agenttesla | 97b156f53366d0aac2e46c97b8f7bb3efb1a541e0a923aed24c0f8e7d4c4ee25

Analysis

max time kernel
38s
max time network
38s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZeroxStealerInstaller.exe
Size

2.9MB
MD5

9b1a7d9403b93f7a390d953c2785a9ed
SHA1

0246222a9290cd73bfda0e402722a82d04507a43
SHA256

97b156f53366d0aac2e46c97b8f7bb3efb1a541e0a923aed24c0f8e7d4c4ee25
SHA512

fdf61c48deee07db3563859a934fd9238c3ed33bd68b180fbf46d121b233359b69d3ec6c370f0ca17bbdb444ec8a784985d54a06704dfe1ea22701124b0fc4b0
SSDEEP

49152:qvo+8aGzQqDRtQH/vpxWIfKgVgVKkbmNoi7r+ogPpkZs/ohvc8q8IzIWvuA8KXAb:qh83dRtMvb/KgVLNNwRkVhBNIzWvKo

Score

10^/10

agenttesla xworm execution keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

lijaligibidu-35558.portmap.host:35558

127.0.0.1:28019

chilhoek-28019.portmap.host:28019

Attributes

Install_directory
%AppData%
install_file
Windows Security.exe

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012291-5.dat	family_xworm
behavioral1/memory/2412-11-0x0000000001150000-0x0000000001168000-memory.dmp	family_xworm
behavioral1/files/0x0008000000016c7c-10.dat	family_xworm
behavioral1/memory/2968-13-0x0000000000B40000-0x0000000000B5A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/2752-25-0x000000001B9E0000-0x000000001BBF6000-memory.dmp	family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1948	powershell.exe
2232	powershell.exe
1632	powershell.exe
396	powershell.exe
1624	powershell.exe
1668	powershell.exe
1572	powershell.exe
2876	powershell.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient (2).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient (2).exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security.lnk	WindowsSecurity.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security.lnk	WindowsSecurity.exe

Executes dropped EXE 3 IoCs

pid	Process
2412	WindowsSecurity.exe
2968	XClient (2).exe
2752	ZeroxStealerInstaller.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	ZeroxStealerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	ZeroxStealerInstaller.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ZeroxStealerInstaller.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1668	powershell.exe
1572	powershell.exe
2876	powershell.exe
1948	powershell.exe
2968	XClient (2).exe
2232	powershell.exe
1632	powershell.exe
396	powershell.exe
1624	powershell.exe
2412	WindowsSecurity.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	XClient (2).exe
Token: SeDebugPrivilege	2412	WindowsSecurity.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	2968	XClient (2).exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2412	WindowsSecurity.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2968	XClient (2).exe
2412	WindowsSecurity.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2412	2972	ZeroxStealerInstaller.exe	30
PID 2972 wrote to memory of 2412	2972	ZeroxStealerInstaller.exe	30
PID 2972 wrote to memory of 2412	2972	ZeroxStealerInstaller.exe	30
PID 2972 wrote to memory of 2968	2972	ZeroxStealerInstaller.exe	31
PID 2972 wrote to memory of 2968	2972	ZeroxStealerInstaller.exe	31
PID 2972 wrote to memory of 2968	2972	ZeroxStealerInstaller.exe	31
PID 2972 wrote to memory of 2752	2972	ZeroxStealerInstaller.exe	32
PID 2972 wrote to memory of 2752	2972	ZeroxStealerInstaller.exe	32
PID 2972 wrote to memory of 2752	2972	ZeroxStealerInstaller.exe	32
PID 2968 wrote to memory of 1668	2968	XClient (2).exe	34
PID 2968 wrote to memory of 1668	2968	XClient (2).exe	34
PID 2968 wrote to memory of 1668	2968	XClient (2).exe	34
PID 2968 wrote to memory of 1572	2968	XClient (2).exe	36
PID 2968 wrote to memory of 1572	2968	XClient (2).exe	36
PID 2968 wrote to memory of 1572	2968	XClient (2).exe	36
PID 2968 wrote to memory of 2876	2968	XClient (2).exe	38
PID 2968 wrote to memory of 2876	2968	XClient (2).exe	38
PID 2968 wrote to memory of 2876	2968	XClient (2).exe	38
PID 2968 wrote to memory of 1948	2968	XClient (2).exe	40
PID 2968 wrote to memory of 1948	2968	XClient (2).exe	40
PID 2968 wrote to memory of 1948	2968	XClient (2).exe	40
PID 2412 wrote to memory of 2232	2412	WindowsSecurity.exe	43
PID 2412 wrote to memory of 2232	2412	WindowsSecurity.exe	43
PID 2412 wrote to memory of 2232	2412	WindowsSecurity.exe	43
PID 2412 wrote to memory of 1632	2412	WindowsSecurity.exe	45
PID 2412 wrote to memory of 1632	2412	WindowsSecurity.exe	45
PID 2412 wrote to memory of 1632	2412	WindowsSecurity.exe	45
PID 2412 wrote to memory of 396	2412	WindowsSecurity.exe	47
PID 2412 wrote to memory of 396	2412	WindowsSecurity.exe	47
PID 2412 wrote to memory of 396	2412	WindowsSecurity.exe	47
PID 2412 wrote to memory of 1624	2412	WindowsSecurity.exe	49
PID 2412 wrote to memory of 1624	2412	WindowsSecurity.exe	49
PID 2412 wrote to memory of 1624	2412	WindowsSecurity.exe	49

C:\Users\Admin\AppData\Local\Temp\ZeroxStealerInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\ZeroxStealerInstaller.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
  "C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Security.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- C:\Users\Admin\AppData\Roaming\XClient (2).exe
  "C:\Users\Admin\AppData\Roaming\XClient (2).exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient (2).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient (2).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- C:\Users\Admin\AppData\Roaming\ZeroxStealerInstaller.exe
  "C:\Users\Admin\AppData\Roaming\ZeroxStealerInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d4591f77efab5cd426c4b7df909c0f67

SHA1
f8e66f32a0f05cdcad7f4a9ed61ace9f347a5abf

SHA256
ebf1d4954ec553a4195a625fec27cc0ed1909f16bca217a23f5edf8af9be05a5

SHA512
bf38e6b12225368ea762603bc118f3b3011a8925ce9cda57ddab0acf93a9cf885fae5c7be773bf1673f64890de2fd09d3910a3e90dc9bd584fb1cd77bc4705eb

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe

Filesize
75KB

MD5
cf219a189dae4a022f26dd58cd5367e6

SHA1
76c2e7b756e894afc4e5fd7267fce398d58c518f

SHA256
725c0bcdb953e39e96a0192d2712b261541647259e494c583d19697a10d2ffbe

SHA512
21dc7cdd5ea07be708a5c696708207a1760851d2fbb608969254a8f3e806bbb87b6b27a4d5f4cecf1b5d90f6fc81759fd9f6222ddafdb955d41b0333ea085f1f

Download Submit
C:\Users\Admin\AppData\Roaming\XClient (2).exe

Filesize
81KB

MD5
c1b7e4e3a25be04cc93a44017bd58298

SHA1
b40e7d99a41bd49172cd23470ccb4387b3351942

SHA256
9f36f62ffb252f041490ccf9faf344e03a7987a566cc399f0be06e4e5e60fbcb

SHA512
4192250e78e0a3440e2b5d1b7782566a55d96fa8a68877ff8869f617ce3095374289c78ea3d200082fb91efb8fcbce8fea946fcfea08cef05265a2c3512f99cf

Download Submit
C:\Users\Admin\AppData\Roaming\ZeroxStealerInstaller.exe

Filesize
2.7MB

MD5
e4468845f3b426403f3223a1b18cf858

SHA1
9cea44a892f83e660d56a69bc97af2c094b2f087

SHA256
7cebe983265c3a77b2a369b56edd521733e9103f1a42fd09dcaf5abf5dd547bd

SHA512
c4703c2f3f0bb92020b4d920d5ba2e6ba7e505ae736bc7b4d5289ed8b3faff3748061f731e6f6ecf0aa6d78eccbfa187175a07f54bd7e4b97345f8bc91080840

Download Submit
memory/1572-38-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/1572-37-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/1668-30-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/1668-31-0x0000000001F10000-0x0000000001F18000-memory.dmp

Filesize
32KB

Download
memory/2412-22-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2412-11-0x0000000001150000-0x0000000001168000-memory.dmp

Filesize
96KB

Download
memory/2412-50-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2752-23-0x000000001B540000-0x000000001B68E000-memory.dmp

Filesize
1.3MB

Download
memory/2752-24-0x00000000021D0000-0x00000000021E4000-memory.dmp

Filesize
80KB

Download
memory/2752-25-0x000000001B9E0000-0x000000001BBF6000-memory.dmp

Filesize
2.1MB

Download
memory/2752-21-0x0000000000B00000-0x0000000000DC6000-memory.dmp

Filesize
2.8MB

Download
memory/2968-13-0x0000000000B40000-0x0000000000B5A000-memory.dmp

Filesize
104KB

Download
memory/2972-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

Filesize
4KB

Download
memory/2972-1-0x00000000003A0000-0x0000000000690000-memory.dmp

Filesize
2.9MB

Download