Analysis Report DHL SOA.exe

Overview

General Information

Sample Name: DHL SOA.exe
Analysis ID: 289120
MD5: 64b87e9916964542d37ee247c8ebb07d
SHA1: 9a1fbf2e70483196c1a8f3da38fac0307aa1d949
SHA256: bcaf7b4adc919fd5aaae24902b8135e2ad6d13249e9cb784b1532b52e40449b5
Tags: exe

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • DHL SOA.exe (PID: 6784 cmdline: 'C:\Users\user\Desktop\DHL SOA.exe' MD5: 64B87E9916964542D37EE247C8EBB07D)
    • DHL SOA.exe (PID: 6824 cmdline: C:\Users\user\Desktop\DHL SOA.exe MD5: 64B87E9916964542D37EE247C8EBB07D)
      • explorer.exe (PID: 3376 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmmon32.exe (PID: 6988 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
          • cmd.exe (PID: 7132 cmdline: /c del 'C:\Users\user\Desktop\DHL SOA.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.238733953.0000000001660000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.238733953.0000000001660000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b2f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c2fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.238733953.0000000001660000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183d9:$sqlite3step: 68 34 1C 7B E1
  • 0x184ec:$sqlite3step: 68 34 1C 7B E1
  • 0x18408:$sqlite3text: 68 38 2A 90 C5
  • 0x1852d:$sqlite3text: 68 38 2A 90 C5
  • 0x1841b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18543:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.467262366.0000000002C70000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.467262366.0000000002C70000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b2f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c2fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.DHL SOA.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.DHL SOA.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b2f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c2fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.DHL SOA.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183d9:$sqlite3step: 68 34 1C 7B E1
  • 0x184ec:$sqlite3step: 68 34 1C 7B E1
  • 0x18408:$sqlite3text: 68 38 2A 90 C5
  • 0x1852d:$sqlite3text: 68 38 2A 90 C5
  • 0x1841b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18543:$sqlite3blob: 68 53 D8 7F 8C
1.2.DHL SOA.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.DHL SOA.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: DHL SOA.exe | Virustotal: Detection: 30%
Source: DHL SOA.exe | ReversingLabs: Detection: 52%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.238733953.0000000001660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.467262366.0000000002C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.238691588.0000000001510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.466800843.0000000000900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.238374851.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.207051709.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.DHL SOA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DHL SOA.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: DHL SOA.exe | Joe Sandbox ML: detected
Source: 1.2.DHL SOA.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 4x nop then pop esi | 1_2_004172B9
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop esi | 3_2_02C872B9

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49743
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49744
Source: global traffic | HTTP traffic detected: GET /cmg/?9rd8vz3=4MtB3une20sg0tPk7E6W0hhli7UY9570VJkPIZWz/Q7YBsZi01UUKFeD3nWvOFXnEnKB&oZ6=p4sp-V3XHjhxU4I0 HTTP/1.1 | Host: www.dltlogisticsllc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /cmg/?9rd8vz3=vXvbDeDYtlSSUwYfJDDoCH2i/JtaCV1sBw3Ce2BYhrD0+1xe35WkDAIJCrFnBIjvU6Yv&oZ6=p4sp-V3XHjhxU4I0 HTTP/1.1 | Host: www.distillexplorer.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /cmg/?9rd8vz3=xtEFsAMFi6SLqtdIkw8FOoE9UAtwBsY4kMxgIEr8dRFsSG9rRtdwfwTQy3wsfNL5y4Pp&oZ6=p4sp-V3XHjhxU4I0 HTTP/1.1 | Host: www.shipu278.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /cmg/?9rd8vz3=AF/SH1uB22vOzH4q8KqgP7YDT9FGs+UKXf9e84FemZ8lUfl9TSCtnyz52yeAHwJJVKAv&oZ6=p4sp-V3XHjhxU4I0 HTTP/1.1 | Host: www.numou.international | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 157.230.103.136
Source: Joe Sandbox View | IP Address: 216.239.32.21
Source: Joe Sandbox View | IP Address: 216.239.32.21
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: global traffic | HTTP traffic detected: GET /cmg/?9rd8vz3=4MtB3une20sg0tPk7E6W0hhli7UY9570VJkPIZWz/Q7YBsZi01UUKFeD3nWvOFXnEnKB&oZ6=p4sp-V3XHjhxU4I0 HTTP/1.1 | Host: www.dltlogisticsllc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /cmg/?9rd8vz3=vXvbDeDYtlSSUwYfJDDoCH2i/JtaCV1sBw3Ce2BYhrD0+1xe35WkDAIJCrFnBIjvU6Yv&oZ6=p4sp-V3XHjhxU4I0 HTTP/1.1 | Host: www.distillexplorer.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /cmg/?9rd8vz3=xtEFsAMFi6SLqtdIkw8FOoE9UAtwBsY4kMxgIEr8dRFsSG9rRtdwfwTQy3wsfNL5y4Pp&oZ6=p4sp-V3XHjhxU4I0 HTTP/1.1 | Host: www.shipu278.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /cmg/?9rd8vz3=AF/SH1uB22vOzH4q8KqgP7YDT9FGs+UKXf9e84FemZ8lUfl9TSCtnyz52yeAHwJJVKAv&oZ6=p4sp-V3XHjhxU4I0 HTTP/1.1 | Host: www.numou.international | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.dltlogisticsllc.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=utf-8 | Cache-Control: no-cache, no-store, max-age=0, must-revalidate | Pragma: no-cache | Expires: Mon, 01 Jan 1990 00:00:00 GMT | Date: Wed, 23 Sep 2020 13:35:25 GMT | P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." | Content-Security-Policy: script-src 'report-sample' 'nonce-48v9mLZIWXBV7TcE0dBsZg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AdsLandingUi/cspreport;worker-src 'self' | Server: ESF | X-XSS-Protection: 0 | X-Content-Type-Options: nosniff | Accept-Ranges: none | Vary: Accept-Encoding | Transfer-Encoding: chunked | Connection: close | Data Raw: 36 36 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 34 38 76 39 6d 4c 5a 49 57 58 42 56 37 54 63 45 30 64 42 73 5a 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 3b 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 70 72 65 7b 77 68 69 74 65 2d 73 70 61 63 65 3a 70 72 65 2d 77 72 61 70 3b 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e | Data Ascii: 662<!DOCTYPE html><html lang=en><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="48v9mLZIWXBV7TcE0dBsZg">*{margin:0;padding:0}html,code
Source: DHL SOA.exe, 00000000.00000002.206780302.00000000033B1000.00000004.00000001.sdmp | String found in binary or memory: http://aetos.it.teithe.gr/~vpanag/ip.php
Source: DHL SOA.exe, 00000000.00000002.206780302.00000000033B1000.00000004.00000001.sdmp | String found in binary or memory: http://aetos.it.teithe.gr/~vpanag/netbackgammon/update.php?v=
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: DHL SOA.exe, 00000000.00000002.206780302.00000000033B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.224098583.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: DHL SOA.exe, 00000000.00000002.206375067.00000000016BA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.238733953.0000000001660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.467262366.0000000002C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.238691588.0000000001510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.466800843.0000000000900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.238374851.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.207051709.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.DHL SOA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DHL SOA.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.238733953.0000000001660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.238733953.0000000001660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.467262366.0000000002C70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.467262366.0000000002C70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.238691588.0000000001510000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.238691588.0000000001510000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.466800843.0000000000900000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.466800843.0000000000900000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.238374851.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.238374851.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.207051709.00000000043B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.207051709.00000000043B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.DHL SOA.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.DHL SOA.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.DHL SOA.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.DHL SOA.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_00419D30 NtCreateFile,1_2_00419D30
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_00419DE0 NtReadFile,1_2_00419DE0
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_00419E60 NtClose,1_2_00419E60
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_00419F10 NtAllocateVirtualMemory,1_2_00419F10
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_00419CEA NtCreateFile,1_2_00419CEA
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_00419D85 NtCreateFile,1_2_00419D85
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_00419F0A NtAllocateVirtualMemory,1_2_00419F0A
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B699A0 NtCreateSection,LdrInitializeThunk,1_2_01B699A0
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_01B69910
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B698F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_01B698F0
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69860 NtQuerySystemInformation,LdrInitializeThunk,1_2_01B69860
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69840 NtDelayExecution,LdrInitializeThunk,1_2_01B69840
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69A20 NtResumeThread,LdrInitializeThunk,1_2_01B69A20
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_01B69A00
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69A50 NtCreateFile,LdrInitializeThunk,1_2_01B69A50
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B695D0 NtClose,LdrInitializeThunk,1_2_01B695D0
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69540 NtReadFile,LdrInitializeThunk,1_2_01B69540
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B697A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_01B697A0
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69780 NtMapViewOfSection,LdrInitializeThunk,1_2_01B69780
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69710 NtQueryInformationToken,LdrInitializeThunk,1_2_01B69710
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B696E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_01B696E0
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_01B69660
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B699D0 NtCreateProcessEx,1_2_01B699D0
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69950 NtQueueApcThread,1_2_01B69950
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B698A0 NtWriteVirtualMemory,1_2_01B698A0
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69820 NtEnumerateKey,1_2_01B69820
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B6B040 NtSuspendThread,1_2_01B6B040
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B6A3B0 NtGetContextThread,1_2_01B6A3B0
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69B00 NtSetValueKey,1_2_01B69B00
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69A80 NtOpenDirectoryObject,1_2_01B69A80
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69A10 NtQuerySection,1_2_01B69A10
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B695F0 NtQueryInformationFile,1_2_01B695F0
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B6AD30 NtSetContextThread,1_2_01B6AD30
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69520 NtWaitForSingleObject,1_2_01B69520
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69560 NtWriteFile,1_2_01B69560
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69FE0 NtCreateMutant,1_2_01B69FE0
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69730 NtQueryVirtualMemory,1_2_01B69730
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B6A710 NtOpenProcessToken,1_2_01B6A710
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B6A770 NtOpenThread,1_2_01B6A770
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69770 NtSetInformationFile,1_2_01B69770
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69760 NtOpenProcess,1_2_01B69760
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B696D0 NtCreateKey,1_2_01B696D0
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69610 NtEnumerateValueKey,1_2_01B69610
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69670 NtQueryInformationProcess,1_2_01B69670
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B69650 NtQueryValueKey,1_2_01B69650
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99860 NtQuerySystemInformation,LdrInitializeThunk,3_2_04B99860
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99840 NtDelayExecution,LdrInitializeThunk,3_2_04B99840
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B999A0 NtCreateSection,LdrInitializeThunk,3_2_04B999A0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B995D0 NtClose,LdrInitializeThunk,3_2_04B995D0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99910 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_04B99910
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99540 NtReadFile,LdrInitializeThunk,3_2_04B99540
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B996E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_04B996E0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B996D0 NtCreateKey,LdrInitializeThunk,3_2_04B996D0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99660 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_04B99660
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99A50 NtCreateFile,LdrInitializeThunk,3_2_04B99A50
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99650 NtQueryValueKey,LdrInitializeThunk,3_2_04B99650
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99780 NtMapViewOfSection,LdrInitializeThunk,3_2_04B99780
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99FE0 NtCreateMutant,LdrInitializeThunk,3_2_04B99FE0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99710 NtQueryInformationToken,LdrInitializeThunk,3_2_04B99710
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B998A0 NtWriteVirtualMemory,3_2_04B998A0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B998F0 NtReadVirtualMemory,3_2_04B998F0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99820 NtEnumerateKey,3_2_04B99820
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B9B040 NtSuspendThread,3_2_04B9B040
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B995F0 NtQueryInformationFile,3_2_04B995F0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B999D0 NtCreateProcessEx,3_2_04B999D0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B9AD30 NtSetContextThread,3_2_04B9AD30
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99520 NtWaitForSingleObject,3_2_04B99520
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99560 NtWriteFile,3_2_04B99560
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99950 NtQueueApcThread,3_2_04B99950
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99A80 NtOpenDirectoryObject,3_2_04B99A80
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99A20 NtResumeThread,3_2_04B99A20
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99610 NtEnumerateValueKey,3_2_04B99610
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99A10 NtQuerySection,3_2_04B99A10
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99A00 NtProtectVirtualMemory,3_2_04B99A00
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99670 NtQueryInformationProcess,3_2_04B99670
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B9A3B0 NtGetContextThread,3_2_04B9A3B0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B997A0 NtUnmapViewOfSection,3_2_04B997A0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B99730 NtQueryVirtualMemory,3_2_04B99730
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 3_2_04B9A710 NtOpenProcessToken,3_2_04B9A710
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 3_2_04B99B00 NtSetValueKey,3_2_04B99B00
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 3_2_04B99770 NtSetInformationFile,3_2_04B99770
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 3_2_04B9A770 NtOpenThread,3_2_04B9A770
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 3_2_04B99760 NtOpenProcess,3_2_04B99760
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 3_2_02C89E60 NtClose,3_2_02C89E60
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 3_2_02C89F10 NtAllocateVirtualMemory,3_2_02C89F10
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 3_2_02C89DE0 NtReadFile,3_2_02C89DE0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 3_2_02C89D30 NtCreateFile,3_2_02C89D30
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 3_2_02C89F0A NtAllocateVirtualMemory,3_2_02C89F0A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 3_2_02C89CEA NtCreateFile,3_2_02C89CEA
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 3_2_02C89D85 NtCreateFile,3_2_02C89D85
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_031AE008
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_031AF068
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_031AE590
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_031AF308
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_031AD350
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_031AD360
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_031AF2FA
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_031AF05A
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_031A1080
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_031AE7B8
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_031AE7A9
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_031AA698
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_031AA6A8
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_031AE580
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_031A2A68
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_031AD958
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_031AD9A0
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_031ADFCC
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_03232261
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_032304D1
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_0323CC90
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_032310A0
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_03235938
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_032318E9
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_032340C8
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_032340D8
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_03234F51
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_03234C30
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_03234C40
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_032352C1
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_032352D0
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_0323103A
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_032354E1
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_032354F0
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_0627B700
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_0627ADE0
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_062764C8
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_062764D8
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_06275B09
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_06275B18
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_06270006
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_06270040
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_0041E196
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_00409E30
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_0041CF73
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_0041CF76
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B44120
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B2F900
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B520A0
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01BF20A8
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B3B090
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01BF28EC
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01BFE824
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01BE1002
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B5EBB0
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01BEDBD2
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01BF2B28
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01BF22AE
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B52581
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B3D5E0
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01BF25DD
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B20D20
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01BF2D07
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01BF1D55
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B3841F
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01BED466
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01BF1FF1
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01BFDFCE
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01BF2EF7
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B46E30
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01BED616
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B820A0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B6B090
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04C220A8
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B6841F
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04C11002
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B82581
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B6D5E0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B50D20
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04C21D55
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B74120
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B5F900
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04C22D07
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04C22EF7
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04C222AE
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B76E30
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04B8EBB0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04C21FF1
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04C22B28
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_02C8E196
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_02C79E30
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_02C72FB0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_02C8CF76
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_02C72D90
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: String function: 01B2B150 appears 35 times
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 04B5B150 appears 35 times
          Source: DHL SOA.exe, 00000000.00000002.208451165.0000000005D20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs DHL SOA.exe
          Source: DHL SOA.exe, 00000000.00000002.205988537.000000000101A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename1aps.exe< vs DHL SOA.exe
          Source: DHL SOA.exe, 00000000.00000002.206780302.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEminem.dll< vs DHL SOA.exe
          Source: DHL SOA.exe, 00000000.00000002.208868239.0000000006140000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameButterFly.dll< vs DHL SOA.exe
          Source: DHL SOA.exe, 00000000.00000002.206375067.00000000016BA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs DHL SOA.exe
          Source: DHL SOA.exe, 00000001.00000002.238780458.00000000016B9000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMMON32.exe` vs DHL SOA.exe
          Source: DHL SOA.exe, 00000001.00000000.205032791.0000000000FCA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename1aps.exe< vs DHL SOA.exe
          Source: DHL SOA.exe, 00000001.00000002.238938650.0000000001C1F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs DHL SOA.exe
          Source: DHL SOA.exe | Binary or memory string: OriginalFilename1aps.exe< vs DHL SOA.exe
          Source: 00000001.00000002.238733953.0000000001660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.238733953.0000000001660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.467262366.0000000002C70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.467262366.0000000002C70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.238691588.0000000001510000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.238691588.0000000001510000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.466800843.0000000000900000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.466800843.0000000000900000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.238374851.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.238374851.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.207051709.00000000043B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.207051709.00000000043B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.DHL SOA.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.DHL SOA.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.DHL SOA.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.DHL SOA.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: DHL SOA.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@4/3
          Source: C:\Users\user\Desktop\DHL SOA.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL SOA.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_01
          Source: DHL SOA.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\DHL SOA.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\DHL SOA.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: DHL SOA.exe | Virustotal: Detection: 30%
          Source: DHL SOA.exe | ReversingLabs: Detection: 52%
          Source: unknown | Process created: C:\Users\user\Desktop\DHL SOA.exe 'C:\Users\user\Desktop\DHL SOA.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\DHL SOA.exe C:\Users\user\Desktop\DHL SOA.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DHL SOA.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\DHL SOA.exe | Process created: C:\Users\user\Desktop\DHL SOA.exe C:\Users\user\Desktop\DHL SOA.exe
          Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DHL SOA.exe'
          Source: C:\Users\user\Desktop\DHL SOA.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: DHL SOA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: DHL SOA.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cmmon32.pdb source: DHL SOA.exe, 00000001.00000002.238770785.00000000016B0000.00000040.00000001.sdmp
          Source: Binary string: cmmon32.pdbGCTL source: DHL SOA.exe, 00000001.00000002.238770785.00000000016B0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: DHL SOA.exe, 00000001.00000002.238938650.0000000001C1F000.00000040.00000001.sdmp, cmmon32.exe, 00000003.00000002.468513189.0000000004B30000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: DHL SOA.exe, cmmon32.exe
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_032309E9 push ds; retf 0_2_032309F2
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_06274EE1 push es; iretd 0_2_06274EF8
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_06274F21 push es; retf 0_2_06274F38
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_06274F39 push es; retf 0_2_06274F40
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_06274F06 push es; retf 0_2_06274F08
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_06277A34 push 8405F3C3h; ret 0_2_06277A39
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_0627A2CD push es; iretd 0_2_0627A2D0
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 0_2_0627537D push es; ret 0_2_06275384
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_00412A04 push eax; ret 1_2_00412A05
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_00416BA3 push es; iretd 1_2_00416BA4
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_00416C88 push ds; iretd 1_2_00416C8C
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_0041663E push edi; ret 1_2_0041663F
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_0041CED2 push eax; ret 1_2_0041CED8
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_0041CEDB push eax; ret 1_2_0041CF42
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_0041CE85 push eax; ret 1_2_0041CED8
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_0041CF3C push eax; ret 1_2_0041CF42
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_004167B1 push esi; ret 1_2_004167B2
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B7D0D1 push ecx; ret 1_2_01B7D0E4
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_04BAD0D1 push ecx; ret 3_2_04BAD0E4
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_02C82A04 push eax; ret 3_2_02C82A05
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_02C86BA3 push es; iretd 3_2_02C86BA4
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_02C8CEDB push eax; ret 3_2_02C8CF42
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_02C8CED2 push eax; ret 3_2_02C8CED8
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_02C8CE85 push eax; ret 3_2_02C8CED8
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_02C8663E push edi; ret 3_2_02C8663F
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_02C867B1 push esi; ret 3_2_02C867B2
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_02C8CF3C push eax; ret 3_2_02C8CF42
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 3_2_02C86C88 push ds; iretd 3_2_02C86C8C
          Source: initial sample | Static PE information: section name: .text entropy: 7.34374848055

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xEF
          Source: C:\Users\user\Desktop\DHL SOA.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmmon32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match | File source: 00000000.00000002.206780302.00000000033B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.206812852.00000000033E9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: DHL SOA.exe PID: 6784, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: DHL SOA.exe, 00000000.00000002.206780302.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: DHL SOA.exe, 00000000.00000002.206780302.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\DHL SOA.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\DHL SOA.exe | RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exe | RDTSC instruction interceptor: First address: 0000000002C798E4 second address: 0000000002C798EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exe | RDTSC instruction interceptor: First address: 0000000002C79B4E second address: 0000000002C79B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_00409A80 rdtsc
          Source: C:\Users\user\Desktop\DHL SOA.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\DHL SOA.exe TID: 6788 | Thread sleep time: -52403s >= -30000s
          Source: C:\Users\user\Desktop\DHL SOA.exe TID: 6804 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5716 | Thread sleep count: 38 > 30
          Source: C:\Windows\explorer.exe TID: 5716 | Thread sleep time: -76000s >= -30000s
          Source: C:\Windows\SysWOW64\cmmon32.exe TID: 6992 | Thread sleep time: -75000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\explorer.exeLast function: Thread delayed
Source: explorer.exe, 00000002.00000002.478670752.0000000005775000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.219607481.00000000056CA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
Source: DHL SOA.exe, 00000000.00000002.206780302.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.223450781.00000000078D0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.219504390.0000000005644000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: DHL SOA.exe, 00000000.00000002.206780302.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: explorer.exe, 00000002.00000000.219607481.00000000056CA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000000.219504390.0000000005644000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000002.00000000.220714275.0000000006414000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$%
Source: explorer.exe, 00000002.00000000.217916090.00000000043E9000.00000004.00000001.sdmp | Binary or memory string: -98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
Source: explorer.exe, 00000002.00000000.219607481.00000000056CA000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.223450781.00000000078D0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.223450781.00000000078D0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: DHL SOA.exe, 00000000.00000002.206780302.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000002.00000000.219607481.00000000056CA000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: DHL SOA.exe, 00000000.00000002.206780302.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000002.00000000.223450781.00000000078D0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
(Only the DHL SOA.exe hits describe what the sample itself looks for: the SOFTWARE\VMware, Inc.\VMware Tools registry key and its InstallPath value, the "VMware SVGA II" display adapter name and the bare "vmware" substring. The explorer.exe device-path strings are the host's own PnP enumeration of the VMware virtual disk and SATA CD-ROM, and the Hyper-V sentences are Windows message-table resources; they show the analysis VM was VMware, not that the sample queried them.)
Source: C:\Users\user\Desktop\DHL SOA.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DHL SOA.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_00409A80 rdtsc 1_2_00409A80
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_0040ACC0 LdrLoadDll, 1_2_0040ACC0
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01BA51BE mov eax, dword ptr fs:[00000030h] 1_2_01BA51BE (4 reads)
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B561A0 mov eax, dword ptr fs:[00000030h] 1_2_01B561A0 (2 reads)
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01BA69A6 mov eax, dword ptr fs:[00000030h] 1_2_01BA69A6
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B52990 mov eax, dword ptr fs:[00000030h] 1_2_01B52990
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B5A185 mov eax, dword ptr fs:[00000030h] 1_2_01B5A185
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B4C182 mov eax, dword ptr fs:[00000030h] 1_2_01B4C182
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01BB41E8 mov eax, dword ptr fs:[00000030h] 1_2_01BB41E8
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B2B1E1 mov eax, dword ptr fs:[00000030h] 1_2_01B2B1E1 (3 reads)
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B5513A mov eax, dword ptr fs:[00000030h] 1_2_01B5513A (2 reads)
Source: C:\Users\user\Desktop\DHL SOA.exe | Code function: 1_2_01B44120 mov eax, dword ptr fs:[00000030h] 1_2_01B44120 (2 reads)
(The DebugPort query is NtQueryInformationProcess(ProcessDebugPort), which returns a non-zero port while a user-mode debugger is attached. In a 32-bit process fs:[30h] is the TEB field holding the PEB pointer; code that reads it this often is after PEB.BeingDebugged, PEB.NtGlobalFlag or the PEB.Ldr module list, the last being how the payload walks loaded modules to resolve APIs such as LdrLoadDll without an import table. The 0x01Bxxxxx addresses lie outside the DHL SOA.exe image, in the memory where the unpacked payload was staged.)