Windows Analysis Report
SHIPMENTDOCUMENTSPDF.exe

Overview

General Information

Sample Name: SHIPMENTDOCUMENTSPDF.exe
Analysis ID: 598602
MD5: db995bcbc1b1ffe95cbde7f316b577bc
SHA1: 95049e53f64a1b5050d697d88ccc8bf62d58e3f6
SHA256: bb95fa20a55260f729584b7932c7dba208dcc5b0a7597be447a72e481e0dcb09
Tags: exe

Detection

AveMaria, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected UACMe UAC Bypass tool
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Yara detected AveMaria stealer
Initial sample is a PE file and has a suspicious name
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Found potential dummy code loops (likely to delay analysis)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Program does not show much activity (idle)
Abnormal high CPU Usage

Classification (classification diagram not reproduced in this extract)

AV Detection

Source: SHIPMENTDOCUMENTSPDF.exe Avira: detected
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.raw.unpack Malware Configuration Extractor: AveMaria {"C2 url": "goodies.dynamic-dns.net", "port": 5200}
Source: SHIPMENTDOCUMENTSPDF.exe Virustotal: Detection: 57%
Source: SHIPMENTDOCUMENTSPDF.exe Metadefender: Detection: 23%
Source: SHIPMENTDOCUMENTSPDF.exe ReversingLabs: Detection: 61%
Source: goodies.dynamic-dns.net Avira URL Cloud: Label: phishing
Source: Yara match File source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SHIPMENTDOCUMENTSPDF.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.542642008.0000000002910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.541978426.0000000000A44000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.unpack Avira: Label: TR/Patched.Ren.Gen3
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.a30000.0.unpack Avira: Label: TR/Redcap.ghjpt

Exploits

Source: Yara match File source: 0.2.SHIPMENTDOCUMENTSPDF.exe.29289af.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SHIPMENTDOCUMENTSPDF.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.542027781.0000000000B7F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.542642008.0000000002910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SHIPMENTDOCUMENTSPDF.exe PID: 6796, type: MEMORYSTR
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Directory created: C:\Program Files\Microsoft DN1
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\DynamicConsumer\licensing.pdb source: SHIPMENTDOCUMENTSPDF.exe

Networking

Source: Malware configuration extractor URLs: goodies.dynamic-dns.net
Source: SHIPMENTDOCUMENTSPDF.exe, 00000000.00000002.542642008.0000000002910000.00000040.00001000.00020000.00000000.sdmp, SHIPMENTDOCUMENTSPDF.exe, 00000000.00000002.541978426.0000000000A44000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: SHIPMENTDOCUMENTSPDF.exe, 00000000.00000002.542642008.0000000002910000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: GetRawInputData (the API that reads keystrokes from a registered raw input device; see the raw input device signature above)
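
The extracted configuration gives a hostname and a port, but this run produced no DNS query and no contacted IP, so the useful pivot is telemetry from real endpoints. The Python below is an added example written for this page, not part of the Joe Sandbox report: it correlates DNS-resolution events for the C2 name with subsequent connections to port 5200 from the same process, on a constructed pipe-delimited log (Sysmon-style event IDs 22 and 3, RFC 5737 documentation addresses) embedded in the script. The C2 sits under dynamic-dns.net, a dynamic DNS zone, so the name is the stable indicator; a port match on its own is treated as weak.

```python
"""Pivot on the extracted AveMaria C2 (goodies.dynamic-dns.net:5200) in endpoint telemetry."""

C2_HOST = "goodies.dynamic-dns.net"
C2_PORT = 5200

# Constructed telemetry (id 22 = Sysmon DNS query, id 3 = network connect). The addresses are
# RFC 5737 documentation ranges; none of these lines come from the sandbox run.
SAMPLE_LOG = """\
ts=1646300000|id=22|host=WS01|image=C:\\Users\\user\\Desktop\\SHIPMENTDOCUMENTSPDF.exe|query=goodies.dynamic-dns.net|result=203.0.113.10
ts=1646300002|id=3|host=WS01|image=C:\\Users\\user\\Desktop\\SHIPMENTDOCUMENTSPDF.exe|dst=203.0.113.10|dport=5200
ts=1646300100|id=3|host=WS02|image=C:\\Program Files\\Vendor\\updater.exe|dst=198.51.100.7|dport=5200
ts=1646300200|id=22|host=WS03|image=C:\\Windows\\explorer.exe|query=www.example.com|result=192.0.2.1
"""


def parse(line):
    """One pipe-delimited key=value record -> dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def name_matches(qname, ioc):
    """Exact or subdomain match, case-insensitive, tolerant of a trailing dot."""
    q, i = qname.rstrip(".").lower(), ioc.lower()
    return q == i or q.endswith("." + i)


def hunt(log_text, window=60):
    """Return (severity, host, description) findings.

    A resolution of the C2 name is high on its own. A connection to the C2 port from the same
    process, to the address that name resolved to, within `window` seconds, is critical.
    A connection to port 5200 with no matching resolution is low: the port alone is weak.
    """
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    resolved = {}  # (host, image) -> [(ts, answer_ip)]
    findings = []
    for ev in events:
        if ev["id"] == "22" and name_matches(ev["query"], C2_HOST):
            key = (ev["host"], ev["image"])
            resolved.setdefault(key, []).append((int(ev["ts"]), ev["result"]))
            findings.append(("high", ev["host"], f"{ev['image']} resolved {ev['query']} -> {ev['result']}"))
    for ev in events:
        if ev["id"] != "3" or int(ev["dport"]) != C2_PORT:
            continue
        t = int(ev["ts"])
        prior = resolved.get((ev["host"], ev["image"]), [])
        if any(ip == ev["dst"] and 0 <= t - rt <= window for rt, ip in prior):
            findings.append(("critical", ev["host"],
                             f"{ev['image']} connected to {ev['dst']}:{C2_PORT} within {window}s of resolving {C2_HOST}"))
        else:
            findings.append(("low", ev["host"],
                             f"{ev['image']} connected to {ev['dst']}:{C2_PORT}; port alone is a weak indicator"))
    return findings


if __name__ == "__main__":
    for severity, host, text in hunt(SAMPLE_LOG):
        print(f"[{severity}] {host}: {text}")
```

To run this over a real export, write one line per event in the same field layout; the correlation window is the only tunable, and it should stay short because the RAT connects immediately after resolving its host.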

E-Banking Fraud

Source: Yara match File source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SHIPMENTDOCUMENTSPDF.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.542642008.0000000002910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.541978426.0000000000A44000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.29289af.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: initial sample Static PE information: Filename: SHIPMENTDOCUMENTSPDF.exe (a document lure: "PDF" in the name of what is a native executable)
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.29289af.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.29289af.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SHIPMENTDOCUMENTSPDF.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.542027781.0000000000B7F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.542642008.0000000002910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: String function: 010D1DBB appears 36 times
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: String function: 010D1E1F appears 171 times
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Process Stats: CPU usage > 98%
Source: SHIPMENTDOCUMENTSPDF.exe Virustotal: Detection: 57%
Source: SHIPMENTDOCUMENTSPDF.exe Metadefender: Detection: 23%
Source: SHIPMENTDOCUMENTSPDF.exe ReversingLabs: Detection: 61%
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe File read: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy key; it is read during normal process start-up for SRP evaluation, so this is low signal on its own)
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32 (CLSID_SystemDeviceEnum, the DirectShow device enumerator, consistent with enumerating video capture devices; the WOW6432Node path reflects the 32-bit image running on a 64-bit host)
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe File created: C:\Program Files\Microsoft DN1
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@1/0@0/0
Source: SHIPMENTDOCUMENTSPDF.exe Static file information: File size 2554880 > 1048576
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Directory created: C:\Program Files\Microsoft DN1
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: Raw size of .data (0x165000) exceeds 0x100000; an initialized-data section this large is consistent with an embedded payload
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\DynamicConsumer\licensing.pdb source: SHIPMENTDOCUMENTSPDF.exe (the loader was built from a modified VC2010 ATL OLEDB sample project; the PDB path and the W7H64 user name are usable as pivots)
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: section name: .00cfg (the Control Flow Guard configuration section emitted by MSVC; routine in /guard:cf builds and not suspicious on its own)
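
The static facts listed above (PE32, DYNAMIC_BASE / NX_COMPAT / TERMINAL_SERVER_AWARE, a 0x165000-byte .data section, a .00cfg section) can be reproduced from the raw headers with nothing but struct. The Python below is an added example written for this page, not code from the report or from Joe Sandbox; because the sample's bytes are not on the page it builds a header-only PE32 stand-in with the same properties and runs the parser over that. It deliberately treats .00cfg as the MSVC Control Flow Guard section rather than as a non-standard name, while still flagging packer-style names and writable-plus-executable sections.

```python
"""Static triage of the PE properties the report lists, run on a constructed PE32 header."""
import struct

IMAGE_FILE_32BIT_MACHINE = 0x0100
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x8000: "TERMINAL_SERVER_AWARE"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
# Names a stock MSVC link emits. .00cfg carries the Control Flow Guard tables (/guard:cf)
# and is routine in modern MSVC builds, so it is deliberately not treated as suspicious.
EXPECTED_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".pdata", ".tls", ".bss", ".00cfg"}
LARGE_DATA = 0x100000  # the report's threshold for a suspiciously large .data


def build_pe(sections, file_chars, dll_chars):
    """Construct a header-only PE32 image (DOS stub, NT headers, section table, no section data)."""
    pe_off = 0x80
    dos = bytearray(pe_off)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", pe_off)             # e_lfanew
    opt = bytearray(224)                                   # IMAGE_OPTIONAL_HEADER32
    opt[0:2] = struct.pack("<H", 0x10B)                    # PE32 magic
    opt[70:72] = struct.pack("<H", dll_chars)              # DllCharacteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), file_chars)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va, raw, rawptr, 0, 0, 0, 0, chars)
        for name, vsize, va, raw, rawptr, chars in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table


def triage(data):
    """Parse the headers and return the machine type, section names and a list of findings."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsec, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dll_chars = struct.unpack_from("<H", data, opt_off + 70)[0]
    sections, off = [], opt_off + opt_size
    for _ in range(nsec):
        name, _, _, raw, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append((name.rstrip(b"\0").decode(errors="replace"), raw, chars))
        off += 40
    findings = []
    if magic == 0x10B and file_chars & IMAGE_FILE_32BIT_MACHINE:
        findings.append("PE32 / 32-bit: runs under WOW64 on x64 hosts, hence the WOW6432Node CLSID lookups")
    findings += [f"DllCharacteristics: {n}" for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit]
    for name, raw, chars in sections:
        if name not in EXPECTED_SECTIONS:
            findings.append(f"non-standard section name {name!r}")
        if name == ".data" and raw > LARGE_DATA:
            findings.append(f".data raw size {raw:#x} > {LARGE_DATA:#x}: room for an embedded payload")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {name!r} is writable and executable")
    return {"machine": machine, "sections": [s[0] for s in sections], "findings": findings}


# Constructed stand-in mirroring the report's static facts (32-bit, DYNAMIC_BASE|NX_COMPAT|
# TERMINAL_SERVER_AWARE, .data raw size 0x165000, a .00cfg section). Not the sample's real bytes.
SAMPLE_IMAGE = build_pe(
    [(".text", 0x20000, 0x1000, 0x20000, 0x400, 0x60000020),
     (".rdata", 0x8000, 0x21000, 0x8000, 0x20400, 0x40000040),
     (".data", 0x165000, 0x29000, 0x165000, 0x28400, 0xC0000040),
     (".00cfg", 0x200, 0x18E000, 0x200, 0x18D400, 0x40000040),
     (".rsrc", 0x1000, 0x18F000, 0x1000, 0x18D600, 0x40000040),
     (".reloc", 0x2000, 0x190000, 0x2000, 0x18E600, 0x42000040)],
    file_chars=0x0102, dll_chars=0x8140)

if __name__ == "__main__":
    for line in triage(SAMPLE_IMAGE)["findings"]:
        print(line)
```

Point triage() at the bytes of a real file to get the same findings for it; the section whitelist is the knob to tune per toolchain, and the large-.data rule is only a prompt to look for an embedded blob, not a verdict.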

Hooking and other Techniques for Hiding and Protection

Source: SHIPMENTDOCUMENTSPDF.exe, 00000000.00000002.542642008.0000000002910000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SHIPMENTDOCUMENTSPDF.exe, 00000000.00000002.542642008.0000000002910000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: SHIPMENTDOCUMENTSPDF.exe, 00000000.00000002.541978426.0000000000A44000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SHIPMENTDOCUMENTSPDF.exe, 00000000.00000002.541978426.0000000000A44000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe TID: 7088 Thread sleep count: 60 > 30
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
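
The strings recovered from the unpacked image (SpecialAccounts\UserList, the TermService ServiceDll and ImagePath keys, fDenyTSConnections, EnableConcurrentSessions, AllowMultipleTSSessions, and %ProgramW6432%\Microsoft DN1 with rfxvmt.dll and rdpwrap.ini) describe the RDP-wrapper and hidden-account setup this family performs once it has the privileges. The Python below is an added example written for this page, not part of the report: it checks a snapshot of registry values and file paths for exactly those indicators. The infected-host snapshot is constructed, and its ServiceDll target under Microsoft DN1 is hypothetical because the report does not show which DLL the sample installs; only the directory creation was observed in the sandbox.

```python
"""Host-side check for the RDP-wrapper / hidden-account indicators listed in the report."""
import ntpath

# Registry locations taken from the strings the sandbox found in the unpacked AveMaria image.
USERLIST_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
TERMSERVICE_PARAMS = r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters"
TERMINAL_SERVER = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
LICENSING_CORE = TERMINAL_SERVER + r"\Licensing Core"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# The sandbox saw this directory being created; the file names come from the strings only.
DROP_DIR = r"C:\Program Files\Microsoft DN1"
DROP_FILES = ("rdpwrap.ini", "rfxvmt.dll")


def check_host(reg, paths):
    """reg: {(key_path, value_name): data}; paths: existing file-system paths.
    Returns a list of (severity, finding). Comparisons are case-insensitive."""
    reg = {(k.lower(), v.lower()): d for (k, v), d in reg.items()}
    paths = {p.lower() for p in paths}
    findings = []

    # 1. Hidden accounts: a DWORD 0 under UserList removes that account from the logon screen.
    for (key, name), data in reg.items():
        if key == USERLIST_KEY.lower() and data == 0:
            findings.append(("high", f"account '{name}' hidden from the logon screen via SpecialAccounts\\UserList"))

    # 2. TermService must be served by the built-in termsrv.dll from System32; anything else is a wrapper.
    dll = reg.get((TERMSERVICE_PARAMS.lower(), "servicedll"))
    if dll is not None:
        low = dll.lower()
        if ntpath.basename(low) != "termsrv.dll" or "\\system32\\" not in low:
            findings.append(("high", f"TermService ServiceDll redirected to {dll}"))

    # 3. Dropped RDP-wrapper components at the path the strings name.
    if DROP_DIR.lower() in paths:
        findings.append(("high", f"directory {DROP_DIR} present"))
    for f in DROP_FILES:
        full = ntpath.join(DROP_DIR, f)
        if full.lower() in paths:
            findings.append(("high", f"{full} present"))

    # 4. RDP policy knobs. Administrators set these legitimately, so alone they are medium.
    if reg.get((TERMINAL_SERVER.lower(), "fdenytsconnections")) == 0:
        findings.append(("medium", "fDenyTSConnections=0: inbound RDP enabled"))
    if reg.get((LICENSING_CORE.lower(), "enableconcurrentsessions")) == 1:
        findings.append(("medium", "EnableConcurrentSessions=1"))
    if reg.get((WINLOGON.lower(), "allowmultipletssessions")) == 1:
        findings.append(("medium", "AllowMultipleTSSessions=1"))
    return findings


# Constructed snapshot of an infected host; the ServiceDll target is hypothetical.
SAMPLE_REGISTRY = {
    (USERLIST_KEY, "support"): 0,
    (TERMSERVICE_PARAMS, "ServiceDll"): r"C:\Program Files\Microsoft DN1\rfxvmt.dll",
    (TERMINAL_SERVER, "fDenyTSConnections"): 0,
    (LICENSING_CORE, "EnableConcurrentSessions"): 1,
    (WINLOGON, "AllowMultipleTSSessions"): 1,
}
SAMPLE_PATHS = [DROP_DIR, DROP_DIR + r"\rdpwrap.ini"]

# Constructed snapshot of a clean host: stock termsrv.dll, RDP disabled.
CLEAN_REGISTRY = {
    (TERMSERVICE_PARAMS, "ServiceDll"): r"%SystemRoot%\System32\termsrv.dll",
    (TERMINAL_SERVER, "fDenyTSConnections"): 1,
}
CLEAN_PATHS = [r"C:\Windows\System32\termsrv.dll"]

if __name__ == "__main__":
    for severity, text in check_host(SAMPLE_REGISTRY, SAMPLE_PATHS):
        print(f"[{severity}] {text}")
```

On a live Windows host the two snapshots would come from winreg (or a reg query export) and os.path.exists; they are left out so the check runs offline and on any platform. The ServiceDll test is the one that matters most: RDP-wrapper style tooling works precisely by pointing that value at its own DLL.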

Anti Debugging

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Process Stats: CPU usage > 85% for more than 60s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Stealing of Sensitive Information

Source: Yara match File source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SHIPMENTDOCUMENTSPDF.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.542642008.0000000002910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.541978426.0000000000A44000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SHIPMENTDOCUMENTSPDF.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.542642008.0000000002910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.541978426.0000000000A44000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SHIPMENTDOCUMENTSPDF.exe PID: 6796, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SHIPMENTDOCUMENTSPDF.exe.291053f.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SHIPMENTDOCUMENTSPDF.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.542642008.0000000002910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.541978426.0000000000A44000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
No contacted IP information: no DNS query was observed during the run (see the "no activity detected" entries above), so the C2 host from the configuration was never resolved to an address.