agenttesla | 3a5e81d324db316d732da47ab518739928ea4890fddff8b386ababf168719eaa | Triage

Submit
Reports

Overview

overview

Static

static

Xworm 5.6/....6.exe

windows7-x64

Xworm 5.6/....6.exe

windows10-2004-x64

Sharing

General

Target

xworm v5.6.rar
Size

23.2MB
Sample

240821-jp4l4s1cpr
MD5

12613a4c5445f137acff23cb020311c7
SHA1

88a1cf43fd5159b5171ed7e76607be0fb49336fa
SHA256

3a5e81d324db316d732da47ab518739928ea4890fddff8b386ababf168719eaa
SHA512

47aaa3025e101d940c0e7994c0377ffd24aadd871ab9a6e7b3f5ada401eb3690e60a48c14c000d56b0051cf61112d400c5534fae17053e29dd7baf1f66eb9b42
SSDEEP

393216:LyaE/i+e39n3bQr3vuO8kv9e6JIatKidc/fApwx8Ls3A4eTo6OqwDyEWNhTP6tGg:Lyt+3hw/d/iatbdcHApOFmo6OJuNNQtH

Score

10^/10

agenttesla stormkitty xworm execution persistence rat trojan

Static task

static1

agenttesla stormkitty xworm

8 signatures

Behavioral task

behavioral1

Sample

Xworm 5.6/Xworm V5.6.exe

Resource

win7-20240704-en

xworm execution persistence rat trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

Xworm 5.6/Xworm V5.6.exe

Resource

win10v2004-20240802-en

xworm execution persistence rat trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

might-gdp.gl.at.ply.gg:58764

capacity-rise.gl.at.ply.gg:36727

Attributes

install_file
USB.exe

Targets

- Target
  
  Xworm 5.6/Xworm V5.6.exe
- Size
  
  7.8MB
- MD5
  
  c271db9b847221076506fd6b80d27e70
- SHA1
  
  97949415366b41d720fc787fec8d79caed7b7167
- SHA256
  
  b33c17ec8a56e93f0c936197fe1b5c79c6db69bd002a89e739bd52871c9ebef1
- SHA512
  
  63e96f38074d6f81ee937e10caf49cb56c2f443dabc8c8ad10542c1e93e26be52a80d7f77761f42ad087d2c711d1f1e72bc467e6724f8256a602434767e6d6d1
- SSDEEP
  
  196608:cmKLCFU/jHq/puROyhxeyOC7+oiRkbtejBe5d:cmmq/pkOYxehohbtN
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

agentteslastormkittyxworm

behavioral1

xwormexecutionpersistencerattrojan

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy