Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report


General Information

Sample Name:DHL SHIPMENT NOTIFICATION 1146789443.bat (renamed file extension from bat to exe)
Analysis ID:626594


AgentTesla, AveMaria, UACMe
Range:0 - 100


Yara detected AgentTesla
Yara detected AntiVM3
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Increases the number of concurrent connection per server for Internet Explorer
Tries to harvest and steal ftp login credentials
Contains functionality to hide user accounts
Modifies the hosts file
Contains functionality to steal e-mail passwords
Contains functionality to steal Chrome passwords or cookies
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Contains functionality to create new users
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
One or more processes crash
Drops certificate files (DER)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Contains functionality to download and execute PE files
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)


  • System is w10x64
  • DHL SHIPMENT NOTIFICATION 1146789443.exe (PID: 7052 cmdline: "C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe" MD5: F883D433FAB3B7AE0C25625E75A03B38)
    • powershell.exe (PID: 6492 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6568 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZWLqFmhrZsaGO" /XML "C:\Users\user\AppData\Local\Temp\tmp8559.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • DHL SHIPMENT NOTIFICATION 1146789443.exe (PID: 5556 cmdline: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe MD5: F883D433FAB3B7AE0C25625E75A03B38)
      • INVESTORORIGIN.exe (PID: 6928 cmdline: "C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe" MD5: 138E534107A536F319734BFD7A23C8A3)
        • WerFault.exe (PID: 6744 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 2356 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • INVESTORORIGN.exe (PID: 6872 cmdline: "C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe" MD5: 68FE2DCF9C615A4A55AAA75A11E1F8F0)
  • cleanup
{"C2 url": "", "port": 1198}
{"Exfil Mode": "SMTP", "Username": "ikesend@exportersglobe.com", "Password": "MnmPsqBteq4_", "Host": "mail.exportersglobe.com"}
C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exeJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exeJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exeMALWARE_Win_AgentTeslaV3AgentTeslaV3 infostealer payloadditekSHen
      • 0x32f79:$s10: logins
      • 0x329e0:$s11: credential
      • 0x2ef98:$g1: get_Clipboard
      • 0x2efa6:$g2: get_Keyboard
      • 0x2efb3:$g3: get_Password
      • 0x302b3:$g4: get_CtrlKeyDown
      • 0x302c3:$g5: get_ShiftKeyDown
      • 0x302d4:$g6: get_AltKeyDown
      C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exeCodoso_Gh0st_2Detects Codoso APT Gh0st MalwareFlorian Roth
      • 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
      C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exeCodoso_Gh0st_1Detects Codoso APT Gh0st MalwareFlorian Roth
      • 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
      • 0x191f0:$c1: Elevation:Administrator!new:
      Click to see the 7 entries
      0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmpJoeSecurity_AveMariaYara detected AveMaria stealerJoe Security
          0000000E.00000000.520367739.0000000000012000.00000002.00000001.01000000.0000000B.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            0000000E.00000000.520367739.0000000000012000.00000002.00000001.01000000.0000000B.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
              0000000F.00000003.530860371.00000000008F6000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security