Overview

overview

10

Static

static

10

tool/Guna.UI2.dll

windows7-x64

1

tool/Guna.UI2.dll

windows10-2004-x64

1

tool/armdo...or.exe

windows7-x64

8

tool/armdo...or.exe

windows10-2004-x64

10

Resubmissions

11-09-2024 00:01

240911-aa691stare 10

10-09-2024 23:54

240910-3ya6ps1fjn 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    tool.zip

  • Size

    1.0MB

  • Sample

    240911-aa691stare

  • MD5

    1da7c6b4f9b60799dc9fd5d589d97f72

  • SHA1

    1e08ee39733f09326bb60ebcb0a4f7b12ff1843b

  • SHA256

    39508b75635805ff4fa5eaf8c7aa926529b66ae52f08460d41d8d960e75385e3

  • SHA512

    6232bd7dc478b92633237dbdd93e44b56dce410f0e1e852532580bf024490e19854bcb3f80b5641692000173e045845b31bc8bd7c79dc7bfa6c1baa6e4fab006

  • SSDEEP

    24576:i4PaE+vYG5FIghxbbYzB3HF6sqiLUVU/hI8WHT6Y93:RPe3IghxbMzD6sqiLUVPHT6Y93

Score
10/10
agentteslaxwormdiscoveryexecutionkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:41594

internal-bachelor.gl.at.ply.gg:41594
Mutex

JgIYtyxyvTKZt7Bf

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    svchost.exe

aes.plain

Targets

    • Target

      tool/Guna.UI2.dll

    • Size

      2.1MB

    • MD5

      c19e9e6a4bc1b668d19505a0437e7f7e

    • SHA1

      73be712aef4baa6e9dabfc237b5c039f62a847fa

    • SHA256

      9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82

    • SHA512

      b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de

    • SSDEEP

      49152:6QNztBO2+VN7N3HtnPhx70ZO4+CPXOn5PThDH2TBeHjvjiBckYf+Yh/FJ3:6Ahck2z

    Score
    1/10
    behavioral1behavioral2

    • Target

      tool/armdot deobfuscator.exe

    • Size

      275KB

    • MD5

      2bce10bc9bf1c5e013965c7a60deae05

    • SHA1

      7efa1765b1842f4ce9e746c26c7d8394ad7820ce

    • SHA256

      5e74f08923fec3a5daf99b9a6c0763b21a98226f90c537235408a4258389ca01

    • SHA512

      fbfadeb3f983cc76478864de82952ce34cb7543743a3421151827c5a8226d24ddff2409f71230dfc4bbfad441cea9a148a11a31c16e3890cd5a0797fe4a9e7c0

    • SSDEEP

      6144:IwDHUsnM9rwQCz8vRtKT2OyD0Ek+c9NWtO5MxRxLJcNfZ:IAjMnZtgbyD0wyWtOcJeZ

    Score
    10/10
    discoveryexecutionagentteslaxwormkeyloggerpersistenceratspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • AgentTesla payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks