Analysis Report DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe

Overview

General Information

Sample Name: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Analysis ID: 383934
MD5: 4701cd2e882f4745eca39dc1373ad1b0
SHA1: 3243aed4263da9abde5fa22a5b3220f2a54529b5
SHA256: e3beff629214f8c0517959944ebad8ec53bfd74988bf1a369d36fa12c9d5e58c
Tags: AgentTeslaDHLexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

AV Detection:

barindex
Found malware configuration
Source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.42dc8d2.3.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "rakris@thinnartede.comQGzh%!$2smtp.thinnartede.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Files.exe Virustotal: Detection: 25% Perma Link
Source: C:\Users\user\AppData\Roaming\Files.exe ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Virustotal: Detection: 25% Perma Link
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe ReversingLabs: Detection: 31%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Files.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.713524411.000000000706E000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.713524411.000000000706E000.00000004.00000001.sdmp, InstallUtil.exe.0.dr

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_06F247D0
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_06F28720
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_06F247C6
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_06F28710
Source: Files.exe, 0000000E.00000002.759642265.0000000000EB0000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Files.exe, 0000000D.00000002.756282758.00000000026B6000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.760481010.0000000002B1B000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: Files.exe, 0000000D.00000002.756282758.00000000026B6000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.760481010.0000000002B1B000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: Files.exe, 0000000D.00000002.756339384.00000000026E9000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.759674045.0000000000ED5000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: Files.exe, 0000000D.00000002.756339384.00000000026E9000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.760548196.0000000002B4E000.00000004.00000001.sdmp String found in binary or memory: http://dual-a-0001.a-msedge.net
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.673966468.0000000007533000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.757949365.0000000007532000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g%%&O
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.738366476.000000000752C000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g&;
Source: Files.exe, 0000000D.00000002.756339384.00000000026E9000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.759674045.0000000000ED5000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: Files.exe, 0000000D.00000002.756339384.00000000026E9000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.759674045.0000000000ED5000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: Files.exe, 0000000D.00000002.756282758.00000000026B6000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.760481010.0000000002B1B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: Files.exe, 0000000D.00000002.756282758.00000000026B6000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.760481010.0000000002B1B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: Files.exe, 0000000D.00000002.756282758.00000000026B6000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.760481010.0000000002B1B000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: Files.exe, 0000000E.00000002.760481010.0000000002B1B000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.742081909.00000000030A1000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.756240025.00000000026A4000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.760204933.0000000002AB1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Files.exe, 0000000D.00000002.756282758.00000000026B6000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.760481010.0000000002B1B000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com
Source: Files.exe, 0000000D.00000002.756282758.00000000026B6000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.760481010.0000000002B1B000.00000004.00000001.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.742081909.00000000030A1000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.756240025.00000000026A4000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.760204933.0000000002AB1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.742081909.00000000030A1000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.755980445.00000000024F1000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.760204933.0000000002AB1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/
Source: Files.exe, 0000000D.00000002.756240025.00000000026A4000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.760204933.0000000002AB1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com4Rk
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.745890665.00000000041CC000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

System Summary:

barindex
.NET source code contains very large array initializations
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, x6J/Zq2.cs Large array initialization: .cctor: array initializer size 2488
Source: Files.exe.0.dr, x6J/Zq2.cs Large array initialization: .cctor: array initializer size 2488
Source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.d60000.0.unpack, x6J/Zq2.cs Large array initialization: .cctor: array initializer size 2488
Source: 13.0.Files.exe.70000.0.unpack, x6J/Zq2.cs Large array initialization: .cctor: array initializer size 2488
Source: 13.2.Files.exe.70000.0.unpack, x6J/Zq2.cs Large array initialization: .cctor: array initializer size 2488
Source: 14.2.Files.exe.600000.0.unpack, x6J/Zq2.cs Large array initialization: .cctor: array initializer size 2488
Source: 14.0.Files.exe.600000.0.unpack, x6J/Zq2.cs Large array initialization: .cctor: array initializer size 2488
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06F262F8 0_2_06F262F8
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06F262E9 0_2_06F262E9
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06F25118 0_2_06F25118
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06F25108 0_2_06F25108
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_0098DEB0 13_2_0098DEB0
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_00989740 13_2_00989740
Sample file is different than original file name gathered from version info
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.756891567.000000000707D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameBEBL.exeP vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.758485015.0000000007B30000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.754878240.0000000006260000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.713524411.000000000706E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInstallUtil.exeT vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.745534987.00000000040A8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.745890665.00000000041CC000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUgYWuMBsCepqOxxeouVzamaNGqW.exe4 vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.756289482.0000000006BD0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.756617767.0000000006F50000.00000002.00000001.sdmp Binary or memory string: originalfilename vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.756617767.0000000006F50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Binary or memory string: OriginalFilenameBEBL.exeP vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Uses 32bit PE files
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Source: classification engine Classification label: mal92.troj.evad.winEXE@9/5@0/1
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File created: C:\Users\user\AppData\Roaming\Files.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5884:120:WilError_01
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to behavior
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Virustotal: Detection: 25%
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File read: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe 'C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe'
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe' Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe' Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.713524411.000000000706E000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.713524411.000000000706E000.00000004.00000001.sdmp, InstallUtil.exe.0.dr

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_00D6325A push cs; retf 0_2_00D6325B
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_00D62B64 push esi; ret 0_2_00D62B67
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_00D62738 push ecx; ret 0_2_00D62805
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06F227E0 pushad ; retf 0_2_06F227ED
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_00072738 push ecx; ret 13_2_00072805
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_0007325A push cs; retf 13_2_0007325B
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_00072B64 push esi; ret 13_2_00072B67
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_00602B64 push esi; ret 14_2_00602B67
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_0060325A push cs; retf 14_2_0060325B
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_00602738 push ecx; ret 14_2_00602805

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to dropped file
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File created: C:\Users\user\AppData\Roaming\Files.exe Jump to dropped file
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Files Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Files Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File opened: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe\:Zone.Identifier read attributes | delete Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Window / User API: threadDelayed 1210 Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Window / User API: threadDelayed 8570 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe TID: 7128 Thread sleep time: -16602069666338586s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe TID: 6316 Thread sleep count: 1210 > 30 Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe TID: 6316 Thread sleep count: 8570 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 5984 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 3660 Thread sleep count: 199 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 3984 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 3436 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6448 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6660 Thread sleep count: 207 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6660 Thread sleep count: 162 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 5740 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 4972 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.754878240.0000000006260000.00000002.00000001.sdmp, Files.exe, 0000000E.00000002.763483124.0000000005AD0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.754878240.0000000006260000.00000002.00000001.sdmp, Files.exe, 0000000E.00000002.763483124.0000000005AD0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.754878240.0000000006260000.00000002.00000001.sdmp, Files.exe, 0000000E.00000002.763483124.0000000005AD0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Files.exe, 0000000E.00000002.759613461.0000000000E92000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.754878240.0000000006260000.00000002.00000001.sdmp, Files.exe, 0000000E.00000002.763483124.0000000005AD0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe' Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe' Jump to behavior

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Queries volume information: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Users\user\AppData\Roaming\Files.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Users\user\AppData\Roaming\Files.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.745890665.00000000041CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.746816444.0000000004392000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.745670892.000000000411D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe PID: 6916, type: MEMORY
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.411d7f0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.42dc8d2.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.4281ce2.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.4392092.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.4392092.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.42270e2.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.42dc8d2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.411d7f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.4281ce2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.42270e2.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.745890665.00000000041CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.746816444.0000000004392000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.745670892.000000000411D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe PID: 6916, type: MEMORY
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.411d7f0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.42dc8d2.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.4281ce2.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.4392092.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.4392092.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.42270e2.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.42dc8d2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.411d7f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.4281ce2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.42270e2.4.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383934 Sample: DHL_Express_Shipment_Invoic... Startdate: 08/04/2021 Architecture: WINDOWS Score: 92 32 Found malware configuration 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected AgentTesla 2->36 38 3 other signatures 2->38 7 DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe 15 7 2->7         started        11 Files.exe 14 3 2->11         started        process3 file4 22 C:\Users\user\AppData\Roaming\Files.exe, PE32 7->22 dropped 24 C:\Users\user\...\Files.exe:Zone.Identifier, ASCII 7->24 dropped 26 DHL_Express_Shipme...4700456XXXX.exe.log, ASCII 7->26 dropped 28 C:\Users\user\AppData\...\InstallUtil.exe, PE32 7->28 dropped 40 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->40 13 cmd.exe 1 7->13         started        15 Files.exe 2 7->15         started        42 Multi AV Scanner detection for dropped file 11->42 44 Machine Learning detection for dropped file 11->44 signatures5 process6 dnsIp7 18 conhost.exe 13->18         started        20 reg.exe 1 1 13->20         started        30 192.168.2.1 unknown unknown 15->30 process8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious

Private
IP
192.168.2.1