
Analysis Report DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe

Overview

General Information

Sample Name: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
Analysis ID: 381836
MD5: d9b97229c1ffefb60c6c1abe86eeb720
SHA1: da1a7ae1a7a9ac98b024955ce4317522a5bdf744
SHA256: 066cd9770911c86ad9b050f137ca0684413929fbd84a0cfb22013aa534d24523
Tags: DHLexe

Most interesting Screenshot: (image not included in this extract)

Detection

Nanocore
Score: 99
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Nanocore RAT
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe (PID: 6416 cmdline: 'C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe' MD5: D9B97229C1FFEFB60C6C1ABE86EEB720)
    • schtasks.exe (PID: 6928 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kySsoQgxcHO' /XML 'C:\Users\user\AppData\Local\Temp\tmpE715.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe (PID: 6976 cmdline: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe MD5: D9B97229C1FFEFB60C6C1ABE86EEB720)
      • schtasks.exe (PID: 7012 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp939B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5304 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp9B0E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5792 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: D9B97229C1FFEFB60C6C1ABE86EEB720)
  • dhcpmon.exe (PID: 6304 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: D9B97229C1FFEFB60C6C1ABE86EEB720)
    • schtasks.exe (PID: 6952 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kySsoQgxcHO' /XML 'C:\Users\user\AppData\Local\Temp\tmp9DB3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 7124 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: D9B97229C1FFEFB60C6C1ABE86EEB720)
    • dhcpmon.exe (PID: 7160 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: D9B97229C1FFEFB60C6C1ABE86EEB720)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "30fa397e-f04b-4185-b75b-392a4f17",
  "Group": "QUOTATION",
  "Domain1": "46.183.220.61",
  "Domain2": "",
  "Port": 4488,
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4qRL3Dv9U6yo_YJzVNueLigr3DbGSqr8_$nTSKtZ2s=",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
0000001B.00000002.489115680.0000000002F31000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security |
0000001B.00000002.489115680.0000000002F31000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> |
  • 0x6943b:$a: NanoCore
  • 0x69494:$a: NanoCore
  • 0x694d1:$a: NanoCore
  • 0x6954a:$a: NanoCore
  • 0x6949d:$b: ClientPlugin
  • 0x694da:$b: ClientPlugin
  • 0x69dd8:$b: ClientPlugin
  • 0x69de5:$b: ClientPlugin
  • 0x5f593:$e: KeepAlive
  • 0x69925:$g: LogClientMessage
  • 0x698a5:$i: get_Connected
  • 0x59871:$j: #=q
  • 0x598a1:$j: #=q
  • 0x598dd:$j: #=q
  • 0x59905:$j: #=q
  • 0x59935:$j: #=q
  • 0x59965:$j: #=q
  • 0x59995:$j: #=q
  • 0x599c5:$j: #=q
  • 0x599e1:$j: #=q
  • 0x59a11:$j: #=q
0000001B.00000002.486110377.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth |
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001B.00000002.486110377.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security |
(15 further entries not shown in this extract)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth |
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth |
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security |
0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> |
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
27.2.dhcpmon.exe.3f805cc.4.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth |
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
(32 further entries not shown in this extract)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, ProcessId: 6976, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kySsoQgxcHO' /XML 'C:\Users\user\AppData\Local\Temp\tmpE715.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kySsoQgxcHO' /XML 'C:\Users\user\AppData\Local\Temp\tmpE715.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe', ParentImage: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, ParentProcessId: 6416, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kySsoQgxcHO' /XML 'C:\Users\user\AppData\Local\Temp\tmpE715.tmp', ProcessId: 6928

Signature Overview

AV Detection:

Found malware configuration
Source: 0000001B.00000002.489115680.0000000002F31000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore (the extracted configuration is the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe; Virustotal: Detection: 15%
Yara detected Nanocore RAT
Source: Yara match; File source: 0000001B.00000002.489115680.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.486110377.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.381956927.00000000037E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.471514022.00000000041E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.489910498.0000000003F39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 7160, type: MEMORY
Source: Yara match; File source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.dhcpmon.exe.3f805cc.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.dhcpmon.exe.3f805cc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.dhcpmon.exe.427d1d8.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.dhcpmon.exe.3f7b796.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.dhcpmon.exe.427d1d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.dhcpmon.exe.3f84bf5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\kySsoQgxcHO.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe; Joe Sandbox ML: detected
Source: 27.2.dhcpmon.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 0_2_00C19550
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 0_2_00C19541
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe; Code function: 4x nop then jmp 078C5906h; 12_2_078C54E8
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe; Code function: 4x nop then jmp 078C5906h; 12_2_078C54D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 4x nop then jmp 076A8D2Dh; 16_2_076A8C00
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 4x nop then jmp 076A8D2Dh; 16_2_076A8BC8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 4x nop then jmp 076A8D2Dh; 16_2_076A8BF0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 17_2_02F98818
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 17_2_02F988CC
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 17_2_02F98808

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs:
Source: Malware configuration extractor; URLs: 46.183.220.61
Source: global traffic; TCP traffic: 192.168.2.6:49724 -> 46.183.220.61:4488
Source: Joe Sandbox View; ASN Name: DATACLUBLV DATACLUBLV
Source: unknown; TCP traffic detected without corresponding DNS query: 46.183.220.61 (reported repeatedly for the same destination)
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.378915713.0000000002621000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000003.416436034.0000000006222000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000003.409900594.000000000620F000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: dhcpmon.exe, 00000010.00000003.415029902.000000000620F000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: dhcpmon.exe, 00000010.00000003.416436034.0000000006222000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comF
Source: dhcpmon.exe, 00000010.00000003.416436034.0000000006222000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comI.TTF
Source: dhcpmon.exe, 00000010.00000003.411494947.0000000006223000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comL
Source: dhcpmon.exe, 00000010.00000003.409900594.000000000620F000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.coma
Source: dhcpmon.exe, 00000010.00000003.416436034.0000000006222000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.come
Source: dhcpmon.exe, 00000010.00000003.409900594.000000000620F000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comgrita4
Source: dhcpmon.exe, 00000010.00000003.425466653.0000000006210000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comita
Source: dhcpmon.exe, 00000010.00000003.409900594.000000000620F000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.coml
Source: dhcpmon.exe, 00000010.00000003.425466653.0000000006210000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comlique
Source: dhcpmon.exe, 00000010.00000003.416436034.0000000006222000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comr
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: dhcpmon.exe, 00000010.00000003.421492950.0000000006211000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000003.420843716.0000000006211000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000003.420843716.0000000006211000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000003.407162006.0000000006223000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: dhcpmon.exe, 00000010.00000003.407162006.0000000006223000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/O
Source: dhcpmon.exe, 00000010.00000003.407162006.0000000006223000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/V
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.378915713.0000000002621000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp; String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.378100903.000000000084B000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: dhcpmon.exe, 0000001B.00000002.489115680.0000000002F31000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 0000001B.00000002.489115680.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.486110377.0000000000402000.00000<