Analysis Report Statement of Account.exe

Overview

General Information

Sample Name: Statement of Account.exe
Analysis ID: 339079
MD5: 8d7144cdca415dbdf39548d460a8866b
SHA1: 7a37f9f0728708811235437d69fb74579548f758
SHA256: fa769a960a22d4ce289da152e5535fa6f9e610d8796aeb907bacf3157c1270b5
Tags: AgentTeslaexe

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

barindex
Found malware configuration
Source: MSBuild.exe.5456.3.memstr Malware Configuration Extractor: Agenttesla {"Username: ": "yJr2pyY5i7vE9", "URL: ": "http://cV9LNZgDQeR7CK6z.org", "To: ": "sales2@chestronic.com", "ByHost: ": "mail.chestronic.com:587", "Password: ": "d4aqvGyl40aQf", "From: ": "sales2@chestronic.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\eRwRffX.exe ReversingLabs: Detection: 11%
Multi AV Scanner detection for submitted file
Source: Statement of Account.exe Virustotal: Detection: 25% Perma Link
Source: Statement of Account.exe ReversingLabs: Detection: 11%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\eRwRffX.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Statement of Account.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.MSBuild.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

barindex
Uses 32bit PE files
Source: Statement of Account.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Statement of Account.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_05BCD3B8
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_05BCD3A8

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://cV9LNZgDQeR7CK6z.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49749 -> 23.254.244.17:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 23.254.244.17 23.254.244.17
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HOSTWINDSUS HOSTWINDSUS
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49749 -> 23.254.244.17:587
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 84.53.167.113
Source: unknown TCP traffic detected without corresponding DNS query: 2.17.179.193
Source: unknown TCP traffic detected without corresponding DNS query: 84.53.167.113
Source: unknown TCP traffic detected without corresponding DNS query: 2.17.179.193
Source: unknown TCP traffic detected without corresponding DNS query: 2.17.179.193
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.129.2
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 186.64.119.165
Source: unknown TCP traffic detected without corresponding DNS query: 186.64.119.165
Source: unknown TCP traffic detected without corresponding DNS query: 186.64.119.165
Source: unknown DNS traffic detected: queries for: mail.chestronic.com
Source: MSBuild.exe, 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: MSBuild.exe, 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: MSBuild.exe, 00000003.00000002.578383711.0000000003691000.00000004.00000001.sdmp, MSBuild.exe, 00000003.00000002.575713024.000000000343C000.00000004.00000001.sdmp, MSBuild.exe, 00000003.00000002.578974533.00000000036FC000.00000004.00000001.sdmp, MSBuild.exe, 00000003.00000002.579011179.0000000003701000.00000004.00000001.sdmp String found in binary or memory: http://cV9LNZgDQeR7CK6z.org
Source: MSBuild.exe, 00000003.00000002.578692738.00000000036D2000.00000004.00000001.sdmp String found in binary or memory: http://chestronic.com
Source: MSBuild.exe, 00000003.00000002.578757614.00000000036D8000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: MSBuild.exe, 00000003.00000002.588294433.0000000006600000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: MSBuild.exe, 00000003.00000003.450505714.000000000661F000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: MSBuild.exe, 00000003.00000002.578757614.00000000036D8000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: MSBuild.exe, 00000003.00000002.578692738.00000000036D2000.00000004.00000001.sdmp String found in binary or memory: http://mail.chestronic.com
Source: MSBuild.exe, 00000003.00000003.450505714.000000000661F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: Statement of Account.exe, 00000000.00000002.227700296.0000000002B01000.00000004.00000001.sdmp, MSBuild.exe, 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MSBuild.exe, 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmp String found in binary or memory: http://sjSmfS.com
Source: MSBuild.exe, 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org
Source: MSBuild.exe, 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org/
Source: MSBuild.exe, 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: Statement of Account.exe, 00000000.00000002.230197757.0000000003B5F000.00000004.00000001.sdmp, MSBuild.exe, 00000003.00000002.570956453.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: MSBuild.exe, 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: MSBuild.exe, 00000003.00000002.578757614.00000000036D8000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: Statement of Account.exe, 00000000.00000002.230197757.0000000003B5F000.00000004.00000001.sdmp, MSBuild.exe, 00000003.00000002.570956453.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: MSBuild.exe, 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713

System Summary:

barindex
.NET source code contains very large array initializations
Source: 3.2.MSBuild.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b813AF9DBu002dC4A7u002d4B2Fu002d98F6u002d3508F744762Bu007d/u0037328D8C2u002d20A6u002d4200u002dB595u002d1EBAC5029632.cs Large array initialization: .cctor: array initializer size 11993
Detected potential crypto function
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_005E9013 0_2_005E9013
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_05BCDD78 0_2_05BCDD78
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_05BC0D80 0_2_05BC0D80
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_05BC2D1A 0_2_05BC2D1A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_05BC0D73 0_2_05BC0D73
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_05BC71D0 0_2_05BC71D0
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_05BC0B28 0_2_05BC0B28
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_05BC0B18 0_2_05BC0B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_018A2D50 3_2_018A2D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_018A1FE0 3_2_018A1FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_018A2618 3_2_018A2618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_018ABC90 3_2_018ABC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_018AB6B2 3_2_018AB6B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_018B4DE0 3_2_018B4DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_018B8148 3_2_018B8148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_018B1CA8 3_2_018B1CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_018B0040 3_2_018B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_018BAF10 3_2_018BAF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_018B62B8 3_2_018B62B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_018B2228 3_2_018B2228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_018B5984 3_2_018B5984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_018B15A0 3_2_018B15A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_018B30E8 3_2_018B30E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_018B0006 3_2_018B0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_018B4470 3_2_018B4470
Sample file is different than original file name gathered from version info
Source: Statement of Account.exe Binary or memory string: OriginalFilename vs Statement of Account.exe
Source: Statement of Account.exe, 00000000.00000002.230197757.0000000003B5F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePositiveSign.dll< vs Statement of Account.exe
Source: Statement of Account.exe, 00000000.00000002.230197757.0000000003B5F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWknSFDcbckSWaOKzgGLUFEXl.exe4 vs Statement of Account.exe
Source: Statement of Account.exe, 00000000.00000002.231640208.0000000005080000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Statement of Account.exe
Source: Statement of Account.exe, 00000000.00000002.232246201.0000000006330000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Statement of Account.exe
Source: Statement of Account.exe, 00000000.00000002.232246201.0000000006330000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Statement of Account.exe
Source: Statement of Account.exe, 00000000.00000002.232115938.0000000006230000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Statement of Account.exe
Source: Statement of Account.exe, 00000000.00000002.226939426.00000000005E2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSessionInfo.exe@ vs Statement of Account.exe
Source: Statement of Account.exe, 00000000.00000002.227700296.0000000002B01000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSoapName.dll2 vs Statement of Account.exe
Source: Statement of Account.exe Binary or memory string: OriginalFilenameSessionInfo.exe@ vs Statement of Account.exe
Uses 32bit PE files
Source: Statement of Account.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 3.2.MSBuild.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.MSBuild.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/5@4/1
Source: C:\Users\user\Desktop\Statement of Account.exe File created: C:\Users\user\AppData\Roaming\eRwRffX.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4272:120:WilError_01
Source: C:\Users\user\Desktop\Statement of Account.exe Mutant created: \Sessions\1\BaseNamedObjects\txcGGIvvQlUaQhzxlSOZtTiNWGi
Source: C:\Users\user\Desktop\Statement of Account.exe File created: C:\Users\user\AppData\Local\Temp\tmpBACF.tmp Jump to behavior
Source: Statement of Account.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Statement of Account.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Statement of Account.exe Virustotal: Detection: 25%
Source: Statement of Account.exe ReversingLabs: Detection: 11%
Source: C:\Users\user\Desktop\Statement of Account.exe File read: C:\Users\user\Desktop\Statement of Account.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Statement of Account.exe 'C:\Users\user\Desktop\Statement of Account.exe'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eRwRffX' /XML 'C:\Users\user\AppData\Local\Temp\tmpBACF.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Statement of Account.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eRwRffX' /XML 'C:\Users\user\AppData\Local\Temp\tmpBACF.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Statement of Account.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Statement of Account.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: Statement of Account.exe, LoaderInformation.cs .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: eRwRffX.exe.0.dr, LoaderInformation.cs .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Statement of Account.exe.5e0000.0.unpack, LoaderInformation.cs .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Statement of Account.exe.5e0000.0.unpack, LoaderInformation.cs .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_018A7E3F push edi; retn 0000h 3_2_018A7E41
Source: initial sample Static PE information: section name: .text entropy: 7.28753546565
Source: initial sample Static PE information: section name: .text entropy: 7.28753546565

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\Statement of Account.exe File created: C:\Users\user\AppData\Roaming\eRwRffX.exe Jump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eRwRffX' /XML 'C:\Users\user\AppData\Local\Temp\tmpBACF.tmp'

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM_3
Source: Yara match File source: 00000000.00000002.227700296.0000000002B01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Statement of Account.exe PID: 3980, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Statement of Account.exe, 00000000.00000002.227700296.0000000002B01000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: Statement of Account.exe, 00000000.00000002.227700296.0000000002B01000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\Statement of Account.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Statement of Account.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 6578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 3280 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Statement of Account.exe TID: 5704 Thread sleep time: -53656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe TID: 5500 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe TID: 1968 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4112 Thread sleep time: -11068046444225724s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5364 Thread sleep count: 6578 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5364 Thread sleep count: 3280 > 30 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: Statement of Account.exe, 00000000.00000002.227700296.0000000002B01000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: MSBuild.exe, 00000003.00000002.588194103.0000000006510000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Statement of Account.exe, 00000000.00000002.227700296.0000000002B01000.00000004.00000001.sdmp Binary or memory string: vmware
Source: MSBuild.exe, 00000003.00000002.588194103.0000000006510000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: MSBuild.exe, 00000003.00000002.588194103.0000000006510000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Statement of Account.exe, 00000000.00000002.227700296.0000000002B01000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: MSBuild.exe, 00000003.00000003.424749334.0000000006619000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Statement of Account.exe, 00000000.00000002.227700296.0000000002B01000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: MSBuild.exe, 00000003.00000002.588194103.0000000006510000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\Statement of Account.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Statement of Account.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Statement of Account.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 438000 Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43A000 Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 137E008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Statement of Account.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eRwRffX' /XML 'C:\Users\user\AppData\Local\Temp\tmpBACF.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: MSBuild.exe, 00000003.00000002.574382068.0000000001D60000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: MSBuild.exe, 00000003.00000002.574382068.0000000001D60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000003.00000002.574382068.0000000001D60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: MSBuild.exe, 00000003.00000002.574382068.0000000001D60000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Users\user\Desktop\Statement of Account.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.230197757.0000000003B5F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.570956453.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5456, type: MEMORY
Source: Yara match File source: Process Memory Space: Statement of Account.exe PID: 3980, type: MEMORY
Source: Yara match File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5456, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.230197757.0000000003B5F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.570956453.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5456, type: MEMORY
Source: Yara match File source: Process Memory Space: Statement of Account.exe PID: 3980, type: MEMORY
Source: Yara match File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 339079 Sample: Statement of Account.exe Startdate: 13/01/2021 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Multi AV Scanner detection for dropped file 2->33 35 Sigma detected: Scheduled temp file as task from temp location 2->35 37 11 other signatures 2->37 7 Statement of Account.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\Roaming\eRwRffX.exe, PE32 7->19 dropped 21 C:\Users\user\...\eRwRffX.exe:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmpBACF.tmp, XML 7->23 dropped 25 C:\Users\...\Statement of Account.exe.log, ASCII 7->25 dropped 39 Writes to foreign memory regions 7->39 41 Injects a PE file into a foreign processes 7->41 11 MSBuild.exe 15 6 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 27 chestronic.com 23.254.244.17, 49749, 49750, 587 HOSTWINDSUS United States 11->27 29 mail.chestronic.com 11->29 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->43 45 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->45 47 Tries to steal Mail credentials (via file access) 11->47 49 3 other signatures 11->49 17 conhost.exe 15->17         started        signatures8 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
23.254.244.17
unknown United States
54290 HOSTWINDSUS true

Contacted Domains

Name IP Active
chestronic.com 23.254.244.17 true
mail.chestronic.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://cV9LNZgDQeR7CK6z.org true
  • Avira URL Cloud: safe
unknown