Analysis
-
max time kernel
20s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
10-06-2024 01:54
Static task
static1
Behavioral task
behavioral1
Sample
STATEMENT OF ACCOUNT.exe
Resource
win7-20240215-en
General
-
Target
STATEMENT OF ACCOUNT.exe
-
Size
693KB
-
MD5
c63d59194d1f0735dacda6ae00f46420
-
SHA1
1132adb51c8f80ce6b453c7d8c4399af579d5175
-
SHA256
ce6cf51607a2fd0b3aa61c066d0adf7d659418c4cd78ef8824a46f89e639867b
-
SHA512
ccae4b5d7bb389872bc162e6c2d00f280b2537db53c2dd1fe7f55142552dc792bba1bfbef21182ba4355e3f2b473447d70e654403b385b55c7496111ac4178b7
-
SSDEEP
12288:hTo2iNStcYl0SNGZSUKnBnn0kk9HSkqHcSxk9qNk2Q4PaUOvYbnjcueIGujE11/h:hTo1McNoGZS5CbHS9Hcz9qN3QIOQbnjO
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.springandsummer.lk - Port:
587 - Username:
[email protected] - Password:
anu##323 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4. 5 IoCs
Processes:
resource yara_rule behavioral1/memory/2532-29-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_EXE_Packed_GEN01 behavioral1/memory/2532-31-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_EXE_Packed_GEN01 behavioral1/memory/2532-25-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_EXE_Packed_GEN01 behavioral1/memory/2532-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_EXE_Packed_GEN01 behavioral1/memory/2532-23-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_EXE_Packed_GEN01 -
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs
Processes:
resource yara_rule behavioral1/memory/2532-29-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers behavioral1/memory/2532-31-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers behavioral1/memory/2532-25-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers behavioral1/memory/2532-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers behavioral1/memory/2532-23-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers -
Detects executables referencing Windows vault credential objects. Observed in infostealers 5 IoCs
Processes:
resource yara_rule behavioral1/memory/2532-29-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID behavioral1/memory/2532-31-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID behavioral1/memory/2532-25-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID behavioral1/memory/2532-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID behavioral1/memory/2532-23-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID -
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 5 IoCs
Processes:
resource yara_rule behavioral1/memory/2532-29-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store behavioral1/memory/2532-31-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store behavioral1/memory/2532-25-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store behavioral1/memory/2532-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store behavioral1/memory/2532-23-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store -
Detects executables referencing many email and collaboration clients. Observed in information stealers 5 IoCs
Processes:
resource yara_rule behavioral1/memory/2532-29-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients behavioral1/memory/2532-31-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients behavioral1/memory/2532-25-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients behavioral1/memory/2532-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients behavioral1/memory/2532-23-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients -
Detects executables referencing many file transfer clients. Observed in information stealers 5 IoCs
Processes:
resource yara_rule behavioral1/memory/2532-29-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients behavioral1/memory/2532-31-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients behavioral1/memory/2532-25-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients behavioral1/memory/2532-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients behavioral1/memory/2532-23-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepid Process 2548 powershell.exe 2712 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
STATEMENT OF ACCOUNT.exepid Process 2916 STATEMENT OF ACCOUNT.exe 2916 STATEMENT OF ACCOUNT.exe 2916 STATEMENT OF ACCOUNT.exe 2916 STATEMENT OF ACCOUNT.exe 2916 STATEMENT OF ACCOUNT.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
STATEMENT OF ACCOUNT.exedescription pid Process Token: SeDebugPrivilege 2916 STATEMENT OF ACCOUNT.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
STATEMENT OF ACCOUNT.exedescription pid Process procid_target PID 2916 wrote to memory of 2548 2916 STATEMENT OF ACCOUNT.exe 28 PID 2916 wrote to memory of 2548 2916 STATEMENT OF ACCOUNT.exe 28 PID 2916 wrote to memory of 2548 2916 STATEMENT OF ACCOUNT.exe 28 PID 2916 wrote to memory of 2548 2916 STATEMENT OF ACCOUNT.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"2⤵
- Command and Scripting Interpreter: PowerShell
PID:2548
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IyoNJg.exe"2⤵
- Command and Scripting Interpreter: PowerShell
PID:2712
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IyoNJg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6845.tmp"2⤵
- Creates scheduled task(s)
PID:2872
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵PID:3008
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵PID:2532
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD52bec82bce75aadb2fc03713a77a42a68
SHA129e8122620faead94697f6a97a1fe18b52eb959e
SHA256e73c243304d5c2e4a1c18a6be504f89a9e8edeff77f6f6d294e6a668a96420cf
SHA512ef235ac68c0e384b47e343e89c825f54856835de727ee7d0c66a48422229db901917d8adeaf66ea990a1c6944884e11dcee0487066de4a8fc94a2d3668643377
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IX1WC3G6QDD4NQAWJIBJ.temp
Filesize7KB
MD516164c5e765d764910463b162cd6f488
SHA10ab61ce3391d56aeb1a82c78c616430f1f4381cc
SHA25685b0d4212940a0d6f88741623771f33b6072404423c456986f25f78ab094e442
SHA5128c0030f4ffcc4191bec4e2c2dfb99238062e30df42dd1528ec0c5cb1a54445ec2b0fecd7b7dd1ff962db17a15e02dcbf200ec86cb3b32afddd29ea19b748b460