
Windows Analysis Report
DHL_29028263 documento de recibo de la compra,pdf.exe

Overview

General Information

Sample Name: DHL_29028263 documento de recibo de la compra,pdf.exe
Analysis ID: 626596
MD5: 87a264aa9aec9ce66f4b092363dd5adc
SHA1: 64a0954e622afb6d5e2a0256f179d14f112ec723
SHA256: eab5b352e41de89be099054e396f61a942401ab1518186496bc11be1c857242f
Tags: AveMariaRAT, DHL, exe, RAT

Detection

Malware family: AveMaria, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Increases the number of concurrent connection per server for Internet Explorer
Contains functionality to hide user accounts
Contains functionality to steal e-mail passwords
Machine Learning detection for sample
Allocates memory in foreign processes
Binary or sample is protected by dotNetProtector
Contains functionality to steal Chrome passwords or cookies
Machine Learning detection for dropped file
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains functionality to inject threads in other processes
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Contains functionality to create new users
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Creates processes with suspicious names
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • DHL_29028263 documento de recibo de la compra,pdf.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe" MD5: 87A264AA9AEC9CE66F4B092363DD5ADC)
    • DHL_29028263 documento de recibo de la compra,pdf.exe (PID: 6600 cmdline: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe MD5: 87A264AA9AEC9CE66F4B092363DD5ADC)
      • cmd.exe (PID: 6632 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 2208 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 4992 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 6716 cmdline: cmd.exe" /C copy "C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe" "C:\Users\user\AppData\Roaming\window defender\window defender.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • window defender.exe (PID: 3668 cmdline: C:\Users\user\AppData\Roaming\window defender\window defender.exe MD5: 87A264AA9AEC9CE66F4B092363DD5ADC)
  • cleanup
Malware Configuration

{"C2 url": "37.0.14.197", "port": 1997}

Yara Matches

Source: 00000003.00000000.417195755.000000000054F000.00000040.00000400.00020000.00000000.sdmp
Rule: Codoso_Gh0st_1
Description: Detects Codoso APT Gh0st Malware
Author: Florian Roth
Strings:
  • 0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdf0:$c1: Elevation:Administrator!new:

Source: 00000003.00000000.417195755.000000000054F000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_UACMe
Description: Yara detected UACMe UAC Bypass tool
Author: Joe Security

Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: MAL_Envrial_Jan18_1
Description: Detects Encrial credential stealer malware
Author: Florian Roth
Strings:
  • 0x150e8:$a1: \Opera Software\Opera Stable\Login Data
  • 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data

Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_AveMaria
Description: Yara detected AveMaria stealer
Author: Joe Security