agenttesla | 20027c560483941c10d60098ea22ee973b647ad934377be62c88ee4acb2fc465

Analysis

max time kernel
39s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
04-08-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.6.exe
Size

17.9MB
MD5

49f6c848fc3b1f32ed96b08bca221e53
SHA1

0c1da68ae22f31f61ded840a42515793e1432a24
SHA256

7926286cb142cc3d2511cde859dc78ea4d9a26b5007c80bc33879fc3e5800c0c
SHA512

1cb5fea83ccecf175ec1ed6e381bf09f915115458869f05ebdbfbd2a92b6ec41f0a5d004e0bf74a80ccc68491554bb7df95d10242f22ce1429a2bcff124b5ba1
SSDEEP

196608:M0gakUV27n9vemQvnDi9BsSqzcB/BAe1d4ihvy85JhhYc3BSL1kehn4inje:MXakUQ7n9vemmmB16ayIhhkRka4i

Score

10^/10

agenttesla keylogger spyware stealer trojan vmprotect

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/824-4-0x000000001DF60000-0x000000001E154000-memory.dmp	family_agenttesla

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/824-1-0x0000000000AD0000-0x00000000029DE000-memory.dmp	vmprotect

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.6.exe

C:\Users\Admin\AppData\Local\Temp\XWorm V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.6.exe"
1⤵
- Enumerates system info in registry
PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/824-0-0x000007FEF5FA3000-0x000007FEF5FA4000-memory.dmp

Filesize
4KB

Download
memory/824-1-0x0000000000AD0000-0x00000000029DE000-memory.dmp

Filesize
31.1MB

Download
memory/824-2-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/824-3-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/824-4-0x000000001DF60000-0x000000001E154000-memory.dmp

Filesize
2.0MB

Download
memory/824-5-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/824-6-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/824-7-0x000007FEF5FA3000-0x000007FEF5FA4000-memory.dmp

Filesize
4KB

Download
memory/824-8-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/824-9-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/824-10-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/824-11-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/824-12-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download