Attack chain leads to XWORM and AGENTTESLA — Elastic Security Labs
Common Information
Type | Value |
---|---|
UUID | b799f955-325d-4f13-a633-201280af3327 |
Fingerprint | 1c042937adbdf6d3 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | April 10, 2023, midnight |
Added to db | Nov. 20, 2023, 12:58 a.m. |
Last updated | Nov. 17, 2024, 6:55 p.m. |
Headline | Attack chain leads to XWORM and AGENTTESLA |
Title | Attack chain leads to XWORM and AGENTTESLA — Elastic Security Labs |
Detected Hints/Tags/Attributes | 67/3/25 |
Source URLs
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 306 | ✔ | Elastic Security Labs | https://www.elastic.co/security-labs/rss/feed.xml | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 30 | | www.mediafire.com |
Details | Domain | 1 | | rtfdumpy.py |
Details | Domain | 9 | | olevba.py |
Details | Domain | 372 | | wscript.shell |
Details | Domain | 3 | | billielishhui.blogspot.com |
Details | Domain | 285 | | microsoft.net |
Details | File | 9 | | details.docx |
Details | File | 1 | | p2.rtf |
Details | File | 1 | | rtfdumpy.py |
Details | File | 9 | | olevba.py |
Details | File | 1 | | 7000m.txt |
Details | File | 323 | | winword.exe |
Details | File | 376 | | wscript.exe |
Details | File | 1 | | c:\programdata\minminons\miguan.js |
Details | File | 6 | | atom.xml |
Details | File | 72 | | regsvcs.exe |
Details | File | 149 | | msbuild.exe |
Details | sha256 | 1 | | afbef8e590105e16bbd87bd726f4a3391cd6a4489f7a4255ba78a3af761ad2f0 |
Details | sha256 | 2 | | bf5ea8d5fd573abb86de0f27e64df194e7f9efbaadd5063dee8ff9c5c3baeaa2 |
Details | sha256 | 1 | | cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc |
Details | sha256 | 1 | | 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4 |
Details | Url | 1 | | https://www.mediafire.com/file/xnqxmqlcj51501d/7000m.txt/file |
Details | Url | 3 | | https://billielishhui.blogspot.com/atom.xml |
Details | Url | 1 | | https://discord.com/api/webhooks/1089956337733087274/uyna_d8ns1z9nz3b1mgp0xxygq-785klgifeazsrz3tjd5fvojxa927f7buttzbnt6zk |
Details | Yara rule | 1 | | rule Windows_Trojan_Xworm_732e6c12 (full rule text below) |

The YARA rule attribute, as recorded in this entry, expanded from its single-line form:

```yara
rule Windows_Trojan_Xworm_732e6c12 {
    meta:
        author = "Elastic Security"
        id = "732e6c12-9ee0-4d04-a6e4-9eef874e2716"
        fingerprint = "afbef8e590105e16bbd87bd726f4a3391cd6a4489f7a4255ba78a3af761ad2f0"
        creation_date = "2023-04-03"
        last_modified = "2023-04-03"
        os = "Windows"
        arch = "x86"
        category_type = "Trojan"
        family = "Xworm"
        threat_name = "Windows.Trojan.Xworm"
        source = "Manual"
        maturity = "Diagnostic"
        reference_sample = "bf5ea8d5fd573abb86de0f27e64df194e7f9efbaadd5063dee8ff9c5c3baeaa2"
        scan_type = "File, Memory"
        severity = 100
    strings:
        $str1 = "startsp" ascii wide fullword
        $str2 = "injRun" ascii wide fullword
        $str3 = "getinfo" ascii wide fullword
        $str4 = "Xinfo" ascii wide fullword
        $str5 = "openhide" ascii wide fullword
        $str6 = "WScript.Shell" ascii wide fullword
        $str7 = "hidefolderfile" ascii wide fullword
    condition:
        all of them
}
```