Overview

overview

10

Static

static

10

Xworm-V5.6...es.vbs

windows11-21h2-x64

1

Xworm-V5.6....6.exe

windows11-21h2-x64

10

Resubmissions

01-07-2024 05:42

240701-gd99ea1clq 10

Analysis

  • max time kernel
    18s
  • max time network
    22s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    01-07-2024 05:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Xworm-V5.6/XWorm V5.6.exe

  • Size

    13.1MB

  • MD5

    5db4c8e052f3454e0f6ba19ee175f578

  • SHA1

    32a727273944af1fb07634735ba75f0a017f7d58

  • SHA256

    7efddbf0825853ea834ce3c763fa9828aa72cb4844e8a98c4b79eb832a138a0b

  • SHA512

    0d1aa64daf4abb3f895c79c6c4deb6ffc91321fc597a96269ff621bb29376e2fed240dabe6f925c0063acbb794a686572d199cdcf35d70704a2b6c0bb5e428c7

  • SSDEEP

    196608:6S/BAe1d4ihvy85JhhYc3BSL1kehn4inje:6MyIhhkRka4i

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\XWorm V5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\XWorm V5.6.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3400
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:1240
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C8
      1⤵
        PID:992

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3400-0-0x00007FFF4A593000-0x00007FFF4A595000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3400-1-0x000001DB5ED80000-0x000001DB5FAAA000-memory.dmp
        Filesize

        13.2MB

        Download
      • memory/3400-2-0x000001DB7A4C0000-0x000001DB7A6B4000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/3400-3-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3400-4-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3400-5-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3400-6-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3400-7-0x00007FFF4A593000-0x00007FFF4A595000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3400-8-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3400-12-0x000001DB03920000-0x000001DB0393E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/3400-13-0x000001DB03940000-0x000001DB0394B000-memory.dmp
        Filesize

        44KB

        Download
      • memory/3400-9-0x000001DB03890000-0x000001DB038D6000-memory.dmp
        Filesize

        280KB

        Download
      • memory/3400-11-0x000001DB03910000-0x000001DB0391D000-memory.dmp
        Filesize

        52KB

        Download
      • memory/3400-10-0x000001DB038E0000-0x000001DB038E9000-memory.dmp
        Filesize

        36KB

        Download