Windows Analysis Report
DHL_29028263 documento de recibo de la compra,pdf.exe

Overview

General Information

Sample Name: DHL_29028263 documento de recibo de la compra,pdf.exe
Analysis ID: 626596
MD5: 87a264aa9aec9ce66f4b092363dd5adc
SHA1: 64a0954e622afb6d5e2a0256f179d14f112ec723
SHA256: eab5b352e41de89be099054e396f61a942401ab1518186496bc11be1c857242f
Tags: AveMariaRATDHLexeRAT

Detection

AveMaria, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Increases the number of concurrent connection per server for Internet Explorer
Contains functionality to hide user accounts
Contains functionality to steal e-mail passwords
Machine Learning detection for sample
Allocates memory in foreign processes
Binary or sample is protected by dotNetProtector
Contains functionality to steal Chrome passwords or cookies
Machine Learning detection for dropped file
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains functionality to inject threads in other processes
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Contains functionality to create new users
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Creates processes with suspicious names
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack Malware Configuration Extractor: AveMaria {"C2 url": "37.0.14.197", "port": 1997}
Source: DHL_29028263 documento de recibo de la compra,pdf.exe Virustotal: Detection: 33%
Source: DHL_29028263 documento de recibo de la compra,pdf.exe ReversingLabs: Detection: 51%
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.426962811.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.431623764.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.431671478.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.431567861.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.426786774.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.431652682.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.424810982.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe ReversingLabs: Detection: 51%
Source: DHL_29028263 documento de recibo de la compra,pdf.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Joe Sandbox ML: detected
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack Avira: Label: TR/Redcap.ghjpt
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack Avira: Label: TR/Redcap.ghjpt
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack Avira: Label: TR/Redcap.ghjpt
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack Avira: Label: TR/Redcap.ghjpt
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack Avira: Label: TR/Redcap.ghjpt
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack Avira: Label: TR/Redcap.ghjpt
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack Avira: Label: TR/Redcap.ghjpt
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack Avira: Label: TR/Redcap.ghjpt
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack Avira: Label: TR/Redcap.ghjpt
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0040B15E lstrlenA,CryptStringToBinaryA,lstrcpyA, 3_2_0040B15E
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0040CAFC CryptUnprotectData,LocalAlloc,LocalFree, 3_2_0040CAFC
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0040CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 3_2_0040CC54
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0040CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, 3_2_0040CCB4
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0040A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW, 3_2_0040A632
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0040CF58 LocalAlloc,BCryptDecrypt,LocalFree, 3_2_0040CF58

Exploits

Source: Yara match File source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d02b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.3218090.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d02b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d1848.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d1848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.417195755.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.416662895.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.431594632.00000000012CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.622879575.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.426948480.00000000012CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.418334237.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.417884328.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_29028263 documento de recibo de la compra,pdf.exe PID: 7092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DHL_29028263 documento de recibo de la compra,pdf.exe PID: 6600, type: MEMORYSTR
Source: DHL_29028263 documento de recibo de la compra,pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Directory created: C:\Program Files\Microsoft DN1
Source: DHL_29028263 documento de recibo de la compra,pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: DHL_29028263 documento de recibo de la compra,pdf.exe, window defender.exe.10.dr
Source: Binary string: ]"oBytesReversedLoGetDynamicILInfoEhCatchEndAddrFieldInfoRuntimeMethodInfoLocalSymInfostartupInfoMemberInfoParameterInfoProcessStartInfoDirectoryInfoNearNegativeZeroSleepsdgpsfgpSetloopinextpFilterApplyPrefixLookupSystem.Linqset_ShowInTaskbarInternalGetNextCharValueMemberset_NumberMagicNumberBuildNumberMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeNameBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerRemoveEventHandlerStrongNameSignerGregorianCalendarHelperICustomAttributeWriterHelperSeqPointsHelperTypeSpecUserget_IsPointerBitConverterSerializationFormatterSet_IsSetterITokenResolverGetTokenForFloorset_RedirectStandardError.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrewr source: DHL_29028263 documento de recibo de la compra,pdf.exe, window defender.exe.10.dr
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_00409DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 3_2_00409DF6
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0040FF27 FindFirstFileW,FindNextFileW, 3_2_0040FF27
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0041002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, 3_2_0041002B

Networking

Source: Malware configuration extractor URLs: 37.0.14.197
Source: Joe Sandbox View ASN Name: WKD-ASIE WKD-ASIE
Source: global traffic TCP traffic: 192.168.2.7:49755 -> 37.0.14.197:1997
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_004027D3 URLDownloadToFileW,ShellExecuteW, 3_2_004027D3
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.14.197 (45 identical entries)
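The repeated "TCP traffic detected without corresponding DNS query" entries above all come from one heuristic: an outbound connection to an address that no preceding DNS answer resolved, here the hard-coded C2 37.0.14.197 on TCP/1997 from the extracted configuration. The Python script below is an added example, not part of the Joe Sandbox report, and implements the same check over a constructed log excerpt with two refinements a practitioner wants when running it over real telemetry: connections to private, loopback and link-local addresses are skipped (those are routinely reached without DNS), and repeated connections to the same destination are aggregated into one finding with a count rather than one entry per attempt. The log format, the timestamps, the benign traffic, the common-port allowlist and the one-hour DNS lookback window are all assumptions of the example; only the C2 address and port are taken from this report.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Ports a workstation commonly talks to; anything else is reported as
# "non_standard_port". This allowlist is an assumption for the example.
COMMON_PORTS = {53, 80, 443, 8080, 8443}


def parse_events(lines):
    """Parse the constructed log format into (time, kind, fields) tuples.

    dns  line: <ts> dns <qname> <answer_ip>
    conn line: <ts> conn <src_ip>:<sport> -> <dst_ip>:<dport>
    Lines that do not match either shape are ignored.
    """
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        if parts[1] == "dns" and len(parts) == 4:
            events.append((ts, "dns", {"qname": parts[2], "answer": parts[3]}))
        elif parts[1] == "conn" and len(parts) == 5 and parts[3] == "->":
            src, _sport = parts[2].rsplit(":", 1)
            dst, dport = parts[4].rsplit(":", 1)
            events.append((ts, "conn", {"src": src, "dst": dst, "dport": int(dport)}))
    events.sort(key=lambda e: e[0])
    return events


def find_dnsless_connections(events, window=timedelta(hours=1)):
    """Report connections to global IPs that no DNS answer produced.

    A DNS answer covers a destination if it returned that IP within `window`
    before the connection. Private/loopback/link-local destinations are
    skipped. Findings are keyed by (dst, dport) so a beaconing implant shows
    up once with a count instead of once per connection attempt.
    """
    answers = defaultdict(list)  # answer IP -> timestamps it was returned
    findings = {}
    for ts, kind, f in events:
        if kind == "dns":
            answers[f["answer"]].append(ts)
            continue
        dst = f["dst"]
        if not ipaddress.ip_address(dst).is_global:
            continue
        if any(ts - window <= t <= ts for t in answers.get(dst, ())):
            continue  # resolved by a recent DNS answer: nothing to report
        key = (dst, f["dport"])
        entry = findings.setdefault(key, {
            "dst": dst, "dport": f["dport"], "count": 0,
            "first_seen": ts, "reasons": ["no_dns_answer"],
        })
        entry["count"] += 1
        if f["dport"] not in COMMON_PORTS and "non_standard_port" not in entry["reasons"]:
            entry["reasons"].append("non_standard_port")
    return sorted(findings.values(), key=lambda e: (-e["count"], e["dst"]))


# Constructed log excerpt (not sandbox output). Only 37.0.14.197:1997 is taken
# from the report; the other hosts and all timestamps are invented to show
# what is and is not flagged.
SAMPLE_LOG = [
    "2022-05-20T10:00:00Z dns www.example.com 93.184.216.34",
    "2022-05-20T10:00:01Z conn 192.168.2.7:49750 -> 93.184.216.34:443",   # covered by DNS
    "2022-05-20T10:00:02Z conn 192.168.2.7:49751 -> 192.168.2.1:445",     # private, skipped
    "2022-05-20T10:00:05Z conn 192.168.2.7:49755 -> 37.0.14.197:1997",    # C2, no DNS
    "2022-05-20T10:00:35Z conn 192.168.2.7:49756 -> 37.0.14.197:1997",
    "2022-05-20T10:01:05Z conn 192.168.2.7:49757 -> 37.0.14.197:1997",
    "2022-05-20T10:01:10Z conn 192.168.2.7:49758 -> 8.8.8.8:53",          # no DNS, common port
]

if __name__ == "__main__":
    for finding in find_dnsless_connections(parse_events(SAMPLE_LOG)):
        print(f'{finding["dst"]}:{finding["dport"]} x{finding["count"]} '
              f'first={finding["first_seen"]:%H:%M:%S} {",".join(finding["reasons"])}')
```

On the constructed input the C2 destination is reported once with a count of 3 and both reasons, while the hard-coded resolver on port 53 is reported only for the missing DNS answer. In production the DNS side should be fed from resolver or Zeek `dns.log` answers rather than client-side lookups, because an implant that resolves its C2 through a hard-coded resolver still shows no query in the host's own DNS cache.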
Source: DHL_29028263 documento de recibo de la compra,pdf.exe String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.426962811.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431623764.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431567861.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431671478.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.426786774.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.424810982.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431652682.00000000012FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0040D0A3 recv, 3_2_0040D0A3
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000002.443037764.00000000013FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputData
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_004089D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx, 3_2_004089D5
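Each "Code function" line in this report names one function in the unpacked payload and the Windows APIs it calls: the CryptStringToBinary / CryptUnprotectData / BCryptOpenAlgorithmProvider / BCryptGenerateSymmetricKey / BCryptDecrypt chain under AV Detection, the FindFirstFile / GetLogicalDriveStrings enumeration under Exploits, and URLDownloadToFileW+ShellExecuteW, recv and the GetAsyncKeyState+CallNextHookEx hook procedure in this section. Read together, the crypto chain is the sequence a Chromium-based browser itself uses to recover saved logins and cookies (Base64-decode the DPAPI-wrapped key from Local State, CryptUnprotectData it, then AES-decrypt the stored values through CNG), which is what the "Contains functionality to steal Chrome passwords or cookies" signature is pointing at. The Python script below is an added example, not part of the Joe Sandbox report: it parses evidence lines in exactly this format, strips the ANSI/Wide suffix so that FindFirstFileA and FindFirstFileW compare equal, maps each function to a technique label, and raises a sample-level finding when the three pieces of the browser-decryption chain occur across functions. The technique names, the API sets behind them and the cross-function rule are this example's own choices; the embedded input lines are copied from this report.

```python
import re
from collections import defaultdict

# One evidence line looks like:
#   Source: <path> Code function: <fid> <API,API,...,> <fid>
# The function id is repeated at the end of the line, so a back-reference
# anchors the API list even though the path contains spaces and commas.
CODE_FUNC_RE = re.compile(
    r"Code function:\s+(?P<fid>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<apis>\S+)\s+(?P=fid)\s*$"
)

# Technique -> (APIs that must all occur in one function, description).
# API names are compared after ANSI/Wide suffix removal. These labels and
# API sets are this example's own, not Joe Sandbox signature names.
TECHNIQUES = {
    "base64_decode": ({"CryptStringToBinary"}, "Base64 decoding via CryptStringToBinary"),
    "dpapi_unprotect": ({"CryptUnprotectData"}, "DPAPI blob decryption"),
    "cng_key_setup": ({"BCryptOpenAlgorithmProvider", "BCryptGenerateSymmetricKey"},
                      "CNG symmetric key import"),
    "cng_decrypt": ({"BCryptDecrypt"}, "CNG symmetric decryption"),
    "keylogger": ({"GetAsyncKeyState", "CallNextHookEx"},
                  "keystroke polling inside a hook procedure"),
    "download_execute": ({"URLDownloadToFile", "ShellExecute"}, "download and launch a file"),
    "file_enumeration": ({"FindFirstFile", "FindNextFile"}, "directory walking"),
    "drive_enumeration": ({"GetLogicalDriveStrings", "GetDriveType"}, "volume enumeration"),
}

# Sample-level rule: Chromium keeps its AES key in 'Local State' as a Base64
# string wrapped with DPAPI and encrypts saved logins and cookies with that
# key, so Base64 decode + CryptUnprotectData + CNG decrypt appearing in one
# sample reproduces the browser's own decryption path.
COMPOSITES = {
    "chromium_credential_decrypt": {"base64_decode", "dpapi_unprotect", "cng_decrypt"},
}


def normalize_api(name):
    """Drop the trailing A/W of ANSI/Wide API variants (lstrlenA -> lstrlen)."""
    if len(name) > 2 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name


def parse_code_function_lines(lines):
    """Map function id -> ordered list of normalized API names."""
    funcs = defaultdict(list)
    for line in lines:
        m = CODE_FUNC_RE.search(line.strip())
        if not m:
            continue  # not a 'Code function' evidence line
        for api in m.group("apis").split(","):
            if api:
                funcs[m.group("fid")].append(normalize_api(api))
    return dict(funcs)


def classify_function(apis):
    """Return the technique names whose required API set is covered by `apis`."""
    present = set(apis)
    return {name for name, (required, _) in TECHNIQUES.items() if required <= present}


def summarize(lines):
    """Per-function technique labels plus sample-level composite findings."""
    funcs = parse_code_function_lines(lines)
    per_function = {fid: classify_function(apis) for fid, apis in funcs.items()}
    seen = set().union(*per_function.values())
    composites = [name for name, parts in COMPOSITES.items() if parts <= seen]
    return {"functions": per_function, "techniques": seen, "composites": composites}


# Evidence lines copied from this report (process 3, unpacked payload).
SRC = r"Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: "
EVIDENCE = [
    SRC + "3_2_0040B15E lstrlenA,CryptStringToBinaryA,lstrcpyA, 3_2_0040B15E",
    SRC + "3_2_0040CAFC CryptUnprotectData,LocalAlloc,LocalFree, 3_2_0040CAFC",
    SRC + "3_2_0040CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 3_2_0040CC54",
    SRC + "3_2_0040CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, 3_2_0040CCB4",
    SRC + "3_2_0040A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW, 3_2_0040A632",
    SRC + "3_2_0040CF58 LocalAlloc,BCryptDecrypt,LocalFree, 3_2_0040CF58",
    SRC + "3_2_00409DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 3_2_00409DF6",
    SRC + "3_2_0041002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, 3_2_0041002B",
    SRC + "3_2_004027D3 URLDownloadToFileW,ShellExecuteW, 3_2_004027D3",
    SRC + "3_2_004089D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx, 3_2_004089D5",
]

if __name__ == "__main__":
    report = summarize(EVIDENCE)
    for fid, techs in sorted(report["functions"].items()):
        print(fid, ", ".join(sorted(techs)) or "-")
    print("sample-level:", ", ".join(report["composites"]) or "-")
```

The per-function view is deliberately kept separate from the sample-level rule: a single CryptUnprotectData call is unremarkable on its own (plenty of legitimate software reads DPAPI-protected settings), and it is the co-occurrence with Base64 decoding and a CNG decrypt, in a binary that also walks directories and hooks keystrokes, that turns the individual API hits into a credential-theft finding.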

E-Banking Fraud

Source: Yara match File source: the same 35 UNPACKEDPE and MEMORY matches listed under AV Detection above (3.0/3.2 *.400000.*.unpack and raw.unpack, 1.2 *.412b170.3 and *.41435e0.4, and the process 1 and process 3 .sdmp regions)

System Summary

Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d02b0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.3218090.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d02b0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d1848.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d1848.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: initial sample Static PE information: Filename: DHL_29028263 documento de recibo de la compra,pdf.exe
Source: DHL_29028263 documento de recibo de la compra,pdf.exe Static file information: Suspicious name
Source: DHL_29028263 documento de recibo de la compra,pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d02b0.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d02b0.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.3218090.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.3218090.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d02b0.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d02b0.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d1848.0.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d1848.0.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d1848.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d1848.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000000.417195755.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000000.416662895.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000003.431594632.00000000012CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000003.00000002.622879575.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000003.00000003.426948480.00000000012CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000003.00000000.418334237.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000000.417884328.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 1_2_01370448 1_2_01370448
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 1_2_0137D15C 1_2_0137D15C
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 1_2_01370438 1_2_01370438
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_00411BF8 3_2_00411BF8
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_05155760 16_2_05155760
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_051593CC 16_2_051593CC
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_05155750 16_2_05155750
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_0515AE2C 16_2_0515AE2C
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_0515AE90 16_2_0515AE90
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_0515AEA0 16_2_0515AEA0
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_05150006 16_2_05150006
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_05150040 16_2_05150040
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_05205913 16_2_05205913
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_05200040 16_2_05200040
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_052157E0 16_2_052157E0
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_05200007 16_2_05200007
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_05215766 16_2_05215766
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_052157D0 16_2_052157D0
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: String function: 004035E5 appears 40 times
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: String function: 00410969 appears 47 times
Source: C:\Windows\SysWOW64\cmd.exe Process Stats: CPU usage > 98%
Source: DHL_29028263 documento de recibo de la compra,pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: window defender.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DHL_29028263 documento de recibo de la compra,pdf.exe Virustotal: Detection: 33%
Source: DHL_29028263 documento de recibo de la compra,pdf.exe ReversingLabs: Detection: 51%
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe File read: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe
Source: DHL_29028263 documento de recibo de la compra,pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe "C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe"
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Process created: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe" "C:\Users\user\AppData\Roaming\window defender\window defender.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\window defender\window defender.exe C:\Users\user\AppData\Roaming\window defender\window defender.exe
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Process created: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe" "C:\Users\user\AppData\Roaming\window defender\window defender.exe
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0040F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 3_2_0040F619
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe File created: C:\Users\user\AppData\Roaming\window defender
Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@15/3@0/1
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0041290F CoInitialize,CoCreateInstance,VariantInit,CoUninitialize, 3_2_0041290F
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0040D49C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 3_2_0040D49C
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_004120B8 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 3_2_004120B8
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6892:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4468:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_01
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_004130B3 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA, 3_2_004130B3
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe File created: C:\Program Files\Microsoft DN1
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DHL_29028263 documento de recibo de la compra,pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Directory created: C:\Program Files\Microsoft DN1
Source: DHL_29028263 documento de recibo de la compra,pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: DHL_29028263 documento de recibo de la compra,pdf.exe, window defender.exe.10.dr
Source: Binary string: ]"oBytesReversedLoGetDynamicILInfoEhCatchEndAddrFieldInfoRuntimeMethodInfoLocalSymInfostartupInfoMemberInfoParameterInfoProcessStartInfoDirectoryInfoNearNegativeZeroSleepsdgpsfgpSetloopinextpFilterApplyPrefixLookupSystem.Linqset_ShowInTaskbarInternalGetNextCharValueMemberset_NumberMagicNumberBuildNumberMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeNameBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerRemoveEventHandlerStrongNameSignerGregorianCalendarHelperICustomAttributeWriterHelperSeqPointsHelperTypeSpecUserget_IsPointerBitConverterSerializationFormatterSet_IsSetterITokenResolverGetTokenForFloorset_RedirectStandardError.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrewr source: DHL_29028263 documento de recibo de la compra,pdf.exe, window defender.exe.10.dr

Data Obfuscation

Source: DHL_29028263 documento de recibo de la compra,pdf.exe String found in binary or memory: dotNetProtector
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000000.351923499.00000000002E2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: dotNetProtector
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000000.351923499.00000000002E2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: ]"oBytesReversedLoGetDynamicILInfoEhCatchEndAddrFieldInfoRuntimeMethodInfoLocalSymInfostartupInfoMemberInfoParameterInfoProcessStartInfoDirectoryInfoNearNegativeZeroSleepsdgpsfgpSetloopinextpFilterApplyPrefixLookupSystem.Linqset_ShowInTaskbarInternalGetNextCharValueMemberset_NumberMagicNumberBuildNumberMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeNameBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerRemoveEventHandlerStrongNameSignerGregorianCalendarHelperICustomAttributeWriterHelperSeqPointsHelperTypeSpecUserget_IsPointerBitConverterSerializationFormatterSet_IsSetterITokenResolverGetTokenForFloorset_RedirectStandardError.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrewr
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000002.441844535.00000000002E2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: dotNetProtector
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000002.441844535.00000000002E2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: ]"oBytesReversedLoGetDynamicILInfoEhCatchEndAddrFieldInfoRuntimeMethodInfoLocalSymInfostartupInfoMemberInfoParameterInfoProcessStartInfoDirectoryInfoNearNegativeZeroSleepsdgpsfgpSetloopinextpFilterApplyPrefixLookupSystem.Linqset_ShowInTaskbarInternalGetNextCharValueMemberset_NumberMagicNumberBuildNumberMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeNameBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerRemoveEventHandlerStrongNameSignerGregorianCalendarHelperICustomAttributeWriterHelperSeqPointsHelperTypeSpecUserget_IsPointerBitConverterSerializationFormatterSet_IsSetterITokenResolverGetTokenForFloorset_RedirectStandardError.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrewr
Source: DHL_29028263 documento de recibo de la compra,pdf.exe String found in binary or memory: dotNetProtector
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000000.414174812.00000000002E2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: dotNetProtector
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000000.414174812.00000000002E2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: ]"oBytesReversedLoGetDynamicILInfoEhCatchEndAddrFieldInfoRuntimeMethodInfoLocalSymInfostartupInfoMemberInfoParameterInfoProcessStartInfoDirectoryInfoNearNegativeZeroSleepsdgpsfgpSetloopinextpFilterApplyPrefixLookupSystem.Linqset_ShowInTaskbarInternalGetNextCharValueMemberset_NumberMagicNumberBuildNumberMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeNameBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerRemoveEventHandlerStrongNameSignerGregorianCalendarHelperICustomAttributeWriterHelperSeqPointsHelperTypeSpecUserget_IsPointerBitConverterSerializationFormatterSet_IsSetterITokenResolverGetTokenForFloorset_RedirectStandardError.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrewr
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000002.631371888.0000000003293000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: dotNetProtector
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000002.631371888.0000000003293000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ]"oBytesReversedLoGetDynamicILInfoEhCatchEndAddrFieldInfoRuntimeMethodInfoLocalSymInfostartupInfoMemberInfoParameterInfoProcessStartInfoDirectoryInfoNearNegativeZeroSleepsdgpsfgpSetloopinextpFilterApplyPrefixLookupSystem.Linqset_ShowInTaskbarInternalGetNextCharValueMemberset_NumberMagicNumberBuildNumberMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeNameBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerRemoveEventHandlerStrongNameSignerGregorianCalendarHelperICustomAttributeWriterHelperSeqPointsHelperTypeSpecUserget_IsPointerBitConverterSerializationFormatterSet_IsSetterITokenResolverGetTokenForFloorset_RedirectStandardError.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrewr
Source: window defender.exe String found in binary or memory: dotNetProtector
Source: window defender.exe, 00000010.00000000.562468843.0000000000E92000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: dotNetProtector
Source: window defender.exe, 00000010.00000000.562468843.0000000000E92000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: ]"oBytesReversedLoGetDynamicILInfoEhCatchEndAddrFieldInfoRuntimeMethodInfoLocalSymInfostartupInfoMemberInfoParameterInfoProcessStartInfoDirectoryInfoNearNegativeZeroSleepsdgpsfgpSetloopinextpFilterApplyPrefixLookupSystem.Linqset_ShowInTaskbarInternalGetNextCharValueMemberset_NumberMagicNumberBuildNumberMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeNameBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerRemoveEventHandlerStrongNameSignerGregorianCalendarHelperICustomAttributeWriterHelperSeqPointsHelperTypeSpecUserget_IsPointerBitConverterSerializationFormatterSet_IsSetterITokenResolverGetTokenForFloorset_RedirectStandardError.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrewr
Source: window defender.exe, 00000010.00000002.622503636.0000000000E92000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: dotNetProtector
Source: window defender.exe, 00000010.00000002.622503636.0000000000E92000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: ]"oBytesReversedLoGetDynamicILInfoEhCatchEndAddrFieldInfoRuntimeMethodInfoLocalSymInfostartupInfoMemberInfoParameterInfoProcessStartInfoDirectoryInfoNearNegativeZeroSleepsdgpsfgpSetloopinextpFilterApplyPrefixLookupSystem.Linqset_ShowInTaskbarInternalGetNextCharValueMemberset_NumberMagicNumberBuildNumberMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeNameBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerRemoveEventHandlerStrongNameSignerGregorianCalendarHelperICustomAttributeWriterHelperSeqPointsHelperTypeSpecUserget_IsPointerBitConverterSerializationFormatterSet_IsSetterITokenResolverGetTokenForFloorset_RedirectStandardError.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrewr
Source: DHL_29028263 documento de recibo de la compra,pdf.exe String found in binary or memory: dotNetProtector
Source: DHL_29028263 documento de recibo de la compra,pdf.exe String found in binary or memory: ]"oBytesReversedLoGetDynamicILInfoEhCatchEndAddrFieldInfoRuntimeMethodInfoLocalSymInfostartupInfoMemberInfoParameterInfoProcessStartInfoDirectoryInfoNearNegativeZeroSleepsdgpsfgpSetloopinextpFilterApplyPrefixLookupSystem.Linqset_ShowInTaskbarInternalGetNextCharValueMemberset_NumberMagicNumberBuildNumberMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeNameBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerRemoveEventHandlerStrongNameSignerGregorianCalendarHelperICustomAttributeWriterHelperSeqPointsHelperTypeSpecUserget_IsPointerBitConverterSerializationFormatterSet_IsSetterITokenResolverGetTokenForFloorset_RedirectStandardError.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrewr
Source: window defender.exe.10.dr String found in binary or memory: dotNetProtector
Source: window defender.exe.10.dr String found in binary or memory: ]"oBytesReversedLoGetDynamicILInfoEhCatchEndAddrFieldInfoRuntimeMethodInfoLocalSymInfostartupInfoMemberInfoParameterInfoProcessStartInfoDirectoryInfoNearNegativeZeroSleepsdgpsfgpSetloopinextpFilterApplyPrefixLookupSystem.Linqset_ShowInTaskbarInternalGetNextCharValueMemberset_NumberMagicNumberBuildNumberMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeNameBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerRemoveEventHandlerStrongNameSignerGregorianCalendarHelperICustomAttributeWriterHelperSeqPointsHelperTypeSpecUserget_IsPointerBitConverterSerializationFormatterSet_IsSetterITokenResolverGetTokenForFloorset_RedirectStandardError.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrewr
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 1_2_002EA91C push edi; retf 1_2_002EA930
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 1_2_002E5167 push ecx; retf 1_2_002E5168
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 1_2_002E5B7B pushad ; ret 1_2_002E5B83
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_002EA91C push edi; retf 3_2_002EA930
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_002E5167 push ecx; retf 3_2_002E5168
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_002E5B7B pushad ; ret 3_2_002E5B83
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_00401190 push eax; ret 3_2_004011A4
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_00401190 push eax; ret 3_2_004011CC
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_004144B1 push ebp; retf 3_2_00414564
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_00414550 push ebp; retf 3_2_00414564
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_00E95167 push ecx; retf 16_2_00E95168
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_00E95B7B pushad ; ret 16_2_00E95B83
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_00E9A91C push edi; retf 16_2_00E9A930
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_0520552B pushad ; iretd 16_2_05205565
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_0520A907 push ebx; retf 16_2_0520AA5E
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_0520AF9B push 00000006h; retf 16_2_0520AFBE
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_0520A88C push ebx; retf 16_2_0520AA5E
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_0520A6CB push cs; iretd 16_2_0520A751
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_05210E7E pushad ; ret 16_2_05210E81
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Code function: 16_2_052154EE pushad ; ret 16_2_05215515
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0040FA42 LoadLibraryA,GetProcAddress, 3_2_0040FA42
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0040D418 NetUserAdd,NetLocalGroupAddMembers, 3_2_0040D418
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe File created: \dhl_29028263 documento de recibo de la compra,pdf.exe
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\window defender\window defender.exe
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_004027D3 URLDownloadToFileW,ShellExecuteW, 3_2_004027D3
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0040AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 3_2_0040AC0A
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0040A6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 3_2_0040A6C8

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0040D508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 3_2_0040D508

Hooking and other Techniques for Hiding and Protection

Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: DHL_29028263 documento de recibo de la compra,pdf.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.426962811.00000000012E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.426962811.00000000012E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431623764.00000000012F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431623764.00000000012F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431567861.00000000012F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431567861.00000000012F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431671478.00000000012F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431671478.00000000012F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.426786774.00000000012FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.426786774.00000000012FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.424810982.00000000012E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.424810982.00000000012E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431652682.00000000012FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431652682.00000000012FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe File opened: C:\Users\user\Desktop\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe TID: 2972 Thread sleep count: 48 > 30
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe TID: 2972 Thread sleep time: -48000s >= -30000s
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe TID: 6240 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe TID: 6616 Thread sleep count: 60 > 30
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe TID: 6616 Thread sleep time: -65000s >= -30000s
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW, 3_2_0040DA5B
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_00409DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 3_2_00409DF6
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0040FF27 FindFirstFileW,FindNextFileW, 3_2_0040FF27
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0041002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, 3_2_0041002B
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe API call chain: ExitProcess graph end node
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000002.623073837.00000000012A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0040FA42 LoadLibraryA,GetProcAddress, 3_2_0040FA42
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_00401085 GetProcessHeap,RtlAllocateHeap, 3_2_00401085
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0041094E mov eax, dword ptr fs:[00000030h] 3_2_0041094E
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_00419172 mov eax, dword ptr fs:[00000030h] 3_2_00419172
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_00410619 mov eax, dword ptr fs:[00000030h] 3_2_00410619
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_00410620 mov eax, dword ptr fs:[00000030h] 3_2_00410620
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 8E0000 Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 940000 Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 8E0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 940000 protect: page read and write Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Thread created: C:\Windows\SysWOW64\cmd.exe EIP: 8E010E Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_00411FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 3_2_00411FD8
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_004079E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 3_2_004079E8
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe 3_2_004120B8
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Process created: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe" "C:\Users\user\AppData\Roaming\window defender\window defender.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_004118BA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError, 3_2_004118BA
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0040F56D AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid, 3_2_0040F56D
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Queries volume information: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Queries volume information: C:\Users\user\AppData\Roaming\window defender\window defender.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0040F93F cpuid 3_2_0040F93F
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: 3_2_0040882F GetModuleHandleA,SHGetFolderPathW,lstrcatW,lstrcatW,GetLocalTime,wsprintfW,lstrcatW,CreateFileW,CloseHandle,GetMessageA,TranslateMessage,DispatchMessageA,GetMessageA, 3_2_0040882F

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10 Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.426962811.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.431623764.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.431671478.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.431567861.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.426786774.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.431652682.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.424810982.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: POP3 Password 3_2_0040A29A
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: SMTP Password 3_2_0040A29A
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: IMAP Password 3_2_0040A29A
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: \Google\Chrome\User Data\Default\Login Data 3_2_0040C1B2
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe Code function: \Chromium\User Data\Default\Login Data 3_2_0040C1B2
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.426962811.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.431623764.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.431671478.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.431567861.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.426786774.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.431652682.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.424810982.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_29028263 documento de recibo de la compra,pdf.exe PID: 7092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DHL_29028263 documento de recibo de la compra,pdf.exe PID: 6600, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.426962811.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.431623764.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.431671478.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.431567861.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.426786774.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.431652682.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.424810982.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY