agenttesla | 1130ac1350c012b1ef293304ae61c9abe22ac8a0e20c708de009fa037ac71421 | Triage

Submit
Reports

Overview

overview

Static

static

3

work.exe

windows7-x64

work.exe

windows10-2004-x64

Resubmissions

25/08/2024, 18:33

240825-w7mgrsyakh 10

25/08/2024, 18:30

240825-w5rnpszclq 10

Sharing

Copy URL Twitter E-mail

General

Target

work.exe
Size

1.9MB
Sample

240825-w5rnpszclq
MD5

696093ad8d776d6a18e21e60bbfcb00f
SHA1

cbf05a6a0abfe1245b7bc3b989a82c40e896c6ba
SHA256

1130ac1350c012b1ef293304ae61c9abe22ac8a0e20c708de009fa037ac71421
SHA512

b30fc0fef3181999e12a522ec688a6909053462c64cddd63705a99d7d4d4488fc95b338ae1fd65f6f50c1c185b1edfb060c014ff5177636bfa098c0165beaf48
SSDEEP

49152:Od+KzYgjTWq2EtZ4KWSHWm9J8CCNI5cJ9WasWtkWGOfWAk4ZnWu5DO8:y+QWpEfZ2m9Ju25ciasWTGO5k4ZlVZ

Score

10^/10

agenttesla xworm execution keylogger rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

work.exe

Resource

win7-20240705-en

agenttesla xworm execution keylogger rat spyware stealer trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

work.exe

Resource

win10v2004-20240802-en

agenttesla xworm execution keylogger rat spyware stealer trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

lijaligibidu-35558.portmap.host:35558

Attributes

Install_directory
%AppData%
install_file
Windows Security.exe

Targets

- Target
  
  work.exe
- Size
  
  1.9MB
- MD5
  
  696093ad8d776d6a18e21e60bbfcb00f
- SHA1
  
  cbf05a6a0abfe1245b7bc3b989a82c40e896c6ba
- SHA256
  
  1130ac1350c012b1ef293304ae61c9abe22ac8a0e20c708de009fa037ac71421
- SHA512
  
  b30fc0fef3181999e12a522ec688a6909053462c64cddd63705a99d7d4d4488fc95b338ae1fd65f6f50c1c185b1edfb060c014ff5177636bfa098c0165beaf48
- SSDEEP
  
  49152:Od+KzYgjTWq2EtZ4KWSHWm9J8CCNI5cJ9WasWtkWGOfWAk4ZnWu5DO8:y+QWpEfZ2m9Ju25ciasWTGO5k4ZlVZ
Score

10^/10

agenttesla xworm execution keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- AgentTesla payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaxwormexecutionkeyloggerratspywarestealertrojan

behavioral2

agentteslaxwormexecutionkeyloggerratspywarestealertrojan

© 2018-2025

Terms | Privacy