Analysis Report DHL_Shipment_Notification#5436637389_22_FEB.exe

Overview

General Information

Sample Name:	DHL_Shipment_Notification#5436637389_22_FEB.exe
Analysis ID:	355962
MD5:	6660a5670795be34d107d51a5323a6f3
SHA1:	ccfcbc36c22530b58bb6f35707667f658923c9bf
SHA256:	6d44a1e98afe47c5a977fd9977f45d173a28a4cbe76f27e2adc5aa702b7ffc75
Tags:	GuLoader
Most interesting Screenshot:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality to hide a thread from the debugger

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: DHL_Shipment_Notification#5436637389_22_FEB.exe

ReversingLabs: Detection: 14%

Compliance:

Uses 32bit PE files

Source: DHL_Shipment_Notification#5436637389_22_FEB.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic

TCP traffic: 192.168.2.4:49766 -> 165.22.240.4:443

Source: unknown

DNS traffic detected: queries for: waeorat-71.tk

Source: DHL_Shipment_Notification#5436637389_22_FEB.exe	String found in binary or memory: https://cdn.discordapp.com/attachments/805672355845111821/813267825312661544/nWLXPcDe252.bin
Source: DHL_Shipment_Notification#5436637389_22_FEB.exe, 00000011.00000002.1159594852.0000000000560000.00000040.00000001.sdmp	String found in binary or memory: https://waeorat-71.tk/admin/nWLXPcDe252.bin
Source: DHL_Shipment_Notification#5436637389_22_FEB.exe, 00000011.00000002.1159594852.0000000000560000.00000040.00000001.sdmp	String found in binary or memory: https://waeorat-71.tk/admin/nWLXPcDe252.binhttps://cdn.discordapp.com/attachments/805672355845111821

Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443

System Summary:

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_0056719A NtProtectVirtualMemory,	17_2_0056719A
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_00564453 NtSetInformationThread,InternetOpenA,InternetOpenUrlA,Sleep,	17_2_00564453
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_0056059C EnumWindows,NtSetInformationThread,	17_2_0056059C
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_00562016 NtSetInformationThread,	17_2_00562016
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_005610CD NtProtectVirtualMemory,	17_2_005610CD
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_005610FD NtProtectVirtualMemory,	17_2_005610FD
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_005610E9 NtProtectVirtualMemory,	17_2_005610E9
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_005610BD NtProtectVirtualMemory,	17_2_005610BD
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_005610AD NtProtectVirtualMemory,	17_2_005610AD
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_00560246 NtSetInformationThread,	17_2_00560246
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_005655EC NtSetInformationThread,	17_2_005655EC
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_00566645 NtSetInformationThread,	17_2_00566645
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_0056064D NtSetInformationThread,	17_2_0056064D
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_00560607 NtSetInformationThread,	17_2_00560607
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_0056062D NtSetInformationThread,	17_2_0056062D
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_005606D5 NtSetInformationThread,	17_2_005606D5
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_005676CD NtProtectVirtualMemory,	17_2_005676CD
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_005606F5 NtSetInformationThread,	17_2_005606F5
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_00565693 NtSetInformationThread,	17_2_00565693
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_00565745 NtSetInformationThread,	17_2_00565745
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_005657EE NtSetInformationThread,	17_2_005657EE
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_0056397D NtSetInformationThread,	17_2_0056397D
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_00562FED NtSetInformationThread,	17_2_00562FED

PE file contains strange resources

Source: DHL_Shipment_Notification#5436637389_22_FEB.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DHL_Shipment_Notification#5436637389_22_FEB.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DHL_Shipment_Notification#5436637389_22_FEB.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: DHL_Shipment_Notification#5436637389_22_FEB.exe, 00000000.00000000.636727770.0000000000419000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWAB.EXE vs DHL_Shipment_Notification#5436637389_22_FEB.exe
Source: DHL_Shipment_Notification#5436637389_22_FEB.exe, 00000011.00000002.1162732129.000000001DD80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs DHL_Shipment_Notification#5436637389_22_FEB.exe
Source: DHL_Shipment_Notification#5436637389_22_FEB.exe, 00000011.00000000.996681854.0000000000419000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWAB.EXE vs DHL_Shipment_Notification#5436637389_22_FEB.exe
Source: DHL_Shipment_Notification#5436637389_22_FEB.exe	Binary or memory string: OriginalFilenameWAB.EXE vs DHL_Shipment_Notification#5436637389_22_FEB.exe

Uses 32bit PE files

Source: DHL_Shipment_Notification#5436637389_22_FEB.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal84.troj.evad.winEXE@2/0@1/1

Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe

File created: C:\Users\user\AppData\Local\Temp\~DF591F2071FB6AD237.TMP

Jump to behavior

Source: DHL_Shipment_Notification#5436637389_22_FEB.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: DHL_Shipment_Notification#5436637389_22_FEB.exe

ReversingLabs: Detection: 14%

Source: unknown	Process created: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe 'C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe'
Source: unknown	Process created: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe 'C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe'

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: Process Memory Space: DHL_Shipment_Notification#5436637389_22_FEB.exe PID: 2092, type: MEMORY

Yara detected VB6 Downloader Generic

Source: Yara match

File source: Process Memory Space: DHL_Shipment_Notification#5436637389_22_FEB.exe PID: 2092, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_0056500E pushfd ; retf		17_2_00565015
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_005651A6 push ss; iretd		17_2_005651A7

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	RDTSC instruction interceptor: First address: 0000000000500223 second address: 0000000000500223 instructions:
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	RDTSC instruction interceptor: First address: 00000000005003EA second address: 00000000005003EA instructions:
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	RDTSC instruction interceptor: First address: 000000000050646C second address: 000000000050646C instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FCFFCB33B88h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d add edi, edx 0x0000001f dec dword ptr [ebp+000000F8h] 0x00000025 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000002c jne 00007FCFFCB33B43h 0x0000002e jmp 00007FCFFCB33B92h 0x00000030 cmp ch, 0000003Bh 0x00000033 jmp 00007FCFFCB33B92h 0x00000035 cmp ah, ch 0x00000037 call 00007FCFFCB33BDBh 0x0000003c call 00007FCFFCB33B98h 0x00000041 lfence 0x00000044 mov edx, dword ptr [7FFE0014h] 0x0000004a lfence 0x0000004d ret 0x0000004e mov esi, edx 0x00000050 pushad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	RDTSC instruction interceptor: First address: 000000000050325D second address: 000000000050325D instructions:

Tries to detect Any.run

Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: DHL_Shipment_Notification#5436637389_22_FEB.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	RDTSC instruction interceptor: First address: 0000000000500223 second address: 0000000000500223 instructions:
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	RDTSC instruction interceptor: First address: 00000000005003EA second address: 00000000005003EA instructions:
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	RDTSC instruction interceptor: First address: 000000000050646C second address: 000000000050646C instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FCFFCB33B88h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d add edi, edx 0x0000001f dec dword ptr [ebp+000000F8h] 0x00000025 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000002c jne 00007FCFFCB33B43h 0x0000002e jmp 00007FCFFCB33B92h 0x00000030 cmp ch, 0000003Bh 0x00000033 jmp 00007FCFFCB33B92h 0x00000035 cmp ah, ch 0x00000037 call 00007FCFFCB33BDBh 0x0000003c call 00007FCFFCB33B98h 0x00000041 lfence 0x00000044 mov edx, dword ptr [7FFE0014h] 0x0000004a lfence 0x0000004d ret 0x0000004e mov esi, edx 0x00000050 pushad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	RDTSC instruction interceptor: First address: 000000000050648C second address: 000000000050648C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FCFFCB366EDh 0x0000001d popad 0x0000001e call 00007FCFFCB3617Dh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	RDTSC instruction interceptor: First address: 000000000050325D second address: 000000000050325D instructions:
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	RDTSC instruction interceptor: First address: 000000000056648C second address: 000000000056648C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FCFFCB366EDh 0x0000001d popad 0x0000001e call 00007FCFFCB3617Dh 0x00000023 lfence 0x00000026 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe

Code function: 17_2_00564453 rdtsc

17_2_00564453

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe

Last function: Thread delayed

Source: DHL_Shipment_Notification#5436637389_22_FEB.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger

Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe

Code function: 17_2_00564453 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,?,?

17_2_00564453

Hides threads from debuggers

Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe

Thread information set: HideFromDebugger

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe

Process queried: DebugPort

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe

Code function: 17_2_00564453 rdtsc

17_2_00564453

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe

Code function: 17_2_00564229 LdrInitializeThunk,

17_2_00564229

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_00562016 mov eax, dword ptr fs:[00000030h]	17_2_00562016
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_005626D3 mov eax, dword ptr fs:[00000030h]	17_2_005626D3
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_0056268A mov eax, dword ptr fs:[00000030h]	17_2_0056268A
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_0056583A mov eax, dword ptr fs:[00000030h]	17_2_0056583A
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_0056295A mov eax, dword ptr fs:[00000030h]	17_2_0056295A
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_00563958 mov eax, dword ptr fs:[00000030h]	17_2_00563958
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_0056298D mov eax, dword ptr fs:[00000030h]	17_2_0056298D
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_005629AD mov eax, dword ptr fs:[00000030h]	17_2_005629AD
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_00566B77 mov eax, dword ptr fs:[00000030h]	17_2_00566B77
Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe	Code function: 17_2_00565FF1 mov eax, dword ptr fs:[00000030h]	17_2_00565FF1

HIPS / PFW / Operating System Protection Evasion:

Source: DHL_Shipment_Notification#5436637389_22_FEB.exe, 00000011.00000002.1159756548.0000000000E60000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: DHL_Shipment_Notification#5436637389_22_FEB.exe, 00000011.00000002.1159756548.0000000000E60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: DHL_Shipment_Notification#5436637389_22_FEB.exe, 00000011.00000002.1159756548.0000000000E60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: DHL_Shipment_Notification#5436637389_22_FEB.exe, 00000011.00000002.1159756548.0000000000E60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\DHL_Shipment_Notification#5436637389_22_FEB.exe

Code function: 17_2_00566055 cpuid

17_2_00566055

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
165.22.240.4	unknown	United States		14061	DIGITALOCEAN-ASNUS	false

Contacted Domains

Name	IP	Active
waeorat-71.tk	165.22.240.4	true

ID:	355962
Product:	CloudBasic
Start time:	10:07:27
Start date:	22.02.2021
Sample:	DHL_Shipment_Notification#5436637389_22_FEB.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	6660a5670795be34d107d51a5323a6f3
SHA1:	ccfcbc36c22530b58bb6f35707667f658923c9bf
SHA256:	6d44a1e98afe47c5a977fd9977f45d173a28a4cbe76f27e2adc5aa702b7ffc75
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Analysis Report DHL_Shipment_Notification#5436637389_22_FEB.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains