agenttesla | 775d1aedd10e9b235c016071c063b31f03c30e5ec665b45bab20c91f9f7f2e24

Analysis

max time kernel
145s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MythoxCheats.exe
Size

3.9MB
MD5

0a237b5441585a97c5be411c8c255fb4
SHA1

5996a18a2702b37a4a90a2e5a5a36bb2ea468b0c
SHA256

775d1aedd10e9b235c016071c063b31f03c30e5ec665b45bab20c91f9f7f2e24
SHA512

8201ffd7fd7351f20788bd96388a7e2073d368f380ada45ccb3aa574ac1f2fd7f1a3d6568096734cc0e7bc9cadda42b2d6253b0872fd8d43e0f4ae43a4739402
SSDEEP

98304:b4FY5aHCXBgMsW9fYfdGpZ8WPfotjICkvunySH:06Q8iM/9lqCfoxz

Score

10^/10

agenttesla xworm execution keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:28019

chilhoek-28019.portmap.host:28019

lijaligibidu-35558.portmap.host:35558

Attributes

Install_directory
%AppData%
install_file
svhost.exe
telegram
https://api.telegram.org/bot7460505018:AAGtMNP89kfVCbpYBPLkO5O4JcFb8YqssUk

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000122ea-5.dat	family_xworm
behavioral1/memory/2060-9-0x0000000000C40000-0x0000000000C5A000-memory.dmp	family_xworm
behavioral1/files/0x0008000000016dd0-12.dat	family_xworm
behavioral1/memory/2332-13-0x0000000001230000-0x0000000001248000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/1668-25-0x000000001B9B0000-0x000000001BBC6000-memory.dmp	family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1736	powershell.exe
584	powershell.exe
2008	powershell.exe
2736	powershell.exe
1400	powershell.exe
2108	powershell.exe
2100	powershell.exe
2412	powershell.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient (1).exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security.lnk	WindowsSecurity.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security.lnk	WindowsSecurity.exe

Executes dropped EXE 3 IoCs

pid	Process
2060	XClient (1).exe
2332	WindowsSecurity.exe
1668	NovaManagerInstaller.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	NovaManagerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	NovaManagerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	NovaManagerInstaller.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
584	powershell.exe
2008	powershell.exe
1400	powershell.exe
2736	powershell.exe
2108	powershell.exe
2100	powershell.exe
2412	powershell.exe
1736	powershell.exe
2060	XClient (1).exe
2332	WindowsSecurity.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	XClient (1).exe
Token: SeDebugPrivilege	2332	WindowsSecurity.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2060	XClient (1).exe
Token: SeDebugPrivilege	2332	WindowsSecurity.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2060	XClient (1).exe
2332	WindowsSecurity.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 2060	540	MythoxCheats.exe	31
PID 540 wrote to memory of 2060	540	MythoxCheats.exe	31
PID 540 wrote to memory of 2060	540	MythoxCheats.exe	31
PID 540 wrote to memory of 2332	540	MythoxCheats.exe	32
PID 540 wrote to memory of 2332	540	MythoxCheats.exe	32
PID 540 wrote to memory of 2332	540	MythoxCheats.exe	32
PID 540 wrote to memory of 1668	540	MythoxCheats.exe	33
PID 540 wrote to memory of 1668	540	MythoxCheats.exe	33
PID 540 wrote to memory of 1668	540	MythoxCheats.exe	33
PID 2060 wrote to memory of 584	2060	XClient (1).exe	35
PID 2060 wrote to memory of 584	2060	XClient (1).exe	35
PID 2060 wrote to memory of 584	2060	XClient (1).exe	35
PID 2060 wrote to memory of 2008	2060	XClient (1).exe	37
PID 2060 wrote to memory of 2008	2060	XClient (1).exe	37
PID 2060 wrote to memory of 2008	2060	XClient (1).exe	37
PID 2060 wrote to memory of 1400	2060	XClient (1).exe	39
PID 2060 wrote to memory of 1400	2060	XClient (1).exe	39
PID 2060 wrote to memory of 1400	2060	XClient (1).exe	39
PID 2332 wrote to memory of 2736	2332	WindowsSecurity.exe	41
PID 2332 wrote to memory of 2736	2332	WindowsSecurity.exe	41
PID 2332 wrote to memory of 2736	2332	WindowsSecurity.exe	41
PID 2332 wrote to memory of 2108	2332	WindowsSecurity.exe	43
PID 2332 wrote to memory of 2108	2332	WindowsSecurity.exe	43
PID 2332 wrote to memory of 2108	2332	WindowsSecurity.exe	43
PID 2060 wrote to memory of 2100	2060	XClient (1).exe	44
PID 2060 wrote to memory of 2100	2060	XClient (1).exe	44
PID 2060 wrote to memory of 2100	2060	XClient (1).exe	44
PID 2332 wrote to memory of 2412	2332	WindowsSecurity.exe	47
PID 2332 wrote to memory of 2412	2332	WindowsSecurity.exe	47
PID 2332 wrote to memory of 2412	2332	WindowsSecurity.exe	47
PID 2332 wrote to memory of 1736	2332	WindowsSecurity.exe	49
PID 2332 wrote to memory of 1736	2332	WindowsSecurity.exe	49
PID 2332 wrote to memory of 1736	2332	WindowsSecurity.exe	49

C:\Users\Admin\AppData\Local\Temp\MythoxCheats.exe
"C:\Users\Admin\AppData\Local\Temp\MythoxCheats.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:540
- C:\Users\Admin\AppData\Roaming\XClient (1).exe
  "C:\Users\Admin\AppData\Roaming\XClient (1).exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient (1).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient (1).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
  "C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Security.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
- C:\Users\Admin\AppData\Roaming\NovaManagerInstaller.exe
  "C:\Users\Admin\AppData\Roaming\NovaManagerInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X6V3XBJNHANTV8NDEU7O.temp

Filesize
7KB

MD5
2dd4082ba464c877d2c6d00934dc40ed

SHA1
4ed3acde8b5d17dfa857ab5cf50be568df7d16cb

SHA256
d2350b545beb9f1af4af3d9db4716e8a926fa0ec5a27879632449fa5eda21e5e

SHA512
0d35325d27659d4e8a7c900e9d5c59b4a18006f4d1105cb5ea002ae47aa542392888d50f81c4da4b077b2883ca0a85ea255086f95cd19ad15e91f72dd05bde15

Download Submit
C:\Users\Admin\AppData\Roaming\NovaManagerInstaller.exe

Filesize
3.8MB

MD5
4d0438297aedcf3351e2399ee7b9a034

SHA1
6b37d1a0f585c6b056b98196c13662a588d3f5e6

SHA256
fe4845b2f864fa1f62d04e185237aa7434d031072e601a1b5e3acee09dc66e91

SHA512
60d85bf1ad55302ab94baa30137a00eff52d08faaffe18f0a098998d11fd79cfd4ad4bc220f2565b076bd44022ae44532cc78035d46dc8bddbf6f461ab16c5a0

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe

Filesize
75KB

MD5
cf219a189dae4a022f26dd58cd5367e6

SHA1
76c2e7b756e894afc4e5fd7267fce398d58c518f

SHA256
725c0bcdb953e39e96a0192d2712b261541647259e494c583d19697a10d2ffbe

SHA512
21dc7cdd5ea07be708a5c696708207a1760851d2fbb608969254a8f3e806bbb87b6b27a4d5f4cecf1b5d90f6fc81759fd9f6222ddafdb955d41b0333ea085f1f

Download Submit
C:\Users\Admin\AppData\Roaming\XClient (1).exe

Filesize
81KB

MD5
c1b7e4e3a25be04cc93a44017bd58298

SHA1
b40e7d99a41bd49172cd23470ccb4387b3351942

SHA256
9f36f62ffb252f041490ccf9faf344e03a7987a566cc399f0be06e4e5e60fbcb

SHA512
4192250e78e0a3440e2b5d1b7782566a55d96fa8a68877ff8869f617ce3095374289c78ea3d200082fb91efb8fcbce8fea946fcfea08cef05265a2c3512f99cf

Download Submit
memory/540-0-0x000007FEF5623000-0x000007FEF5624000-memory.dmp

Filesize
4KB

Download
memory/540-1-0x0000000000970000-0x0000000000D62000-memory.dmp

Filesize
3.9MB

Download
memory/584-30-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/584-31-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/1668-22-0x000000001B760000-0x000000001B8AE000-memory.dmp

Filesize
1.3MB

Download
memory/1668-24-0x0000000000A70000-0x0000000000A84000-memory.dmp

Filesize
80KB

Download
memory/1668-25-0x000000001B9B0000-0x000000001BBC6000-memory.dmp

Filesize
2.1MB

Download
memory/1668-21-0x0000000001390000-0x0000000001758000-memory.dmp

Filesize
3.8MB

Download
memory/2008-37-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2008-38-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/2060-23-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2060-9-0x0000000000C40000-0x0000000000C5A000-memory.dmp

Filesize
104KB

Download
memory/2060-79-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2332-13-0x0000000001230000-0x0000000001248000-memory.dmp

Filesize
96KB

Download