Extracted

• • Target

    XWorm V5.6.7z

  • Size

    18.5MB

  • MD5

    8b6bc1d51fabdf54d2bf97d5d80ce963

  • SHA1

    8e4595e0bc0c29177ccd590aab430ef1734e88a5

  • SHA256

    9ea90c73eb93f4d3fadc8f35e0200c72d3f0573d454a8a82b4a6f9407d176d44

  • SHA512

    c1cd937c6d0d50370e64fe453f51ca194ac46684cfd0b0ae49dd9c494f20058d57058535a2c372a9cc8ec7310f70d4285462d44243dbd245f224da1cb33f1aba

  • SSDEEP

    393216:1JDFgNmFH7nwXDx8MiiTpzHuxWAk42uShm0ULvcPMWDMJF:1ZFgNqH7c1FbGWAX0cKMWov

  Score

  10^/10

  agentteslastormkittyxwormcredential_accessdiscoverykeyloggerratspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • AgentTesla payload

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Uses the VBS compiler for execution

  behavioral1