General
Target: https://cdn.discordapp.com/attachments/1270264454394810408/1278443670881701888/GorillaExecutor.zip?ex=66d0d2f3&is=66cf8173&hm=9a0358edd6192e90475affcb01b1c6f2c378c695840af5ec0e1963d139391bf0&
Sample: 240828-yp89xstamg
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1270264454394810408/1278443670881701888/GorillaExecutor.zip?ex=66d0d2f3&is=66cf8173&hm=9a0358edd6192e90475affcb01b1c6f2c378c695840af5ec0e1963d139391bf0&
Resource: win11-20240802-en
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 147.185.221.22:21505
Mutex: 8w0AA6eU6LkEznEy
Install_directory: %LocalAppData%
install_file: Windows Host Proccess.exe
Targets
- Target: https://cdn.discordapp.com/attachments/1270264454394810408/1278443670881701888/GorillaExecutor.zip?ex=66d0d2f3&is=66cf8173&hm=9a0358edd6192e90475affcb01b1c6f2c378c695840af5ec0e1963d139391bf0&
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect Xworm Payload
- AgentTesla payload
- Blocklisted process makes network request
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)