agenttesla | 97a22c0ccf016548ea84f9152fb5d58dddb374e9874956fbb9d12ae67aa1e9d2 | Triage

Submit
Reports

Overview

overview

Static

static

XWorm V5.2....2.exe

windows7-x64

XWorm V5.2....2.exe

windows10-2004-x64

Sharing

General

Target

XWorm V5.2.zip
Size

22.4MB
Sample

240904-wvtqbavapp
MD5

75c4494dc75e58877e387a013e3c3c6c
SHA1

fae9424a9824ee6d5708e5e0e800a13b2a5a8760
SHA256

97a22c0ccf016548ea84f9152fb5d58dddb374e9874956fbb9d12ae67aa1e9d2
SHA512

85730abeaa6741d38ac46a7c44335b4e5033e568d8245fb07b491f075dba6aa975524c775799831ef53d93b10cca0fde35a8578ece7a6011e10d6339ca67a0c1
SSDEEP

393216:qncrFe8+5LfQ4RLbX7XjWdZhAxvsaME6W21+6qQfi4fDif77vwSM6f1zCGr+9n3/:qcrFi5bQyLj7TQieaMWY+2zufk+CGr0P

Score

10^/10

agenttesla stormkitty xworm execution rat trojan

Static task

static1

agenttesla stormkitty xworm

8 signatures

Behavioral task

behavioral1

Sample

XWorm V5.2/XWorm V5.2.exe

Resource

win7-20240903-en

xworm execution rat trojan

windows7-x64

16 signatures

600 seconds

Behavioral task

behavioral2

Sample

XWorm V5.2/XWorm V5.2.exe

Resource

win10v2004-20240802-en

xworm execution rat trojan

windows10-2004-x64

15 signatures

600 seconds

Malware Config

Extracted

Family

xworm

C2

uk1.localto.net:3725

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe

Targets

- Target
  
  XWorm V5.2/XWorm V5.2.exe
- Size
  
  73KB
- MD5
  
  b85f72648cf99409357519725c9bd5fc
- SHA1
  
  de3b9162632a96c4a3ac27da6663399a0d393910
- SHA256
  
  b06d089bd5be63788ef530ff1f93216625aa66d1d811f9ec3f2892268b656011
- SHA512
  
  4569a7a710ea4226dc81b6d158cabae1dd0e5452d5847e5d29d68efa0e2572092c19c9887c5a8498acb78dd2c961bb1d72750e671ff89de0ce2c0b6922292804
- SSDEEP
  
  1536:jqst7fwnejh7pHWpUhFYdsTudTb42WKvCBXH3KyuJG6JyORxaE1QHK:jBFZ7pWpHmWTb42NCXRu7yORoEyHK
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

agentteslastormkittyxworm

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionrattrojan

© 2018-2024

Terms | Privacy