agenttesla | 4c7d6cf21cefb460a9c8cf9860b3a4baf11505c876e60b247e5b6ea85b46e8cb

Analysis

max time kernel
33s
max time network
37s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm-v5.6-Lifetime-Editon-Cracked/CefSharp.exe
Size

10.8MB
MD5

acff16b9fae109888d772998b91ccca4
SHA1

b580c68d4d2bf3cc26393728337278f190d405f1
SHA256

5cae75e6d6a6b249b2d977158998aaa514b8c917c313b5a0609c7b90b075ae50
SHA512

557aadc06ca2a961ca44b6e4f46cbe412d605dab2092bee16118baaa8a4a02eecbd746ba615d0af9eddd38ed67d81ef44dd1313956a32a4798a4018d24377962
SSDEEP

196608:4gavfJVzbFUbwD5PVO47xgO2JC85cikjYA/cmiV7ZNt/ikyM:hIhBbFUcBVO47xg/C3P/eJVyM

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2728-59-0x000000001C3A0000-0x000000001C594000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

evbAF34.tmpxwormv5.exe

pid process

2400 evbAF34.tmp
2728 xwormv5.exe
Loads dropped DLL 1 IoCs

Processes:

CefSharp.exe

pid process

2556 CefSharp.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

CefSharp.exe

description pid process target process

PID 2556 set thread context of 2400 2556 CefSharp.exe evbAF34.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2400	evbAF34.tmp
2728	xwormv5.exe

pid	process
2556	CefSharp.exe

description	pid	process	target process
PID 2556 set thread context of 2400	2556	CefSharp.exe	evbAF34.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xwormv5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	xwormv5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	xwormv5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	xwormv5.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

evbAF34.tmp

pid process

2400 evbAF34.tmp
2400 evbAF34.tmp
2400 evbAF34.tmp
2400 evbAF34.tmp
2400 evbAF34.tmp

pid	process
2400	evbAF34.tmp
2400	evbAF34.tmp
2400	evbAF34.tmp
2400	evbAF34.tmp
2400	evbAF34.tmp

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

xwormv5.exe

pid	process
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe
2728	xwormv5.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

CefSharp.exeevbAF34.tmp

description	pid	process	target process
PID 2556 wrote to memory of 2400	2556	CefSharp.exe	evbAF34.tmp
PID 2556 wrote to memory of 2400	2556	CefSharp.exe	evbAF34.tmp
PID 2556 wrote to memory of 2400	2556	CefSharp.exe	evbAF34.tmp
PID 2556 wrote to memory of 2400	2556	CefSharp.exe	evbAF34.tmp
PID 2556 wrote to memory of 2400	2556	CefSharp.exe	evbAF34.tmp
PID 2556 wrote to memory of 2400	2556	CefSharp.exe	evbAF34.tmp
PID 2556 wrote to memory of 2400	2556	CefSharp.exe	evbAF34.tmp
PID 2556 wrote to memory of 2400	2556	CefSharp.exe	evbAF34.tmp
PID 2556 wrote to memory of 2400	2556	CefSharp.exe	evbAF34.tmp
PID 2556 wrote to memory of 2400	2556	CefSharp.exe	evbAF34.tmp
PID 2556 wrote to memory of 2400	2556	CefSharp.exe	evbAF34.tmp
PID 2556 wrote to memory of 2400	2556	CefSharp.exe	evbAF34.tmp
PID 2556 wrote to memory of 2400	2556	CefSharp.exe	evbAF34.tmp
PID 2556 wrote to memory of 2400	2556	CefSharp.exe	evbAF34.tmp
PID 2556 wrote to memory of 2400	2556	CefSharp.exe	evbAF34.tmp
PID 2556 wrote to memory of 2400	2556	CefSharp.exe	evbAF34.tmp
PID 2556 wrote to memory of 2400	2556	CefSharp.exe	evbAF34.tmp
PID 2556 wrote to memory of 2400	2556	CefSharp.exe	evbAF34.tmp
PID 2556 wrote to memory of 2728	2556	CefSharp.exe	xwormv5.exe
PID 2556 wrote to memory of 2728	2556	CefSharp.exe	xwormv5.exe
PID 2556 wrote to memory of 2728	2556	CefSharp.exe	xwormv5.exe
PID 2400 wrote to memory of 2872	2400	evbAF34.tmp	conhost.exe
PID 2400 wrote to memory of 2872	2400	evbAF34.tmp	conhost.exe
PID 2400 wrote to memory of 2872	2400	evbAF34.tmp	conhost.exe
PID 2400 wrote to memory of 2872	2400	evbAF34.tmp	conhost.exe

C:\Users\Admin\AppData\Local\Temp\XWorm-v5.6-Lifetime-Editon-Cracked\CefSharp.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-v5.6-Lifetime-Editon-Cracked\CefSharp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\evbAF34.tmp
  "C:\Users\Admin\AppData\Local\Temp\XWorm-v5.6-Lifetime-Editon-Cracked\xwormbin.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\system32\conhost.exe
    conhost.exe
    3⤵
    PID:2872
- C:\Users\Admin\AppData\Local\Temp\XWorm-v5.6-Lifetime-Editon-Cracked\xwormv5.exe
  "C:\Users\Admin\AppData\Local\Temp\XWorm-v5.6-Lifetime-Editon-Cracked\xwormv5.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  - Suspicious use of FindShellTrayWindow
  PID:2728

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\evbAF34.tmp

Filesize
1KB

MD5
86d23632843c402a3a34828bb99317c9

SHA1
ee7082dcee56cb61d0cae037078efb2a4b32eaae

SHA256
eef04cd51ee4cffc01ea5b13e1bf7a174cc4f093aef143471a31d16e20f9e280

SHA512
9a5fcf3158c96be1a48dff04d58ec15471d69f44a6a06ea5f2fcd2c858bd974bbfbfe31028cc85a321ae55f5d621038c5234dcf01757682c399b91dc007cb223

Download Submit
\??\c:\users\admin\appdata\local\temp\xworm-v5.6-lifetime-editon-cracked\xwormv5.exe

Filesize
14.9MB

MD5
6c59ff494f131d6e12eec38f2b0c4c55

SHA1
555c547cf314c867a71464b5b761c7f1d296df15

SHA256
19f9f28a04878d8a958835f5add563c1db48498309982afea1c2fd8a7ed8cc05

SHA512
f7a2d52aeea60d8d934bf042709bc3d00e224d0761480475609044dcd339e5927b546d51b2b23144074a70c76b64468a7b94246c254c63b5e5b1b44276cfd24f

Download Submit
memory/2400-47-0x0000000140000000-0x0000000140641000-memory.dmp

Filesize
6.3MB

Download
memory/2400-13-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2400-42-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2400-51-0x0000000140000000-0x0000000140641000-memory.dmp

Filesize
6.3MB

Download
memory/2400-52-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2400-28-0x000007FFFFFDE000-0x000007FFFFFDF000-memory.dmp

Filesize
4KB

Download
memory/2400-37-0x0000000140000000-0x0000000140641000-memory.dmp

Filesize
6.3MB

Download
memory/2400-38-0x0000000140000000-0x0000000140641000-memory.dmp

Filesize
6.3MB

Download
memory/2400-11-0x0000000000430000-0x00000000004D3000-memory.dmp

Filesize
652KB

Download
memory/2400-25-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2556-0-0x0000000140000000-0x00000001400DE000-memory.dmp

Filesize
888KB

Download
memory/2556-45-0x00000000031E0000-0x0000000003821000-memory.dmp

Filesize
6.3MB

Download
memory/2556-17-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2556-24-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2556-39-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2556-35-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2556-32-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2556-40-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2556-2-0x0000000077371000-0x0000000077372000-memory.dmp

Filesize
4KB

Download
memory/2556-7-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2556-36-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2556-43-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2556-44-0x00000000031E0000-0x0000000003821000-memory.dmp

Filesize
6.3MB

Download
memory/2556-8-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2556-4-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2556-41-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2556-5-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2556-3-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2556-6-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2556-10-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2556-55-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/2556-54-0x0000000140000000-0x00000001400DE000-memory.dmp

Filesize
888KB

Download
memory/2556-18-0x00000000031E0000-0x0000000003821000-memory.dmp

Filesize
6.3MB

Download
memory/2728-56-0x00000000013E0000-0x00000000022C8000-memory.dmp

Filesize
14.9MB

Download
memory/2728-59-0x000000001C3A0000-0x000000001C594000-memory.dmp

Filesize
2.0MB

Download
memory/2872-49-0x0000000000060000-0x000000000006D000-memory.dmp

Filesize
52KB

Download
memory/2872-57-0x0000000001A50000-0x0000000001A62000-memory.dmp

Filesize
72KB

Download
memory/2872-58-0x0000000001A70000-0x0000000001A78000-memory.dmp

Filesize
32KB

Download