agenttesla

Resubmissions

11-09-2024 08:55

240911-kvr1yasgla 10

11-09-2024 08:53

240911-ktswva1hpj 10

Sharing

Copy URL

Twitter E-mail

General

Target

tool.zip
Size

1.0MB
Sample

240911-kvr1yasgla
MD5

1da7c6b4f9b60799dc9fd5d589d97f72
SHA1

1e08ee39733f09326bb60ebcb0a4f7b12ff1843b
SHA256

39508b75635805ff4fa5eaf8c7aa926529b66ae52f08460d41d8d960e75385e3
SHA512

6232bd7dc478b92633237dbdd93e44b56dce410f0e1e852532580bf024490e19854bcb3f80b5641692000173e045845b31bc8bd7c79dc7bfa6c1baa6e4fab006
SSDEEP

24576:i4PaE+vYG5FIghxbbYzB3HF6sqiLUVU/hI8WHT6Y93:RPe3IghxbMzD6sqiLUVPHT6Y93

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:41594

internal-bachelor.gl.at.ply.gg:41594

Mutex

JgIYtyxyvTKZt7Bf

Attributes

Install_directory
%LocalAppData%
install_file
svchost.exe

aes.plain

Targets

- Target
  
  tool.zip
- Size
  
  1.0MB
- MD5
  
  1da7c6b4f9b60799dc9fd5d589d97f72
- SHA1
  
  1e08ee39733f09326bb60ebcb0a4f7b12ff1843b
- SHA256
  
  39508b75635805ff4fa5eaf8c7aa926529b66ae52f08460d41d8d960e75385e3
- SHA512
  
  6232bd7dc478b92633237dbdd93e44b56dce410f0e1e852532580bf024490e19854bcb3f80b5641692000173e045845b31bc8bd7c79dc7bfa6c1baa6e4fab006
- SSDEEP
  
  24576:i4PaE+vYG5FIghxbbYzB3HF6sqiLUVU/hI8WHT6Y93:RPe3IghxbMzD6sqiLUVPHT6Y93
Score

1^/10
behavioral1 behavioral2
- Target
  
  tool/Armdot Deobf.exe.config
- Size
  
  189B
- MD5
  
  9dbad5517b46f41dbb0d8780b20ab87e
- SHA1
  
  ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e
- SHA256
  
  47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf
- SHA512
  
  43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  tool/Armdot Deobf.pdb
- Size
  
  41KB
- MD5
  
  b3adcf27f70b57983d9ccfe60c923e3a
- SHA1
  
  bb238b90a2e7e622c3a8cc5ed13172e94d2dec22
- SHA256
  
  28c32f5e535c16ce7ed99c3babb326ce1747200510ef5f0da60f1f6579120cdf
- SHA512
  
  3d12aef199183732d609e6ae11d736e7ac9c73808ff710d08be6ca9c9e2b73c6eaf80888750a0432fecf399bc0553d3be75752710fc26bfbaf2be2343dd8fd81
- SSDEEP
  
  384:iul+Ql+mIJd204EybE07ScnWLKy2GG7oY44410IJd2/74:iul+Ql+mIJd20OAG5c0IJd2/7
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  tool/Guna.UI2.dll
- Size
  
  2.1MB
- MD5
  
  c19e9e6a4bc1b668d19505a0437e7f7e
- SHA1
  
  73be712aef4baa6e9dabfc237b5c039f62a847fa
- SHA256
  
  9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82
- SHA512
  
  b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de
- SSDEEP
  
  49152:6QNztBO2+VN7N3HtnPhx70ZO4+CPXOn5PThDH2TBeHjvjiBckYf+Yh/FJ3:6Ahck2z
Score

1^/10
behavioral7 behavioral8
- Target
  
  tool/armdot deobfuscator.exe
- Size
  
  275KB
- MD5
  
  2bce10bc9bf1c5e013965c7a60deae05
- SHA1
  
  7efa1765b1842f4ce9e746c26c7d8394ad7820ce
- SHA256
  
  5e74f08923fec3a5daf99b9a6c0763b21a98226f90c537235408a4258389ca01
- SHA512
  
  fbfadeb3f983cc76478864de82952ce34cb7543743a3421151827c5a8226d24ddff2409f71230dfc4bbfad441cea9a148a11a31c16e3890cd5a0797fe4a9e7c0
- SSDEEP
  
  6144:IwDHUsnM9rwQCz8vRtKT2OyD0Ek+c9NWtO5MxRxLJcNfZ:IAjMnZtgbyD0wyWtOcJeZ
Score

10^/10

agenttesla xworm discovery execution keylogger persistence rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- AgentTesla payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral10 behavioral9