General
Target: Rootkit.exe
Size: 5.2MB
Sample: 240630-qhlahsybnd
MD5: bb3ad62baa943e12858845f450b52d45
SHA1: 106833ebedf630c67848569b953b58d734bfbc4f
SHA256: 696493dcbdadaac33f562d957dcbdcad65993bbbdafa020dd910c797873ebb9d
SHA512: a84fb4ace43c878df83c39a8058dd336583ac81225760aad031b04e0039bfde356eae23af689f6e62030da4fd55690f29d80fbf5eaf1bc7cbeac47be559e987c
SSDEEP: 98304:uIHjlOot0eJu8/Zh84XB5D3DPJNNlQwGPth3rhV6Po0gpFvjM:XpOodumZhjBVDBNN65tZ9BHr
Static task: static1

Malware Config
Extracted: xworm
session-chief.gl.at.ply.gg:36125
Install_directory: %LocalAppData%
install_file: svchost.exe
Targets
Target: Rootkit.exe
Signatures
AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Detect Xworm Payload
AgentTesla payload
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.