
Analysis Report DHL FILE 987634732.exe

Overview

General Information

Sample Name: DHL FILE 987634732.exe
Analysis ID: 298712
MD5: e0baf9bdf0dad14ad47cc9925d9dec54
SHA1: f9e779ee047619c7c7e04bd3b093ef1d1e3fb11f
SHA256: 0194b73382942a33d0aa2fcdcb40de137ce6d1b732ad852291dc26c60f291ea8
Tags: DHL, exe, NanoCore, nVpn, RAT

Detection

Nanocore, AveMaria, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected AveMaria stealer
Yara detected MailPassView
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • DHL FILE 987634732.exe (PID: 4080 cmdline: 'C:\Users\user\Desktop\DHL FILE 987634732.exe' MD5: E0BAF9BDF0DAD14AD47CC9925D9DEC54)
    • schtasks.exe (PID: 5416 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lLzXOsDxtfSt' /XML 'C:\Users\user\AppData\Local\Temp\tmpD00E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • DHL FILE 987634732.exe (PID: 1152 cmdline: {path} MD5: E0BAF9BDF0DAD14AD47CC9925D9DEC54)
      • schtasks.exe (PID: 5824 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEB08.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5292 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF49F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vbc.exe (PID: 1760 cmdline: 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\syvqyqfs.2qa' MD5: B3A917344F5610BEEC562556F11300FA)
      • vbc.exe (PID: 5324 cmdline: 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\lrjt1jbm.hzx' MD5: B3A917344F5610BEEC562556F11300FA)
  • DHL FILE 987634732.exe (PID: 5636 cmdline: 'C:\Users\user\Desktop\DHL FILE 987634732.exe' 0 MD5: E0BAF9BDF0DAD14AD47CC9925D9DEC54)
    • schtasks.exe (PID: 7128 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lLzXOsDxtfSt' /XML 'C:\Users\user\AppData\Local\Temp\tmp1F47.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 3576 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: E0BAF9BDF0DAD14AD47CC9925D9DEC54)
    • schtasks.exe (PID: 1332 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lLzXOsDxtfSt' /XML 'C:\Users\user\AppData\Local\Temp\tmp216A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 6628 cmdline: {path} MD5: E0BAF9BDF0DAD14AD47CC9925D9DEC54)
  • dhcpmon.exe (PID: 6300 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: E0BAF9BDF0DAD14AD47CC9925D9DEC54)
    • schtasks.exe (PID: 7056 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lLzXOsDxtfSt' /XML 'C:\Users\user\AppData\Local\Temp\tmp44A2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 7120 cmdline: {path} MD5: E0BAF9BDF0DAD14AD47CC9925D9DEC54)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["79.134.225.105"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.503363135.0000000005B40000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x4bbb:$x1: NanoCore.ClientPluginHost
  • 0x4be5:$x2: IClientNetworkHost
00000003.00000002.503363135.0000000005B40000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x4bbb:$x2: NanoCore.ClientPluginHost
  • 0x6a6b:$s4: PipeCreated
00000019.00000002.335793760.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000019.00000002.335793760.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000019.00000002.335793760.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
(95 matching entries in total; only the first are listed here)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.DHL FILE 987634732.exe.7450000.11.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x2205:$x1: NanoCore.ClientPluginHost
  • 0x223e:$x2: IClientNetworkHost
3.2.DHL FILE 987634732.exe.7450000.11.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x2205:$x2: NanoCore.ClientPluginHost
  • 0x2320:$s4: PipeCreated
  • 0x221f:$s5: IClientLoggingHost
3.2.DHL FILE 987634732.exe.5970000.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
3.2.DHL FILE 987634732.exe.5970000.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
3.2.DHL FILE 987634732.exe.5970000.4.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(67 matching entries in total; only the first are listed here)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\DHL FILE 987634732.exe, ProcessId: 1152, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lLzXOsDxtfSt' /XML 'C:\Users\user\AppData\Local\Temp\tmpD00E.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lLzXOsDxtfSt' /XML 'C:\Users\user\AppData\Local\Temp\tmpD00E.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\DHL FILE 987634732.exe', ParentImage: C:\Users\user\Desktop\DHL FILE 987634732.exe, ParentProcessId: 4080, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lLzXOsDxtfSt' /XML 'C:\Users\user\AppData\Local\Temp\tmpD00E.tmp', ProcessId: 5416

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: DHL FILE 987634732.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\lLzXOsDxtfSt.exe, Avira: detection malicious, Label: TR/Kryptik.fspaa
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Avira: detection malicious, Label: TR/Kryptik.fspaa
Found malware configuration
Source: dhcpmon.exe.7120.22.memstr, Malware Configuration Extractor: NanoCore {"C2: ": ["79.134.225.105"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Roaming\lLzXOsDxtfSt.exe, ReversingLabs: Detection: 25%
Multi AV Scanner detection for submitted file
Source: DHL FILE 987634732.exe, ReversingLabs: Detection: 25%
Yara detected AveMaria stealer
Source: Yara match, File source: Process Memory Space: DHL FILE 987634732.exe PID: 1152, type: MEMORY
Yara detected Nanocore RAT
Source: Yara match, File source: 00000019.00000002.335793760.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.334881109.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000019.00000002.339131011.0000000003DF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000002.361980229.0000000003A39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.255392192.0000000004293000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.337135642.0000000003B49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000002.360785557.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.352306539.0000000003779000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.255182094.0000000004029000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.500884342.0000000004191000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000019.00000002.338674545.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.328763751.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000002.361888593.0000000002A31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.336268137.0000000002B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.502914825.0000000005970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.495671576.0000000003191000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.325945230.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.483108714.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 7120, type: MEMORY
Source: Yara match, File source: Process Memory Space: DHL FILE 987634732.exe PID: 5416, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6628, type: MEMORY
Source: Yara match, File source: Process Memory Space: DHL FILE 987634732.exe PID: 1152, type: MEMORY
Source: Yara match, File source: 3.2.DHL FILE 987634732.exe.5970000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.2.DHL FILE 987634732.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.DHL FILE 987634732.exe.5970000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.DHL FILE 987634732.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 22.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\lLzXOsDxtfSt.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DHL FILE 987634732.exe, Joe Sandbox ML: detected
Source: 30.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 25.2.DHL FILE 987634732.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.DHL FILE 987634732.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 22.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\Desktop\DHL FILE 987634732.exe, Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_06B6B040
Source: C:\Users\user\Desktop\DHL FILE 987634732.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] 3_2_07521F58
Source: C:\Users\user\Desktop\DHL FILE 987634732.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] 3_2_07521F48
Source: C:\Users\user\Desktop\DHL FILE 987634732.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] 3_2_07521FBE

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49734 -> 79.134.225.105:3575
Source: global traffic, TCP traffic: 192.168.2.3:49734 -> 79.134.225.105:3575
Source: Joe Sandbox View, ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
Source: DHL FILE 987634732.exe, 00000003.00000002.501678562.00000000047D7000.00000004.00000001.sdmp, vbc.exe, 0000001D.00000002.344918901.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: DHL FILE 987634732.exe, 00000003.00000002.501678562.00000000047D7000.00000004.00000001.sdmp, vbc.exe, 0000001D.00000002.344918901.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 0000001D.00000003.344390890.00000000052EC000.00000004.00000001.sdmp, String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.facebook.com (Facebook)
Source: vbc.exe, 0000001D.00000003.344390890.00000000052EC000.00000004.00000001.sdmp, String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.yahoo.com (Yahoo)
Source: unknown, DNS traffic detected: queries for: officezafar.hopto.org
Source: DHL FILE 987634732.exe, 00000003.00000002.501678562.00000000047D7000.00000004.00000001.sdmp, String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: DHL FILE 987634732.exe, 00000003.00000002.501305874.000000000447F000.00000004.00000001.sdmp, String found in binary or memory: http://google.com
Source: DHL FILE 987634732.exe, 00000003.00000002.501678562.00000000047D7000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.comodoca.com0
Source: DHL FILE 987634732.exe, 00000000.00000002.247342972.0000000003567000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.323084627.0000000003427000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.343822420.0000000002771000.00000004.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.321320030.0000000002EF9000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 0000001D.00000002.348596154.0000000005001000.00000004.00000020.sdmp, String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, 0000001A.00000002.335266653.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001D.00000002.344918901.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001D.00000002.345624687.00000000008F4000.00000004.00000010.sdmp, lrjt1jbm.hzx.29.dr, syvqyqfs.2qa.26.dr, String found in binary or memory: http://www.nirsoft.net/
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: DHL FILE 987634732.exe, 00000000.00000002.260653381.00000000071E2000.00000004.00000001.sdmp, DHL FILE 987634732.exe, 0000000A.00000002.348950638.0000000005FB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.355649425.00000000056D0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.343357118.0000000005A10000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe, 0000001D.00000002.348596154.0000000005001000.00000004.00000020.sdmp, String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: vbc.exe, 0000001D.00000002.348596154.0000000005001000.00000004.00000020.sdmp, String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM
Source: DHL FILE 987634732.exe, 00000003.00000002.500884342.0000000004191000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected AveMaria stealer
Source: Yara match, File source: Process Memory Space: DHL FILE 987634732.exe PID: 1152, type: MEMORY
Yara detected Nanocore RAT
Source: Yara match, File source: 00000019.00000002.335793760.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.334881109.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000019.00000002.339131011.0000000003DF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000002.361980229.0000000003A39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.255392192.0000000004293000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.337135642.0000000003B49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000002.360785557.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.352306539.0000000003779000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.255182094.0000000004029000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.500884342.0000000004191000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000019.00000002.338674545.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.328763751.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000002.361888593.0000000002A31000.00000004.00000001.sdmp, type: MEMORY