Loading ...

Play interactive tourEdit tour

Analysis Report Statement of Account.exe

Overview

General Information

Sample Name:Statement of Account.exe
Analysis ID:339079
MD5:8d7144cdca415dbdf39548d460a8866b
SHA1:7a37f9f0728708811235437d69fb74579548f758
SHA256:fa769a960a22d4ce289da152e5535fa6f9e610d8796aeb907bacf3157c1270b5
Tags:AgentTeslaexe

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Statement of Account.exe (PID: 3980 cmdline: 'C:\Users\user\Desktop\Statement of Account.exe' MD5: 8D7144CDCA415DBDF39548D460A8866B)
    • schtasks.exe (PID: 4640 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eRwRffX' /XML 'C:\Users\user\AppData\Local\Temp\tmpBACF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MSBuild.exe (PID: 5456 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "yJr2pyY5i7vE9", "URL: ": "http://cV9LNZgDQeR7CK6z.org", "To: ": "sales2@chestronic.com", "ByHost: ": "mail.chestronic.com:587", "Password: ": "d4aqvGyl40aQf", "From: ": "sales2@chestronic.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.230197757.0000000003B5F000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000003.00000002.570956453.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000000.00000002.227700296.0000000002B01000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
            Click to see the 4 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            3.2.MSBuild.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

              Sigma Overview

              System Summary:

              barindex
              Sigma detected: MSBuild connects to smtp portShow sources
              Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 23.254.244.17, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 5456, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49749
              Sigma detected: Scheduled temp file as task from temp locationShow sources
              Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eRwRffX' /XML 'C:\Users\user\AppData\Local\Temp\tmpBACF.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eRwRffX' /XML 'C:\Users\user\AppData\Local\Temp\tmpBACF.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Statement of Account.exe' , ParentImage: C:\Users\user\Desktop\Statement of Account.exe, ParentProcessId: 3980, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eRwRffX' /XML 'C:\Users\user\AppData\Local\Temp\tmpBACF.tmp', ProcessId: 4640

              Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Found malware configurationShow sources
              Source: MSBuild.exe.5456.3.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "yJr2pyY5i7vE9", "URL: ": "http://cV9LNZgDQeR7CK6z.org", "To: ": "sales2@chestronic.com", "ByHost: ": "mail.chestronic.com:587", "Password: ": "d4aqvGyl40aQf", "From: ": "sales2@chestronic.com"}
              Multi AV Scanner detection for dropped fileShow sources
              Source: C:\Users\user\AppData\Roaming\eRwRffX.exeReversingLabs: Detection: 11%
              Multi AV Scanner detection for submitted fileShow sources
              Source: Statement of Account.exeVirustotal: Detection: 25%Perma Link
              Source: Statement of Account.exeReversingLabs: Detection: 11%
              Machine Learning detection for dropped fileShow sources
              Source: C:\Users\user\AppData\Roaming\eRwRffX.exeJoe Sandbox ML: detected
              Machine Learning detection for sampleShow sources
              Source: Statement of Account.exeJoe Sandbox ML: detected
              Source: 3.2.MSBuild.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
              Source: Statement of Account.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Source: Statement of Account.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: C:\Users\user\Desktop\Statement of Account.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_05BCD3B8
              Source: C:\Users\user\Desktop\Statement of Account.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_05BCD3A8

              Networking:

              barindex
              C2 URLs / IPs found in malware configurationShow sources
              Source: Malware configuration extractorURLs: http://cV9LNZgDQeR7CK6z.org
              Source: global trafficTCP traffic: 192.168.2.3:49749 -> 23.254.244.17:587
              Source: Joe Sandbox ViewIP Address: 23.254.244.17 23.254.244.17
              Source: Joe Sandbox ViewASN Name: HOSTWINDSUS HOSTWINDSUS
              Source: global trafficTCP traffic: 192.168.2.3:49749 -> 23.254.244.17:587
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
              Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
              Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
              Source: unknownTCP traffic detected without corresponding DNS query: 84.53.167.113
              Source: unknownTCP traffic detected without corresponding DNS query: 2.17.179.193
              Source: unknownTCP traffic detected without corresponding DNS query: 84.53.167.113
              Source: unknownTCP traffic detected without corresponding DNS query: 2.17.179.193
              Source: unknownTCP traffic detected without corresponding DNS query: 2.17.179.193
              Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
              Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
              Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
              Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
              Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 20.190.129.2
              Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
              Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
              Source: unknownTCP traffic detected without corresponding DNS query: 186.64.119.165
              Source: unknownTCP traffic detected without corresponding DNS query: 186.64.119.165
              Source: unknownTCP traffic detected without corresponding DNS query: 186.64.119.165
              Source: unknownDNS traffic detected: queries for: mail.chestronic.com
              Source: MSBuild.exe, 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
              Source: MSBuild.exe, 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
              Source: MSBuild.exe, 00000003.00000002.578383711.0000000003691000.00000004.00000001.sdmp, MSBuild.exe, 00000003.00000002.575713024.000000000343C000.00000004.00000001.sdmp, MSBuild.exe, 00000003.00000002.578974533.00000000036FC000.00000004.00000001.sdmp, MSBuild.exe, 00000003.00000002.579011179.0000000003701000.00000004.00000001.sdmpString found in binary or memory: http://cV9LNZgDQeR7CK6z.org
              Source: MSBuild.exe, 00000003.00000002.578692738.00000000036D2000.00000004.00000001.sdmpString found in binary or memory: http://chestronic.com
              Source: MSBuild.exe, 00000003.00000002.578757614.00000000036D8000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: MSBuild.exe, 00000003.00000002.588294433.0000000006600000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: MSBuild.exe, 00000003.00000003.450505714.000000000661F000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
              Source: MSBuild.exe, 00000003.00000002.578757614.00000000036D8000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
              Source: MSBuild.exe, 00000003.00000002.578692738.00000000036D2000.00000004.00000001.sdmpString found in binary or memory: http://mail.chestronic.com
              Source: MSBuild.exe, 00000003.00000003.450505714.000000000661F000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: Statement of Account.exe, 00000000.00000002.227700296.0000000002B01000.00000004.00000001.sdmp, MSBuild.exe, 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: MSBuild.exe, 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmpString found in binary or memory: http://sjSmfS.com
              Source: MSBuild.exe, 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org
              Source: MSBuild.exe, 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org/
              Source: MSBuild.exe, 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.orgGETMozilla/5.0
              Source: Statement of Account.exe, 00000000.00000002.230197757.0000000003B5F000.00000004.00000001.sdmp, MSBuild.exe, 00000003.00000002.570956453.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot%telegramapi%/
              Source: MSBuild.exe, 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
              Source: MSBuild.exe, 00000003.00000002.578757614.00000000036D8000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
              Source: Statement of Account.exe, 00000000.00000002.230197757.0000000003B5F000.00000004.00000001.sdmp, MSBuild.exe, 00000003.00000002.570956453.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
              Source: MSBuild.exe, 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
              Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49698 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49688
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49698
              Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49685
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49693
              Source: unknownNetwork traffic detected: HTTP traffic on port 49696 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49693 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49688 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713

              System Summary:

              barindex
              .NET source code contains very large array initializationsShow sources
              Source: 3.2.MSBuild.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b813AF9DBu002dC4A7u002d4B2Fu002d98F6u002d3508F744762Bu007d/u0037328D8C2u002d20A6u002d4200u002dB595u002d1EBAC5029632.csLarge array initialization: .cctor: array initializer size 11993
              Source: C:\Users\user\Desktop\Statement of Account.exeCode function: 0_2_005E90130_2_005E9013
              Source: C:\Users\user\Desktop\Statement of Account.exeCode function: 0_2_05BCDD780_2_05BCDD78
              Source: C:\Users\user\Desktop\Statement of Account.exeCode function: 0_2_05BC0D800_2_05BC0D80
              Source: C:\Users\user\Desktop\Statement of Account.exeCode function: 0_2_05BC2D1A0_2_05BC2D1A
              Source: C:\Users\user\Desktop\Statement of Account.exeCode function: 0_2_05BC0D730_2_05BC0D73
              Source: C:\Users\user\Desktop\Statement of Account.exeCode function: 0_2_05BC71D00_2_05BC71D0
              Source: C:\Users\user\Desktop\Statement of Account.exeCode function: 0_2_05BC0B280_2_05BC0B28
              Source: C:\Users\user\Desktop\Statement of Account.exeCode function: 0_2_05BC0B180_2_05BC0B18
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_018A2D503_2_018A2D50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_018A1FE03_2_018A1FE0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_018A26183_2_018A2618
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_018ABC903_2_018ABC90
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_018AB6B23_2_018AB6B2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_018B4DE03_2_018B4DE0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_018B81483_2_018B8148
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_018B1CA83_2_018B1CA8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_018B00403_2_018B0040
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_018BAF103_2_018BAF10
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_018B62B83_2_018B62B8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_018B22283_2_018B2228
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_018B59843_2_018B5984
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_018B15A03_2_018B15A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_018B30E83_2_018B30E8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_018B00063_2_018B0006
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_018B44703_2_018B4470
              Source: Statement of Account.exeBinary or memory string: OriginalFilename vs Statement of Account.exe
              Source: Statement of Account.exe, 00000000.00000002.230197757.0000000003B5F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePositiveSign.dll< vs Statement of Account.exe
              Source: Statement of Account.exe, 00000000.00000002.230197757.0000000003B5F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWknSFDcbckSWaOKzgGLUFEXl.exe4 vs Statement of Account.exe
              Source: Statement of Account.exe, 00000000.00000002.231640208.0000000005080000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Statement of Account.exe
              Source: Statement of Account.exe, 00000000.00000002.232246201.0000000006330000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Statement of Account.exe
              Source: Statement of Account.exe, 00000000.00000002.232246201.0000000006330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Statement of Account.exe
              Source: Statement of Account.exe, 00000000.00000002.232115938.0000000006230000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Statement of Account.exe
              Source: Statement of Account.exe, 00000000.00000002.226939426.00000000005E2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSessionInfo.exe@ vs Statement of Account.exe
              Source: Statement of Account.exe, 00000000.00000002.227700296.0000000002B01000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSoapName.dll2 vs Statement of Account.exe
              Source: Statement of Account.exeBinary or memory string: OriginalFilenameSessionInfo.exe@ vs Statement of Account.exe
              Source: Statement of Account.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Source: 3.2.MSBuild.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 3.2.MSBuild.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/5@4/1
              Source: C:\Users\user\Desktop\Statement of Account.exeFile created: C:\Users\user\AppData\Roaming\eRwRffX.exeJump to behavior
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4272:120:WilError_01
              Source: C:\Users\user\Desktop\Statement of Account.exeMutant created: \Sessions\1\BaseNamedObjects\txcGGIvvQlUaQhzxlSOZtTiNWGi
              Source: C:\Users\user\Desktop\Statement of Account.exeFile created: C:\Users\user\AppData\Local\Temp\tmpBACF.tmpJump to behavior
              Source: Statement of Account.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\Statement of Account.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\Statement of Account.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: Statement of Account.exeVirustotal: Detection: 25%
              Source: Statement of Account.exeReversingLabs: Detection: 11%
              Source: C:\Users\user\Desktop\Statement of Account.exeFile read: C:\Users\user\Desktop\Statement of Account.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\Statement of Account.exe 'C:\Users\user\Desktop\Statement of Account.exe'
              Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eRwRffX' /XML 'C:\Users\user\AppData\Local\Temp\tmpBACF.tmp'
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eRwRffX' /XML 'C:\Users\user\AppData\Local\Temp\tmpBACF.tmp'Jump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: Statement of Account.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: Statement of Account.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

              Data Obfuscation:

              barindex
              .NET source code contains potential unpackerShow sources
              Source: Statement of Account.exe, LoaderInformation.cs.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: eRwRffX.exe.0.dr, LoaderInformation.cs.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.0.Statement of Account.exe.5e0000.0.unpack, LoaderInformation.cs.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.Statement of Account.exe.5e0000.0.unpack, LoaderInformation.cs.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_018A7E3F push edi; retn 0000h3_2_018A7E41
              Source: initial sampleStatic PE information: section name: .text entropy: 7.28753546565
              Source: initial sampleStatic PE information: section name: .text entropy: 7.28753546565
              Source: C:\Users\user\Desktop\Statement of Account.exeFile created: C:\Users\user\AppData\Roaming\eRwRffX.exeJump to dropped file

              Boot Survival:

              barindex
              Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
              Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eRwRffX' /XML 'C:\Users\user\AppData\Local\Temp\tmpBACF.tmp'
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              barindex
              Yara detected AntiVM_3Show sources
              Source: Yara matchFile source: 00000000.00000002.227700296.0000000002B01000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: Statement of Account.exe PID: 3980, type: MEMORY
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
              Source: Statement of Account.exe, 00000000.00000002.227700296.0000000002B01000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
              Source: Statement of Account.exe, 00000000.00000002.227700296.0000000002B01000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
              Source: C:\Users\user\Desktop\Statement of Account.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 6578Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 3280Jump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exe TID: 5704Thread sleep time: -53656s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exe TID: 5500Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exe TID: 1968Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4112Thread sleep time: -11068046444225724s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5364Thread sleep count: 6578 > 30Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5364Thread sleep count: 3280 > 30Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: Statement of Account.exe, 00000000.00000002.227700296.0000000002B01000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: MSBuild.exe, 00000003.00000002.588194103.0000000006510000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: Statement of Account.exe, 00000000.00000002.227700296.0000000002B01000.00000004.00000001.sdmpBinary or memory string: vmware
              Source: MSBuild.exe, 00000003.00000002.588194103.0000000006510000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: MSBuild.exe, 00000003.00000002.588194103.0000000006510000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: Statement of Account.exe, 00000000.00000002.227700296.0000000002B01000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
              Source: MSBuild.exe, 00000003.00000003.424749334.0000000006619000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: Statement of Account.exe, 00000000.00000002.227700296.0000000002B01000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
              Source: MSBuild.exe, 00000003.00000002.588194103.0000000006510000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion:

              barindex
              Injects a PE file into a foreign processesShow sources
              Source: C:\Users\user\Desktop\Statement of Account.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5AJump to behavior
              Writes to foreign memory regionsShow sources
              Source: C:\Users\user\Desktop\Statement of Account.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000Jump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000Jump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 438000Jump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43A000Jump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 137E008Jump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eRwRffX' /XML 'C:\Users\user\AppData\Local\Temp\tmpBACF.tmp'Jump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeJump to behavior
              Source: MSBuild.exe, 00000003.00000002.574382068.0000000001D60000.00000002.00000001.sdmpBinary or memory string: Program Manager
              Source: MSBuild.exe, 00000003.00000002.574382068.0000000001D60000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
              Source: MSBuild.exe, 00000003.00000002.574382068.0000000001D60000.00000002.00000001.sdmpBinary or memory string: Progman
              Source: MSBuild.exe, 00000003.00000002.574382068.0000000001D60000.00000002.00000001.sdmpBinary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Users\user\Desktop\Statement of Account.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Statement of Account.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information:

              barindex
              Yara detected AgentTeslaShow sources
              Source: Yara matchFile source: 00000000.00000002.230197757.0000000003B5F000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.570956453.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 5456, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: Statement of Account.exe PID: 3980, type: MEMORY
              Source: Yara matchFile source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
              Tries to harvest and steal browser information (history, passwords, etc)Show sources
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Tries to harvest and steal ftp login credentialsShow sources
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
              Tries to steal Mail credentials (via file access)Show sources
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: Yara matchFile source: 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 5456, type: MEMORY

              Remote Access Functionality:

              barindex
              Yara detected AgentTeslaShow sources
              Source: Yara matchFile source: 00000000.00000002.230197757.0000000003B5F000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.575561117.0000000003401000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.570956453.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 5456, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: Statement of Account.exe PID: 3980, type: MEMORY
              Source: Yara matchFile source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

              Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
              Valid AccountsWindows Management Instrumentation211Scheduled Task/Job1Process Injection212Disable or Modify Tools1OS Credential Dumping2File and Directory Discovery1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
              Default AccountsScheduled Task/Job1Boot or Logon Initialization ScriptsScheduled Task/Job1Deobfuscate/Decode Files or Information1Credentials in Registry1System Information Discovery114Remote Desktop ProtocolData from Local System2Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
              Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information3Security Account ManagerQuery Registry1SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
              Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Software Packing12NTDSSecurity Software Discovery321Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol112SIM Card SwapCarrier Billing Fraud
              Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptMasquerading1LSA SecretsVirtualization/Sandbox Evasion14SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
              Replication Through Removable MediaLaunchdRc.commonRc.commonVirtualization/Sandbox Evasion14Cached Domain CredentialsProcess Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
              External Remote ServicesScheduled TaskStartup ItemsStartup ItemsProcess Injection212DCSyncApplication Window Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
              Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemRemote System Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info