Windows Analysis Report DHL_119040 ontvangstbewijs,pdf.exe

Overview

General Information

Sample Name: DHL_119040 ontvangstbewijs,pdf.exe
Analysis ID: 528504
MD5: a9b63c434e205092b3373e35c051a04a
SHA1: 1b8d4e51f63e23b881159d168b5c0e70012c7e6c
SHA256: 3905a71c3e23f4845d1201f74ac1c9c041b0254ff486a3ea4fc2bb7119631ce9
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Uses a known web browser user agent for HTTP communication
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 4.2.DHL_119040 ontvangstbewijs,pdf.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Http", "HTTP method": "Post", "Post URL": "https://www.mgbless.in/mac/inc/0bb73b6c7ade1a.php", "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"}
Multi AV Scanner detection for domain / URL
Source: mgbless.in Virustotal: Detection: 5%
Source: www.mgbless.in Virustotal: Detection: 7%
Source: http://www.mgbless.in Virustotal: Detection: 7%
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.DHL_119040 ontvangstbewijs,pdf.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: DHL_119040 ontvangstbewijs,pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown HTTPS traffic detected: 104.223.93.105:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: DHL_119040 ontvangstbewijs,pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ASN-QUADRANET-GLOBALUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.223.93.105
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /mac/inc/0bb73b6c7ade1a.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Content-Type: application/x-www-form-urlencoded Host: www.mgbless.in Content-Length: 368 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /mac/inc/0bb73b6c7ade1a.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Content-Type: application/x-www-form-urlencoded Host: www.mgbless.in Content-Length: 370 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /mac/inc/0bb73b6c7ade1a.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Content-Type: application/x-www-form-urlencoded Host: www.mgbless.in Content-Length: 380 Expect: 100-continue
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.566852760.0000000002811000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.566852760.0000000002811000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.566852760.0000000002811000.00000004.00000001.sdmp String found in binary or memory: http://lmeJrA.com
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.567156721.00000000028D9000.00000004.00000001.sdmp, DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.567483642.00000000029AF000.00000004.00000001.sdmp, DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.567260931.0000000002902000.00000004.00000001.sdmp String found in binary or memory: http://mgbless.in
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000001.00000002.309960102.000000000293B000.00000004.00000001.sdmp, DHL_119040 ontvangstbewijs,pdf.exe, 00000001.00000002.309824480.0000000002871000.00000004.00000001.sdmp, DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.567106742.00000000028BC000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.567156721.00000000028D9000.00000004.00000001.sdmp, DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.567483642.00000000029AF000.00000004.00000001.sdmp, DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.567260931.0000000002902000.00000004.00000001.sdmp String found in binary or memory: http://www.mgbless.in
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.567237496.00000000028F9000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.566852760.0000000002811000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.567106742.00000000028BC000.00000004.00000001.sdmp String found in binary or memory: https://www.mgbless.in
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000003.346874952.0000000000C23000.00000004.00000001.sdmp String found in binary or memory: https://www.mgbless.in/
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.567106742.00000000028BC000.00000004.00000001.sdmp String found in binary or memory: https://www.mgbless.in/mac/inc/0bb73b6c7ade1a.php
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.566852760.0000000002811000.00000004.00000001.sdmp String found in binary or memory: https://www.mgbless.in/mac/inc/0bb73b6c7ade1a.php127.0.0.1POST
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.567106742.00000000028BC000.00000004.00000001.sdmp String found in binary or memory: https://www.mgbless.in4
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.567483642.00000000029AF000.00000004.00000001.sdmp, DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.567260931.0000000002902000.00000004.00000001.sdmp String found in binary or memory: https://www.mgbless.inD8
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000001.00000002.310307492.000000000387D000.00000004.00000001.sdmp, DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000000.305861427.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.566852760.0000000002811000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown HTTP traffic detected: POST /mac/inc/0bb73b6c7ade1a.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Content-Type: application/x-www-form-urlencoded Host: www.mgbless.in Content-Length: 368 Expect: 100-continue Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: www.mgbless.in
Source: unknown HTTPS traffic detected: 104.223.93.105:443 -> 192.168.2.3:49747 version: TLS 1.2

System Summary:

.NET source code contains very large array initializations
Source: 4.2.DHL_119040 ontvangstbewijs,pdf.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b03A0F30Cu002d135Du002d465Du002d890Au002d43EFC19CAB91u007d/E21F461Cu002dB8FDu002d40BBu002dACBAu002d17BB57CD05CC.cs Large array initialization: .cctor: array initializer size 11846
Source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b03A0F30Cu002d135Du002d465Du002d890Au002d43EFC19CAB91u007d/E21F461Cu002dB8FDu002d40BBu002dACBAu002d17BB57CD05CC.cs Large array initialization: .cctor: array initializer size 11846
Source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b03A0F30Cu002d135Du002d465Du002d890Au002d43EFC19CAB91u007d/E21F461Cu002dB8FDu002d40BBu002dACBAu002d17BB57CD05CC.cs Large array initialization: .cctor: array initializer size 11846
Source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007b03A0F30Cu002d135Du002d465Du002d890Au002d43EFC19CAB91u007d/E21F461Cu002dB8FDu002d40BBu002dACBAu002d17BB57CD05CC.cs Large array initialization: .cctor: array initializer size 11846
Uses 32bit PE files
Source: DHL_119040 ontvangstbewijs,pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 1_2_004B5C24 1_2_004B5C24
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 1_2_00D98250 1_2_00D98250
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 1_2_00D9D2F8 1_2_00D9D2F8
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 1_2_05075AA0 1_2_05075AA0
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 1_2_05075AB0 1_2_05075AB0
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00505C24 4_2_00505C24
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00C721A8 4_2_00C721A8
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00C70D68 4_2_00C70D68
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00C756E8 4_2_00C756E8
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00C7B7A0 4_2_00C7B7A0
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00C7C5B8 4_2_00C7C5B8
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00C74A50 4_2_00C74A50
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00C7C668 4_2_00C7C668
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00C8C080 4_2_00C8C080
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00C82618 4_2_00C82618
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00C81FF0 4_2_00C81FF0
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00C82F6D 4_2_00C82F6D
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00C8AB78 4_2_00C8AB78
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00C8A1C0 4_2_00C8A1C0
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00C8E930 4_2_00C8E930
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_026846A0 4_2_026846A0
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_026845B0 4_2_026845B0
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_0268DA00 4_2_0268DA00
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00C7E438 4_2_00C7E438
Sample file is different than original file name gathered from version info
Source: DHL_119040 ontvangstbewijs,pdf.exe Binary or memory string: OriginalFilename vs DHL_119040 ontvangstbewijs,pdf.exe
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000001.00000002.309034785.00000000004B2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIsJitIntrins.exe. vs DHL_119040 ontvangstbewijs,pdf.exe
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000001.00000002.309960102.000000000293B000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs DHL_119040 ontvangstbewijs,pdf.exe
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000001.00000002.309824480.0000000002871000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs DHL_119040 ontvangstbewijs,pdf.exe
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000001.00000002.309824480.0000000002871000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamerrNOpTKQfXOboHdQAJfuZzXWwnBGhmltNFVw.exe4 vs DHL_119040 ontvangstbewijs,pdf.exe
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000001.00000002.310307492.000000000387D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamerrNOpTKQfXOboHdQAJfuZzXWwnBGhmltNFVw.exe4 vs DHL_119040 ontvangstbewijs,pdf.exe
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000001.00000002.310307492.000000000387D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs DHL_119040 ontvangstbewijs,pdf.exe
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000001.00000002.313255265.0000000005CA0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs DHL_119040 ontvangstbewijs,pdf.exe
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000001.00000002.312491538.0000000005810000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs DHL_119040 ontvangstbewijs,pdf.exe
Source: DHL_119040 ontvangstbewijs,pdf.exe Binary or memory string: OriginalFilename vs DHL_119040 ontvangstbewijs,pdf.exe
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000000.304523646.0000000000502000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIsJitIntrins.exe. vs DHL_119040 ontvangstbewijs,pdf.exe
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.565220129.0000000000938000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL_119040 ontvangstbewijs,pdf.exe
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000000.306861982.0000000000438000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamerrNOpTKQfXOboHdQAJfuZzXWwnBGhmltNFVw.exe4 vs DHL_119040 ontvangstbewijs,pdf.exe
Source: DHL_119040 ontvangstbewijs,pdf.exe Binary or memory string: OriginalFilenameIsJitIntrins.exe. vs DHL_119040 ontvangstbewijs,pdf.exe
PE file contains strange resources
Source: DHL_119040 ontvangstbewijs,pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DHL_119040 ontvangstbewijs,pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe File read: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe:Zone.Identifier
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe "C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe"
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process created: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process created: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_119040 ontvangstbewijs,pdf.exe.log
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@6/2
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: DHL_119040 ontvangstbewijs,pdf.exe String found in binary or memory: /IsJitIntrins;component/views/addbook.xaml
Source: DHL_119040 ontvangstbewijs,pdf.exe String found in binary or memory: views/addbook.baml
Source: DHL_119040 ontvangstbewijs,pdf.exe String found in binary or memory: views/addcustomer.baml
Source: DHL_119040 ontvangstbewijs,pdf.exe String found in binary or memory: /IsJitIntrins;component/views/addcustomer.xaml
Source: DHL_119040 ontvangstbewijs,pdf.exe String found in binary or memory: U/IsJitIntrins;component/views/addbook.xamlk/IsJitIntrins;component/views/borrowfrombookview.xamla/IsJitIntrins;component/views/borrowingview.xaml[/IsJitIntrins;component/views/changebook.xamlc/IsJitIntrins;component/views/changecustomer.xaml_/IsJitIntrins;component/views/customerview.xamlc/IsJitIntrins;component/views/deletecustomer.xamlY/IsJitIntrins;component/views/errorview.xaml]/IsJitIntrins;component/views/smallextras.xaml]/IsJitIntrins;component/views/addcustomer.xaml
Source: DHL_119040 ontvangstbewijs,pdf.exe String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
Source: 4.2.DHL_119040 ontvangstbewijs,pdf.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.12.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.10.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: DHL_119040 ontvangstbewijs,pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL_119040 ontvangstbewijs,pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: DHL_119040 ontvangstbewijs,pdf.exe, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.DHL_119040 ontvangstbewijs,pdf.exe.4b0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.DHL_119040 ontvangstbewijs,pdf.exe.4b0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.500000.2.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.500000.3.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.500000.5.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.DHL_119040 ontvangstbewijs,pdf.exe.500000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.500000.9.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.500000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.500000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.500000.11.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.500000.7.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 1_2_004B9347 push ds; ret 1_2_004B934C
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 1_2_004B9361 push ds; retf 1_2_004B9364
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 1_2_004B92F5 push ds; ret 1_2_004B9340
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00509347 push ds; ret 4_2_0050934C
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_005092F5 push ds; ret 4_2_00509340
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00509361 push ds; retf 4_2_00509364
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00C7C260 push eax; retf 4_2_00C7C489
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00C7C3B3 push eax; retf 4_2_00C7C489
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00C87E3F push edi; retn 0000h 4_2_00C87E41
Source: initial sample Static PE information: section name: .text entropy: 7.8827247031
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 1.2.DHL_119040 ontvangstbewijs,pdf.exe.28d8f58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_119040 ontvangstbewijs,pdf.exe.296b68c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.309960102.000000000293B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.309824480.0000000002871000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_119040 ontvangstbewijs,pdf.exe PID: 4532, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000001.00000002.309960102.000000000293B000.00000004.00000001.sdmp, DHL_119040 ontvangstbewijs,pdf.exe, 00000001.00000002.309824480.0000000002871000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000001.00000002.309960102.000000000293B000.00000004.00000001.sdmp, DHL_119040 ontvangstbewijs,pdf.exe, 00000001.00000002.309824480.0000000002871000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
SbieDll.dll is the user-mode hook DLL that Sandboxie injects into every sandboxed process, and wine_get_unix_file_name is an export that exists only in Wine's kernel32; checking for the loaded module and for the export (GetModuleHandle / GetProcAddress) is the standard pair of tests for those two environments. The sandbox prints the strings upper-cased and decoded; inside a .NET process they are held as UTF-16 string literals, which matters when scanning dumps for them.
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
The signature titles are generic; the classes actually enumerated are Win32_NetworkAdapterConfiguration (MAC addresses, whose OUI prefixes identify VMware, VirtualBox and Hyper-V adapters) and Win32_BaseBoard (Manufacturer and Product, which read "Intel Corporation" / "440BX Desktop Reference Platform" on VMware guests). No Win32_BIOS query is recorded in this section.
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe TID: 5268 Thread sleep time (ms, threshold 30000): 5534023222112862, 240000, 239859, 239734, 239625, 239511, 239406, 239297, 239141, 239030, 238922, 238781, 238671, 238562, 238437, 238328, 238216, 237953, 237703, 237141, 236547, 236250, 236047, 235903
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe TID: 5208 Thread sleep count: 1131 > 30; 1478 > 30
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe TID: 4592 Thread sleep time (ms): 39145 >= 30000
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe TID: 4344 Thread sleep time (ms): 922337203685477 >= 30000
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe TID: 1068 Thread sleep time (ms): 25825441703193356 >= 30000
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe TID: 1432 Thread sleep count: 3086 > 30; 6732 > 30
The raw report prints these intervals as negative numbers with an "s" suffix; they are relative delays in milliseconds (240000 = 4 min, which is what triggers the "long sleeps (>= 3 min)" signature below). 922337203685477 is Int64.MinValue in 100 ns units divided by 10000, the most negative relative interval a 64-bit delay can express, and should be read as an indefinite wait. The two larger values (5534023222112862 and 25825441703193356) cannot be valid 64-bit 100 ns intervals at all and should not be read as real sleep lengths. On thread 5268 the four-minute delay shrinks by roughly 100 to 600 ms per call, consistent with a loop that recomputes the time remaining until a fixed deadline after each (shortened) sleep, which defeats sandboxes that merely skip individual sleep calls.
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Thread delayed: delay time (ms): 922337203685477 (3 occurrences, an indefinite wait); 240000, 239859, 239734, 239625, 239511, 239406, 239297, 239141, 239030, 238922, 238781, 238671, 238562, 238437, 238328, 238216, 237953, 237703, 237141, 236547, 236250, 236047, 235903 (23 occurrences of a four-minute delay stepping down on each call)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Window / User API: threadDelayed 1131
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Window / User API: threadDelayed 1478
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Window / User API: threadDelayed 3086
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Window / User API: threadDelayed 6732
These four counts are the per-thread sleep counts of TIDs 5208 and 1432 listed above: two threads in tight poll loops that wake thousands of times, a profile typical of code polling for user activity (mouse movement, foreground window changes) before it proceeds.
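The sleep records above are easier to reason about once they are normalised and grouped per thread. The following script is an added example, not part of the Joe Sandbox report: it parses lines in the report's own "Thread sleep time" / "Thread sleep count" format (a handful of them are embedded as constructed sample input), converts the negative "s"-suffixed values to milliseconds, buckets each delay as indefinite, artifact, long or short, and flags a thread whose delays only ever shrink by a small step as a re-armed deadline loop. The 3-minute threshold and the 922337203685477 "infinite" constant are taken from the report; the step size used to recognise a re-armed deadline (1000 ms) is an assumption.

```python
import re
from collections import defaultdict

# Int64.MinValue expressed in 100 ns units, divided down to milliseconds: the most
# negative relative interval NtDelayExecution accepts, which the sandbox prints as
# 922337203685477. Treat it as "sleep forever".
INFINITE_MS = (1 << 63) // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000        # the report's "long sleeps (>= 3 min)" threshold

# Constructed sample in the report's own line format (relative delays are printed
# as negative numbers with a spurious "s" suffix; the unit is milliseconds).
SAMPLE = """\
DHL_119040 ontvangstbewijs,pdf.exe TID: 5268 Thread sleep time: -5534023222112862s >= -30000s
DHL_119040 ontvangstbewijs,pdf.exe TID: 5268 Thread sleep time: -240000s >= -30000s
DHL_119040 ontvangstbewijs,pdf.exe TID: 5208 Thread sleep count: 1131 > 30
DHL_119040 ontvangstbewijs,pdf.exe TID: 5268 Thread sleep time: -239859s >= -30000s
DHL_119040 ontvangstbewijs,pdf.exe TID: 4592 Thread sleep time: -39145s >= -30000s
DHL_119040 ontvangstbewijs,pdf.exe TID: 5268 Thread sleep time: -239734s >= -30000s
DHL_119040 ontvangstbewijs,pdf.exe TID: 4344 Thread sleep time: -922337203685477s >= -30000s
DHL_119040 ontvangstbewijs,pdf.exe TID: 1432 Thread sleep count: 6732 > 30
"""

TIME_RE = re.compile(r"TID: (\d+) Thread sleep time: (-?\d+)s")
COUNT_RE = re.compile(r"TID: (\d+) Thread sleep count: (\d+)")


def classify_delay(ms):
    """Bucket one delay: 'infinite', 'artifact' (not representable as a 64-bit
    100 ns interval, so not a real sleep), 'long' (>= 3 min) or 'short'."""
    if ms == INFINITE_MS:
        return "infinite"
    if ms > INFINITE_MS:
        return "artifact"
    if ms >= LONG_SLEEP_MS:
        return "long"
    return "short"


def parse_sleeps(text):
    """Collect delays (ms) and poll counts per thread, in the order recorded."""
    per_tid = defaultdict(lambda: {"delays_ms": [], "counts": []})
    for line in text.splitlines():
        m = TIME_RE.search(line)
        if m:
            per_tid[int(m.group(1))]["delays_ms"].append(abs(int(m.group(2))))
            continue
        m = COUNT_RE.search(line)
        if m:
            per_tid[int(m.group(1))]["counts"].append(int(m.group(2)))
    return dict(per_tid)


def is_rearmed_deadline(delays, max_step_ms=1000):
    """True when successive real delays only ever shrink by a small step: the
    thread recomputes 'time left until my deadline' after every wake-up, so a
    sandbox that shortens individual sleeps still has to wait out the deadline.
    max_step_ms is an assumed tolerance, not a value from the report."""
    real = [d for d in delays if classify_delay(d) in ("long", "short")]
    if len(real) < 3:
        return False
    steps = [a - b for a, b in zip(real, real[1:])]
    return all(0 < s <= max_step_ms for s in steps)


def summarize(text):
    """Per-thread verdicts a triage note can be built from."""
    out = {}
    for tid, rec in parse_sleeps(text).items():
        kinds = [classify_delay(d) for d in rec["delays_ms"]]
        out[tid] = {
            "infinite": kinds.count("infinite"),
            "long": kinds.count("long"),
            "artifact": kinds.count("artifact"),
            "real_ms": sum(d for d, k in zip(rec["delays_ms"], kinds)
                           if k in ("long", "short")),
            "rearmed_deadline": is_rearmed_deadline(rec["delays_ms"]),
            "max_poll_count": max(rec["counts"], default=0),
        }
    return out


if __name__ == "__main__":
    for tid, verdict in sorted(summarize(SAMPLE).items()):
        print(tid, verdict)
```

Run against the full report, thread 5268 comes out as a re-armed four-minute deadline with one artifact value, 4344 as an indefinite wait, and 5208 / 1432 as poll loops; that is the distinction worth recording in a triage note, rather than "the sample sleeps".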
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Thread delayed: delay time (ms): 922337203685477 (3 occurrences); 39145; 240000, 239859, 239734, 239625, 239511, 239406, 239297, 239141, 239030, 238922, 238781, 238671, 238562, 238437, 238328, 238216, 237953, 237703, 237141, 236547, 236250, 236047, 235903 (the same delays the "Contains long sleeps" signature above is built on, repeated here under a signature whose title is not shown in this export)
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000001.00000002.309824480.0000000002871000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000001.00000002.309824480.0000000002871000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000001.00000002.309824480.0000000002871000.00000004.00000001.sdmp Binary or memory string: vmware
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000001.00000002.309824480.0000000002871000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
"VMware SVGA II" is the VMware display adapter name, and the other two strings are the VMware Tools install path and its registry key; whether each is an embedded comparison value or the result of one of the sample's own registry/WMI probes cannot be told from the dump alone, but either way they name the VMware artefacts the anti-VM logic keys on. The fragment "Add-MpPreference -ExclusionPath "" that sits next to the first string is the PowerShell cmdlet used to exclude a path from Microsoft Defender scanning; no corresponding PowerShell execution is listed among this report's signatures, so treat it as an embedded capability rather than observed behaviour.
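The sandbox-detection strings (SBIEDLL.DLL, wine_get_unix_file_name), the WMI class names and the VMware strings above are all things a memory dump of this sample can be scanned for directly. The following scanner is an added example, not code from the report or from Joe Sandbox: it takes the indicators listed in this section, compiles each one both as ASCII and as UTF-16LE (the form in which a .NET process holds its string literals, and the reason a plain ASCII strings pass misses most of them), and reports every hit with its offset and category. The grouping into categories and the constructed sample dump are assumptions made for the example.

```python
import re

# Indicator strings seen in this sample's memory dumps, grouped by what they
# reveal. Matching is case-insensitive because the sandbox prints them upper-cased.
INDICATORS = {
    "sandbox-dll": ["SbieDll.dll"],                          # Sandboxie hook DLL
    "wine": ["wine_get_unix_file_name"],                     # export only Wine's kernel32 has
    "vmware": ["VMware SVGA II",
               r"SOFTWARE\VMware, Inc.\VMware Tools",
               r"PROGRAM FILES\VMWARE\VMWARE TOOLS"],
    "wmi-hw-query": ["Win32_BaseBoard", "Win32_Processor",
                     "Win32_NetworkAdapterConfiguration"],
    "defender-tamper": ["Add-MpPreference -ExclusionPath"],
}


def _patterns():
    """Compile every indicator twice: as ASCII and as UTF-16LE."""
    compiled = []
    for category, needles in INDICATORS.items():
        for s in needles:
            for enc in ("ascii", "utf-16le"):
                rx = re.compile(re.escape(s.encode(enc)), re.IGNORECASE)
                compiled.append((category, s, enc, rx))
    return compiled


PATTERNS = _patterns()


def scan(blob):
    """Return every hit as (offset, category, indicator, encoding), by offset."""
    hits = []
    for category, s, enc, rx in PATTERNS:
        for m in rx.finditer(blob):
            hits.append((m.start(), category, s, enc))
    return sorted(hits)


def categories(blob):
    """The distinct evasion/tampering categories present in the blob."""
    return sorted({h[1] for h in scan(blob)})


# Constructed "dump" (not a real memory image): the sandbox-detection strings as a
# .NET process would hold them (UTF-16LE), plus one ASCII import-style string,
# separated by padding.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "SBIEDLL.DLL".encode("utf-16le")
    + b"\x00" * 8
    + b"kernel32.dll.wine_get_unix_file_name\x00"
    + "VMware SVGA II".encode("utf-16le")
    + 'Add-MpPreference -ExclusionPath "'.encode("utf-16le")
    + "root\\cimv2".encode("utf-16le")
    + "Win32_BaseBoard".encode("utf-16le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for offset, category, s, enc in scan(SAMPLE_DUMP):
        print(f"0x{offset:06x} {category:16} {enc:8} {s}")
```

Point it at the .sdmp files named in this section (read them as bytes) and the same five categories should surface; a category that appears only in UTF-16LE is the normal case for managed code, so do not conclude a string is absent because `strings` without `-el` did not show it.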

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Code function: 4_2_00C8F118 LdrInitializeThunk, 4_2_00C8F118
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Memory allocated: page read and write | page guard
The token adjustment is the process enabling SeDebugPrivilege on itself, the privilege needed to open other users' processes with full access; a mail and browser credential stealer has no legitimate reason to request it. Guard-page allocations are used both legitimately (stack guard pages) and as an anti-debug/anti-dump trick (a first touch raises STATUS_GUARD_PAGE_VIOLATION, which an attached debugger may swallow), so that line is weak evidence on its own.

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Process created: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe
The child is a second instance of the same image. The AgentTesla Yara matches further down hit the child's memory at 0x400000 (the 4.0.*.400000.*.unpack dumps and the 00000004.*.0000000000402000.00000040 regions, where the 0x40 in the dump name indicates PAGE_EXECUTE_READWRITE protection), so the payload was written over the suspended child's image base before it was resumed, which is consistent with process hollowing. The first process (PID 4532) unpacks the payload in its own heap (the 1.2.*.unpack matches) and hands it to the child (PID 6736), which is the process that then does the credential theft.
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.566529351.0000000001230000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.566529351.0000000001230000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.566529351.0000000001230000.00000002.00020000.sdmp Binary or memory string: Progman
Source: DHL_119040 ontvangstbewijs,pdf.exe, 00000004.00000002.566529351.0000000001230000.00000002.00020000.sdmp Binary or memory string: Progmanlock
"Program Manager" / Progman is the desktop window (title and class name) and Shell_TrayWnd is the taskbar's class name; looking these windows up is how user-mode code checks that a real interactive desktop exists.

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Queries volume information: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe VolumeInformation (2x)
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation (2x)
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3x)
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3x)
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation (2x)
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation (2x)
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3x)
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
These volume queries are the CLR's assembly loader touching each GAC assembly as it is loaded, so the signature itself is noise; the set of assemblies is the useful part (System.Management is the .NET WMI client and accounts for the WMI queries above; System.Data, System.Data.Linq, Microsoft.VisualBasic and System.Windows.Forms are the rest of the sample's dependency surface).
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MachineGuid is a stable per-installation identifier; stealers read it to tag the victim in their reports.

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL_119040 ontvangstbewijs,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_119040 ontvangstbewijs,pdf.exe.39a2278.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_119040 ontvangstbewijs,pdf.exe.396ca58.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_119040 ontvangstbewijs,pdf.exe.39a2278.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_119040 ontvangstbewijs,pdf.exe.396ca58.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.305861427.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.306305831.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.306831919.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.307479462.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.564785123.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.310307492.000000000387D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.566852760.0000000002811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.567348132.0000000002960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_119040 ontvangstbewijs,pdf.exe PID: 4532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DHL_119040 ontvangstbewijs,pdf.exe PID: 6736, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2x)
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
profiles.ini is read to locate the Thunderbird profile directory (where logins.json and key4.db live); the IncrediMail key holds that client's account identities; 9375CFF0413111d3B88A00104B2A6676 is the MAPI profile subkey under which Outlook stores its account settings, including the DPAPI-protected passwords. Each is a read of a store that only the named client should be touching.
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Login Data is Chrome's SQLite password database. Its password_value column is protected with DPAPI (on Chrome 80 and later with AES-GCM under a key that is itself DPAPI-wrapped in Local State), and DPAPI decrypts for whichever process runs as the logged-on user, which is why a user-level infostealer needs no elevation for any of the reads listed here.
Yara detected Credential Stealer
Source: Yara match File source: 00000004.00000002.566852760.0000000002811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_119040 ontvangstbewijs,pdf.exe PID: 6736, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL_119040 ontvangstbewijs,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_119040 ontvangstbewijs,pdf.exe.39a2278.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_119040 ontvangstbewijs,pdf.exe.396ca58.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_119040 ontvangstbewijs,pdf.exe.39a2278.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_119040 ontvangstbewijs,pdf.exe.396ca58.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.305861427.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.306305831.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.306831919.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.307479462.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.564785123.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.310307492.000000000387D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.566852760.0000000002811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.567348132.0000000002960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_119040 ontvangstbewijs,pdf.exe PID: 4532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DHL_119040 ontvangstbewijs,pdf.exe PID: 6736, type: MEMORYSTR
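The Yara and behaviour lines above are what a responder has to read across many such reports, so here is an added triage example (written for this page; it is not code from the report or from Joe Security) that parses lines in exactly this shape. It groups the Yara hits by process index and dump phase and memory region, and flags the credential-store accesses (Thunderbird and Firefox profiles.ini, Chrome Login Data, the IncrediMail Identities key and the Outlook profile key) that the signatures above point at. Assumptions: the .sdmp name layout is read as process index, phase, dump id, base address, page protection, flags, with phase 0 taken at process start and 2 at process end, and the protection field as a Win32 PAGE_* constant; that layout is inferred from the names in this report, not from a documented format. The sample input is constructed from the report's own lines plus one benign file access as a control.

```python
"""Triage helper for Joe Sandbox style "Source:" lines (added example, not report code)."""
import re
from collections import defaultdict

# Constructed input in the shape of the report's own lines; the last line is a
# benign control that must not be flagged.
SAMPLE_LINES = r"""
Source: Yara match File source: 4.0.DHL_119040 ontvangstbewijs,pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_119040 ontvangstbewijs,pdf.exe.39a2278.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.305861427.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.566852760.0000000002811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_119040 ontvangstbewijs,pdf.exe PID: 6736, type: MEMORYSTR
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe File opened: C:\Users\user\AppData\Local\Temp\settings.tmp Jump to behavior
"""

YARA_RE = re.compile(r"^Source: Yara match File source: (.+?), type: (\w+)$")
BEHAVIOR_RE = re.compile(r"^Source: (.+?\.exe) (File opened|Key opened): (.+?) Jump to behavior$")
# Assumed .sdmp layout: <process idx>.<phase>.<dump id>.<base addr>.<page protect>.<flags>.sdmp
SDMP_RE = re.compile(r"^(\d{8})\.(\d{8})\.\d+\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$")
# <process idx>.<phase>.<sample name>.<address>.<n>.[raw.]unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\..+\.([0-9A-Fa-f]+)\.\d+\.(?:raw\.)?unpack$")
MEMSTR_RE = re.compile(r"^Process Memory Space: .+ PID: (\d+)$")

# Win32 memory protection constants (the protect field is assumed to hold one of these).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Credential stores named in the report's "Tries to steal ..." signatures.
CREDENTIAL_STORES = [
    (r"\\Thunderbird\\profiles\.ini$", "mail:thunderbird"),
    (r"\\Mozilla\\Firefox\\profiles\.ini$", "browser:firefox"),
    (r"\\Chrome\\User Data\\.*\\Login Data$", "browser:chrome"),
    (r"\\Software\\IncrediMail\\Identities$", "mail:incredimail"),
    (r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "mail:outlook"),
]


def parse_yara_source(source):
    """Turn one 'File source:' value into process / phase / region / protection, or None."""
    m = SDMP_RE.match(source)
    if m:
        proc, phase, base, prot = m.groups()
        return {"process": int(proc), "phase": int(phase), "region": int(base, 16),
                "protect": PAGE_PROTECT.get(int(prot, 16), hex(int(prot, 16))), "pid": None}
    m = UNPACK_RE.match(source)
    if m:
        proc, phase, addr = m.groups()
        return {"process": int(proc), "phase": int(phase), "region": int(addr, 16),
                "protect": None, "pid": None}
    m = MEMSTR_RE.match(source)
    if m:  # whole-process string scan: only the OS PID is known
        return {"process": None, "phase": None, "region": None, "protect": None,
                "pid": int(m.group(1))}
    return None


def classify_credential_access(target):
    """Label a file path or registry key if it is a known mail/browser credential store."""
    for pattern, label in CREDENTIAL_STORES:
        if re.search(pattern, target, re.IGNORECASE):
            return label
    return None


def triage(text):
    """Group Yara hits by (process index, phase) and list credential-store accesses."""
    regions = defaultdict(set)
    pids, cred_access = set(), []
    for line in text.strip().splitlines():
        m = YARA_RE.match(line)
        if m:
            info = parse_yara_source(m.group(1))
            if info is None:
                continue
            if info["pid"] is not None:
                pids.add(info["pid"])
            else:
                regions[(info["process"], info["phase"])].add(info["region"])
            continue
        m = BEHAVIOR_RE.match(line)
        if m:
            label = classify_credential_access(m.group(3))
            if label:  # benign paths such as %TEMP% files fall through
                cred_access.append((label, m.group(2), m.group(3)))
    return {"yara_regions": dict(regions), "yara_pids": pids, "credential_access": cred_access}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for (proc, phase), addrs in sorted(result["yara_regions"].items()):
        print(f"process {proc} phase {phase}: " + ", ".join(hex(a) for a in sorted(addrs)))
    for label, action, target in result["credential_access"]:
        print(f"{label:18} {action}: {target}")
```

Grouping by (process, phase) is what makes the report's story readable: in the lines above, process 4 already matches AgentTesla on its 0x400000/0x402000 image region in the phase-0 dumps, while process 1 only matches in heap regions (0x39a2278, 0x396ca58, 0x387D000) at the end of its run. Extend CREDENTIAL_STORES with whatever other stores your own sandbox signatures name; the benign %TEMP% access in the sample shows that unmatched paths are ignored rather than reported.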