Malware Analysis Report

2024-11-13 14:21

Sample ID 240617-vhsf2swfke
Target SploitXE_BEta.rar
SHA256 e9c4cdb578c440ae2f25590d9ad7b155ae309d4f0cdc67c1f9528e070b30fac9
Tags
agenttesla discovery evasion keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e9c4cdb578c440ae2f25590d9ad7b155ae309d4f0cdc67c1f9528e070b30fac9

Threat Level: Known bad

The file SploitXE_BEta.rar was found to be: Known bad.

Malicious Activity Summary

agenttesla discovery evasion keylogger spyware stealer trojan

Agenttesla family

AgentTesla payload

AgentTesla

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Identifies Wine through registry keys

Checks computer location settings

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 16:59

Signatures

AgentTesla payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Agenttesla family

agenttesla

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (8 matches; the page records no per-match details)

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 matches; the page records no per-match details)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 16:59

Reported

2024-06-17 17:00

Platform

win7-20240508-en

Max time kernel

23s

Max time network

17s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\SploitXE_BEta.rar

Signatures

Note: in this run the archive was never extracted. cmd /c handed the .rar to the shell's Open With handler (rundll32.exe shell32.dll,OpenAs_RunDLL), which ended up launching VLC with --started-from-file. Every signature below that has a process recorded fires on vlc.exe or rundll32.exe; window hooks, clipboard listeners and foreground-window polling are normal for a media player and are not evidence of the sample executing. Nothing from inside the archive ran, no network activity was recorded, and the only artifacts are memory dumps of a single process. The AgentTesla verdict rests on static1 and behavioral2.

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\SploitXE_BEta.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\SploitXE_BEta.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\SploitXE_BEta.rar

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\SploitXE_BEta.rar"

Network

N/A

Files

memory/1596-30-0x000007FEFABF0000-0x000007FEFAC24000-memory.dmp

memory/1596-29-0x000000013FEC0000-0x000000013FFB8000-memory.dmp

memory/1596-32-0x000007FEF7EA0000-0x000007FEF7EB8000-memory.dmp

memory/1596-33-0x000007FEF70E0000-0x000007FEF70F7000-memory.dmp

memory/1596-34-0x000007FEF70C0000-0x000007FEF70D1000-memory.dmp

memory/1596-35-0x000007FEF70A0000-0x000007FEF70B7000-memory.dmp

memory/1596-36-0x000007FEF7080000-0x000007FEF7091000-memory.dmp

memory/1596-37-0x000007FEF7060000-0x000007FEF707D000-memory.dmp

memory/1596-31-0x000007FEF5E30000-0x000007FEF60E6000-memory.dmp

memory/1596-38-0x000007FEF7040000-0x000007FEF7051000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 16:59

Reported

2024-06-17 17:02

Platform

win10v2004-20240508-en

Max time kernel

115s

Max time network

89s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\SploitXE_BEta.rar

Signatures

Note: here 7-Zip extracted the archive to the desktop (7zG.exe x -o"C:\Users\Admin\Desktop\") and its contents ran, so this is the run the verdict is based on. Reading the tables below against the process list: the signatures attributed to SploitXE.exe are the Geo\Nation lookup, the BIOS SystemVersion/SystemManufacturer queries and the SeDebugPrivilege request; SploitXE.exe ships with SploitXE.exe.config and Guna.UI2.dll, i.e. it is a .NET WinForms application, which is consistent with it being the AgentTesla-tagged component (AgentTesla is .NET), although the AgentTesla payload table itself records no process. The VirtualBox ACPI table key (HARDWARE\ACPI\DSDT\VBOX__ only exists in a VirtualBox guest), the Software\Wine key and the SystemBiosVersion/VideoBiosVersion values are all read by C:\Fraps\fraps.exe, which setup.exe (an NSIS installer, hence the nsfB747.tmp plugin DLLs) wrote to disk together with frapsvid.dll in SysWOW64 and frapsv64.dll in System32 before it ran with /exit. The SCSI FriendlyName reads come from Taskmgr.exe and are what Task Manager does when filling its Performance tab. The Geo\Nation query is weak evidence on its own: benign .NET region lookups read the same value.

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 matches; the page records no per-match details)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Fraps\fraps.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Fraps\fraps.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Fraps\fraps.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\SploitXE BEta\SploitXE.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine | C:\Fraps\fraps.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\frapsvid.dll | C:\Users\Admin\Desktop\SploitXE BEta\setup.exe | N/A
File created | C:\Windows\system32\frapsv64.dll | C:\Users\Admin\Desktop\SploitXE BEta\setup.exe | N/A

Enumerates physical storage devices

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 matches; the page records no per-match details)

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\SysWOW64\Taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\SysWOW64\Taskmgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\SysWOW64\Taskmgr.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\Desktop\SploitXE BEta\SploitXE.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Desktop\SploitXE BEta\SploitXE.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\Desktop\SploitXE BEta\SploitXE.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: 35 (privilege LUID 35, i.e. SeCreateSymbolicLinkPrivilege, the privilege required to create symbolic links) | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\SploitXE BEta\SploitXE.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Taskmgr.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Taskmgr.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\Taskmgr.exe | N/A

The 7zG.exe entries are the privileges 7-Zip enables for itself during extraction. The SploitXE.exe entry is the one worth noting: SeDebugPrivilege is what a process needs to open other processes' memory, and it is requested here by the extracted application, not by a system tool.
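
The registry indicators in the tables above are reads (key opened, value queried), which Sysmon does not log; it records only key create/delete, value set and rename. To hunt for the same pattern on a host you need a Process Monitor capture or the kernel registry ETW provider. The script below is an added example, not part of the sandbox report: it takes the six registry indicators from the behavioral2 tables, normalises the sandbox's native NT paths (\REGISTRY\MACHINE\..., \REGISTRY\USER\<SID>\...) and procmon's hive spellings (HKLM\..., HKCU\...) onto one SID-free form, and scores each process in a procmon CSV export by how many distinct anti-VM keys it read. The procmon rows are constructed for illustration; process names follow the report but the PIDs, timestamps and value data are made up.

```python
# Added example, not from the report: score the behavioral2 registry indicators
# over a Process Monitor "Save as CSV" export. Sysmon does not log registry
# reads (only key create/delete, value set, rename), so "Key opened" /
# "Key value queried" indicators need a procmon capture or registry ETW.
import csv
import io
import re
from collections import defaultdict

SID = "S-1-5-21-2539840389-1261165778-1087677076-1000"  # SID seen in the behavioral2 run
# (name, NT path exactly as the sandbox reports it, tag from the report's signature tags)
REPORT_INDICATORS = [
    ("virtualbox_acpi", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", "evasion"),
    ("wine_key", rf"\REGISTRY\USER\{SID}\Software\Wine", "evasion"),
    ("system_bios_version", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "evasion"),
    ("video_bios_version", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", "evasion"),
    ("bios_manufacturer", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer", "discovery"),
    ("geo_nation", rf"\REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation", "discovery"),
]

# A user SID path component; the "_Classes" suffix is NT's spelling of the
# user's HKCU\Software\Classes hive.
_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+(_Classes)?$", re.I)


def _strip_sid(parts):
    """Drop a leading SID; re-root a "<SID>_Classes" hive under Software\\Classes."""
    if parts and (m := _SID_RE.match(parts[0])):
        return (["Software", "Classes"] if m.group(1) else []) + parts[1:]
    return parts


def canonical_key(path):
    """Normalise NT (\\REGISTRY\\MACHINE\\..., \\REGISTRY\\USER\\<SID>\\...) and procmon
    (HKLM\\..., HKCU\\..., HKU\\<SID>\\...) spellings to one lower-case, SID-free form."""
    parts = path.strip().strip("\\").split("\\")
    head = parts[0].upper()
    if head == "REGISTRY" and len(parts) > 1:
        hive, rest = parts[1].upper(), parts[2:]
        if hive == "MACHINE":
            return "HKLM\\" + "\\".join(rest).lower()
        if hive == "USER":
            return "HKU\\" + "\\".join(_strip_sid(rest)).lower()
    if head in ("HKLM", "HKEY_LOCAL_MACHINE"):
        return "HKLM\\" + "\\".join(parts[1:]).lower()
    if head in ("HKCU", "HKEY_CURRENT_USER"):
        return "HKU\\" + "\\".join(parts[1:]).lower()
    if head in ("HKU", "HKEY_USERS"):
        return "HKU\\" + "\\".join(_strip_sid(parts[1:])).lower()
    return path.strip().lower()


INDICATOR_KEYS = {canonical_key(p): (n, t) for n, p, t in REPORT_INDICATORS}
# procmon operations that correspond to the report's "Key opened" / "Key value queried"
REGISTRY_READ_OPS = {"RegOpenKey", "RegQueryValue", "RegQueryKey", "RegEnumKey", "RegEnumValue"}

# Constructed procmon CSV export (same column layout procmon writes). Process
# names follow the report; PIDs, times and value data are made up.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"5:01:03.1 PM","fraps.exe","5120","RegOpenKey","HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__","NAME NOT FOUND","Desired Access: Read"
"5:01:03.2 PM","fraps.exe","5120","RegQueryValue","HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion","SUCCESS","Type: REG_MULTI_SZ, Length: 22, Data: VBOX   - 1"
"5:01:03.3 PM","fraps.exe","5120","RegQueryValue","HKLM\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion","SUCCESS","Type: REG_MULTI_SZ, Length: 40, Data: Oracle VM VirtualBox"
"5:01:03.4 PM","fraps.exe","5120","RegOpenKey","HKCU\\Software\\Wine","NAME NOT FOUND","Desired Access: Read"
"5:00:58.0 PM","SploitXE.exe","4904","RegQueryValue","HKCU\\Control Panel\\International\\Geo\\Nation","SUCCESS","Type: REG_SZ, Length: 8, Data: 244"
"5:00:58.1 PM","SploitXE.exe","4904","RegQueryValue","HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer","SUCCESS","Type: REG_SZ, Length: 26, Data: innotek GmbH"
"5:00:59.0 PM","explorer.exe","1234","RegOpenKey","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer","SUCCESS","Desired Access: Read"
"""


def scan_procmon_csv(csv_text):
    """Return {(process_name, pid): {indicator_name: tag}} for every process
    whose registry reads hit one of the report's indicator keys."""
    hits = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in REGISTRY_READ_OPS:
            continue
        match = INDICATOR_KEYS.get(canonical_key(row["Path"]))
        if match:
            hits[(row["Process Name"], int(row["PID"]))][match[0]] = match[1]
    return dict(hits)


def score(hits, evasion_threshold=2):
    """Flag a process that reads at least evasion_threshold distinct anti-VM keys:
    one such read is what the report calls 'likely anti-VM'; several in one
    process is the convincing version."""
    verdicts = {}
    for proc, found in hits.items():
        evasion = sorted(n for n, t in found.items() if t == "evasion")
        discovery = sorted(n for n, t in found.items() if t == "discovery")
        verdicts[proc] = {"evasion": evasion, "discovery": discovery,
                          "flag_anti_vm": len(evasion) >= evasion_threshold}
    return verdicts


if __name__ == "__main__":
    for (name, pid), v in score(scan_procmon_csv(SAMPLE_PROCMON_CSV)).items():
        print(f"{name} (pid {pid}): anti_vm={v['flag_anti_vm']} evasion={v['evasion']} discovery={v['discovery']}")
```

Run it as-is to see fraps.exe flagged on four distinct evasion keys and SploitXE.exe reported with discovery hits only; point scan_procmon_csv at a real procmon CSV (File > Save, CSV format) to apply the same rule to a host capture. The SID stripping is what makes indicators harvested from one sandbox user match a capture taken under any other account, including the _Classes hive that procmon shows as HKCU\Software\Classes.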

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\SploitXE_BEta.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap23745:84:7zEvent19068

C:\Users\Admin\Desktop\SploitXE BEta\SploitXE.exe

"C:\Users\Admin\Desktop\SploitXE BEta\SploitXE.exe"

C:\Users\Admin\Desktop\SploitXE BEta\rbxfpsunlocker.exe

"C:\Users\Admin\Desktop\SploitXE BEta\rbxfpsunlocker.exe"

C:\Users\Admin\Desktop\SploitXE BEta\setup.exe

"C:\Users\Admin\Desktop\SploitXE BEta\setup.exe"

C:\Fraps\fraps.exe

"C:\Fraps\fraps.exe" /exit

C:\Windows\SysWOW64\Taskmgr.exe

"C:\Windows\System32\Taskmgr.exe"

(The command line names System32 but the image that ran is the SysWOW64 copy: when a 32-bit process opens C:\Windows\System32\Taskmgr.exe, WOW64 file system redirection substitutes the SysWOW64 path, so the parent that launched Task Manager here was a 32-bit process.)

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.github.com | udp

The only network activity recorded is a DNS query to 8.8.8.8 resolving api.github.com. The page records no follow-on TCP connection to GitHub, so whatever the lookup was for either did not complete or fell outside the 89 s network window.

Files

C:\Users\Admin\Desktop\SploitXE BEta\SploitXE.exe

MD5 8f53627c43fe6a510a9fc17a7a50c348
SHA1 813323918300c83c8878a043db0631b1d156f07a
SHA256 f8fd35f40cf45e0332813d5ac555663c6d041256120d6e0fd0300d7b677379e1
SHA512 f4e0f4e3cf8833b9caab846e16558b882905d2cf5d0f037aa15cbe818f33052236780aea4c5e84eafc61333e63decfe64c694f1536117d39001a2e39f8f58c11

C:\Users\Admin\Desktop\SploitXE BEta\SploitXE.exe.config

MD5 9dbad5517b46f41dbb0d8780b20ab87e
SHA1 ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e
SHA256 47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf
SHA512 43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

memory/4672-15-0x0000000000B40000-0x0000000000B56000-memory.dmp

memory/4672-16-0x0000000005B00000-0x00000000060A4000-memory.dmp

memory/4672-17-0x0000000005550000-0x00000000055E2000-memory.dmp

memory/4672-18-0x0000000005710000-0x000000000571A000-memory.dmp

C:\Users\Admin\Desktop\SploitXE BEta\Guna.UI2.dll

MD5 c19e9e6a4bc1b668d19505a0437e7f7e
SHA1 73be712aef4baa6e9dabfc237b5c039f62a847fa
SHA256 9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82
SHA512 b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de

memory/4672-22-0x00000000060B0000-0x00000000062C4000-memory.dmp

C:\Users\Admin\Desktop\SploitXE BEta\rbxfpsunlocker.exe

MD5 09d083f0e2c1e8a3561209902333ad8f
SHA1 d9692d3aba34a39aeb9e53cb3d25562b94e2e597
SHA256 83dfcb08ea4aa1b857d952a8a177db775d1a7e9cfc30b528848a4a29c8dbf0b9
SHA512 c71371263cacc4872a4bf621614940f08c9436062683be5de921ae6e509079e25ea380623e8945d40858819a664bd76590defb2a89949e8e5666190f1024ca6b

C:\Users\Admin\Desktop\SploitXE BEta\setup.exe

MD5 d1be561690e1d91e515faf9581cf81a6
SHA1 9fed9a02c3845ca78bd72319bbfcf5140e64a36a
SHA256 7213f30970c9764e1e0f85f15125f9241cf2619fb4724d322b5fe6f8ee3d9da0
SHA512 919e7bd14b65bf4fc778ce3409a92fdb5a59516cdb43d5dd3626ff2d18be9389951a289afe7453aeb6f8b9e314007c007a6f3bb7137f4fd167ce5688cebf28f5

C:\Users\Admin\AppData\Local\Temp\nsfB747.tmp\AdvSplash.dll

MD5 13cc92f90a299f5b2b2f795d0d2e47dc
SHA1 aa69ead8520876d232c6ed96021a4825e79f542f
SHA256 eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb
SHA512 ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3

C:\Users\Admin\AppData\Local\Temp\nsfB747.tmp\StartMenu.dll

MD5 a4173b381625f9f12aadb4e1cdaefdb8
SHA1 cf1680c2bc970d5675adbf5e89292a97e6724713
SHA256 7755ff2707ca19344d489a5acec02d9e310425fa6e100d2f13025761676b875b
SHA512 fcac79d42862da6bdd3ecad9d887a975cdff2301a8322f321be58f754a26b27077b452faa4751bbd09cd3371b4afce65255fbbb443e2c93dd2cba0ba652f4a82

C:\Users\Admin\AppData\Local\Temp\nsfB747.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Fraps\fraps.exe

MD5 0ff5b5161a78bf5721811779376db71d
SHA1 35308429117b514237d34bd8015bfe4efa8e7d55
SHA256 da7f61f2b04266a2ae897a0b001e721f1920cb579d5e08a8e5930a79c5d2fb80
SHA512 d701440fa49f287a9631c8fb98cef5ea89b4f135901519d3ff3c45d0a7b8c464901514078bcf5ea8d2ffd23dbc7e30816ec0beaf06a531af045fdd1f5aec0204

memory/3192-73-0x0000000000400000-0x0000000000C03000-memory.dmp

memory/3192-75-0x0000000000400000-0x0000000000C03000-memory.dmp

memory/2068-78-0x0000000006190000-0x0000000006191000-memory.dmp

memory/2068-76-0x0000000006190000-0x0000000006191000-memory.dmp

memory/2068-77-0x0000000006190000-0x0000000006191000-memory.dmp

memory/2068-88-0x0000000006190000-0x0000000006191000-memory.dmp

memory/2068-87-0x0000000006190000-0x0000000006191000-memory.dmp

memory/2068-86-0x0000000006190000-0x0000000006191000-memory.dmp

memory/2068-85-0x0000000006190000-0x0000000006191000-memory.dmp

memory/2068-84-0x0000000006190000-0x0000000006191000-memory.dmp

memory/2068-83-0x0000000006190000-0x0000000006191000-memory.dmp

memory/2068-82-0x0000000006190000-0x0000000006191000-memory.dmp