agenttesla | 12ab088edbfb59bbbaebc5e636464515eba57e7df716c4cca4a4f7cc5397173a

Analysis

max time kernel
120s
max time network
149s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER_DATA_SHEET#PO8738763.scr
Size

2.2MB
MD5

31cbb0ad4fbff526978c68212a36fb90
SHA1

d5cbdd8f03037a73dd40c0819498c969ae5b9102
SHA256

1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b
SHA512

3f8e80aa86d486eacf4336b6a0a8f9c997de33a7ae1da5a1637e99fc168e0c4c8c1a9324b3c9bb69ce74d3529a881931234f45764d8f46810d820fb5629414a5
SSDEEP

49152:eF50a6aPVOFMx3SmroCZscivbS6mqxEWoKmqZJffp3vSsqPUCeaw1GANOmJA:croA7P/YJ

Score

10^/10

agenttesla xworm execution keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

195.10.205.94:7725

Mutex

rliv2fMggtmcxYMM

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
s82.gocheapweb.com
Port:
587
Username:
[email protected]
Password:
london@1759
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2968-1-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2968-5-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2968-3-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2604 powershell.exe
2488 powershell.exe
2980 powershell.exe
2568 powershell.exe

pid	process
2604	powershell.exe
2488	powershell.exe
2980	powershell.exe
2568	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AddInProcess32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	AddInProcess32.exe

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.ipify.org
9 api.ipify.org
10 ip-api.com
6 api.ipify.org
7 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

ORDER_DATA_SHEET#PO8738763.scr

description pid process target process

PID 2228 set thread context of 2968 2228 ORDER_DATA_SHEET#PO8738763.scr AddInProcess32.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

AddInProcess32.exe

pid process

2968 AddInProcess32.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeAddInProcess32.exe

pid process

2488 powershell.exe
2980 powershell.exe
2568 powershell.exe
2604 powershell.exe
2968 AddInProcess32.exe
2968 AddInProcess32.exe
2968 AddInProcess32.exe
2968 AddInProcess32.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

AddInProcess32.exe

pid process

2968 AddInProcess32.exe

flow	ioc
8	api.ipify.org
9	api.ipify.org
10	ip-api.com
6	api.ipify.org
7	api.ipify.org

description	pid	process	target process
PID 2228 set thread context of 2968	2228	ORDER_DATA_SHEET#PO8738763.scr	AddInProcess32.exe

pid	process
2968	AddInProcess32.exe

pid	process
2488	powershell.exe
2980	powershell.exe
2568	powershell.exe
2604	powershell.exe
2968	AddInProcess32.exe
2968	AddInProcess32.exe
2968	AddInProcess32.exe
2968	AddInProcess32.exe

pid	process
2968	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

AddInProcess32.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2968	AddInProcess32.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AddInProcess32.exe

pid process

2968 AddInProcess32.exe
2968 AddInProcess32.exe

pid	process
2968	AddInProcess32.exe
2968	AddInProcess32.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

ORDER_DATA_SHEET#PO8738763.scrAddInProcess32.exe

description	pid	process	target process
PID 2228 wrote to memory of 2968	2228	ORDER_DATA_SHEET#PO8738763.scr	AddInProcess32.exe
PID 2228 wrote to memory of 2968	2228	ORDER_DATA_SHEET#PO8738763.scr	AddInProcess32.exe
PID 2228 wrote to memory of 2968	2228	ORDER_DATA_SHEET#PO8738763.scr	AddInProcess32.exe
PID 2228 wrote to memory of 2968	2228	ORDER_DATA_SHEET#PO8738763.scr	AddInProcess32.exe
PID 2228 wrote to memory of 2968	2228	ORDER_DATA_SHEET#PO8738763.scr	AddInProcess32.exe
PID 2228 wrote to memory of 2968	2228	ORDER_DATA_SHEET#PO8738763.scr	AddInProcess32.exe
PID 2228 wrote to memory of 2968	2228	ORDER_DATA_SHEET#PO8738763.scr	AddInProcess32.exe
PID 2228 wrote to memory of 2968	2228	ORDER_DATA_SHEET#PO8738763.scr	AddInProcess32.exe
PID 2228 wrote to memory of 2968	2228	ORDER_DATA_SHEET#PO8738763.scr	AddInProcess32.exe
PID 2968 wrote to memory of 2488	2968	AddInProcess32.exe	powershell.exe
PID 2968 wrote to memory of 2488	2968	AddInProcess32.exe	powershell.exe
PID 2968 wrote to memory of 2488	2968	AddInProcess32.exe	powershell.exe
PID 2968 wrote to memory of 2488	2968	AddInProcess32.exe	powershell.exe
PID 2968 wrote to memory of 2980	2968	AddInProcess32.exe	powershell.exe
PID 2968 wrote to memory of 2980	2968	AddInProcess32.exe	powershell.exe
PID 2968 wrote to memory of 2980	2968	AddInProcess32.exe	powershell.exe
PID 2968 wrote to memory of 2980	2968	AddInProcess32.exe	powershell.exe
PID 2968 wrote to memory of 2568	2968	AddInProcess32.exe	powershell.exe
PID 2968 wrote to memory of 2568	2968	AddInProcess32.exe	powershell.exe
PID 2968 wrote to memory of 2568	2968	AddInProcess32.exe	powershell.exe
PID 2968 wrote to memory of 2568	2968	AddInProcess32.exe	powershell.exe
PID 2968 wrote to memory of 2604	2968	AddInProcess32.exe	powershell.exe
PID 2968 wrote to memory of 2604	2968	AddInProcess32.exe	powershell.exe
PID 2968 wrote to memory of 2604	2968	AddInProcess32.exe	powershell.exe
PID 2968 wrote to memory of 2604	2968	AddInProcess32.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\ORDER_DATA_SHEET#PO8738763.scr
"C:\Users\Admin\AppData\Local\Temp\ORDER_DATA_SHEET#PO8738763.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AddInProcess32.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
9c4929bb4e32ae40d1ef3cc71d06d602

SHA1
b08e3fb176b42cbe43b55e816134ccf889355a2c

SHA256
dd0c03493133c09f7e2788dc1a3634517597535e7bd7c2c2ec5a51ab8cf729f2

SHA512
2002192aef9655e5aaa6cf60d2979817b4f2c7ba69e02befe469cd4a044e825637b8782e099c2979528bc765dcd025616d14407b076eb43fc309cc03e45fba4c

Download Submit
memory/2968-1-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2968-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2968-3-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2968-6-0x000000007475E000-0x000000007475F000-memory.dmp

Filesize
4KB

Download
memory/2968-25-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2968-26-0x0000000000660000-0x00000000006A4000-memory.dmp

Filesize
272KB

Download
memory/2968-27-0x0000000002150000-0x0000000002192000-memory.dmp

Filesize
264KB

Download
memory/2968-28-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/2968-29-0x000000007475E000-0x000000007475F000-memory.dmp

Filesize
4KB

Download
memory/2968-30-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download