General

  • Target

    SploitXE_BEta.rar

  • Size

    3.3MB

  • Sample

    240617-vhsf2swfke

  • MD5

    68f23738f5bf5e2612eb02d5e1526b8a

  • SHA1

    f59898686617dab7a596f5c452e4a38d90b90449

  • SHA256

    e9c4cdb578c440ae2f25590d9ad7b155ae309d4f0cdc67c1f9528e070b30fac9

  • SHA512

    3897abe5798c11bbe8ca45c59c1a73d055313bc41b42ef7feba9a504f01d7fa155d4a7b26193c51cbb1ccc245305ad71f7c900dbee15316261d09f997119bcb2

  • SSDEEP

    98304:oEc3CcFLpIlSZfA9l0N4MRpJ7BwsE60b81jvO:+lVugOlCRpJ7BwsEGZm

Malware Config

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15
