
Analysis Report PARCEL DETAILS#U00b7pdf.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 226014
Start date: 28.04.2020
Start time: 19:58:45
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 18s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: PARCEL DETAILS#U00b7pdf.exe (the sandbox escapes non-ASCII characters in file names as #Uxxxx; #U00b7 is U+00B7 MIDDLE DOT, so the file was delivered as "PARCEL DETAILS·pdf.exe", an executable whose name is meant to be read as a PDF)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.spyw.evad.winEXE@3/2@610/0
EGA Information:
  • Successful, ratio: 50%
HDC Information:
  • Successful, ratio: 97.9% (good quality ratio 92.9%)
  • Quality average: 73.6%
  • Quality standard deviation: 30.1%
HCA Information:
  • Successful, ratio: 95%
  • Number of executed functions: 7
  • Number of non-executed functions: 5
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 23.210.248.85, 205.185.216.42, 205.185.216.10
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

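The sample name carries a U+00B7 MIDDLE DOT where the victim expects the period before "pdf", so in a file listing it reads as "PARCEL DETAILS·pdf.exe" while Windows treats it as an .exe. The following Python is an added example, not part of this report or of Joe Sandbox: it decodes the report's #Uxxxx escaping (assumed to be "#U" plus four hex digits for one code point) and flags such double-extension lures. The dot-like character list and the two extension lists are assumptions chosen for the example.

```python
import re
import unicodedata

# Joe Sandbox renders a non-ASCII code point in a file name as '#U' + four hex
# digits (assumed from the sample name 'PARCEL DETAILS#U00b7pdf.exe').
_ESCAPE_RE = re.compile(r"#U([0-9A-Fa-f]{4})")

# Characters a reader takes for the '.' in front of an extension (assumed list).
DOT_LIKE = (".", "\u00b7", "\u2024", "\u2027", "\u22c5", "\u30fb", "\uff0e")

# What the lure pretends to be, and what Windows will actually run (assumed lists).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "jpg", "png", "zip"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf", "hta", "msi", "lnk"}


def decode_sandbox_name(name: str) -> str:
    """'PARCEL DETAILS#U00b7pdf.exe' -> 'PARCEL DETAILS\u00b7pdf.exe'."""
    return _ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), name)


def analyze_filename(name: str) -> dict:
    """Decode a sandbox-escaped name and report whether it is a double-extension lure."""
    decoded = decode_sandbox_name(name)
    reasons = []

    # Windows chooses the handler from the text after the LAST real '.'.
    real_ext = decoded.rsplit(".", 1)[1].lower() if "." in decoded else ""
    executable = real_ext in EXECUTABLE_EXTS
    if executable:
        reasons.append(f"real extension .{real_ext} is executable")

    # What the victim sees just before that: a dot-like character plus a document extension.
    stem = decoded[: -(len(real_ext) + 1)] if real_ext else decoded
    lure_ext = lure_sep = None
    for sep in DOT_LIKE:
        idx = stem.rfind(sep)
        if idx != -1 and stem[idx + 1:].lower() in DOCUMENT_EXTS:
            lure_ext, lure_sep = stem[idx + 1:].lower(), unicodedata.name(sep)
            reasons.append(f"displayed extension '{lure_ext}' follows {lure_sep}")
            break

    rlo = "\u202e" in decoded          # RIGHT-TO-LEFT OVERRIDE reverses the visible tail
    if rlo:
        reasons.append("contains RIGHT-TO-LEFT OVERRIDE")

    return {
        "decoded": decoded,
        "real_ext": real_ext,
        "executable": executable,
        "lure_ext": lure_ext,
        "lure_separator": lure_sep,
        "non_ascii": sorted({unicodedata.name(c, "UNKNOWN") for c in decoded if ord(c) > 0x7F}),
        "suspicious": executable and (lure_ext is not None or rlo),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for n in ("PARCEL DETAILS#U00b7pdf.exe", "PARCEL DETAILS.pdf", "photo.jpg.scr"):
        print(n, "->", analyze_filename(n))
```

The check deliberately keys on the real extension first: a name with a middle dot is harmless if the file is a genuine document, and a plain "invoice.pdf.exe" is a lure even with no non-ASCII in it.
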
Detection

Strategy   Score  Range    Whitelisted  Threat   Detection
Threshold  100    0 - 100  false        Lokibot  malicious

Confidence

Strategy   Score  Range  Further Analysis Required?
Threshold  5      0 - 5  false


Classification Spiderchart

Analysis Advice

None of the domains the sample contacted resolve: the only query, for myapplicationsdownload.download, came back NXDOMAIN. The sample is most likely an old build whose command-and-control infrastructure is no longer active, which is why no exfiltration traffic was captured. That limits what this run can show about the C2 protocol; it does not make the local behaviour harmless. The Lokibot payload was still unpacked and executed, and the credential-related registry and file accesses recorded below happen before any network contact.



Mitre Att&ck Matrix

Each tactic column of the original matrix is given below as one line. The bracketed digits are the per-signature hit counts the report shows as superscripts, reproduced as extracted; entries without a count are the matrix's default technique names and had no signature mapped to them.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service
Privilege Escalation: Process Injection [112]; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service
Defense Evasion: Masquerading [1]; Software Packing [2]; Virtualization/Sandbox Evasion [2]; Process Injection [112]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]
Credential Access: Credential Dumping [2]; Credentials in Registry [2]; Input Capture; Credentials in Files; Account Manipulation; Brute Force
Discovery: Virtualization/Sandbox Evasion [2]; Process Discovery [2]; Security Software Discovery [2]; Remote System Discovery [1]; File and Directory Discovery [1]; System Information Discovery [13]
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software
Collection: Email Collection [1]; Man in the Browser [1]; Data from Local System [2]; Input Capture; Data Staged; Screen Capture
Exfiltration: Data Encrypted [1]; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Standard Cryptographic Protocol [1]; Standard Non-Application Layer Protocol [1]; Standard Application Layer Protocol [1]; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

The hits that matter for triage are Masquerading (the file name), Software Packing and Obfuscated Files (aPLib-compressed payload), Process Injection (suspended child of the sample's own image), and the Credential Access, Collection and Discovery entries that come from the Firefox, Outlook and process-list accesses recorded under System Summary.

Signature Overview

AV Detection:

Antivirus detection for sample
Source: PARCEL DETAILS#U00b7pdf.exe | Avira: detection malicious, Label: HEUR/AGEN.1037377
Multi AV Scanner detection for submitted file
Source: PARCEL DETAILS#U00b7pdf.exe | Virustotal: Detection: 71%
Source: PARCEL DETAILS#U00b7pdf.exe | ReversingLabs: Detection: 90%
Machine Learning detection for sample
Source: PARCEL DETAILS#U00b7pdf.exe | Joe Sandbox ML: detected

Networking:

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown | DNS traffic detected: query: myapplicationsdownload.download, reply code: Name error (3)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: myapplicationsdownload.download
Urls found in memory or binary data
Source: PARCEL DETAILS#U00b7pdf.exe, 00000002.00000002.1548868128.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.com/

Reply code 3 is NXDOMAIN: the name does not exist, so no C2 exchange could be observed. The ibsensoftware.com URL is the copyright string of the aPLib compression library (its author's site), which the embedded depacker carries; it matches the "Yara detected aPLib compressed binary" hit under Data Obfuscation and is not a network indicator for this sample.

System Summary:

Malicious sample detected (through community Yara rule)
Both community rules, "detect Lokibot in memory" (JPCERT/CC Incident Response Group) and "Loki Payload" (kevoreilly), matched every one of these sources:
Source: 00000002.00000002.1548868128.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000002.00000001.1174275298.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: 2.1.PARCEL DETAILS#U00b7pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 2.1.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: 2.2.PARCEL DETAILS#U00b7pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 2.2.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack, type: UNPACKEDPE
The matches are on memory dumps and on the PE rebuilt from them, not on the file as submitted: the Lokibot code only exists in clear once the aPLib-compressed payload has been unpacked at 0x400000.
Detected potential crypto function
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: 2_2_0040549C
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: 2_2_004029D4
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: 2_1_0040549C
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: 2_1_004029D4
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: String function: 00404B22 appears 54 times
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: String function: 00412093 appears 40 times
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: String function: 0041219C appears 90 times
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: String function: 00405B6F appears 84 times
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: String function: 00404BEE appears 56 times
PE file contains executable resources (Code or Archives)
Source: PARCEL DETAILS#U00b7pdf.exe | Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: PARCEL DETAILS#U00b7pdf.exe | Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Icon bitmap data has no magic header and is routinely labelled "DOS executable (COM)" by file-type heuristics; on its own this is a weak indicator and should not be read as an embedded second stage.
PE file contains strange resources
Source: PARCEL DETAILS#U00b7pdf.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Searches the installation path of Mozilla Firefox
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Yara signature match
Source: 00000002.00000002.1548868128.0000000000400000.00000040.00000001.sdmp, type: MEMORY; 00000002.00000001.1174275298.0000000000400000.00000040.00020000.sdmp, type: MEMORY; 2.1.PARCEL DETAILS#U00b7pdf.exe.400000.0.raw.unpack, 2.1.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack, 2.2.PARCEL DETAILS#U00b7pdf.exe.400000.0.raw.unpack, 2.2.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: the same six sources | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Classification label
Source: classification engine | Classification label: mal100.spyw.evad.winEXE@3/2@610/0
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: 2_2_0040434D CoInitialize,CoCreateInstance,#8,#2,#8,#8,#2,#8,#6,#6,CoUninitialize
Creates files inside the user directory
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Creates mutexes
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\F7EE0CF1CF93AA2F06F12A09
Lokibot derives this 24-hex-character mutex name from a per-machine value, so it is a host-local indicator; do not expect the same string on other infected hosts.
Parts of this application use Borland Delphi (probably coded in Delphi)
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Reads ini files
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
profiles.ini is how a stealer locates the Firefox profile directory that holds the saved logins, and the install-path lookup above is how it finds Mozilla's NSS library to decrypt them; together these are the browser-credential collection path, not a benign configuration read.
Reads software policies
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
This is the Software Restriction Policies key; many benign processes read it as well, so it carries little weight by itself.
Reads the hosts file
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 6 times)
Sample is known by Antivirus
Source: PARCEL DETAILS#U00b7pdf.exe | Virustotal: Detection: 71%
Source: PARCEL DETAILS#U00b7pdf.exe | ReversingLabs: Detection: 90%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe 'C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe'
Source: unknown | Process created: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe 'C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe'
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Process created: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe 'C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe'
The sample starts a second copy of itself; see the suspended-process and section-mapping signatures under HIPS / PFW / Operating System Protection Evasion for what that child is used for.
Checks if Microsoft Office is installed
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Outlook profiles under this key hold mail account settings, including stored credentials; reading it fits the Credentials in Registry and Email Collection entries in the matrix rather than a plain "is Office installed" check.

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Unpacked PE file: 2.2.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.x:W;
CODE, DATA and BSS are the section names the Delphi compiler emits and belong to the loader identified above; .text/.rdata/.data/.x is a different compiler's layout. Two unrelated section tables at the same image base are exactly what this signature keys on: the image at 0x400000 was replaced in memory with the decompressed payload.
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Unpacked PE file: 2.2.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack
Yara detected aPLib compressed binary
Source: Yara match | File source: 00000002.00000002.1548868128.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.1174275298.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PARCEL DETAILS#U00b7pdf.exe PID: 4604, type: MEMORY
Source: Yara match | File source: 2.1.PARCEL DETAILS#U00b7pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PARCEL DETAILS#U00b7pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack, type: UNPACKEDPE
aPLib is the compression applied to the embedded payload; the same library's depacker is the origin of the http://www.ibsensoftware.com/ string reported under Networking.
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: 2_2_00402AC0 push eax; ret 2_2_00402AD4
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: 2_2_00402AC0 push eax; ret 2_2_00402AFC
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: 2_1_00402AC0 push eax; ret 2_1_00402AD4
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: 2_1_00402AC0 push eax; ret 2_1_00402AFC
A push/ret pair transfers control to a computed address without a call or jmp, which defeats static call-graph recovery; the addresses after "ret" are the locations of the pair inside the function that starts at 0x00402AC0.

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Process information set: NOGPFAULTERRORBOX (reported 120 times)
SEM_NOGPFAULTERRORBOX suppresses the crash dialog, so a fault in the unpacked payload terminates silently instead of alerting the user or leaving a Windows Error Reporting prompt on screen. The high count reflects the sandbox logging every call, not 120 distinct techniques.

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe TID: 3680 | Thread sleep count: 296 > 30
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe TID: 3680 | Thread sleep time: -17760000s >= -30000s
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe TID: 3680 | Thread sleep time: -60000s >= -30000s
The negative values are relative delay intervals as passed to NtDelayExecution, printed with the sandbox's own unit label; the thresholds (30 sleeps, 30000 units) are the signature's.
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Last function: Thread delayed (reported twice)
Together with "Analysis stop reason: Timeout" above this means the run ended while the sample was still waiting, so any stage scheduled after the delay was not observed in this report.
Queries a list of all running processes
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Process information queried: ProcessInformation
A full process enumeration is the primitive behind the Process Discovery and Security Software Discovery entries in the matrix: the list is typically compared against analysis-tool and AV process names.

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Process queried: DebugFlags
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Process queried: DebugObjectHandle
These are the ProcessDebugFlags and ProcessDebugObjectHandle classes of NtQueryInformationProcess; unlike PEB.BeingDebugged they are answered by the kernel, so clearing the PEB flag in a debugger does not hide the debugger from them.
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: 2_2_0040317B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: 2_1_0040317B mov eax, dword ptr fs:[00000030h]
fs:[0x30] is the PEB pointer in the 32-bit TEB. Reading it directly, with no API call, is how the payload reaches PEB.BeingDebugged and walks the loader module list to resolve imports without touching the import table, which also explains the sparse static imports of the unpacked image.
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: 2_2_00402B7C GetProcessHeap,HeapAlloc
A process started under a debugger gets the debug heap flags, which code can inspect after GetProcessHeap; a single GetProcessHeap/HeapAlloc pair is also ordinary allocation, so this is weak evidence on its own.
Enables debug privileges
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Process token adjusted: Debug
SeDebugPrivilege lets the process open handles to other processes regardless of their ACLs, which is what cross-process injection relies on.

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Section loaded: unknown | target: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | protection: execute and read and write (reported 2 times)

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Process created: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe 'C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe'

May try to detect the Windows Explorer process (often used for injection)
Source: PARCEL DETAILS#U00b7pdf.exe, 00000002.00000002.1550062934.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: PARCEL DETAILS#U00b7pdf.exe, 00000002.00000002.1550062934.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: PARCEL DETAILS#U00b7pdf.exe, 00000002.00000002.1550062934.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: PARCEL DETAILS#U00b7pdf.exe, 00000002.00000002.1550062934.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Queries volume information: C:\ VolumeInformation

Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match | File source: 00000002.00000002.1548868128.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.1174275298.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PARCEL DETAILS#U00b7pdf.exe PID: 4604, type: MEMORY
Source: Yara match | File source: 2.1.PARCEL DETAILS#U00b7pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PARCEL DETAILS#U00b7pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\pkcs11.txt
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\cert9.db
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\key4.db

Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts

Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: 2_2_0040D069 PopPassword
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: 2_2_0040D069 SmtpPassword
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: 2_1_0040D069 PopPassword
Source: C:\Users\user\Desktop\PARCEL DETAILS#U00b7pdf.exe | Code function: 2_1_0040D069 SmtpPassword

Malware Configuration

No configs have been found

Behavior Graph

(Behavior graph not reproduced in this copy of the report. Its legend distinguished: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.)

Simulations

Behavior and APIs

Time | Type | Description
19:59:34 | API Interceptor | 302x Sleep call for process: PARCEL DETAILS#U00b7pdf.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
PARCEL DETAILS#U00b7pdf.exe | 71% | Virustotal | (see Virustotal)
PARCEL DETAILS#U00b7pdf.exe | 90% | ReversingLabs | Win32.Trojan.Fareit
PARCEL DETAILS#U00b7pdf.exe | 100% | Avira | HEUR/AGEN.1037377
PARCEL DETAILS#U00b7pdf.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
2.1.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1037377
2.0.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1037377
2.2.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

Source | Detection | Scanner | Label
myapplicationsdownload.download | 4% | Virustotal | (see Virustotal)

URLs

Source | Detection | Scanner | Label
http://www.ibsensoftware.com/ | 3% | Virustotal | (see Virustotal)
http://www.ibsensoftware.com/ | 0% | URL Reputation | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.1548868128.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000002.00000002.1548868128.0000000000400000.00000040.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000002.00000002.1548868128.0000000000400000.00000040.00000001.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x13bff:$des3: 68 03 66 00 00
  • 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000002.00000002.1548868128.0000000000400000.00000040.00000001.sdmp | Loki_1 | Loki Payload | kevoreilly
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version
00000002.00000001.1174275298.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000002.00000001.1174275298.0000000000400000.00000040.00020000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000002.00000001.1174275298.0000000000400000.00000040.00020000.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x13bff:$des3: 68 03 66 00 00
  • 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000002.00000001.1174275298.0000000000400000.00000040.00020000.sdmp | Loki_1 | Loki Payload | kevoreilly
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version
Process Memory Space: PARCEL DETAILS#U00b7pdf.exe PID: 4604 | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
Process Memory Space: PARCEL DETAILS#U00b7pdf.exe PID: 4604 | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security

Unpacked PEs

Source | Rule | Description | Author
2.1.PARCEL DETAILS#U00b7pdf.exe.400000.0.raw.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
2.1.PARCEL DETAILS#U00b7pdf.exe.400000.0.raw.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
2.1.PARCEL DETAILS#U00b7pdf.exe.400000.0.raw.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x13bff:$des3: 68 03 66 00 00
  • 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.1.PARCEL DETAILS#U00b7pdf.exe.400000.0.raw.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version
2.2.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
2.2.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
2.2.PARCEL DETAILS#U00b7pdf.exe.400000.0.raw.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
2.2.PARCEL DETAILS#U00b7pdf.exe.400000.0.raw.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
2.2.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x12fff:$des3: 68 03 66 00 00
  • 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version
2.2.PARCEL DETAILS#U00b7pdf.exe.400000.0.raw.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x13bff:$des3: 68 03 66 00 00
  • 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.PARCEL DETAILS#U00b7pdf.exe.400000.0.raw.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version
2.1.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
2.1.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
2.1.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x12fff:$des3: 68 03 66 00 00
  • 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.1.PARCEL DETAILS#U00b7pdf.exe.400000.0.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots
