Analysis Report DHL_document11022020680908006.exe

Overview

General Information

Sample Name:	DHL_document11022020680908006.exe
Analysis ID:	385270
MD5:	68d63479e5a11048e6bc1eaa242f8c7b
SHA1:	8637b7ec04a9ff11b8fc6d99a51f911aaad5a889
SHA256:	0bc287a98874b2ba0b818013c4026180a2e210a65d0800a169dde7ad7725277b
Tags:	CHNDHLexeFormbookgeo
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000000.00000002.260561462.0000000003C98000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.bendhighswimming.com/crdi/"], "decoy": ["propertyjumpstartwebinar.com", "boc-vip.club", "polestarnyc.com", "travelonlinebiz.com", "bukovynaent.com", "bestfashoin.com", "miniindiastore.com", "wehatebillgates.com", "holmescountyjusticecourt.com", "colectivorenovemosjuntos.com", "houstowarehouse.com", "aocsw.com", "sml-uniform.com", "bandanasaint.com", "petposhdeluxe.com", "ezcscpawq.com", "ladiesoption.club", "refixu.com", "selfwrrrth.com", "rovietry.com", "enaoc.com", "karyolaw.com", "diversitymarketingtx.net", "browsersentenderbanco.net", "samtheshepherd.com", "nash-arbitrazh.com", "gampang-kerja.tech", "ereplacementparrts.com", "eventmidasbuy14.com", "sia-rikvel.com", "top2016.net", "686638.com", "ton.blue", "desktower.net", "dbykq020.com", "stack30.com", "tiendasfotoprix.com", "kylesmaier.com", "ekmantsang.com", "jumlasx.xyz", "qingqingyuyin.com", "cdnsubs.xyz", "maxamoose.com", "huelling.com", "xn--bjrnnstet-z2a8q.online", "betale-posten.com", "lalatendu.info", "nochipmanicure.net", "bichat.website", "washington32reds.com", "centrodesaludcrecer.com", "phihoteldeimedaglioni.com", "kilmalliefarms.com", "icecreamsocialwp.com", "mac-makeup.club", "elzooz.com", "iqomw.com", "bestattorneycle.com", "startonsocial.com", "purensoessentials.com", "therealyolandafay.com", "feildwolf.com", "nativesupps.com", "nbatimeout.com"]}

Multi AV Scanner detection for submitted file

Source: DHL_document11022020680908006.exe

ReversingLabs: Detection: 25%

Yara detected FormBook

Source: Yara match	File source: 00000000.00000002.260561462.0000000003C98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.259139360.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.DHL_document11022020680908006.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DHL_document11022020680908006.exe.400000.0.raw.unpack, type: UNPACKEDPE

Antivirus or Machine Learning detection for unpacked file

Source: 6.2.DHL_document11022020680908006.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: DHL_document11022020680908006.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: DHL_document11022020680908006.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: DHL_document11022020680908006.exe, 00000006.00000002.259975111.0000000001880000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: DHL_document11022020680908006.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		0_2_011B78E8
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		0_2_011B789F

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.bendhighswimming.com/crdi/

Source: DHL_document11022020680908006.exe, 00000000.00000003.233610834.000000000120D000.00000004.00000001.sdmp	String found in binary or memory: http://en.wQ
Source: DHL_document11022020680908006.exe, 00000000.00000003.234631685.0000000005B7B000.00000004.00000001.sdmp, DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: DHL_document11022020680908006.exe, 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DHL_document11022020680908006.exe, 00000000.00000003.236661880.0000000005B70000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com?
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: DHL_document11022020680908006.exe, 00000000.00000003.240077453.0000000005B69000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers-
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: DHL_document11022020680908006.exe, 00000000.00000003.240581343.0000000005B6D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersY
Source: DHL_document11022020680908006.exe, 00000000.00000002.270290969.0000000005B60000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: DHL_document11022020680908006.exe, 00000000.00000003.234241493.0000000005B7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: DHL_document11022020680908006.exe, 00000000.00000003.234336459.0000000005B7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comn
Source: DHL_document11022020680908006.exe, 00000000.00000003.236076294.0000000005B9D000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: DHL_document11022020680908006.exe, 00000000.00000003.236076294.0000000005B9D000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn-
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DHL_document11022020680908006.exe, 00000000.00000003.236076294.0000000005B9D000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnl-g&
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DHL_document11022020680908006.exe, 00000000.00000003.237443454.0000000005B64000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: DHL_document11022020680908006.exe, 00000000.00000003.237443454.0000000005B64000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ana
Source: DHL_document11022020680908006.exe, 00000000.00000003.237443454.0000000005B64000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/iva
Source: DHL_document11022020680908006.exe, 00000000.00000003.237443454.0000000005B64000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: DHL_document11022020680908006.exe, 00000000.00000003.237443454.0000000005B64000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/_
Source: DHL_document11022020680908006.exe, 00000000.00000003.234241493.0000000005B7B000.00000004.00000001.sdmp, DHL_document11022020680908006.exe, 00000000.00000003.233917646.0000000005B81000.00000004.00000001.sdmp, DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: DHL_document11022020680908006.exe, 00000000.00000003.234241493.0000000005B7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com5
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: DHL_document11022020680908006.exe, 00000000.00000003.235507174.0000000005B69000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: DHL_document11022020680908006.exe, 00000000.00000003.235507174.0000000005B69000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krntact
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: DHL_document11022020680908006.exe, 00000000.00000003.234631685.0000000005B7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comU
Source: DHL_document11022020680908006.exe, 00000000.00000003.234707922.0000000005B7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comh
Source: DHL_document11022020680908006.exe, 00000000.00000003.234663283.0000000005B7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.coml
Source: DHL_document11022020680908006.exe, 00000000.00000003.234631685.0000000005B7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comnh
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: DHL_document11022020680908006.exe, 00000000.00000002.270383669.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: DHL_document11022020680908006.exe, 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000000.00000002.260561462.0000000003C98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.259139360.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.DHL_document11022020680908006.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DHL_document11022020680908006.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.260561462.0000000003C98000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.260561462.0000000003C98000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.259139360.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.259139360.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.DHL_document11022020680908006.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.DHL_document11022020680908006.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.DHL_document11022020680908006.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.DHL_document11022020680908006.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: DHL_document11022020680908006.exe

Contains functionality to call native functions

Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0041A060 NtClose,	6_2_0041A060
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0041A110 NtAllocateVirtualMemory,	6_2_0041A110
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_00419F30 NtCreateFile,	6_2_00419F30
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_00419FE0 NtReadFile,	6_2_00419FE0
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0041A05A NtClose,	6_2_0041A05A
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0041A10C NtAllocateVirtualMemory,	6_2_0041A10C
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_00419FDA NtReadFile,	6_2_00419FDA
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018E9860 NtQuerySystemInformation,LdrInitializeThunk,	6_2_018E9860
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018E96E0 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_018E96E0
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018E9660 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_018E9660
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018E99A0 NtCreateSection,	6_2_018E99A0
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018E99D0 NtCreateProcessEx,	6_2_018E99D0
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018E9910 NtAdjustPrivilegesToken,	6_2_018E9910
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018E9950 NtQueueApcThread,	6_2_018E9950
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018E98A0 NtWriteVirtualMemory,	6_2_018E98A0
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018E98F0 NtReadVirtualMemory,	6_2_018E98F0
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018E9820 NtEnumerateKey,	6_2_018E9820
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018EB040 NtSuspendThread,	6_2_018EB040
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018E9840 NtDelayExecution,	6_2_018E9840
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018EA3B0 NtGetContextThread,	6_2_018EA3B0
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018E9B00 NtSetValueKey,	6_2_018E9B00
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018E9A80 NtOpenDirectoryObject,	6_2_018E9A80
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018E9A00 NtProtectVirtualMemory,	6_2_018E9A00
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018E9A10 NtQuerySection,	6_2_018E9A10
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018E9A20 NtResumeThread,	6_2_018E9A20
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018E9A50 NtCreateFile,	6_2_018E9A50
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018E95D0 NtClose,	6_2_018E95D0
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018E95F0 NtQueryInformationFile,	6_2_018E95F0

Detected potential crypto function

Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_00714D16	0_2_00714D16
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_0071869D	0_2_0071869D
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_011B8168	0_2_011B8168
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_011B0960	0_2_011B0960
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_011B13B0	0_2_011B13B0
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_011B1A6B	0_2_011B1A6B
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_011B55FC	0_2_011B55FC
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_011B6CC8	0_2_011B6CC8
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_011B0915	0_2_011B0915
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_011B5038	0_2_011B5038
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_011B4DF0	0_2_011B4DF0
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_011B55F0	0_2_011B55F0
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_011B540F	0_2_011B540F
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_011B6CBF	0_2_011B6CBF
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_011B2E08	0_2_011B2E08
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_011B5638	0_2_011B5638
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_011B5647	0_2_011B5647
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_011B6EE9	0_2_011B6EE9
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_02ABC428	0_2_02ABC428
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_02AB9890	0_2_02AB9890
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 3_2_002F4D16	3_2_002F4D16
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 3_2_002F869D	3_2_002F869D
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 4_2_00254D16	4_2_00254D16
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 4_2_0025869D	4_2_0025869D
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_00401029	6_2_00401029
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0041D173	6_2_0041D173
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0041E3E6	6_2_0041E3E6
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0041DBBB	6_2_0041DBBB
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_00402D87	6_2_00402D87
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0041D589	6_2_0041D589
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_00409E40	6_2_00409E40
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_00409E3B	6_2_00409E3B
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0041DFAA	6_2_0041DFAA
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_00DE4D16	6_2_00DE4D16
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_00DE869D	6_2_00DE869D
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018C2990	6_2_018C2990
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018C99BF	6_2_018C99BF
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018AF900	6_2_018AF900
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018C4120	6_2_018C4120
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018BB090	6_2_018BB090
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018D20A0	6_2_018D20A0
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_019720A8	6_2_019720A8
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_019728EC	6_2_019728EC
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018A6800	6_2_018A6800
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_01961002	6_2_01961002
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0197E824	6_2_0197E824
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018CA830	6_2_018CA830
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018D138B	6_2_018D138B
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018CEB9A	6_2_018CEB9A
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0194EB8A	6_2_0194EB8A
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018DEBB0	6_2_018DEBB0
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0196DBD2	6_2_0196DBD2
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_019603DA	6_2_019603DA
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018DABD8	6_2_018DABD8
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018F8BE8	6_2_018F8BE8
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_019523E3	6_2_019523E3
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018CA309	6_2_018CA309
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0196231B	6_2_0196231B
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_01972B28	6_2_01972B28
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018CAB40	6_2_018CAB40
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0194CB4F	6_2_0194CB4F
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018C3360	6_2_018C3360
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_019722AE	6_2_019722AE
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_019732A9	6_2_019732A9
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0196E2C5	6_2_0196E2C5
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_01964AEF	6_2_01964AEF
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018CB236	6_2_018CB236
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0195FA2B	6_2_0195FA2B
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018D2581	6_2_018D2581
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_01962D82	6_2_01962D82
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018D65A0	6_2_018D65A0
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_019725DD	6_2_019725DD
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_018BD5E0	6_2_018BD5E0
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_01972D07	6_2_01972D07

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: String function: 018AB150 appears 88 times
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: String function: 01935720 appears 47 times

Sample file is different than original file name gathered from version info

Source: DHL_document11022020680908006.exe, 00000000.00000002.272033610.00000000077C0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs DHL_document11022020680908006.exe
Source: DHL_document11022020680908006.exe, 00000000.00000000.231107081.00000000007C6000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameResolveEventHandler.exe> vs DHL_document11022020680908006.exe
Source: DHL_document11022020680908006.exe, 00000000.00000002.271515431.0000000007150000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs DHL_document11022020680908006.exe
Source: DHL_document11022020680908006.exe, 00000003.00000002.255099385.00000000003A6000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameResolveEventHandler.exe> vs DHL_document11022020680908006.exe
Source: DHL_document11022020680908006.exe, 00000004.00000000.255948475.0000000000306000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameResolveEventHandler.exe> vs DHL_document11022020680908006.exe
Source: DHL_document11022020680908006.exe, 00000006.00000002.259562052.0000000000E96000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameResolveEventHandler.exe> vs DHL_document11022020680908006.exe
Source: DHL_document11022020680908006.exe, 00000006.00000002.260362622.0000000001B2F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL_document11022020680908006.exe
Source: DHL_document11022020680908006.exe	Binary or memory string: OriginalFilenameResolveEventHandler.exe> vs DHL_document11022020680908006.exe

Uses 32bit PE files

Source: DHL_document11022020680908006.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Yara signature match

Source: 00000000.00000002.260561462.0000000003C98000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.260561462.0000000003C98000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.259139360.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.259139360.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.DHL_document11022020680908006.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.DHL_document11022020680908006.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.DHL_document11022020680908006.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.DHL_document11022020680908006.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: DHL_document11022020680908006.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@0/0

Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_document11022020680908006.exe.log

Source: DHL_document11022020680908006.exe, 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: DHL_document11022020680908006.exe, 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: DHL_document11022020680908006.exe, 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: DHL_document11022020680908006.exe, 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: DHL_document11022020680908006.exe, 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: DHL_document11022020680908006.exe, 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: DHL_document11022020680908006.exe, 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: unknown	Process created: C:\Users\user\Desktop\DHL_document11022020680908006.exe 'C:\Users\user\Desktop\DHL_document11022020680908006.exe'
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process created: C:\Users\user\Desktop\DHL_document11022020680908006.exe C:\Users\user\Desktop\DHL_document11022020680908006.exe
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process created: C:\Users\user\Desktop\DHL_document11022020680908006.exe C:\Users\user\Desktop\DHL_document11022020680908006.exe
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process created: C:\Users\user\Desktop\DHL_document11022020680908006.exe C:\Users\user\Desktop\DHL_document11022020680908006.exe
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process created: C:\Users\user\Desktop\DHL_document11022020680908006.exe C:\Users\user\Desktop\DHL_document11022020680908006.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process created: C:\Users\user\Desktop\DHL_document11022020680908006.exe C:\Users\user\Desktop\DHL_document11022020680908006.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process created: C:\Users\user\Desktop\DHL_document11022020680908006.exe C:\Users\user\Desktop\DHL_document11022020680908006.exe	Jump to behavior

Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_007BB088 push eax; ret	0_2_007BB08C
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_007BA258 push edi; iretd	0_2_007BA259
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_007B8F6B push FFFFFFFEh; retf	0_2_007B8F6D
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_007B8B14 pushfd ; iretd	0_2_007B8B17
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_007BA30F push ebx; retf	0_2_007BA310
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 0_2_011B4590 push FFFFFFA0h; iretd	0_2_011B4597
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 3_2_0039B088 push eax; ret	3_2_0039B08C
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 3_2_0039A258 push edi; iretd	3_2_0039A259
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 3_2_00398B14 pushfd ; iretd	3_2_00398B17
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 3_2_0039A30F push ebx; retf	3_2_0039A310
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 3_2_00398F6B push FFFFFFFEh; retf	3_2_00398F6D
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 4_2_002FB088 push eax; ret	4_2_002FB08C
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 4_2_002FA258 push edi; iretd	4_2_002FA259
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 4_2_002FA30F push ebx; retf	4_2_002FA310
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 4_2_002F8B14 pushfd ; iretd	4_2_002F8B17
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 4_2_002F8F6B push FFFFFFFEh; retf	4_2_002F8F6D
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0041C875 push ss; retf	6_2_0041C87C
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0041C811 push ss; retf	6_2_0041C87C
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0041D0D2 push eax; ret	6_2_0041D0D8
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0041D0DB push eax; ret	6_2_0041D142
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0041D085 push eax; ret	6_2_0041D0D8
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0041D13C push eax; ret	6_2_0041D142
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_0041A1C6 pushfd ; iretd	6_2_0041A1CB
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_00419AC6 push edx; ret	6_2_00419ACA
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_00407B28 push FFFFFFC4h; ret	6_2_00407B2A
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_00416B8B push cs; iretd	6_2_00416B93
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_00E8B088 push eax; ret	6_2_00E8B08C
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_00E8A258 push edi; iretd	6_2_00E8A259
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_00E8A30F push ebx; retf	6_2_00E8A310
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_00E88B14 pushfd ; iretd	6_2_00E88B17
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Code function: 6_2_00E88F6B push FFFFFFFEh; retf	6_2_00E88F6D

Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL_document11022020680908006.exe PID: 240, type: MEMORY

Source: DHL_document11022020680908006.exe, 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: DHL_document11022020680908006.exe, 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe TID: 5292	Thread sleep time: -103301s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe TID: 5288	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe TID: 2248	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Thread delayed: delay time: 103301	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908006.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: DHL_document11022020680908006.exe, 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: DHL_document11022020680908006.exe, 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL_document11022020680908006.exe, 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: DHL_document11022020680908006.exe, 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: DHL_document11022020680908006.exe, 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: DHL_document11022020680908006.exe, 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL_document11022020680908006.exe, 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: DHL_document11022020680908006.exe, 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: DHL_document11022020680908006.exe, 00000000.00000002.259818471.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

ID:	385270
Product:	CloudBasic
Start time:	09:22:23
Start date:	12.04.2021
Sample:	DHL_document11022020680908006.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	68d63479e5a11048e6bc1eaa242f8c7b
SHA1:	8637b7ec04a9ff11b8fc6d99a51f911aaad5a889
SHA256:	0bc287a98874b2ba0b818013c4026180a2e210a65d0800a169dde7ad7725277b
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Analysis Report DHL_document11022020680908006.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted URLs