agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

OxycoRat.zip
Size

128.7MB
Sample

240902-tlvj5svdja
MD5

12b56e6bcabd01a956035c581a4483c9
SHA1

cebd39acb7aa418717f6aa3c9f82ff214c9e535b
SHA256

42e2abe0db24e083cad593a5f11758972c9e50909f371574614086ce419e4590
SHA512

f06caf6f2c1cb522f0f1df2da492e3e6114bb6b0234c23eef9be7856384b3253ae13f46cabb0500f3ee7e10462a9aab61a8eda1060cd33bab46e25264a587e6e
SSDEEP

3145728:VwKL/f/OreQ1DWjGB2EcH9tya6k//n3PNv+tNOKMPU:Vrf/OyQ1DWj04tXViNOTPU

Score

10^/10

Malware Config

Extracted

Family

xworm

146.190.110.91:3389

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Targets

- Target
  
  AxInterop.WMPLib.dll
- Size
  
  52KB
- MD5
  
  a3d56b5f9b8013d9c7edc956f14cfc3e
- SHA1
  
  e1daea03548794c245114f246d8847d4aef8cd26
- SHA256
  
  fa48acd3d2c6f288685845d121836f90a7b29838e0e5b157c18eef05180abd2a
- SHA512
  
  3e440a62626dba15d66018530c906e2ca5ac72ccb2a7e936e2f85605047554ed7047a8879da83d4f082936cd2630e8da0e29b83e8289f5ef363a7c89e5d3d730
- SSDEEP
  
  768:6TiglqcPGmH+BSITBFo+iRdbBFS1WSbfi5qlD+P2mHvaVhXUWdYzXnO:JgvH+oETfiRnFS1WSbfi5qlsaV2WGjO
Score

1^/10
behavioral1
- Target
  
  Dynamitey.dll
- Size
  
  165KB
- MD5
  
  be2e56a09631590b126e7391c7452c48
- SHA1
  
  a2553f248739cfc26b8ab48d749d4a70de589e0c
- SHA256
  
  da043bd3a340f9155a54547e3bc379279d488e9ba56ce76076c5a5d6c26337a4
- SHA512
  
  741a259a7a6217168d3c1ff8ff0e41d39c20c672dd3aa8cab8b1fca4877ccc0af2cc4382f5e6bc3192b042445e29bf0b1581f4255d42aaf5a61c2f76a2844240
- SSDEEP
  
  3072:3NS1izfuCxst/mKWF9gepzIPmjmfsf8s:IOfuCxst/mKWntqHsf8
Score

1^/10
behavioral2
- Target
  
  GeoIPCitys.dll
- Size
  
  191KB
- MD5
  
  c070f2421851420e832e4f5989a775a2
- SHA1
  
  d6af3c48ffbe0fa1e0e54860836d3bbf374b8b46
- SHA256
  
  d54fd6c5903eea49a75d620d4ba232f8effb1863f5f9c974e4ac0a8fb1904131
- SHA512
  
  75c3edeb4c16d8e82eedc5595b9c3fde4cbd4a3e9deae1967ad513474920a48e4e9275fdc76f44032b1be570a4ece1a6393c4680af8989f67bcdec039d06798e
- SSDEEP
  
  3072:87IcHKc0TwY4O6BlLiJxTmd9h1+fJ5uJnjpUoh/ht21hYvpMaoySJHPc8E:8dHV0Tn4pox6d9G4k
Score

1^/10
behavioral3
- Target
  
  Guna.UI2.dll
- Size
  
  2.1MB
- MD5
  
  c19e9e6a4bc1b668d19505a0437e7f7e
- SHA1
  
  73be712aef4baa6e9dabfc237b5c039f62a847fa
- SHA256
  
  9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82
- SHA512
  
  b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de
- SSDEEP
  
  49152:6QNztBO2+VN7N3HtnPhx70ZO4+CPXOn5PThDH2TBeHjvjiBckYf+Yh/FJ3:6Ahck2z
Score

1^/10
behavioral4
- Target
  
  Interop.WMPLib.dll
- Size
  
  323KB
- MD5
  
  9f2802234d5dd98bacfa518f51213bda
- SHA1
  
  1ea89e9080595a8d585758f2815279e798029180
- SHA256
  
  cd7b170cb138925910bba2be1f4b06dfeeabe5602973ecdeaf61b0dc0962ebfa
- SHA512
  
  c3ac7da12cdca1ab828ff3ad6dbbbce16c87bfbfc3dbfc66a01582b92d006722c0f97fa0f1b1cfa6f69cad656467a2ed55094d505d9a82b41235caa4a5104c9f
- SSDEEP
  
  6144:upkr2dY/aBcjJOBHOBIQBajMtWvoJiLE1+XgRKz89G/4ZSb0Funwh6DsN2PIpCrN:upkr2dY/aBcjJOBHOBIQBajMtWvoJiLt
Score

1^/10
behavioral5
- Target
  
  NAudio.dll
- Size
  
  498KB
- MD5
  
  6ca17abccae3050f391401b2955f9333
- SHA1
  
  0975b039a793accb58130d6639262cd291d80d5d
- SHA256
  
  3ad5d09b4c8c3146d15955a564a9f1a57d7c795b189a25c6f722a738d95ef89c
- SHA512
  
  c08f366aae9baf0e7762f47a2f79d0dee5187a1d7631e5838590b7c12911bdeb6247e0ff860ade36e04f1d6717f919ad98df6d3a1a556bff4b8994db9616ccec
- SSDEEP
  
  12288:MnXnae2TPlr3zvzar5oRDaw92wP6mai9gs6C:K8lrT+r5ADakP4i9gs
Score

1^/10
behavioral6
- Target
  
  Newtonsoft.Json.dll
- Size
  
  695KB
- MD5
  
  195ffb7167db3219b217c4fd439eedd6
- SHA1
  
  1e76e6099570ede620b76ed47cf8d03a936d49f8
- SHA256
  
  e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
- SHA512
  
  56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
- SSDEEP
  
  12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
Score

1^/10
behavioral7
- Target
  
  Oxyco Rat V3‌‌.exe
- Size
  
  127.7MB
- MD5
  
  80cb709a1b0fe1c20b9ce2815a1407cc
- SHA1
  
  606f290963a21c41324e19d69b55d56f137c340c
- SHA256
  
  1191148cbaf0cb1a2e480b38d5b6412fc6be858f5c3a1062be65e0121ffd931c
- SHA512
  
  fde2961c37fcf6c83e7ca1d0fc3c63eb5109a258cb87975a9a867ef67259ad77e1f561041332d03a83d9b889a9cc4c32ca512b13bce9ee47cf4cb62878c98b56
- SSDEEP
  
  3145728:/wlH1VrNO4u3+tUZ302ih086cmXfEcza5+53Chpp:/SVrM4u3+tdpEMvs3CPp
Score

10^/10

agenttesla xworm discovery execution keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- AgentTesla payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
behavioral8
- Target
  
  System.IO.Compression.ZipFile.dll
- Size
  
  24KB
- MD5
  
  dcda916372128f13ada8b07026c1b3e7
- SHA1
  
  99d6c187de8510206a93d2eed9c65e65e0c86e72
- SHA256
  
  b5c12e9099643e2eda9b49edd0d98bdaed153c72a7e8e6235d8e78714402d16a
- SHA512
  
  d66de5d61cf7090ce2e11ca8064723a44c2fdbd7ed937f1cf4198ebe13083037941b816ad9022d332bbb853666785600fa8b1faca94c498d2f82de73fe1e42f9
- SSDEEP
  
  384:dK8Y54xRiW3mWeW+mWE3rq0GftpBj52ERHRN7dldBopPI:dKfemqiuEBHoa
Score

1^/10
behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Xworm

AgentTesla payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9