agenttesla | e38c9eb5ca2d9e9f287e914cc3b6c667cb64aaa4251671e268d741b95da2dd80 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

WizWorm (M...rm.exe

windows10-2004-x64

Sharing

General

Target

WizWorm (Modified XWorm).zip
Size

24.8MB
Sample

240715-txp4sssbqb
MD5

32ecce31bdf92872683db61212ff5680
SHA1

5f6b12892d7e2ef406a890207b0e7cfede5b3c66
SHA256

e38c9eb5ca2d9e9f287e914cc3b6c667cb64aaa4251671e268d741b95da2dd80
SHA512

8da875b941b937a43b13786179a33e9062742dadc6cebed36a10b4182c5e79074293b09cfe212400eca83c8c08cc5ca3756a48d5f05f606e2cab92a7e6e3c0c7
SSDEEP

786432:wMzXzpPSOsuxVYWR2LHsdOVGRRCCxbLwjTtDTgV:wMzXzpPSLuv/2LMUURHuTI

Score

10^/10

agenttesla xworm execution rat trojan

Static task

static1

agenttesla xworm

6 signatures

Behavioral task

behavioral1

Sample

WizWorm (Modified XWorm)/WizWorm.exe

Resource

win10v2004-20240709-en

xworm execution rat trojan

windows10-2004-x64

9 signatures

60 seconds

Malware Config

Extracted

Family

xworm

C2

auto-london.gl.at.ply.gg:51655

Attributes

Install_directory
%LocalAppData%
install_file
NigNigRat.exe

Targets

- Target
  
  WizWorm (Modified XWorm)/WizWorm.exe
- Size
  
  99KB
- MD5
  
  a9b00ac5f9c02e540c61381a5fae62c3
- SHA1
  
  273e272cc73d519c5cba2839de4e6043fd8977b0
- SHA256
  
  3ad4aa1921b844c635bbeef2a492a3d1ff134af6a38a1c31d7d264da3e192a38
- SHA512
  
  924316a6cd0b91617d23010cc031ccbc1a99c4d72f9199fb3215d68ae6ea6cc9c3a4888777bf4c72d920d940e68b828a4ede75c299a5f7b7f804250cea4ae570
- SSDEEP
  
  1536:n1vP5KmktoR0wQNB+QC+ZMh/uFPah6x2C4bFwOL/n6106/Y7FwoOLTrXatVSFayK:VxLCLN06PahfLbFZL/6PWZOL6GPPy
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

agentteslaxworm

behavioral1

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy