agenttesla | 3a77ee6438c4c26856aeb1d4013627b03ab07b98b06d978c7e067caca0e657f3 | Triage

Submit
Reports

Overview

overview

Static

static

xworm.zip

windows10-1703-x64

Sharing

General

Target

xworm.zip
Size

64.9MB
Sample

240829-1kv8lssgqh
MD5

4eacddfe84635b2c1817c4533ff63920
SHA1

8c0087fc2b84fbf59aa163abcc86b79b769a83d6
SHA256

3a77ee6438c4c26856aeb1d4013627b03ab07b98b06d978c7e067caca0e657f3
SHA512

af315d17172ff165bcea5937a0b7c37248178252e61ae19102ac3732bc1b5b4481f298a4474c4fee84794b40e9edac9b17002df85cdd17a240ac1db9bdfd92e8
SSDEEP

1572864:ZgbHGPnh4vk0M0jruxV7oswXMdNHxzQcvAyOO3RlE6L:xnEkU2mX4zQWAnOBN

Score

10^/10

agenttesla stormkitty xworm execution keylogger persistence rat spyware stealer trojan

Static task

static1

agenttesla stormkitty xworm

8 signatures

Behavioral task

behavioral1

Sample

xworm.zip

Resource

win10-20240404-en

agenttesla xworm execution keylogger persistence rat spyware stealer trojan

windows10-1703-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

manufacturer-rank.gl.at.ply.gg:60383

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  xworm.zip
- Size
  
  64.9MB
- MD5
  
  4eacddfe84635b2c1817c4533ff63920
- SHA1
  
  8c0087fc2b84fbf59aa163abcc86b79b769a83d6
- SHA256
  
  3a77ee6438c4c26856aeb1d4013627b03ab07b98b06d978c7e067caca0e657f3
- SHA512
  
  af315d17172ff165bcea5937a0b7c37248178252e61ae19102ac3732bc1b5b4481f298a4474c4fee84794b40e9edac9b17002df85cdd17a240ac1db9bdfd92e8
- SSDEEP
  
  1572864:ZgbHGPnh4vk0M0jruxV7oswXMdNHxzQcvAyOO3RlE6L:xnEkU2mX4zQWAnOBN
Score

10^/10

agenttesla xworm execution keylogger persistence rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- AgentTesla payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

agentteslastormkittyxworm

behavioral1

agentteslaxwormexecutionkeyloggerpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy