agenttesla

General

Target

Acal BFi UK - Products List 020240704.exe
Size

341KB
Sample

240704-tvs3nsygpk
MD5

ee12c46b73b56744c0dfc093d681ac13
SHA1

c0ec40f38d10ac100473cf93c9a70b1f566cf55d
SHA256

d23bfe6129eb1b44c79612e9743c286ee15d5024e61796662c3fb86cf0d27141
SHA512

e67fe7f2708ab10910610757eaa8068430d5652f9549c1fc969efe96637084fbb7812a62e34ba8bbc960c00d97b7266b3e4eb385cfca1d5c0d9565486cec8281
SSDEEP

768:4weX0qJNPaYNsQe21zEjss2S3g1Ircn0sspAgpq8bLyg1uMN0+dzsR0+eE2:2TuQbk/pqELy0uyT+f2

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:2005

79.110.62.113:2005

Mutex

0QFmCI3ycTg10NnI

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7121198832:AAHWmvzY7jDQqG8pk3uwnutesjvQDyHyYTs/

Targets

- Target
  
  Acal BFi UK - Products List 020240704.exe
- Size
  
  341KB
- MD5
  
  ee12c46b73b56744c0dfc093d681ac13
- SHA1
  
  c0ec40f38d10ac100473cf93c9a70b1f566cf55d
- SHA256
  
  d23bfe6129eb1b44c79612e9743c286ee15d5024e61796662c3fb86cf0d27141
- SHA512
  
  e67fe7f2708ab10910610757eaa8068430d5652f9549c1fc969efe96637084fbb7812a62e34ba8bbc960c00d97b7266b3e4eb385cfca1d5c0d9565486cec8281
- SSDEEP
  
  768:4weX0qJNPaYNsQe21zEjss2S3g1Ircn0sspAgpq8bLyg1uMN0+dzsR0+eE2:2TuQbk/pqELy0uyT+f2
Score

10^/10

agenttesla stormkitty xworm keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect Xworm Payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Executes dropped EXE
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Detect Xworm Payload

StormKitty

StormKitty payload

Xworm

Executes dropped EXE

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2