agenttesla | 20656fdafd57e6c5a39f48939cbc5c4073d3ea8662a97ef13d26b1247302e1ae | Triage

Submit
Reports

Overview

overview

Static

static

Setup.bat

windows7-x64

8

Setup.bat

windows10-2004-x64

Sharing

General

Target

WizWorm v4.zip
Size

37.3MB
Sample

240902-xpn4bavglk
MD5

ec4c4b3ce3366a6059c77c640108cd3f
SHA1

8af810badf7302e582d0d9d18aa1fe8c4cb8288c
SHA256

20656fdafd57e6c5a39f48939cbc5c4073d3ea8662a97ef13d26b1247302e1ae
SHA512

649f7306e361b9c26f39fc150767853231c0245b54969a5c98f31260b8967f64bfe682cd69a648b2df20ccfc1d5d4b13508ab8ecc4c7c2047af2d8feefa8b990
SSDEEP

786432:GJvWERE7Qu8rBDnyuEuYEyXbM462vawjvSjFi5bQy56kuHVcJT7mIwnxN07siP:G5nE7b8rBD7Eub+awjeFi5bncVkT7mIL

Score

10^/10

agenttesla xworm execution keylogger persistence rat spyware stealer trojan

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

Setup.bat

Resource

win7-20240708-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

Setup.bat

Resource

win10v2004-20240802-en

agenttesla xworm execution keylogger persistence rat spyware stealer trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

uk1.localto.net:4159

Attributes

Install_directory
%Temp%
install_file
schtask.exe

Targets

- Target
  
  Setup.bat
- Size
  
  18.2MB
- MD5
  
  5250a07fd2f90b5cee4b78aee015305b
- SHA1
  
  f6880b911ef1df3c709ca47b19bc197014c86959
- SHA256
  
  2edb7d64cdcf9445468c24d159cb4ec2316e69b31b82795a0520431d4c395e53
- SHA512
  
  7fba9040b48d4bd644fd6aebbf6992afae192c8042b3a50b0fc78f194307fb4318191b75878408aeea6b5e0f8f83141ee49cc410973110093d8188f7852bef48
- SSDEEP
  
  49152:9ufwwApQLWci6sSzR8hDsjxNu7bUDi1HssPlKrIixn9C5oLnybx7uti5BjgCP/XS:O
Score

10^/10

execution agenttesla xworm keylogger persistence rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- AgentTesla payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

agentteslaxwormexecutionkeyloggerpersistenceratspywarestealertrojan

© 2018-2025

Terms | Privacy