wab.exe
- File Path:
C:\Program Files\Windows Mail\wab.exe - Description: Windows Contacts
Hashes
| Type | Hash |
|---|---|
| MD5 | 1763CB1756D4DF101F71DBC360C875E1 |
| SHA1 | 18C6BFD2A0A20B1C94546746FB316B0C7C2E39CD |
| SHA256 | B0BDB7AF4B4E1C735791D5874691345D8D8F78149380E970B5F53F75C580FFEB |
| SHA384 | 858B8EF1423D219E5DBCFBBC37E30CA00AB5AC6552B71B92C416023B134CC4A85E112E343051E72E18C11CDCFF6778A7 |
| SHA512 | D0AD93FA8952A40D8708E3CB024606CC5C7B18092F67EFB1B1B1FE736D055C13A24EBFCB2AF6C7353C7459B0AD9710EBBC8E13795B8E2645843C724DF724824C |
| SSDEEP | 12288:r4Tx5KRZ18xtSP+szdcIugOO50MMEMOkP:lmxtSP+sJ+O5FWPP |
| IMP | EBE0CE83B3C5863ACCA11795857482FC |
| PESHA1 | 6D179B8465A7C5F72A568E9261598A959FD889E3 |
| PE256 | 5647B1A3D21649258B0CDEE36D5B9056BAA599BF022C1D5768B26CCAC618D978 |
Runtime Data
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Program Files\Common Files\system\en-US\wab32res.dll.mui | File |
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) C:\Windows\System32\en-US\imageres.dll.mui | File |
| (RW-) C:\Users\user | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567 | File |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \Sessions\2\Windows\Theme2131664586 | Section |
| \Windows\Theme966197582 | Section |
Loaded Modules:
| Path |
|---|
| C:\Program Files\Common Files\System\wab32.dll |
| C:\Program Files\Common Files\System\wab32res.dll |
| C:\Program Files\Windows Mail\wab.exe |
| C:\Windows\System32\ADVAPI32.dll |
| C:\Windows\System32\bcrypt.dll |
| C:\Windows\System32\bcryptPrimitives.dll |
| C:\Windows\System32\cfgmgr32.dll |
| C:\Windows\System32\combase.dll |
| C:\Windows\System32\CRYPT32.dll |
| C:\Windows\SYSTEM32\CRYPTDLG.dll |
| C:\Windows\System32\cryptsp.dll |
| C:\Windows\SYSTEM32\CRYPTUI.dll |
| C:\Windows\system32\dwmapi.dll |
| C:\Windows\System32\GDI32.dll |
| C:\Windows\System32\gdi32full.dll |
| C:\Windows\System32\imagehlp.dll |
| C:\Windows\System32\IMM32.DLL |
| C:\Windows\System32\kernel.appcore.dll |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\System32\MSASN1.dll |
| C:\Windows\System32\MSCTF.dll |
| C:\Windows\SYSTEM32\msftedit.dll |
| C:\Windows\SYSTEM32\MSIMG32.dll |
| C:\Windows\SYSTEM32\MSOERT2.dll |
| C:\Windows\System32\msvcp_win.dll |
| C:\Windows\System32\msvcrt.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\ole32.dll |
| C:\Windows\System32\OLEAUT32.dll |
| C:\Windows\System32\powrprof.dll |
| C:\Windows\System32\profapi.dll |
| C:\Windows\System32\RPCRT4.dll |
| C:\Windows\System32\sechost.dll |
| C:\Windows\System32\shcore.dll |
| C:\Windows\System32\SHELL32.dll |
| C:\Windows\System32\shlwapi.dll |
| C:\Windows\SYSTEM32\SspiCli.dll |
| C:\Windows\System32\ucrtbase.dll |
| C:\Windows\System32\USER32.dll |
| C:\Windows\system32\uxtheme.dll |
| C:\Windows\System32\win32u.dll |
| C:\Windows\System32\windows.storage.dll |
| C:\Windows\SYSTEM32\WININET.dll |
| C:\Windows\System32\WINTRUST.dll |
| C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567\comctl32.dll |
Signature
- Status: Signature verified.
- Serial:
33000001C422B2F79B793DACB20000000001C4 - Thumbprint:
AE9C1AE54763822EEC42474983D8B635116C8452 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: WAB.EXE
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/70
- VirusTotal Link: https://www.virustotal.com/gui/file/b0bdb7af4b4e1c735791d5874691345d8d8f78149380e970b5f53f75c580ffeb/detection/
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Program Files (x86)\Windows Mail\wab.exe | 97 |
Possible Misuse
The following table contains possible examples of wab.exe being misused. While wab.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | registry_event_wab_dllpath_reg_change.yml | title: Execution DLL of Choice Using WAB.EXE |
DRL 1.0 |
| sigma | registry_event_wab_dllpath_reg_change.yml | description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry. |
DRL 1.0 |
| sigma | registry_event_wab_dllpath_reg_change.yml | - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ |
DRL 1.0 |
| LOLBAS | Wab.yml | Name: Wab.exe |
|
| LOLBAS | Wab.yml | - Command: wab.exe |
|
| LOLBAS | Wab.yml | - Path: C:\Program Files\Windows Mail\wab.exe |
|
| LOLBAS | Wab.yml | - Path: C:\Program Files (x86)\Windows Mail\wab.exe |
|
| LOLBAS | Wab.yml | - IOC: WAB.exe should normally never be used |
|
| LOLBAS | Wab.yml | - Link: http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ |
MIT License. Copyright (c) 2020-2021 Strontic.