agenttesla | 628619bc0cc92b18ec67bd63c723b9aec1e50ab5ed8bfdd069e40d02fba9b1f3

General

Target

XWorm V5.2.zip
Size

41.4MB
Sample

240909-s9tr3swemj
MD5

01733c1fa0c27122fd3e90bab66585c8
SHA1

9659e9eb70ceff2065a77d55573684e5a08bc644
SHA256

628619bc0cc92b18ec67bd63c723b9aec1e50ab5ed8bfdd069e40d02fba9b1f3
SHA512

322cb997570de0ce6b36b6ede3fe1db5a90f3bc83506efe71dd3ddc5c0752aa31ce53702b5867dddf18aceb7a72decd8ef785e64c8fe3c74a3c5c30f6e82bf8d
SSDEEP

786432:m7WDxFi5bQy5IWieaMWY+23ILk+CGr0n3o49wqAk1QMAYaR5uAhfe05BLviLbLN/:mAFi5bnuVMWY54IX3R9wiBN0jzCdPtzJ

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

uk1.localto.net:3725

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe

Targets

- Target
  
  XWorm V5.2.exe
- Size
  
  37.7MB
- MD5
  
  4d2fe88411ca382a705f7de70505f8ee
- SHA1
  
  992be069e1123ea68a414ce462f2b7a0e5c39563
- SHA256
  
  1180b5ce40dfeadc5843448e0f163408aa33f23abe39030d5eecaf37fc17d551
- SHA512
  
  8df4399dc43b854fd72764b426146044799aaea80a07dbecf4d28941b957af1b480ade452fd020912c37b54280a057f02be19c10812f59ab3b8f2d45c0a82b43
- SSDEEP
  
  786432:V3on1HvSzxAMNwFZArYsHPv697OZYV797:VYn1HvSpNwXmvYJX
Score

9^/10

collection credential_access defense_evasion discovery execution persistence spyware stealer
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2
- Target
  
  XWorm.exe
- Size
  
  9.1MB
- MD5
  
  76b8dd1cc4d42ceb68720da77fa05dab
- SHA1
  
  4594f0a2b104257123b72587226e0694ed410803
- SHA256
  
  7eacc3500da7eeebe2936d120ac8dbc56de6f1100b0ae77b13da5ee0850af4fb
- SHA512
  
  5d72ea084d0b611566eb7fc35e6994c5bfd475813739ca9f5909206c081179d94faf59f707c52f9cf60de44cd1a86a6796c5ed1fd51f20db2c31abec3b9d964e
- SSDEEP
  
  3072:5BZK4Q137x/2bSinOvaYA2ewhLapuvpAsZOyMqmyBeYVYm:zZlQ137xebFVc/GWGwqqm1
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3 behavioral4