Analysis
- max time kernel: 148s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 18-06-2024 16:15
Behavioral tasks
- behavioral1: sample SploitXE Release/SploitXE.exe, resource win7-20231129-en
- behavioral2: sample SploitXE Release/SploitXE.exe, resource win10v2004-20240508-en
- behavioral3: sample SploitXE Release/setup.exe, resource win7-20240220-en
General
- Target: SploitXE Release/SploitXE.exe
- Size: 59KB
- MD5: 8f53627c43fe6a510a9fc17a7a50c348
- SHA1: 813323918300c83c8878a043db0631b1d156f07a
- SHA256: f8fd35f40cf45e0332813d5ac555663c6d041256120d6e0fd0300d7b677379e1
- SHA512: f4e0f4e3cf8833b9caab846e16558b882905d2cf5d0f037aa15cbe818f33052236780aea4c5e84eafc61333e63decfe64c694f1536117d39001a2e39f8f58c11
- SSDEEP: 768:QUNFDR8oN3NmUqVLVbXrhsPWHrdRpfO4HjCMLpPd0:lR8oN3c3O0rdRpfO4DpLdd0
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer, written in Visual Basic.
-
AgentTesla payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2264-2-0x0000000004C40000-0x0000000004E54000-memory.dmp | family_agenttesla
The family match is against a memory region dumped from PID 2264 (SploitXE.exe) in behavioral1, not against the file on disk, and it is the only AgentTesla indicator listed here.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
Processes: fraps.exe, fraps.exe, fraps.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | fraps.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | fraps.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | fraps.exe
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: fraps.exe, fraps.exe, fraps.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | fraps.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | fraps.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | fraps.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | fraps.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | fraps.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | fraps.exe
Executes dropped EXE 3 IoCs
Processes: fraps.exe, fraps.exe, fraps.exe
pid | process
3048 | fraps.exe
2452 | fraps.exe
3028 | fraps.exe
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: fraps.exe, fraps.exe, fraps.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine | fraps.exe
Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine | fraps.exe
Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine | fraps.exe
Loads dropped DLL 8 IoCs
Processes: setup.exe, fraps.exe
pid | process
1584 | setup.exe (6 events)
2452 | fraps.exe (2 events)
Drops file in System32 directory 2 IoCs
Processes: setup.exe
description | ioc | process
File created | C:\Windows\system32\frapsv64.dll | setup.exe
File created | C:\Windows\SysWOW64\frapsvid.dll | setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: SploitXE.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | SploitXE.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | SploitXE.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SploitXE.exe
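The VirtualBox ACPI, BIOS version, Wine and BIOS manufacturer signatures above are all the same technique: the process reads registry paths whose mere presence or content gives away a VM or sandbox. When triaging raw sandbox event logs rather than a pre-labelled report, it helps to have the catalogue of such paths in code. The script below is an added example, not code from the sandbox or from the sample; it parses constructed event lines shaped like the IoC rows in this report and tallies anti-analysis registry reads per process. The DSDT, SystemBiosVersion, VideoBiosVersion, BIOS and Software\Wine entries are the keys seen in this report; the FADT and RSDT entries are assumed additions covering the other VirtualBox ACPI tables.

```python
"""Tally anti-VM / anti-sandbox registry reads from sandbox event lines.

Added example for this report, not sandbox or sample code. Event lines are
constructed to mirror the IoC rows above (action, registry path, process).
"""
import re
from collections import Counter, defaultdict

# (prefix, label): registry paths read to fingerprint a VM or sandbox.
# DSDT, SystemBiosVersion, VideoBiosVersion and BIOS come from this report;
# FADT and RSDT are assumed additions (other VirtualBox ACPI tables).
ANTI_ANALYSIS_PREFIXES = [
    (r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", "virtualbox-acpi"),
    (r"\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__", "virtualbox-acpi"),
    (r"\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__", "virtualbox-acpi"),
    (r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "bios-fingerprint"),
    (r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", "bios-fingerprint"),
    (r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS", "bios-fingerprint"),
]
# Per-user hives carry a SID, so match Software\Wine under any S-1-5-21 SID.
WINE_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\Software\\Wine$", re.IGNORECASE)
# "<action> <path> <process>"; the path may contain spaces, the process may not.
EVENT_RE = re.compile(r"^(?P<action>Key opened|Key value queried)\s+(?P<path>\\.+?)\s+(?P<process>\S+)$")


def classify_path(path):
    """Map a registry path to an anti-analysis label, or None if not in the catalogue."""
    lowered = path.lower()
    for prefix, label in ANTI_ANALYSIS_PREFIXES:
        if lowered.startswith(prefix.lower()):
            return label
    if WINE_RE.match(path):
        return "wine-check"
    return None


def parse_event(line):
    """Return (action, path, process) for one event line, or None if it does not parse."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return m.group("action"), m.group("path"), m.group("process")


def summarize(lines):
    """Return {process: {label: hit count}} for events that hit the catalogue."""
    hits = defaultdict(Counter)
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        _, path, process = event
        label = classify_path(path)
        if label:
            hits[process][label] += 1
    return {process: dict(counts) for process, counts in hits.items()}


# Constructed events mirroring this report: one fraps.exe instance, the
# SploitXE.exe BIOS reads, and a benign registry write as a control line.
SAMPLE_EVENTS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ fraps.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion fraps.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion fraps.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine fraps.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer SploitXE.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion SploitXE.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SploitXE.exe",
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.avi fraps.exe",
]

if __name__ == "__main__":
    for process, counts in summarize(SAMPLE_EVENTS).items():
        print(process, counts)
```

A prefix match on the BIOS key is deliberate: opening \HARDWARE\DESCRIPTION\System\BIOS itself (as SploitXE.exe does) is the first step of reading SystemManufacturer or SystemVersion, so it counts toward the same fingerprinting label. Note that these reads are also what a legitimate installer such as Fraps performs to check its environment, so the tally is a triage signal to weigh against the rest of the report, not a verdict on its own.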
Modifies registry class 4 IoCs
Processes: fraps.exe, fraps.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.avi | fraps.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{3E264436-F54B-4E06-91E2-5B40A583BFB5} | fraps.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.avi | fraps.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{3E264436-F54B-4E06-91E2-5B40A583BFB5} | fraps.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: rbxfpsunlocker.exe
pid | process
2600 | rbxfpsunlocker.exe (64 identical events)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: rbxfpsunlocker.exe, fraps.exe
pid | process
2600 | rbxfpsunlocker.exe
2452 | fraps.exe
Suspicious use of SendNotifyMessage 2 IoCs
Processes: rbxfpsunlocker.exe, fraps.exe
pid | process
2600 | rbxfpsunlocker.exe
2452 | fraps.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: fraps.exe
pid | process
2452 | fraps.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes: SploitXE.exe, setup.exe
description | pid | process | target process
PID 2264 wrote to memory of 2600 | 2264 | SploitXE.exe | rbxfpsunlocker.exe (4 events)
PID 2264 wrote to memory of 1584 | 2264 | SploitXE.exe | setup.exe (7 events)
PID 1584 wrote to memory of 3048 | 1584 | setup.exe | fraps.exe (4 events)
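Every WriteProcessMemory target in this signature is also a direct child of the writing process, which is what process creation looks like to a sandbox: CreateProcess writes the new child's process parameters into its address space before the child runs, so a parent that launches children always generates these events. The write that matters for injection is one into a process the writer did not spawn. The script below is an added example, not code from the sandbox or from the sample; it rebuilds the launch tree from event lines constructed from the rows above, then applies that assumed rule to separate launch artifacts from cross-process writes. The parent-PID map is taken from the process tree section of this report, and the single "injection" event is constructed for the demonstration and does not appear in the report.

```python
"""Separate process-creation writes from cross-process writes in sandbox events.

Added example for this report, not sandbox or sample code. The rule "a write
into a process the writer did not spawn is suspicious" is an assumption for
triage, not a sandbox signature.
"""
import re
from collections import Counter, defaultdict

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<src_name>\S+) (?P<dst_name>\S+)$"
)


def parse_writes(lines):
    """Return ({(src_pid, dst_pid): count}, {pid: image name}) from event lines."""
    writes, names = Counter(), {}
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not WriteProcessMemory events
        src, dst = int(m["src"]), int(m["dst"])
        writes[(src, dst)] += 1
        names[src] = m["src_name"]
        names[dst] = m["dst_name"]
    return writes, names


def flag_cross_process_writes(writes, parent_of):
    """Edges whose target was not spawned by the writer (assumed triage rule)."""
    return sorted((src, dst, n) for (src, dst), n in writes.items() if parent_of.get(dst) != src)


def render_tree(writes, names):
    """Render writer -> target edges as an indented tree, one line per process."""
    children = defaultdict(list)
    for src, dst in writes:
        children[src].append(dst)
    written_to = {dst for _, dst in writes}
    roots = sorted({src for src, _ in writes if src not in written_to})
    out = []

    def walk(pid, depth):
        out.append(f"{'  ' * depth}{names[pid]} (PID {pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return out


# Constructed from the rows in this signature: 4 + 7 + 4 = 15 events.
SAMPLE_WRITES = (
    ["PID 2264 wrote to memory of 2600 2264 SploitXE.exe rbxfpsunlocker.exe"] * 4
    + ["PID 2264 wrote to memory of 1584 2264 SploitXE.exe setup.exe"] * 7
    + ["PID 1584 wrote to memory of 3048 1584 setup.exe fraps.exe"] * 4
)
# Parent PIDs from the process tree section of this report.
PARENT_OF = {2600: 2264, 1584: 2264, 3048: 1584}
# Constructed control event, NOT in the report: rbxfpsunlocker.exe writing into
# setup.exe, a process it did not create. This is the shape real injection takes.
SYNTHETIC_INJECTION = "PID 2600 wrote to memory of 1584 2600 rbxfpsunlocker.exe setup.exe"

if __name__ == "__main__":
    writes, names = parse_writes(SAMPLE_WRITES)
    print("\n".join(render_tree(writes, names)))
    print("cross-process writes (report events):", flag_cross_process_writes(writes, PARENT_OF))
    writes2, _ = parse_writes(SAMPLE_WRITES + [SYNTHETIC_INJECTION])
    print("cross-process writes (with synthetic event):", flag_cross_process_writes(writes2, PARENT_OF))
```

On the report's own events the rule flags nothing, which is consistent with the tree in the Processes section: SploitXE.exe launches rbxfpsunlocker.exe and setup.exe, and setup.exe launches fraps.exe. The repeat counts (4, 7, 4) are per-launch bookkeeping writes, not a signal of how much was injected.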
Processes
-
SploitXE.exe  PID 2264  (depth 1)
  image: C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe"
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  rbxfpsunlocker.exe  PID 2600  (depth 2, child of 2264)
    image: C:\Users\Admin\AppData\Local\Temp\SploitXE Release\rbxfpsunlocker.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SploitXE Release\rbxfpsunlocker.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  setup.exe  PID 1584  (depth 2, child of 2264)
    image: C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe"
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    fraps.exe  PID 3048  (depth 3, child of 1584)
      image: C:\Fraps\fraps.exe
      command line: "C:\Fraps\fraps.exe" /exit
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
fraps.exe  PID 2452  (depth 1, separate tree)
  image: C:\Fraps\fraps.exe
  command line: "C:\Fraps\fraps.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
fraps.exe  PID 3028  (depth 1, separate tree)
  image: C:\Fraps\fraps.exe
  command line: "C:\Fraps\fraps.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 170KB
MD5: 895c32a4eefd648d62e92201e4954cd2
SHA1: 5d7753f95ab95176da45473eaa0d7de29ca02973
SHA256: 1376f53554c5977a627a7e749dd147cd10e7735ef4b860fd69b7ae31a7b15e74
SHA512: 76823f00376aff72b7ddf7fad259a43cdc5feec5486e3d79f6d63758f7325059d8e83dc10beb9447254501fe606b9f17fa6ed4d54f98a59dd4571453ff58fb35
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 2.5MB
MD5: 0ff5b5161a78bf5721811779376db71d
SHA1: 35308429117b514237d34bd8015bfe4efa8e7d55
SHA256: da7f61f2b04266a2ae897a0b001e721f1920cb579d5e08a8e5930a79c5d2fb80
SHA512: d701440fa49f287a9631c8fb98cef5ea89b4f135901519d3ff3c45d0a7b8c464901514078bcf5ea8d2ffd23dbc7e30816ec0beaf06a531af045fdd1f5aec0204
-
Filesize: 263KB
MD5: 6328007efe11f2ad0a50f122367ce743
SHA1: 3f48580a32d0c5cd2551dcbcbce885c9337ce044
SHA256: e800f37cb2efa8ba13a25278cdd578dae4a2c86d23d4247349673160b0301e4f
SHA512: 67d38b4dadecf020d1dc1e567327b5c0ebb72391448956e3e5a99943b6552851a94236d407da47c70abeed841898d2681382d78c522a40f28f22bbb654f7a8ec
-
Filesize: 6KB
MD5: 13cc92f90a299f5b2b2f795d0d2e47dc
SHA1: aa69ead8520876d232c6ed96021a4825e79f542f
SHA256: eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb
SHA512: ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3
-
Filesize: 7KB
MD5: a4173b381625f9f12aadb4e1cdaefdb8
SHA1: cf1680c2bc970d5675adbf5e89292a97e6724713
SHA256: 7755ff2707ca19344d489a5acec02d9e310425fa6e100d2f13025761676b875b
SHA512: fcac79d42862da6bdd3ecad9d887a975cdff2301a8322f321be58f754a26b27077b452faa4751bbd09cd3371b4afce65255fbbb443e2c93dd2cba0ba652f4a82
-
Filesize: 11KB
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f