Overview

overview

10

Static

static

10

Xworm V5.6.exe

windows7-x64

10

Xworm V5.6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    83s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    25-07-2024 22:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Xworm V5.6.exe

  • Size

    14.9MB

  • MD5

    56ccb739926a725e78a7acf9af52c4bb

  • SHA1

    5b01b90137871c3c8f0d04f510c4d56b23932cbc

  • SHA256

    90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

  • SHA512

    2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

  • SSDEEP

    196608:P4/BAe1d4ihvy85JhhYc3BSL1kehn4inje:PuyIhhkRka4i

Score
10/10
agentteslaxwormkeyloggerratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

K8gQNnuQfSaMvyLt

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • AgentTesla payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 31 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\foeo1sny\foeo1sny.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5AB98A282714F35A028821C642A7A.TMP"
        3⤵
          PID:2948
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:2340
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x5b8
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2836
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        1⤵
          PID:1056
        • C:\Users\Admin\Documents\XClient.exe
          "C:\Users\Admin\Documents\XClient.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1012

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RES77EE.tmp
          Filesize

          1KB

          MD5

          179873a55625903b9b84ab59a92e9d8e

          SHA1

          ebabea38496fa2142a8919329a5f5213ba5425c7

          SHA256

          f2e0d433fa13fcf4412122ce88925767209e2c13b3116702cc245671050977ed

          SHA512

          dfe223edf0ac2df4d82247e5bf7456727594d2b403917c9964a4f2d51f9fbdddcb8c8db1bc0ad302a1ce33af6279291d4b004f50602105416138096adf28b3ab

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\foeo1sny\foeo1sny.0.vb
          Filesize

          78KB

          MD5

          7005dcef76235ec6687f2ab3dbad7922

          SHA1

          d401d663d8d7a798f733ee0d4ed45a5153fbc9c0

          SHA256

          8a1dfe11d553f1076280c3a5eb226e31bfe65f8e3920fd4e9041d13b70964c17

          SHA512

          24a4c998914bb70ca2445b72393e8746ddec7a27a3b96af61b1d4fb41d147ae5a3c965f29dc2bae0572e05d22d29ef4cb91d9226a6a53c9d58479ca681ae9ad0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\foeo1sny\foeo1sny.cmdline
          Filesize

          292B

          MD5

          7de50dea6c33ea10a42133e2754fcbc4

          SHA1

          db0b8e25b5b2e92f5d3a2adbb0f8d2f91569491b

          SHA256

          9dbf65f3a5485ab11e809e32c3c76d4b0abc3acf932af283dbccd1f8f00463d3

          SHA512

          7b89a68781ff9b2460e9270a896ca588cb44b7dc7149646633082507ad337b6c1fcb5ef855f7b7dbb3166bd10b9092f904748f309176d239fcdc4f3854baa5b8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\vbc5AB98A282714F35A028821C642A7A.TMP
          Filesize

          1KB

          MD5

          d40c58bd46211e4ffcbfbdfac7c2bb69

          SHA1

          c5cf88224acc284a4e81bd612369f0e39f3ac604

          SHA256

          01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

          SHA512

          48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

          Download Submit

        • C:\Users\Admin\Documents\XClient.exe
          Filesize

          32KB

          MD5

          90c5d2e4d96ca773f5dec6e57dbb3bca

          SHA1

          5e3351300e587088b27d6bc8222f2578c33d1ad2

          SHA256

          c971fd446f67b996e7fbb3fc1b7b2c810b5a6929e1db8e8aa9d26adc8988f6d1

          SHA512

          857162c25905dee22a8645ace413fd4ad6e9ae2e7d2b4524e5296718f277d5ae2fbe5f88f236ca637add3c8a104d04e0ed3269adf4bb165a7c630ff17d0a8fd4

          Download Submit

        • memory/836-6-0x000007FEF6523000-0x000007FEF6524000-memory.dmp

          Filesize

          4KB

          Download

        • memory/836-4-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/836-7-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/836-8-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/836-9-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/836-10-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/836-11-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/836-13-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/836-14-0x0000000027300000-0x0000000027310000-memory.dmp

          Filesize

          64KB

          Download

        • memory/836-15-0x0000000028A00000-0x0000000028B68000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/836-5-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/836-0-0x000007FEF6523000-0x000007FEF6524000-memory.dmp

          Filesize

          4KB

          Download

        • memory/836-3-0x000000001C700000-0x000000001C8F4000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/836-2-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/836-30-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/836-1-0x0000000000970000-0x0000000001858000-memory.dmp

          Filesize

          14.9MB

          Download

        • memory/836-38-0x0000000028440000-0x00000000284F2000-memory.dmp

          Filesize

          712KB

          Download

        • memory/836-35-0x0000000026080000-0x0000000026102000-memory.dmp

          Filesize

          520KB

          Download

        • memory/836-36-0x000000001C900000-0x000000001C92C000-memory.dmp

          Filesize

          176KB

          Download

        • memory/836-37-0x0000000028B70000-0x0000000028E52000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/1012-34-0x00000000009E0000-0x00000000009EE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1012-39-0x0000000000450000-0x000000000045E000-memory.dmp

          Filesize

          56KB

          Download