Edit tour
Windows
Analysis Report
Statement of Account PDF.bat.exe
Overview
General Information
Detection
AgentTesla, PureLog Stealer
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- Statement of Account PDF.bat.exe (PID: 6984 cmdline:
"C:\Users\ user\Deskt op\Stateme nt of Acco unt PDF.ba t.exe" MD5: 8DB4915BA4E6BB27CB249554A18A9F4C) - powershell.exe (PID: 7156 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" Add-MpPref erence -Ex clusionPat h "C:\User s\user\Des ktop\State ment of Ac count PDF. bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - conhost.exe (PID: 3864 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 3120 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" Add-MpPref erence -Ex clusionPat h "C:\User s\user\App Data\Roami ng\gDdsxau Phk.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - conhost.exe (PID: 2996 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WmiPrvSE.exe (PID: 7532 cmdline:
C:\Windows \system32\ wbem\wmipr vse.exe -s ecured -Em bedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51) - schtasks.exe (PID: 7080 cmdline:
"C:\Window s\System32 \schtasks. exe" /Crea te /TN "Up dates\gDds xauPhk" /X ML "C:\Use rs\user\Ap pData\Loca l\Temp\tmp 690.tmp" MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 6736 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - Statement of Account PDF.bat.exe (PID: 7252 cmdline:
"C:\Users\ user\Deskt op\Stateme nt of Acco unt PDF.ba t.exe" MD5: 8DB4915BA4E6BB27CB249554A18A9F4C)
- gDdsxauPhk.exe (PID: 7440 cmdline:
C:\Users\u ser\AppDat a\Roaming\ gDdsxauPhk .exe MD5: 8DB4915BA4E6BB27CB249554A18A9F4C) - schtasks.exe (PID: 7668 cmdline:
"C:\Window s\System32 \schtasks. exe" /Crea te /TN "Up dates\gDds xauPhk" /X ML "C:\Use rs\user\Ap pData\Loca l\Temp\tmp 216B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 7676 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - gDdsxauPhk.exe (PID: 7712 cmdline:
"C:\Users\ user\AppDa ta\Roaming \gDdsxauPh k.exe" MD5: 8DB4915BA4E6BB27CB249554A18A9F4C) - gDdsxauPhk.exe (PID: 7720 cmdline:
"C:\Users\ user\AppDa ta\Roaming \gDdsxauPh k.exe" MD5: 8DB4915BA4E6BB27CB249554A18A9F4C) - WerFault.exe (PID: 7796 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 7 440 -s 181 6 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- BjTxJte.exe (PID: 8032 cmdline:
"C:\Users\ user\AppDa ta\Roaming \BjTxJte\B jTxJte.exe " MD5: 8DB4915BA4E6BB27CB249554A18A9F4C) - schtasks.exe (PID: 7096 cmdline:
"C:\Window s\System32 \schtasks. exe" /Crea te /TN "Up dates\gDds xauPhk" /X ML "C:\Use rs\user\Ap pData\Loca l\Temp\tmp 44D2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 7052 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - BjTxJte.exe (PID: 7220 cmdline:
"C:\Users\ user\AppDa ta\Roaming \BjTxJte\B jTxJte.exe " MD5: 8DB4915BA4E6BB27CB249554A18A9F4C) - WerFault.exe (PID: 7192 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 8 032 -s 182 8 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- BjTxJte.exe (PID: 7400 cmdline:
"C:\Users\ user\AppDa ta\Roaming \BjTxJte\B jTxJte.exe " MD5: 8DB4915BA4E6BB27CB249554A18A9F4C) - schtasks.exe (PID: 7708 cmdline:
"C:\Window s\System32 \schtasks. exe" /Crea te /TN "Up dates\gDds xauPhk" /X ML "C:\Use rs\user\Ap pData\Loca l\Temp\tmp 6598.tmp" MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 7688 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - BjTxJte.exe (PID: 7752 cmdline:
"C:\Users\ user\AppDa ta\Roaming \BjTxJte\B jTxJte.exe " MD5: 8DB4915BA4E6BB27CB249554A18A9F4C) - WerFault.exe (PID: 7936 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 7 400 -s 178 8 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. |
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.fascia-arch.com", "Username": "brian@fascia-arch.com", "Password": "HERbertstown1987"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
Click to see the 35 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
Click to see the 38 entries |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: frack113: |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
Persistence and Installation Behavior |
---|
Source: | Author: Joe Security: |
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: |
Source: | TCP traffic: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | DNS query: | ||
Source: | DNS query: | ||
Source: | DNS query: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: |