Malware Analysis Report

2024-11-15 06:26

Sample ID 240618-tqez9averr
Target SploitXE_Release.rar
SHA256 347d4a35a5c99443dc26be1d36b93c308817808cc775ca15b1760243f0979d14
Tags
agenttesla evasion keylogger spyware stealer trojan discovery
score
10/10

Analysis Overview

score
10/10

SHA256

347d4a35a5c99443dc26be1d36b93c308817808cc775ca15b1760243f0979d14

Threat Level: Known bad

The file SploitXE_Release.rar was found to be: Known bad.

Malicious Activity Summary

agenttesla evasion keylogger spyware stealer trojan discovery

AgentTesla

AgentTesla payload

Agenttesla family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Identifies Wine through registry keys

Loads dropped DLL

Executes dropped EXE

Checks BIOS information in registry

Drops desktop.ini file(s)

Drops file in System32 directory

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Modifies registry class

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 16:15

Signatures

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Agenttesla family

agenttesla

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 16:15

Reported

2024-06-18 16:18

Platform

win7-20231129-en

Max time kernel

148s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Fraps\fraps.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Fraps\fraps.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Fraps\fraps.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Fraps\fraps.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine C:\Fraps\fraps.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\frapsv64.dll C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe N/A
File created C:\Windows\SysWOW64\frapsvid.dll C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.avi C:\Fraps\fraps.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{3E264436-F54B-4E06-91E2-5B40A583BFB5} C:\Fraps\fraps.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SploitXE Release\rbxfpsunlocker.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SploitXE Release\rbxfpsunlocker.exe N/A
N/A N/A C:\Fraps\fraps.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SploitXE Release\rbxfpsunlocker.exe N/A
N/A N/A C:\Fraps\fraps.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Fraps\fraps.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2264 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe C:\Users\Admin\AppData\Local\Temp\SploitXE Release\rbxfpsunlocker.exe
PID 2264 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe
PID 1584 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe C:\Fraps\fraps.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe

"C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe"

C:\Users\Admin\AppData\Local\Temp\SploitXE Release\rbxfpsunlocker.exe

"C:\Users\Admin\AppData\Local\Temp\SploitXE Release\rbxfpsunlocker.exe"

C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe

"C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe"

C:\Fraps\fraps.exe

"C:\Fraps\fraps.exe" /exit

C:\Fraps\fraps.exe

"C:\Fraps\fraps.exe"

C:\Fraps\fraps.exe

"C:\Fraps\fraps.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 www.microsoft.com udp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 16:15

Reported

2024-06-18 16:18

Platform

win10v2004-20240508-en

Max time kernel

114s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe

"C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe"

Network

Files

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-18 16:15

Reported

2024-06-18 16:18

Platform

win7-20240220-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe

"C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsoF20.tmp\AdvSplash.dll

MD5 13cc92f90a299f5b2b2f795d0d2e47dc
SHA1 aa69ead8520876d232c6ed96021a4825e79f542f
SHA256 eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb
SHA512 ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-18 16:15

Reported

2024-06-18 16:18

Platform

win10v2004-20240508-en

Max time kernel

96s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Fraps\fraps.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Fraps\fraps.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Fraps\fraps.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine C:\Fraps\fraps.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini C:\Windows\system32\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\frapsvid.dll C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe N/A
File created C:\Windows\system32\frapsv64.dll C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe N/A

Checks installed software on the system

discovery

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Fraps\fraps.exe N/A
N/A N/A C:\Fraps\fraps64.dat N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\Extensions\.avi C:\Fraps\fraps.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{3E264436-F54B-4E06-91E2-5B40A583BFB5} C:\Fraps\fraps.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.avi C:\Fraps\fraps.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{3E264436-F54B-4E06-91E2-5B40A583BFB5} C:\Fraps\fraps.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{C71814BA-7287-45A7-84E2-64E1664CAB3D} C:\Windows\system32\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Fraps\fraps.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Fraps\fraps.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Fraps\fraps.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Fraps\fraps.exe N/A
N/A N/A C:\Fraps\fraps64.dat N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1180 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe C:\Fraps\fraps.exe
PID 3264 wrote to memory of 1016 N/A C:\Fraps\fraps.exe C:\Fraps\fraps64.dat

Processes

C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe

"C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe"

C:\Fraps\fraps.exe

"C:\Fraps\fraps.exe" /exit

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService

C:\Fraps\fraps.exe

"C:\Fraps\fraps.exe"

C:\Fraps\fraps64.dat

"C:\Fraps\fraps64.dat"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files
