- SHA512
  
  a930cbb354d43dbadd90eb343a754766d8ab62b45d5aff3ecd8f169924a381c9753e4ca2703dacd5b0e677c0b6ff4d760d9a8185f1e096f74262df7d4f7be8c9
- SSDEEP
  
  98304:DTebMFy6qog0TUujQMrWQD3G+6Lo61klSy+yICgkIvJRbtzb1Bn5EvTKKEqX7E9e:faMZbgnEQwV3VAR938g3Tp/5E8Y
Score

10^/10

agenttesla xworm execution keylogger persistence rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- AgentTesla payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

agentteslaxwormexecutionkeyloggerpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy