Windows Analysis Report
DHL Page1.exe

Overview

General Information

Sample name: DHL Page1.exe
Analysis ID: 1501086
MD5: e563153089b05a25e30db0a73e196b10
SHA1: fb098be6dc900c18c83b53681cc0fd2c976fe638
SHA256: dbd76943d4c2efa432805b8458e970c2b6c6d76c16ff4d2a7d63df50ad0330af

Detection

GuLoader
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file name differs from the original file name recorded in the version info
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection

Source: DHL Page1.exe Avira: detected
Source: DHL Page1.exe ReversingLabs: Detection: 13%
Source: DHL Page1.exe Virustotal: Detection: 13%
Source: DHL Page1.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: DHL Page1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\DHL Page1.exe Code function: 0_2_00406577 FindFirstFileW,FindClose, 0_2_00406577
Source: C:\Users\user\Desktop\DHL Page1.exe Code function: 0_2_0040287E FindFirstFileW, 0_2_0040287E
Source: C:\Users\user\Desktop\DHL Page1.exe Code function: 0_2_00405A25 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405A25
Source: Joe Sandbox View IP Address: 104.26.12.205
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: api.ipify.org
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49842 -> 104.153.208.178:80
Source: global traffic HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /ViaMYxizkt11.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Host: peraarae.nl
  Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: wab.exe, 00000004.00000002.127076986570.0000000037BA9000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.00000000378E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: .www.linkedin.comTRUE/FALSE13336872580273675bscookie"v=1&202108181112191ce8ca8a-2c8f-4463-8512-6f2d1ae6da93AQFkN2vVMNQ3mpf7d5Ecg6Jz9iVIQMh2" equals www.linkedin.com (Linkedin)
Source: wab.exe, 00000004.00000002.127076986570.00000000378E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: .www.linkedin.comTRUE/FALSE13336872580273675bscookie"v=1&202108181112191ce8ca8a-2c8f-4463-8512-6f2d1ae6da93AQFkN2vVMNQ3mpf7d5Ecg6Jz9iVIQMh2"h equals www.linkedin.com (Linkedin)
Source: wab.exe, 00000004.00000002.127078477032.0000000038789000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: wab.exe, 00000004.00000002.127078477032.0000000038789000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: .www.linkedin.combscookiev10 equals www.linkedin.com (Linkedin)
Source: global traffic DNS traffic detected: DNS query: peraarae.nl
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: smtp.gmail.com
Source: wab.exe, 00000004.00000002.127055355924.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://c.pki.goog/r/r1.crl0
Source: wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://c.pki.goog/wr2/75r4ZyA3vA0.crl0
Source: wab.exe, 00000004.00000002.127080050541.0000000039B80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: wab.exe, 00000004.00000002.127080050541.0000000039B80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127080050541.0000000039BCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: wab.exe, 00000004.00000002.127055355924.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://i.pki.goog/r1.crt0
Source: wab.exe, 00000004.00000002.127055355924.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://i.pki.goog/wr2.crt0
Source: DHL Page1.exe, 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmp, DHL Page1.exe, 00000000.00000000.121985944583.000000000040A000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: wab.exe, 00000004.00000002.127055355924.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://o.pki.goog/wr20%
Source: wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127080050541.0000000039BCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: wab.exe, 00000004.00000002.127066946181.0000000007A40000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://peraarae.nl/ViaMYxizkt11.bin
Source: wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127080050541.0000000039BCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://smtp.gmail.com
Source: wab.exe, 00000004.00000002.127080050541.0000000039B80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: wab.exe, 00000004.00000002.127080050541.0000000039B80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.11.20:49843 version: TLS 1.2
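The network evidence above lines up as a chain: a public-IP lookup at api.ipify.org, then a GET for /ViaMYxizkt11.bin on peraarae.nl with Cache-Control: no-cache, and the two requests carry different Firefox versions in their User-Agent (99.0 and 121.0) although both left 192.168.11.20 within seconds. The following is an added hunting example, not part of the Joe Sandbox report: the tab-separated proxy-log format, its field order and the sample lines are constructed to mirror the report's two requests plus benign noise, and the IP-check hosts other than api.ipify.org are an assumption.

```python
"""Hunt a proxy log for the download chain this report shows.

Added example, not part of the Joe Sandbox report. The tab-separated log
format, its field order and the sample lines are constructed; the IP-check
host list beyond api.ipify.org is an assumption.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# api.ipify.org comes from the report; the other hosts are assumed peers.
IP_CHECK_HOSTS = {"api.ipify.org", "ipinfo.io", "checkip.amazonaws.com", "icanhazip.com"}
# Extensions a stager is fetched under; .bin is what the report shows.
PAYLOAD_EXT = re.compile(r"\.(bin|dat|enc)$", re.IGNORECASE)
UA_VERSION = re.compile(r"(Firefox|Chrome)/\d+")

# Constructed proxy log: time, client, method, host, path, user-agent, cache-control.
# Lines 1-2 mirror the two requests in the report; lines 3-4 are benign noise.
SAMPLE_LOG = """\
2024-08-30T10:00:01\t192.168.11.20\tGET\tapi.ipify.org\t/\tMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0\t-
2024-08-30T10:00:03\t192.168.11.20\tGET\tperaarae.nl\t/ViaMYxizkt11.bin\tMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0\tno-cache
2024-08-30T10:00:05\t192.168.11.31\tGET\twww.example.org\t/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0\t-
2024-08-30T10:00:09\t192.168.11.31\tGET\twww.example.org\t/docs/manual.bin\tMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0\t-
"""


def parse(log: str) -> list[dict]:
    """Split the log into request dicts; malformed lines are skipped, not fatal."""
    rows = []
    for line in log.splitlines():
        parts = line.split("\t")
        if len(parts) != 7:
            continue
        ts, client, method, host, path, ua, cache = parts
        rows.append({"ts": datetime.fromisoformat(ts), "client": client, "method": method,
                     "host": host.lower(), "path": path, "ua": ua, "cache": cache})
    return rows


def analyse(rows: list[dict], window: timedelta = timedelta(minutes=5)) -> dict[str, list[str]]:
    """Return {client: reasons} for clients showing at least two signals within `window`.

    Any one signal alone is weak (plenty of legitimate software asks ipify for the
    public IP); the combination within minutes is what the report shows.
    """
    by_client: dict[str, list[dict]] = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)

    findings: dict[str, list[str]] = {}
    for client, reqs in by_client.items():
        hits: list[tuple[str, dict]] = []  # (reason, request that triggered it)

        ip_checks = [r for r in reqs if r["host"] in IP_CHECK_HOSTS]
        if ip_checks:
            hits.append((f"external IP lookup via {ip_checks[0]['host']}", ip_checks[0]))

        payloads = [r for r in reqs
                    if PAYLOAD_EXT.search(r["path"]) and r["cache"].lower() == "no-cache"]
        if payloads:
            p = payloads[0]
            hits.append((f"no-cache fetch of payload-like path {p['host']}{p['path']}", p))

        # A real browser reports one version; two versions from one host is a tell.
        versions: dict[str, dict] = {}
        for r in reqs:
            m = UA_VERSION.search(r["ua"])
            if m:
                versions.setdefault(m.group(0), r)
        if len(versions) > 1:
            latest = max(versions.values(), key=lambda r: r["ts"])
            hits.append(("inconsistent browser versions in User-Agent: "
                         + ", ".join(sorted(versions)), latest))

        if len(hits) >= 2:
            times = [r["ts"] for _, r in hits]
            if max(times) - min(times) <= window:
                findings[client] = [reason for reason, _ in hits]
    return findings


def hunt(log: str = SAMPLE_LOG) -> dict[str, list[str]]:
    return analyse(parse(log))


if __name__ == "__main__":
    for client, reasons in hunt().items():
        print(client)
        for reason in reasons:
            print("  -", reason)
```

Only 192.168.11.20 is flagged: 192.168.11.31 also downloads a .bin, but without the no-cache header, without an IP lookup and with one consistent browser version, so it never reaches two signals. Tune the window and the extension list to your own traffic before running this against production logs.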
Source: C:\Users\user\Desktop\DHL Page1.exe Code function: 0_2_004054D2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004054D2
Source: C:\Users\user\Desktop\DHL Page1.exe Code function: 0_2_0040346C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040346C
Source: C:\Users\user\Desktop\DHL Page1.exe File created: C:\Windows\resources\0409
Source: C:\Users\user\Desktop\DHL Page1.exe File created: C:\Windows\SysWOW64\Dogmefastes.lnk
Source: C:\Users\user\Desktop\DHL Page1.exe Code function: 0_2_00406A4D 0_2_00406A4D
Source: C:\Users\user\Desktop\DHL Page1.exe Code function: 0_2_00404D0F 0_2_00404D0F
Source: C:\Users\user\Desktop\DHL Page1.exe Code function: 0_2_00407224 0_2_00407224
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_004741C8 4_2_004741C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0047A978 4_2_0047A978
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0047DA30 4_2_0047DA30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_00474A98 4_2_00474A98
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_00473E80 4_2_00473E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0047E750 4_2_0047E750
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_3A565698 4_2_3A565698
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_3A5677D0 4_2_3A5677D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_3A560040 4_2_3A560040
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_3A563C60 4_2_3A563C60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_3A56E140 4_2_3A56E140
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_3A56D1F2 4_2_3A56D1F2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_3A569640 4_2_3A569640
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_3A564022 4_2_3A564022
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_3A560012 4_2_3A560012
Source: DHL Page1.exe Static PE information: invalid certificate
Source: DHL Page1.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: DHL Page1.exe, 00000000.00000000.121986016582.000000000049C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameeksposeets overklipning.exeDVarFileInfo$ vs DHL Page1.exe
Source: classification engine Classification label: mal92.troj.spyw.evad.winEXE@3/12@3/3
Source: C:\Users\user\Desktop\DHL Page1.exe Code function: 0_2_00404793 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404793
Source: C:\Users\user\Desktop\DHL Page1.exe Code function: 0_2_00402104 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk, 0_2_00402104
Source: C:\Users\user\Desktop\DHL Page1.exe File created: C:\Program Files (x86)\eudaemons.ini
Source: C:\Users\user\Desktop\DHL Page1.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides
Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: NULL
Source: C:\Users\user\Desktop\DHL Page1.exe File created: C:\Users\user\AppData\Local\Temp\nsw38A0.tmp
Source: DHL Page1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL Page1.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DHL Page1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DHL Page1.exe File read: C:\Users\user\Desktop\DHL Page1.exe
Source: unknown Process created: C:\Users\user\Desktop\DHL Page1.exe "C:\Users\user\Desktop\DHL Page1.exe"
Source: C:\Users\user\Desktop\DHL Page1.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Users\user\Desktop\DHL Page1.exe"
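The process tree above is the telling part of this report: DHL Page1.exe creates C:\Program Files (x86)\Windows Mail\wab.exe, yet the child's command line is the parent's own path. Read together with the "Creates a process in suspended mode" and "Writes to foreign memory regions" signatures, that is the footprint of a process started suspended and then overwritten with injected code: the command line is fixed at CreateProcess time, while the image that actually got mapped is wab.exe. The following added example (not part of the Joe Sandbox report) checks process-creation records for exactly that mismatch. The event dicts are shaped after Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, ProcessId) but their layout and the sample events are constructed for illustration; only wab.exe as an injection host is supported by the report.

```python
"""Flag a child process whose command line names a different executable than
its image, as DHL Page1.exe -> wab.exe does in this report.

Added example, not part of the Joe Sandbox report. The records below are shaped
like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, ProcessId), but
the dict layout and the sample events are constructed for illustration.
"""
from __future__ import annotations

import ntpath

# Signed Microsoft binaries seen hosting injected code. Only wab.exe is
# supported by this report; extend the set from your own telemetry.
INJECTION_HOSTS = {"wab.exe"}
TRUSTED_PARENT_PREFIXES = ("c:\\windows\\", "c:\\program files")

# Constructed events: ProcessId 4 mirrors the report's tree, 2 and 6 are benign.
SAMPLE_EVENTS = [
    {"ProcessId": 2, "Image": r"C:\Users\user\Desktop\DHL Page1.exe",
     "CommandLine": r'"C:\Users\user\Desktop\DHL Page1.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4, "Image": r"C:\Program Files (x86)\Windows Mail\wab.exe",
     "CommandLine": r'"C:\Users\user\Desktop\DHL Page1.exe"',
     "ParentImage": r"C:\Users\user\Desktop\DHL Page1.exe"},
    {"ProcessId": 6, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad  C:\Users\user\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def first_token(cmdline: str) -> str:
    """Executable named by a Windows command line (quoted or bare first token)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end != -1 else cmdline[1:]
    return cmdline.split(None, 1)[0] if cmdline else ""


def exe_stem(path: str) -> str:
    """Lower-case basename without .exe, so 'notepad' and 'notepad.exe' compare equal."""
    name = ntpath.basename(path).lower()
    return name[:-4] if name.endswith(".exe") else name


def image_mismatch(event: dict) -> bool:
    """True when CommandLine names a different program than the mapped Image."""
    return exe_stem(event["Image"]) != exe_stem(first_token(event["CommandLine"]))


def check_events(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (ProcessId, reasons) for every event that trips at least one check."""
    alerts = []
    for ev in events:
        reasons = []
        if image_mismatch(ev):
            reasons.append(
                f"command line names {ntpath.basename(first_token(ev['CommandLine']))} "
                f"but image is {ntpath.basename(ev['Image'])}")
        if (exe_stem(ev["Image"]) + ".exe" in INJECTION_HOSTS
                and not ev["ParentImage"].lower().startswith(TRUSTED_PARENT_PREFIXES)):
            reasons.append(
                f"{ntpath.basename(ev['Image'])} started by untrusted parent "
                f"{ev['ParentImage']}")
        if reasons:
            alerts.append((ev["ProcessId"], reasons))
    return alerts


if __name__ == "__main__":
    for pid, reasons in check_events(SAMPLE_EVENTS):
        print(f"PID {pid}:")
        for reason in reasons:
            print("  -", reason)
```

The stem comparison matters for the false-positive rate: `notepad C:\notes.txt` with an image of notepad.exe is a normal launch, not a mismatch. Launches through 8.3 short names (PROGRA~1) or app-execution aliases can still trip the first check, so treat a hit as a lead to pull the memory of the child, not as a verdict on its own.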
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: fontext.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: fms.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: msxml3.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasman.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vaultcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Milliluxes.lnk.0.dr LNK file: ..\..\..\Windows\Fonts\vlgerne\construction.Bes231
Source: Dogmefastes.lnk.0.dr LNK file: ..\..\Users\user\AppData\Local\Temp\uddannelsesfiler\Maaneraket.uds
Source: Milliluxes.lnk0.0.dr LNK file: ..\..\..\Windows\Fonts\vlgerne\construction.Bes231
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Data Obfuscation

Source: Yara match File source: 00000000.00000002.123227921774.0000000007E0B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\DHL Page1.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\DHL Page1.exe Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_00470C4F push ebx; retf 4_2_00470C52
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_00470C6D push edi; retf 4_2_00470C7A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_00470CCB push edi; retf 4_2_00470C7A
Source: C:\Users\user\Desktop\DHL Page1.exe File created: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\DHL Page1.exe File created: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\DHL Page1.exe API/Special instruction interceptor: Address: 847E230
Source: C:\Program Files (x86)\Windows Mail\wab.exe API/Special instruction interceptor: Address: 6C8E230
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 470000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 37770000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 37680000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 800
Source: C:\Users\user\Desktop\DHL Page1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\DHL Page1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6224 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6224 Thread sleep time: -100000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3252 Thread sleep count: 800 > 30
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6224 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL Page1.exe Code function: 0_2_00406577 FindFirstFileW,FindClose, 0_2_00406577
Source: C:\Users\user\Desktop\DHL Page1.exe Code function: 0_2_0040287E FindFirstFileW, 0_2_0040287E
Source: C:\Users\user\Desktop\DHL Page1.exe Code function: 0_2_00405A25 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405A25
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 100000
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477
Source: wab.exe, 00000004.00000002.127055355924.000000000271C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: C:\Users\user\Desktop\DHL Page1.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\DHL Page1.exe Code function: 0_2_00401E43 LdrInitializeThunk,ShowWindow,EnableWindow, 0_2_00401E43
Source: C:\Users\user\Desktop\DHL Page1.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\DHL Page1.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3C60000
Source: C:\Users\user\Desktop\DHL Page1.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 47FD28
Source: C:\Users\user\Desktop\DHL Page1.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Users\user\Desktop\DHL Page1.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL Page1.exe Code function: 0_2_00406256 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406256
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 00000004.00000002.127076986570.00000000377C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY