General

  • Target

    XWorm V5.2.zip

  • Size

    52.0MB

  • Sample

    240802-3xbe3szflb

  • MD5

    2bad9510e5b0bf509912c52aaabef753

  • SHA1

    1b1c5fca58bd9f935972ae02d6cc063334d65da7

  • SHA256

    3cb0728db93f2c80aaf137a7016bd7f7fc04164c9516adf8f3e298016a44c559

  • SHA512

    1308d15044067914e9f339ac5fab3faa30c61175d9bf6db114d7306e3bf6dcc219e65c64e6fadfa8739a77013d6d869dc9d12aed76a6ebebd09046fbb035c352

  • SSDEEP

    1572864:cXjrCTvb2VU8IrNhMXLe2KoZQ0/4H+b+LwbgUSiaG2FB:cn9ReNSBZJ/4bT9Gq

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:53435

10.127.1.38:53435

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/H3wFXmEi

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

JYj1EIwWwj45bGVr

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • aes.plain

Targets

    • Target

      XWorm V5.2.zip

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic .NET.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • AgentTesla payload

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory
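
The behaviours listed above (dropped XClient.exe, Run key, startup file, Defender exclusions added through PowerShell, and the mutex and C2 ports from the extracted configs) map onto a short host-triage checklist. The script below is an added example, not part of the Triage report and not code from XWorm; it takes the install file, install directories, mutex name and C2 ports from the configs on this page and assumes nothing else about the sample. Function names and the output layout are this script's own. Two caveats: both extracted C2 addresses (127.0.0.1 and 10.127.1.38) are loopback or private-range builder defaults and are not usable as network indicators, so the connection check matches on port only; and the mutex check only fires while a client is actually running. Run in an elevated PowerShell session, since Get-MpPreference, Get-NetTCPConnection and the PowerShell Operational log need administrator rights.

```powershell
# Added host-triage script for the XWorm indicators in the report above.
# Values from the report: XClient.exe, %ProgramData% / %AppData%, mutex
# JYj1EIwWwj45bGVr, C2 ports 53435 and 7000. Everything else is assumed.
# Requires an elevated session for the Defender, network and event-log checks.

$InstallFile = 'XClient.exe'                       # install_file in both extracted configs
$InstallDirs = @($env:ProgramData, $env:APPDATA)   # Install_directory values
$MutexName   = 'JYj1EIwWwj45bGVr'                  # Mutex from the version 5.0 config
$C2Ports     = @(53435, 7000)                      # ports from the extracted C2 entries

function Find-XWormInstallFile {
    # "Executes dropped EXE": the client binary in either install directory.
    foreach ($dir in $InstallDirs) {
        $p = Join-Path $dir $InstallFile
        if (Test-Path -LiteralPath $p) {
            Get-Item -LiteralPath $p | Select-Object FullName, Length, LastWriteTime
        }
    }
}

function Find-XWormRunKey {
    # "Adds Run key to start application": any Run value whose command names XClient.exe.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }     # skip provider metadata properties
            if ("$($prop.Value)" -match [regex]::Escape($InstallFile)) {
                [pscustomobject]@{ Key = $k; ValueName = $prop.Name; Command = $prop.Value }
            }
        }
    }
}

function Find-XWormStartupFile {
    # "Drops startup file": shortcuts or binaries in the per-user Startup folder.
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -LiteralPath $startup -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match 'XClient' -or $_.Extension -eq '.lnk' } |
        Select-Object FullName, LastWriteTime
}

function Get-DefenderExclusions {
    # "Command and Scripting Interpreter: PowerShell": exclusions the sample adds.
    # Any entry naming %ProgramData%, %AppData% or XClient.exe is suspect.
    $pref = Get-MpPreference
    [pscustomobject]@{
        Paths      = $pref.ExclusionPath
        Extensions = $pref.ExclusionExtension
        Processes  = $pref.ExclusionProcess
    }
}

function Find-AddMpPreferenceScriptBlocks {
    # Script block logging (event 4104) records the Add-MpPreference call itself,
    # which survives even if the exclusions were later removed. Needs script block
    # logging enabled; returns nothing otherwise.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Add-MpPreference' } |
        Select-Object TimeCreated, Message
}

function Test-XWormMutex {
    # A running client holds the mutex; TryOpenExisting succeeds only while it does.
    # The report gives the bare name, so no Global\ prefix is assumed.
    $m = $null
    $held = [System.Threading.Mutex]::TryOpenExisting($MutexName, [ref]$m)
    if ($held) { $m.Dispose() }
    return $held
}

function Find-C2PortConnections {
    # The extracted C2 addresses are loopback/private, so match on port only.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $C2Ports -contains $_.RemotePort -and $_.State -eq 'Established' } |
        Select-Object RemoteAddress, RemotePort, OwningProcess
}

'== Dropped client ==';           Find-XWormInstallFile
'== Run keys ==';                 Find-XWormRunKey
'== Startup folder ==';           Find-XWormStartupFile
'== Defender exclusions ==';      Get-DefenderExclusions
'== Add-MpPreference in logs =='; Find-AddMpPreferenceScriptBlocks
"== Mutex held: $(Test-XWormMutex)"
'== Connections on C2 ports ==';  Find-C2PortConnections
```

Each function returns objects rather than text, so the checks can be piped into Export-Csv or a SIEM forwarder. Because the report's C2 values are builder defaults, the port match is a weak signal on its own; treat a hit on the dropped file, Run key or Defender exclusion as the primary evidence and the port and mutex checks as confirmation that a client is live.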

MITRE ATT&CK Enterprise v15

Tasks