General

  • Target

    NovaManagerInstaller (4).exe

  • Size

    2.8MB

  • Sample

    240901-zwe54a1gkr

  • MD5

    3055a388e5f9b721da480f312807373f

  • SHA1

    1dbb315c1c6c11248d153957d1eff47db605ce4e

  • SHA256

    24ccac765017c273b8b75b27e77dca90feccf19cbd149567fe58b07e87bba443

  • SHA512

    e7a1dcabdda47f13e2aaf5af02943bd916a17271b9b6c6f954f531aad0e3984788dc7c65bdbc4a1ac528c2a261533a461fe5fdc5106cb2a1d6bbc1a586926010

  • SSDEEP

    49152:MXYD0FANdWDaBYYj5cMX8nal2Wi1LIXQlY8ilFf9F6MA0crNn1c7bT76:MXY2DQj5ca8l3iff9krB8bTW

Malware Config

Extracted

Family

xworm

Version

5.0

C2

every-cg.gl.at.ply.gg:5872

Mutex

OwcUM7wMu7X3270J

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Microsoft OneDrive.exe

aes.plain

Extracted

Family

xworm

C2

lijaligibidu-35558.portmap.host:35558

Attributes
  • Install_directory

    %AppData%

  • install_file

    Windows Security.exe

Targets

    • Target

      NovaManagerInstaller (4).exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • AgentTesla payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks