
Windows Analysis Report: DHL Waybill receipt.exe

Overview

General Information

Sample Name: DHL Waybill receipt.exe
Analysis ID: 532850
MD5: fccf07d7a10aff74cedc0e93fbe77f90
SHA1: 8e7d667885cdc3646d46c3a72ee13451c86cbd4d
SHA256: 854fdbaa39b3da5ed2d094c57511d14dc97c392358da47e42fbbd7b2d03101d2
Tags: AgentTesla, DHL, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to register a low level keyboard hook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • DHL Waybill receipt.exe (PID: 6312 cmdline: "C:\Users\user\Desktop\DHL Waybill receipt.exe" MD5: FCCF07D7A10AFF74CEDC0E93FBE77F90)
    • DHL Waybill receipt.exe (PID: 3276 cmdline: C:\Users\user\Desktop\DHL Waybill receipt.exe MD5: FCCF07D7A10AFF74CEDC0E93FBE77F90)
    • DHL Waybill receipt.exe (PID: 3688 cmdline: C:\Users\user\Desktop\DHL Waybill receipt.exe MD5: FCCF07D7A10AFF74CEDC0E93FBE77F90)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "john.ramos@unitedappliencesgroup.com", "Password": "fYmh*3R6#+sv", "Host": "smtp.unitedappliencesgroup.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000000.249607108.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000000.249607108.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000002.254418452.0000000002A91000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000003.00000000.251632964.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000000.251632964.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(5 of 14 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.0.DHL Waybill receipt.exe.400000.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
3.0.DHL Waybill receipt.exe.400000.8.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
3.0.DHL Waybill receipt.exe.400000.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
3.0.DHL Waybill receipt.exe.400000.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
3.0.DHL Waybill receipt.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 16 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 0.2.DHL Waybill receipt.exe.3d934e0.3.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "john.ramos@unitedappliencesgroup.com", "Password": "fYmh*3R6#+sv", "Host": "smtp.unitedappliencesgroup.com"}
Multi AV Scanner detection for submitted file
Source: DHL Waybill receipt.exe | ReversingLabs: Detection: 31%
Source: 3.2.DHL Waybill receipt.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.DHL Waybill receipt.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.DHL Waybill receipt.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.DHL Waybill receipt.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.DHL Waybill receipt.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.DHL Waybill receipt.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: DHL Waybill receipt.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL Waybill receipt.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49855 -> 208.91.199.223:587
Source: Joe Sandbox View | IP Address: 208.91.199.223
Source: global traffic | TCP traffic: 192.168.2.5:49855 -> 208.91.199.223:587
Source: DHL Waybill receipt.exe, 00000003.00000002.515087639.0000000002F81000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: DHL Waybill receipt.exe, 00000003.00000002.515087639.0000000002F81000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: DHL Waybill receipt.exe, 00000003.00000002.515087639.0000000002F81000.00000004.00000001.sdmp | String found in binary or memory: http://KjvtHQ.com
Source: DHL Waybill receipt.exe, 00000003.00000002.516134139.00000000032E1000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.unitedappliencesgroup.com
Source: DHL Waybill receipt.exe, 00000003.00000002.516134139.00000000032E1000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: DHL Waybill receipt.exe, 00000003.00000002.516134139.00000000032E1000.00000004.00000001.sdmp, DHL Waybill receipt.exe, 00000003.00000002.516100681.00000000032DB000.00000004.00000001.sdmp, DHL Waybill receipt.exe, 00000003.00000003.469252817.0000000001144000.00000004.00000001.sdmp, DHL Waybill receipt.exe, 00000003.00000002.516067178.00000000032D7000.00000004.00000001.sdmp | String found in binary or memory: https://YDMv4fA4ajY4A2Rc.net
Source: DHL Waybill receipt.exe, 00000000.00000002.257252389.0000000003A99000.00000004.00000001.sdmp, DHL Waybill receipt.exe, 00000003.00000000.249607108.0000000000402000.00000040.00000001.sdmp, DHL Waybill receipt.exe, 00000003.00000000.251632964.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: DHL Waybill receipt.exe, 00000003.00000002.515087639.0000000002F81000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: smtp.unitedappliencesgroup.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\DHL Waybill receipt.exe
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_01320918 SetWindowsHookExW 0000000D,00000000,?,?
Source: DHL Waybill receipt.exe, 00000000.00000002.253890872.0000000000E48000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: DHL Waybill receipt.exe
.NET source code contains very large array initializations
Source: 3.2.DHL Waybill receipt.exe.400000.0.unpack, <PrivateImplementationDetails>{D602F5EC-6DD9-402A-B460-68BF51135F0D}/F334B3FC-A0E0-4A3C-97FF-D31A2D202388.cs | Large array initialization: .cctor: array initializer size 11963
Source: 3.0.DHL Waybill receipt.exe.400000.10.unpack, <PrivateImplementationDetails>{D602F5EC-6DD9-402A-B460-68BF51135F0D}/F334B3FC-A0E0-4A3C-97FF-D31A2D202388.cs | Large array initialization: .cctor: array initializer size 11963
Source: 3.0.DHL Waybill receipt.exe.400000.8.unpack, <PrivateImplementationDetails>{D602F5EC-6DD9-402A-B460-68BF51135F0D}/F334B3FC-A0E0-4A3C-97FF-D31A2D202388.cs | Large array initialization: .cctor: array initializer size 11963
Source: 3.0.DHL Waybill receipt.exe.400000.12.unpack, <PrivateImplementationDetails>{D602F5EC-6DD9-402A-B460-68BF51135F0D}/F334B3FC-A0E0-4A3C-97FF-D31A2D202388.cs | Large array initialization: .cctor: array initializer size 11963
Source: DHL Waybill receipt.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 0_2_0106E76A
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 0_2_0106E778
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 0_2_0106BDC4
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 0_2_04FA4F50
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 0_2_04FAE0B8
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 0_2_04FAC1D8
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 0_2_04FAE1D0
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 0_2_04FAC1C8
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 0_2_04FA4E88
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 0_2_04FA4F41
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 0_2_00692050
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 1_2_001D2050
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_0132E018
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_01320006
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_01320F50
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_01329590
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_013385B0
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_01330040
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_0133DBB8
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_01334A34
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_0133A12F
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_0133A1B2
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_01332398
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_0133A250
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_013491AC
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_01346850
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_0134E268
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_01345AF0
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_0134D509
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_0134D5D2
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_0134D471
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_01349CB1
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_0134AB02
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_01344B51
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_01344B9D
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_01344BE9
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_00B02050
Source: DHL Waybill receipt.exe | Binary or memory string: OriginalFilename vs DHL Waybill receipt.exe
Source: DHL Waybill receipt.exe, 00000000.00000002.254418452.0000000002A91000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs DHL Waybill receipt.exe
Source: DHL Waybill receipt.exe, 00000000.00000002.254418452.0000000002A91000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameurHctEuzUbYyBfycprxPlEqnVuAMRHMF.exe4 vs DHL Waybill receipt.exe
Source: DHL Waybill receipt.exe, 00000000.00000002.257252389.0000000003A99000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs DHL Waybill receipt.exe
Source: DHL Waybill receipt.exe, 00000000.00000002.257252389.0000000003A99000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameurHctEuzUbYyBfycprxPlEqnVuAMRHMF.exe4 vs DHL Waybill receipt.exe
Source: DHL Waybill receipt.exe, 00000000.00000002.258205731.0000000005BF0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs DHL Waybill receipt.exe
Source: DHL Waybill receipt.exe, 00000000.00000002.253890872.0000000000E48000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs DHL Waybill receipt.exe
Source: DHL Waybill receipt.exe, 00000003.00000000.251632964.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameurHctEuzUbYyBfycprxPlEqnVuAMRHMF.exe4 vs DHL Waybill receipt.exe
Source: DHL Waybill receipt.exe, 00000003.00000002.512922970.000000000121A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs DHL Waybill receipt.exe
Source: DHL Waybill receipt.exe, 00000003.00000002.511253105.0000000000F58000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL Waybill receipt.exe
Source: DHL Waybill receipt.exe | Binary or memory string: OriginalFilenameCOMServerEnt.exeB vs DHL Waybill receipt.exe
Source: DHL Waybill receipt.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DHL Waybill receipt.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\DHL Waybill receipt.exe "C:\Users\user\Desktop\DHL Waybill receipt.exe"
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Process created: C:\Users\user\Desktop\DHL Waybill receipt.exe C:\Users\user\Desktop\DHL Waybill receipt.exe
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Process created: C:\Users\user\Desktop\DHL Waybill receipt.exe C:\Users\user\Desktop\DHL Waybill receipt.exe
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL Waybill receipt.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/1@2/2
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 3.2.DHL Waybill receipt.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.DHL Waybill receipt.exe.400000.10.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.DHL Waybill receipt.exe.400000.8.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: DHL Waybill receipt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL Waybill receipt.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: DHL Waybill receipt.exe, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.DHL Waybill receipt.exe.690000.0.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.DHL Waybill receipt.exe.690000.0.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.DHL Waybill receipt.exe.1d0000.2.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.DHL Waybill receipt.exe.1d0000.0.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.DHL Waybill receipt.exe.1d0000.1.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.DHL Waybill receipt.exe.1d0000.3.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.DHL Waybill receipt.exe.1d0000.0.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.DHL Waybill receipt.exe.b00000.11.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.DHL Waybill receipt.exe.b00000.9.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.DHL Waybill receipt.exe.b00000.1.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.DHL Waybill receipt.exe.b00000.13.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 0_2_0106E768 pushfd ; ret 0_2_0106E769
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_0134B537 push edi; retn 0000h 3_2_0134B539
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_01342308 push cs; ret 3_2_013423AF
Source: initial sample | Static PE information: section name: .text entropy: 7.85914519961
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DHL Waybill receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.DHL Waybill receipt.exe.2ab1428.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.254418452.0000000002A91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL Waybill receipt.exe PID: 6312, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DHL Waybill receipt.exe, 00000000.00000002.254418452.0000000002A91000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: DHL Waybill receipt.exe, 00000000.00000002.254418452.0000000002A91000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe TID: 4380 | Thread sleep time: -35062s >= -30000s
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe TID: 3976 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe TID: 2920 | Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe TID: 5028 | Thread sleep count: 2676 > 30
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe TID: 5028 | Thread sleep count: 7179 > 30
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Window / User API: threadDelayed 2676
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Window / User API: threadDelayed 7179
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Thread delayed: delay time: 35062
Source: DHL Waybill receipt.exe, 00000000.00000002.254418452.0000000002A91000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: DHL Waybill receipt.exe, 00000000.00000002.254418452.0000000002A91000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL Waybill receipt.exe, 00000000.00000002.254418452.0000000002A91000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: DHL Waybill receipt.exe, 00000003.00000002.513209462.0000000001282000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: DHL Waybill receipt.exe, 00000000.00000002.254418452.0000000002A91000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Code function: 3_2_0133DBB8 LdrInitializeThunk,3_2_0133DBB8
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\DHL Waybill receipt.exe | Process created: C:\Users\user\Desktop\DHL Waybill receipt.exe C:\Users\user\Desktop\DHL Waybill receipt.exe
Source: DHL Waybill receipt.exe, 00000003.00000002.514410708.0000000001970000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: DHL Waybill receipt.exe, 00000003.00000002.514410708.0000000001970000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: DHL Waybill receipt.exe, 00000003.00000002.514410708.0000000001970000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
Source: DHL Waybill receipt.exe, 00000003.00000002.514410708.0000000001970000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
Source: DHL Waybill receipt.exe, 00000003.00000002.514410708.0000000001970000.00000002.00020000.sdmp | Binary or memory string: Progmanlock