Analysis Report Recibo de entrega de DHL.exe

Overview

General Information

Sample Name:	Recibo de entrega de DHL.exe
Analysis ID:	358255
MD5:	335a69ee25155d53f6df46c020aa90cd
SHA1:	cbecea1d93ff376b6a7f5ea72c191d4020372344
SHA256:	66dd2c7ac2b0bc7b604efa99f21a828da26c15a366a2e809e23b82dda44b63dd
Tags:	DHLESPexegeo
Infos:
Most interesting Screenshot:

Detection

404Keylogger AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected 404Keylogger

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains very large strings

.NET source code references suspicious native API functions

Binary contains a suspicious time stamp

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

May check the online IP address of the machine

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: Recibo de entrega de DHL.exe.2912.5.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "", "URL: ": "", "To: ": "moin.ansari@sapgroup.com.pk", "ByHost: ": "mail.sapgroup.com.pk:587", "Password: ": "", "From: ": "moin.ansari@sapgroup.com.pk"}

Multi AV Scanner detection for submitted file

Source: Recibo de entrega de DHL.exe	Virustotal: Detection: 31%			Perma Link
Source: Recibo de entrega de DHL.exe	ReversingLabs: Detection: 12%

Machine Learning detection for sample

Source: Recibo de entrega de DHL.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack

Avira: Label: TR/ATRAPS.Gen

Compliance:

Uses 32bit PE files

Source: Recibo de entrega de DHL.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Recibo de entrega de DHL.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 95.215.225.23:587

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 131.186.113.70 131.186.113.70
Source: Joe Sandbox View	IP Address: 95.215.225.23 95.215.225.23

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 95.215.225.23:587

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: Recibo de entrega de DHL.exe, 00000005.00000002.906675983.0000000002DDD000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906659544.0000000002DCC000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906616096.0000000002D71000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906659544.0000000002DCC000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org41k
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Recibo de entrega de DHL.exe, 00000005.00000002.905948918.0000000001189000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp	String found in binary or memory: http://mail.sapgroup.com.pk
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp	String found in binary or memory: http://sapgroup.com.pk
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.906616096.0000000002D71000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Recibo de entrega de DHL.exe	String found in binary or memory: http://tempuri.org/NorthWindAzureForInsertsDataSet.xsd
Source: Recibo de entrega de DHL.exe, 00000000.00000003.642797524.0000000006118000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Recibo de entrega de DHL.exe, 00000000.00000002.662987849.000000000610A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.come.com
Source: Recibo de entrega de DHL.exe, 00000000.00000002.662987849.000000000610A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000000.00000003.640725684.000000000611B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Recibo de entrega de DHL.exe, 00000000.00000003.640696140.000000000611B000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000000.00000003.640811691.000000000611B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comn
Source: Recibo de entrega de DHL.exe, 00000000.00000003.641863100.000000000610E000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Recibo de entrega de DHL.exe, 00000000.00000003.641863100.000000000610E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnT
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000000.00000003.643821183.000000000610A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/1
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/A
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643616679.000000000610C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/N
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643821183.000000000610A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/es-e
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/1
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/A
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/N
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/nl-nj
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/w
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/xt
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://myip.dnsomatic.com9====
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://pastebin.com/api/api_login.php
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://pastebin.com/api/api_login.phpJhttps://pastebin.com/api/api_post.php
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://pastebin.com/api/api_post.php
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected 404Keylogger

Source: Yara match	File source: 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 7008, type: MEMORY
Source: Yara match	File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 2912, type: MEMORY
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.3e142e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.3dd2ac0.2.raw.unpack, type: UNPACKEDPE

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Recibo de entrega de DHL.exe

Source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Recibo de entrega de DHL.exe.3e142e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth

Source: Recibo de entrega de DHL.exe, Form1.cs	Long String: Length: 13656
Source: 0.0.Recibo de entrega de DHL.exe.a00000.0.unpack, Form1.cs	Long String: Length: 13656
Source: 0.2.Recibo de entrega de DHL.exe.a00000.0.unpack, Form1.cs	Long String: Length: 13656
Source: 4.2.Recibo de entrega de DHL.exe.310000.0.unpack, Form1.cs	Long String: Length: 13656
Source: 4.0.Recibo de entrega de DHL.exe.310000.0.unpack, Form1.cs	Long String: Length: 13656
Source: 5.0.Recibo de entrega de DHL.exe.9f0000.0.unpack, Form1.cs	Long String: Length: 13656
Source: 5.2.Recibo de entrega de DHL.exe.9f0000.1.unpack, Form1.cs	Long String: Length: 13656

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 0_2_00A0ADD9	0_2_00A0ADD9
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 0_2_02CBC148	0_2_02CBC148
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 0_2_02CBA758	0_2_02CBA758
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 0_2_05895FB8	0_2_05895FB8
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 4_2_0031ADD9	4_2_0031ADD9
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 5_2_009FADD9	5_2_009FADD9
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 5_2_02BA2728	5_2_02BA2728
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 5_2_02BAB4B8	5_2_02BAB4B8
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 5_2_02BAD4F0	5_2_02BAD4F0
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 5_2_02BABD88	5_2_02BABD88
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 5_2_02BAB170	5_2_02BAB170
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 5_2_02BA6FA0	5_2_02BA6FA0

Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Recibo de entrega de DHL.exe
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamelilba.exe4 vs Recibo de entrega de DHL.exe
Source: Recibo de entrega de DHL.exe, 00000000.00000002.667225265.0000000007720000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Recibo de entrega de DHL.exe
Source: Recibo de entrega de DHL.exe, 00000000.00000002.659157889.0000000000A5E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamec.exe< vs Recibo de entrega de DHL.exe
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs Recibo de entrega de DHL.exe
Source: Recibo de entrega de DHL.exe, 00000004.00000002.656059575.000000000036E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamec.exe< vs Recibo de entrega de DHL.exe
Source: Recibo de entrega de DHL.exe, 00000005.00000002.905582160.0000000000A4E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamec.exe< vs Recibo de entrega de DHL.exe
Source: Recibo de entrega de DHL.exe, 00000005.00000002.905614308.0000000000BE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Recibo de entrega de DHL.exe
Source: Recibo de entrega de DHL.exe, 00000005.00000002.905770245.0000000000F40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Recibo de entrega de DHL.exe
Source: Recibo de entrega de DHL.exe, 00000005.00000002.905508557.000000000041E000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamelilba.exe4 vs Recibo de entrega de DHL.exe
Source: Recibo de entrega de DHL.exe	Binary or memory string: OriginalFilenamec.exe< vs Recibo de entrega de DHL.exe

Source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Recibo de entrega de DHL.exe.3e142e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: unknown	Process created: C:\Users\user\Desktop\Recibo de entrega de DHL.exe 'C:\Users\user\Desktop\Recibo de entrega de DHL.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Recibo de entrega de DHL.exe C:\Users\user\Desktop\Recibo de entrega de DHL.exe
Source: unknown	Process created: C:\Users\user\Desktop\Recibo de entrega de DHL.exe C:\Users\user\Desktop\Recibo de entrega de DHL.exe
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process created: C:\Users\user\Desktop\Recibo de entrega de DHL.exe C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process created: C:\Users\user\Desktop\Recibo de entrega de DHL.exe C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Jump to behavior

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 0_2_00A07F72 push 00000000h; iretd	0_2_00A07FBC
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 4_2_00317F72 push 00000000h; iretd	4_2_00317FBC
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 5_2_009F7F72 push 00000000h; iretd	5_2_009F7FBC

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 7008, type: MEMORY
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.2d79518.1.raw.unpack, type: UNPACKEDPE

Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Window / User API: threadDelayed 544			Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Window / User API: threadDelayed 4143			Jump to behavior

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 7012	Thread sleep time: -101883s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 7036	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 6604	Thread sleep count: 544 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -99625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 6604	Thread sleep count: 4143 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -99515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -99406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -99281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -99171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -99062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -98953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -98843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -98734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -98625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -98513s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -98406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -98296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -98187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -98078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -97968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -97859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -97750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -97640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -97531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -97421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -97312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -97203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -97093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -96984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process token adjusted: Debug			Jump to behavior

Source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, ???WW?????????????????????????W?W????????????.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, ?W?W???????WW???W???W??????WyW????uy????????u.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')

Source: Recibo de entrega de DHL.exe, 00000005.00000002.906239903.0000000001700000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906239903.0000000001700000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906239903.0000000001700000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906239903.0000000001700000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Analysis Report Recibo de entrega de DHL.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
131.186.113.70	unknown	United States		33517	DYNDNSUS	false
95.215.225.23	unknown	United Kingdom		9009	M247GB	true

Name	IP	Active
sapgroup.com.pk	95.215.225.23	true
checkip.dyndns.com	131.186.113.70	true
checkip.dyndns.org	unknown	unknown
mail.sapgroup.com.pk	unknown	unknown

ID:	358255
Product:	CloudBasic
Start time:	11:00:21
Start date:	25.02.2021
Sample:	Recibo de entrega de DHL.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	335a69ee25155d53f6df46c020aa90cd
SHA1:	cbecea1d93ff376b6a7f5ea72c191d4020372344
SHA256:	66dd2c7ac2b0bc7b604efa99f21a828da26c15a366a2e809e23b82dda44b63dd
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Recibo de entrega de DHL.exe.log	ASCII text, with CRLF line terminators	B9E8D9BC061D6715808BB3A28CECBA2B	6F18CD63C12AEC962D089F215658FD5BE1789BC3	716E082F23E093EBCA2C8F994745CC7D62457D7359BBE555B75E275CE8EEEDC7
C:\Users\user\Documents\Results.txt	ASCII text, with CRLF line terminators	70ADC435E0D206FE7953E8045B4F01B2	836F13823BB9B17CFBBD5D475E45312DBAB0B2F1	B89EB51318C18F9AC5253D3AEE6DB79F0520F835CAC3F96D8513D6F59D5EDE5C