Windows Analysis Report DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Overview

General Information

Sample Name: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
Analysis ID: 1360
MD5: 8e2b177d2ab29c95f067559a029cf5e8
SHA1: f347fa229d51836344ab5bf89fa531e19aa5e324
SHA256: b9fdde7d748e27a130c509a589a2c8b92aad279604d3e4ee7ac28187fc5660be

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Virustotal: Detection: 31%
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe ReversingLabs: Detection: 17%
Antivirus / Scanner detection for submitted sample
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Avira: detected

Compliance:

Uses 32bit PE files
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49806 -> 178.32.63.50:80
Uses dynamic DNS services
Source: unknown DNS query: name: septnet.duckdns.org
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELIANETTeliaCarrierEU
Source: Joe Sandbox View ASN Name: OVHFR
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /moss/Host_AKhLBP62.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 178.32.63.50 Cache-Control: no-cache
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49807 -> 193.104.197.28:6577
Source: unknown TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp String found in binary or memory: http://178.32.63.50/boss/Host_AKhLBP62.bin
Source: ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp String found in binary or memory: http://178.32.63.50/moss/Host_AKhLBP62.bin
Source: ieinstal.exe, 00000006.00000002.318237025480.0000000003229000.00000004.00000020.sdmp String found in binary or memory: http://178.32.63.50/moss/Host_AKhLBP62.bin:
Source: ieinstal.exe, 00000006.00000002.318237025480.0000000003229000.00000004.00000020.sdmp String found in binary or memory: http://178.32.63.50/moss/Host_AKhLBP62.binF
Source: ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp String found in binary or memory: http://178.32.63.50/moss/Host_AKhLBP62.binhttp://178.32.63.50/boss/Host_AKhLBP62.binwininet.dllMozil
Source: unknown DNS traffic detected: queries for: septnet.duckdns.org

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_00403DD6 2_2_00403DD6
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_0040415B 2_2_0040415B
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_023018E5 2_2_023018E5
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_0230C119 2_2_0230C119
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_0230E165 2_2_0230E165
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_0230303C 2_2_0230303C
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02304419 2_2_02304419
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02304245 2_2_02304245
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_023042B5 2_2_023042B5
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02304484 2_2_02304484
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_0230CED6 2_2_0230CED6
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_023036D9 2_2_023036D9
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_0230452C 2_2_0230452C
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02303700 2_2_02303700
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02304358 2_2_02304358
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02303BBC 2_2_02303BBC
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02303BBE 2_2_02303BBE
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02302F90 2_2_02302F90
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02304195 2_2_02304195
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02302F9B 2_2_02302F9B
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02304184 2_2_02304184
Contains functionality to call native functions
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_0230DC5F NtProtectVirtualMemory, 2_2_0230DC5F
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_0230C119 NtAllocateVirtualMemory, 2_2_0230C119
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02307B69 NtWriteVirtualMemory, 2_2_02307B69
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02307BAC NtWriteVirtualMemory, 2_2_02307BAC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030CED4E NtProtectVirtualMemory, 6_2_030CED4E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030CEC4F Sleep,NtProtectVirtualMemory, 6_2_030CEC4F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030CECBD Sleep,NtProtectVirtualMemory, 6_2_030CECBD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030CED49 NtProtectVirtualMemory, 6_2_030CED49
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030CED5C NtProtectVirtualMemory,NtProtectVirtualMemory, 6_2_030CED5C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030CEDB8 NtProtectVirtualMemory, 6_2_030CEDB8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030CEE3A NtProtectVirtualMemory, 6_2_030CEE3A
Sample file is different than original file name gathered from version info
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000002.00000002.313749031092.0000000000419000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameVOLDFRELSERS.exe vs DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Binary or memory string: OriginalFilenameVOLDFRELSERS.exe vs DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
PE file contains strange resources
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: edgegdi.dll
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Virustotal: Detection: 31%
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe ReversingLabs: Detection: 17%
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe 'C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe'
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File created: C:\Users\user\AppData\Local\Temp\LABERT
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@3/1@1/2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Mutant created: \Sessions\1\BaseNamedObjects\oILYSlqV

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_00409455 push es; iretd 2_2_00409456
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_00407E31 push ds; retf 2_2_00407E32
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_004072C1 push edx; retf 2_2_004072C2
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_00406294 push edx; retf 2_2_00406297
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_00406D73 push es; retf 2_2_00406D76
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_004099EF push esp; iretd 2_2_004099F2
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_00407BFF push FFFFFFA7h; iretd 2_2_00407C53
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02300390 push BDC367A8h; ret 2_2_02300383
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02307F80 push FFFFFFAFh; ret 2_2_02307F93
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02304F84 push esi; iretd 2_2_02304F87
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Halvngen7
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=\CIRKUSFORESTILLINGER.EXE\LABERTSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNHALVNGEN7HTTP://178.32.63.50/MOSS/HOST_AKHLBP62.BINHTTP://178.32.63.50/BOSS/HOST_AKHLBP62.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000002.00000002.313750631050.00000000022E0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000002.00000002.313750631050.00000000022E0000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 6880 Thread sleep count: 9976 > 30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 6880 Thread sleep time: -49880s >= -30000s
Sleep loop found (likely to delay execution)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread sleep count: Count: 9976 delay: -5
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02303B3F rdtsc 2_2_02303B3F
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Window / User API: threadDelayed 9976
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe System information queried: ModuleInformation
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000002.00000002.313750631050.00000000022E0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublishershell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: ieinstal.exe, 00000006.00000002.318236722320.00000000031E8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublishershell32advapi32TEMP=\Cirkusforestillinger.exe\LABERTSoftware\Microsoft\Windows\CurrentVersion\RunHalvngen7http://178.32.63.50/moss/Host_AKhLBP62.binhttp://178.32.63.50/boss/Host_AKhLBP62.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000002.00000002.313750631050.00000000022E0000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02303B3F rdtsc 2_2_02303B3F
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02305833 mov eax, dword ptr fs:[00000030h] 2_2_02305833
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02305859 mov eax, dword ptr fs:[00000030h] 2_2_02305859
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_023088B5 mov eax, dword ptr fs:[00000030h] 2_2_023088B5
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_023058BF mov eax, dword ptr fs:[00000030h] 2_2_023058BF
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_0230CED6 mov eax, dword ptr fs:[00000030h] 2_2_0230CED6
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_0230599C mov eax, dword ptr fs:[00000030h] 2_2_0230599C
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_0230BDCB mov eax, dword ptr fs:[00000030h] 2_2_0230BDCB
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_02308A19 LdrInitializeThunk, 2_2_02308A19
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_0230E165 RtlAddVectoredExceptionHandler, 2_2_0230E165

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 30C0000
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 2_2_0230CED6 LoadLibraryA,LogonUserA, 2_2_0230CED6
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe'
Source: ieinstal.exe, 00000006.00000002.318237700383.00000000039C1000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: ieinstal.exe, 00000006.00000002.318237700383.00000000039C1000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 00000006.00000002.318237700383.00000000039C1000.00000002.00020000.sdmp Binary or memory string: Progman
Source: ieinstal.exe, 00000006.00000002.318237700383.00000000039C1000.00000002.00020000.sdmp Binary or memory string: Progmanlock