General

  • Target

    SploitXE_Release.rar

  • Size

    3.3MB

  • Sample

    240618-tqez9averr

  • MD5

    205f456e3c5b13c05098c964a3f653e1

  • SHA1

    f9423d7ee8bff3d1f2fe196f8d25f91e0a6ec885

  • SHA256

    347d4a35a5c99443dc26be1d36b93c308817808cc775ca15b1760243f0979d14

  • SHA512

    802668e47d283991b4dbadc86d17ba8bbdcdf453fa4147b2632f6797272746a9037e29705fa77773b13f99e4a9202e4a9ca0f851ec8ca109abba8423c016e2ec

  • SSDEEP

    98304:UEc3CcFJpNlSZfA9l0N4MRpJ7BwsE60b81jvT:ylfrgOlCRpJ7BwsEGZL

Malware Config

Targets

    • Target

      SploitXE Release/SploitXE.exe

    • Size

      59KB

    • MD5

      8f53627c43fe6a510a9fc17a7a50c348

    • SHA1

      813323918300c83c8878a043db0631b1d156f07a

    • SHA256

      f8fd35f40cf45e0332813d5ac555663c6d041256120d6e0fd0300d7b677379e1

    • SHA512

      f4e0f4e3cf8833b9caab846e16558b882905d2cf5d0f037aa15cbe818f33052236780aea4c5e84eafc61333e63decfe64c694f1536117d39001a2e39f8f58c11

    • SSDEEP

      768:QUNFDR8oN3NmUqVLVbXrhsPWHrdRpfO4HjCMLpPd0:lR8oN3c3O0rdRpfO4DpLdd0

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      SploitXE Release/setup.exe

    • Size

      2.4MB

    • MD5

      d1be561690e1d91e515faf9581cf81a6

    • SHA1

      9fed9a02c3845ca78bd72319bbfcf5140e64a36a

    • SHA256

      7213f30970c9764e1e0f85f15125f9241cf2619fb4724d322b5fe6f8ee3d9da0

    • SHA512

      919e7bd14b65bf4fc778ce3409a92fdb5a59516cdb43d5dd3626ff2d18be9389951a289afe7453aeb6f8b9e314007c007a6f3bb7137f4fd167ce5688cebf28f5

    • SSDEEP

      49152:Ytavs+rX1wXzrf7XC4yY86lG8mFMRkoma4ftd0B8K4QH9SsmHFDTWU:Yn+j1wHzyb38mORkdtdCzdSsmHRTn

    • Score

      9/10

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks