General
- Target: dfef62852d83dc4fe7f7b49ae622819e9dcd0684f98c5ccf00c6c5bbdbfd6d22
- Size: 2.2MB
- Sample: 240630-bfeydsvbrq
- MD5: 8fbc66f8e471ea88bde0648950e5eb44
- SHA1: 53095c22fe27fa02d44849a69a0ecd6bb3c7c8a6
- SHA256: dfef62852d83dc4fe7f7b49ae622819e9dcd0684f98c5ccf00c6c5bbdbfd6d22
- SHA512: 276613f678ce0d82f9596179971c4df9c9b63ab39e9bafc1c7c5933d0ce79288b3858a5f449c62b6ac2b00cbf121aad7bb557f8cf31e8bf02bd1fbfb91465c90
- SSDEEP: 49152:7F50a6aPVOFMx3SmroCZscivbS6mqxEWoKmqZJffp3vSsqPUGeaw1G6NOmfFN1Qe:vroA7PfqfFN1l
Static task: static1
Behavioral task: behavioral1
- Sample: dfef62852d83dc4fe7f7b49ae622819e9dcd0684f98c5ccf00c6c5bbdbfd6d22.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: dfef62852d83dc4fe7f7b49ae622819e9dcd0684f98c5ccf00c6c5bbdbfd6d22.exe
- Resource: win10v2004-20240508-en
Malware Config
Extracted: xworm
- 5.0
- 195.10.205.94:7725
- MFyyhElqIq6yrYiQ
- Install_directory: %AppData%
- install_file: XClient.exe
Extracted
- Protocol: smtp
- Host: s82.gocheapweb.com
- Port: 587
- Username: [email protected]
- Password: london@1759
Extracted: agenttesla
- Protocol: smtp
- Host: s82.gocheapweb.com
- Port: 587
- Username: [email protected]
- Password: london@1759
- Email To: [email protected]
Targets
- Target: dfef62852d83dc4fe7f7b49ae622819e9dcd0684f98c5ccf00c6c5bbdbfd6d22
- Size: 2.2MB
- MD5: 8fbc66f8e471ea88bde0648950e5eb44
- SHA1: 53095c22fe27fa02d44849a69a0ecd6bb3c7c8a6
- SHA256: dfef62852d83dc4fe7f7b49ae622819e9dcd0684f98c5ccf00c6c5bbdbfd6d22
- SHA512: 276613f678ce0d82f9596179971c4df9c9b63ab39e9bafc1c7c5933d0ce79288b3858a5f449c62b6ac2b00cbf121aad7bb557f8cf31e8bf02bd1fbfb91465c90
- SSDEEP: 49152:7F50a6aPVOFMx3SmroCZscivbS6mqxEWoKmqZJffp3vSsqPUGeaw1G6NOmfFN1Qe:vroA7PfqfFN1l
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect Xworm Payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext