xworm | download[.]exe | Triage

Sharing

General

Target

download.exe
Size

328KB
MD5

d61526463472da19dd8869f484a8f4ef
SHA1

20514ac586fb6847057be18ecf00b84cda7e948f
SHA256

65ea7c521264d69a5e044a2fa7aa5a330385e733b1cefbff31cb805abaf067fa
SHA512

925089713ea4877de9300c0998eabcef4850af08ea6e7a12704e92736928461e54a8fa8cb56c3c910ca334e5395a5497f38715237970f4f70532a26405cd3fee
SSDEEP

3072:7+2Lmlx1JlKiSBTxbBGiz64tlyz5X0JdYA4TQTnDrGdQo9bFxYo9OtVa2M:7+2Lmlx1JldSVxbBF643yOdxBDrGVbHR

Score

10^/10

xworm agenttesla

Malware Config

Signatures

Agenttesla family
agenttesla
Detect Xworm Payload 1 IoCs

Processes:

resource yara_rule

sample family_xworm
Xworm family
xworm
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

download.exe

Files

download.exe
.exe windows:4 windows x86 arch:x86

009023b6b22e202aa54365d2270f6f95

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

ExitProcess
FreeResource
CloseHandle
WriteFile
CreateFileA
MoveFileExA
GetTempFileNameA
GetTempPathA
LockResource
LoadResource
SizeofResource
FindResourceA
GetModuleHandleA
GetStartupInfoA

shell32

ShellExecuteA

msvcrt

sprintf
_exit
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
_XcptFilter

Sections

.text
Size: 4KB - Virtual size: 796B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 822B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 76B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 312KB - Virtual size: 310KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ