agenttesla | 3a77ee6438c4c26856aeb1d4013627b03ab07b98b06d978c7e067caca0e657f3

Analysis

max time kernel
59s
max time network
60s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29-08-2024 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xworm.zip
Size

64.9MB
MD5

4eacddfe84635b2c1817c4533ff63920
SHA1

8c0087fc2b84fbf59aa163abcc86b79b769a83d6
SHA256

3a77ee6438c4c26856aeb1d4013627b03ab07b98b06d978c7e067caca0e657f3
SHA512

af315d17172ff165bcea5937a0b7c37248178252e61ae19102ac3732bc1b5b4481f298a4474c4fee84794b40e9edac9b17002df85cdd17a240ac1db9bdfd92e8
SSDEEP

1572864:ZgbHGPnh4vk0M0jruxV7oswXMdNHxzQcvAyOO3RlE6L:xnEkU2mX4zQWAnOBN

Score

10^/10

agenttesla xworm execution keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

manufacturer-rank.gl.at.ply.gg:60383

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000006ad-250.dat	family_xworm
behavioral1/memory/4244-252-0x00000000005A0000-0x00000000005B8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 2 IoCs

resource	yara_rule
behavioral1/memory/2556-442-0x000001EEED7A0000-0x000001EEED994000-memory.dmp	family_agenttesla
behavioral1/files/0x000700000001ac72-441.dat	family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3564	powershell.exe
5000	powershell.exe
1100	powershell.exe
2316	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	Xworm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	Xworm.exe

Executes dropped EXE 4 IoCs

pid	Process
2620	Xworm V5.6 Starter.exe
4244	Xworm.exe
1056	Xworm V5.6.exe
2556	Xworm V5.6.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\System User = "C:\\Users\\Admin\\AppData\\Roaming\\System User"	Xworm.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4188	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe
1100	powershell.exe
1100	powershell.exe
1100	powershell.exe
2316	powershell.exe
2316	powershell.exe
2316	powershell.exe
4244	Xworm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4184	7zG.exe
Token: 35	4184	7zG.exe
Token: SeSecurityPrivilege	4184	7zG.exe
Token: SeSecurityPrivilege	4184	7zG.exe
Token: SeDebugPrivilege	4244	Xworm.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeIncreaseQuotaPrivilege	3564	powershell.exe
Token: SeSecurityPrivilege	3564	powershell.exe
Token: SeTakeOwnershipPrivilege	3564	powershell.exe
Token: SeLoadDriverPrivilege	3564	powershell.exe
Token: SeSystemProfilePrivilege	3564	powershell.exe
Token: SeSystemtimePrivilege	3564	powershell.exe
Token: SeProfSingleProcessPrivilege	3564	powershell.exe
Token: SeIncBasePriorityPrivilege	3564	powershell.exe
Token: SeCreatePagefilePrivilege	3564	powershell.exe
Token: SeBackupPrivilege	3564	powershell.exe
Token: SeRestorePrivilege	3564	powershell.exe
Token: SeShutdownPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeSystemEnvironmentPrivilege	3564	powershell.exe
Token: SeRemoteShutdownPrivilege	3564	powershell.exe
Token: SeUndockPrivilege	3564	powershell.exe
Token: SeManageVolumePrivilege	3564	powershell.exe
Token: 33	3564	powershell.exe
Token: 34	3564	powershell.exe
Token: 35	3564	powershell.exe
Token: 36	3564	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeIncreaseQuotaPrivilege	5000	powershell.exe
Token: SeSecurityPrivilege	5000	powershell.exe
Token: SeTakeOwnershipPrivilege	5000	powershell.exe
Token: SeLoadDriverPrivilege	5000	powershell.exe
Token: SeSystemProfilePrivilege	5000	powershell.exe
Token: SeSystemtimePrivilege	5000	powershell.exe
Token: SeProfSingleProcessPrivilege	5000	powershell.exe
Token: SeIncBasePriorityPrivilege	5000	powershell.exe
Token: SeCreatePagefilePrivilege	5000	powershell.exe
Token: SeBackupPrivilege	5000	powershell.exe
Token: SeRestorePrivilege	5000	powershell.exe
Token: SeShutdownPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeSystemEnvironmentPrivilege	5000	powershell.exe
Token: SeRemoteShutdownPrivilege	5000	powershell.exe
Token: SeUndockPrivilege	5000	powershell.exe
Token: SeManageVolumePrivilege	5000	powershell.exe
Token: 33	5000	powershell.exe
Token: 34	5000	powershell.exe
Token: 35	5000	powershell.exe
Token: 36	5000	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeIncreaseQuotaPrivilege	1100	powershell.exe
Token: SeSecurityPrivilege	1100	powershell.exe
Token: SeTakeOwnershipPrivilege	1100	powershell.exe
Token: SeLoadDriverPrivilege	1100	powershell.exe
Token: SeSystemProfilePrivilege	1100	powershell.exe
Token: SeSystemtimePrivilege	1100	powershell.exe
Token: SeProfSingleProcessPrivilege	1100	powershell.exe
Token: SeIncBasePriorityPrivilege	1100	powershell.exe
Token: SeCreatePagefilePrivilege	1100	powershell.exe
Token: SeBackupPrivilege	1100	powershell.exe
Token: SeRestorePrivilege	1100	powershell.exe
Token: SeShutdownPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeSystemEnvironmentPrivilege	1100	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4184	7zG.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4244	Xworm.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 4244	2620	Xworm V5.6 Starter.exe	80
PID 2620 wrote to memory of 4244	2620	Xworm V5.6 Starter.exe	80
PID 2620 wrote to memory of 1056	2620	Xworm V5.6 Starter.exe	81
PID 2620 wrote to memory of 1056	2620	Xworm V5.6 Starter.exe	81
PID 4244 wrote to memory of 3564	4244	Xworm.exe	83
PID 4244 wrote to memory of 3564	4244	Xworm.exe	83
PID 4244 wrote to memory of 5000	4244	Xworm.exe	88
PID 4244 wrote to memory of 5000	4244	Xworm.exe	88
PID 4244 wrote to memory of 1100	4244	Xworm.exe	90
PID 4244 wrote to memory of 1100	4244	Xworm.exe	90
PID 4244 wrote to memory of 2316	4244	Xworm.exe	92
PID 4244 wrote to memory of 2316	4244	Xworm.exe	92
PID 4244 wrote to memory of 4188	4244	Xworm.exe	94
PID 4244 wrote to memory of 4188	4244	Xworm.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\xworm.zip
1⤵
PID:1276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5020

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\xworm\" -spe -an -ai#7zMap4163:90:7zEvent5509
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4184

C:\Users\Admin\Desktop\xworm\Xworm-V5.6\Xworm V5.6 Starter.exe
"C:\Users\Admin\Desktop\xworm\Xworm-V5.6\Xworm V5.6 Starter.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\Xworm.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xworm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xworm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2316
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4188
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:1056

C:\Users\Admin\Desktop\xworm\Xworm-V5.6\Xworm V5.6.exe
"C:\Users\Admin\Desktop\xworm\Xworm-V5.6\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
603651c39c9e292b514183a668e47efe

SHA1
f4423dca6808bec14d60682be5c5ea2aa259aff4

SHA256
7b0008ab40f178a6f5ecbb7a637c0e67c694b100ac638f8ddcaf3db96a4ea2be

SHA512
160555acc7db21fe1c3339848e027bd2975578ab3dd14ec5530162a1f73e823ada6b0c97598908f97c9fc8a744d4abd28684e1f05d9be1fe7ceebde941b073c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1ebc4e9af6aaec46a4285fba919570b4

SHA1
bb3cf56c770dae2973844dcc7ac0712486c89501

SHA256
14425aea5f387b013a11f7954380f9ef85d9e29a569860eb553a319467246b54

SHA512
9205a54680d7810b87977bc481a97a9d2fd3459f4859051a520c6d1814add614569c6881949ef1493cfe6a583b2939c6b86cbcdf54e0599eeeb26035e8177235

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
37f83123ffd598c9b19b1f934f2c75a6

SHA1
7fb4fb78d6b85981f56834f0016b0711966f8ed8

SHA256
0f57585f2773f0422cfeb8db26e25ce17484ccab1c25a59ae9a233695cbac935

SHA512
311569c44f78a51c01e1ff2e208c47139813291b6309e575f74ec872b2d6bcdb75f4e6f7a512ba8cb651e5da80009c0fe98a9c7ccc2dd943bd01a3098dc35bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xworm.exe

Filesize
76KB

MD5
2440671e67fb9e5087758e8c496d2c3a

SHA1
eac0d14a9866208ac6920a7a906eef761b3e0c2a

SHA256
e6c4447bc9d07a89b142f89e5011b2fa37eb77a243c9537ef992a1786a6044a3

SHA512
6bc35fd57775a3794b49c1e8576ba2e3b05f47a893b604bffeaf38cc01429dcccd5011c29dc80c88cf1fdaa9dd15c6cf168b885d532821939c68a603d7b64d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jnx1m5z2.wib.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Desktop\xworm\Xworm-V5.6\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\xworm\Xworm-V5.6\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Desktop\xworm\Xworm-V5.6\Xworm V5.6 Starter.exe

Filesize
7.7MB

MD5
bbf43a166ade7e2a0d2b930c41fb20a3

SHA1
d956dd742690aa25a59a84104cd3adbc40fcba78

SHA256
e948b08eb91c2dca67517126d71e5175e222598e6f1928d3ee78560b08e40b2b

SHA512
fcad5fc89da1d823a929cfebcdd19869605d646696f2399b2a84caa78e5a9854622e9d6b4184aba4ae080650513e1db01eb2412d995f87f18c4da90293fe523b

Download Submit
C:\Users\Admin\Desktop\xworm\Xworm-V5.6\Xworm V5.6.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
memory/1056-259-0x0000013FBBA90000-0x0000013FBC978000-memory.dmp

Filesize
14.9MB

Download
memory/2556-442-0x000001EEED7A0000-0x000001EEED994000-memory.dmp

Filesize
2.0MB

Download
memory/2620-246-0x0000000000690000-0x0000000000E42000-memory.dmp

Filesize
7.7MB

Download
memory/3564-267-0x000001383EFB0000-0x000001383F026000-memory.dmp

Filesize
472KB

Download
memory/3564-264-0x000001383EE00000-0x000001383EE22000-memory.dmp

Filesize
136KB

Download
memory/4244-252-0x00000000005A0000-0x00000000005B8000-memory.dmp

Filesize
96KB

Download