Windows Analysis Report
DHL DELIVERY.exe

ID:	635261
Product:	CloudBasic
Start time:	18:03:22
Start date:	27.05.2022
Sample:	DHL DELIVERY.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	56a08fd913bfc20fa0f15a4fb204bac9
SHA1:	b135f9c44b2847d494f1b2d843444711c8421cc0
SHA256:	37305d441b0332e9756a972f0585748807fb90ef363116aa6a224cefa120d09e
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: 3.0.DHL DELIVERY.exe.400000.8.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "amycarrol@cobinparkop.com", "Password": "WLhpQ58eJQHBZqb", "Host": "smtp.privateemail.com"}

Source: DHL DELIVERY.exe	Virustotal: Detection: 30%			Perma Link
Source: DHL DELIVERY.exe	ReversingLabs: Detection: 34%

Source: DHL DELIVERY.exe

Joe Sandbox ML: detected

Source: 3.0.DHL DELIVERY.exe.400000.8.unpack	Avira: Label: TR/Spy.Gen8
Source: 3.0.DHL DELIVERY.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 3.0.DHL DELIVERY.exe.400000.10.unpack	Avira: Label: TR/Spy.Gen8
Source: 3.2.DHL DELIVERY.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 3.0.DHL DELIVERY.exe.400000.12.unpack	Avira: Label: TR/Spy.Gen8
Source: 3.0.DHL DELIVERY.exe.400000.6.unpack	Avira: Label: TR/Spy.Gen8

Exploits

Source: Yara match	File source: 1.2.DHL DELIVERY.exe.43098e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL DELIVERY.exe PID: 6860, type: MEMORYSTR

Compliance

Source: DHL DELIVERY.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: DHL DELIVERY.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:

Binary string: c:\BuildAgent\work\1f3f66b1f4c88f9c\Runtime\src\System.Web.Cors\obj\Release\System.Web.Cors.pdb source: DHL DELIVERY.exe

Networking

Source: Joe Sandbox View

IP Address: 66.29.159.53 66.29.159.53

Source: global traffic

TCP traffic: 192.168.2.5:49775 -> 66.29.159.53:587

Source: global traffic

TCP traffic: 192.168.2.5:49775 -> 66.29.159.53:587

Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fnqsTS.com
Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.privateemail.com
Source: DHL DELIVERY.exe	String found in binary or memory: http://www.random.org/sequences/
Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.697005706.00000000034A2000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.696995944.000000000349A000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.696902033.0000000003470000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.696858077.0000000003432000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.696885279.000000000346C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x2Ivz0L9UI.com
Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%
Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: smtp.privateemail.com

System Summary

Source: 3.0.DHL DELIVERY.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.DHL DELIVERY.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.DHL DELIVERY.exe.44234f8.5.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.DHL DELIVERY.exe.43e34d8.3.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.DHL DELIVERY.exe.43098e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 1.2.DHL DELIVERY.exe.43098e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.0.DHL DELIVERY.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.DHL DELIVERY.exe.43c34b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.DHL DELIVERY.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.DHL DELIVERY.exe.43e34d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.DHL DELIVERY.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.2.DHL DELIVERY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.DHL DELIVERY.exe.44234f8.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen

Source: 3.0.DHL DELIVERY.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007b70BF74AAu002d2FA9u002d4ECDu002d9893u002dC24D8DB7A007u007d/u0030A2BE619u002d75E9u002d4F9Fu002d8F5Bu002d67FE7571C6DB.cs	Large array initialization: .cctor: array initializer size 11629
Source: 3.0.DHL DELIVERY.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b70BF74AAu002d2FA9u002d4ECDu002d9893u002dC24D8DB7A007u007d/u0030A2BE619u002d75E9u002d4F9Fu002d8F5Bu002d67FE7571C6DB.cs	Large array initialization: .cctor: array initializer size 11629
Source: 3.0.DHL DELIVERY.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b70BF74AAu002d2FA9u002d4ECDu002d9893u002dC24D8DB7A007u007d/u0030A2BE619u002d75E9u002d4F9Fu002d8F5Bu002d67FE7571C6DB.cs	Large array initialization: .cctor: array initializer size 11629
Source: 3.2.DHL DELIVERY.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b70BF74AAu002d2FA9u002d4ECDu002d9893u002dC24D8DB7A007u007d/u0030A2BE619u002d75E9u002d4F9Fu002d8F5Bu002d67FE7571C6DB.cs	Large array initialization: .cctor: array initializer size 11629

Source: DHL DELIVERY.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 3.0.DHL DELIVERY.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.DHL DELIVERY.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.DHL DELIVERY.exe.44234f8.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.DHL DELIVERY.exe.43e34d8.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.DHL DELIVERY.exe.43098e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 1.2.DHL DELIVERY.exe.43098e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.0.DHL DELIVERY.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.DHL DELIVERY.exe.43c34b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.DHL DELIVERY.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.DHL DELIVERY.exe.43e34d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.DHL DELIVERY.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.2.DHL DELIVERY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.DHL DELIVERY.exe.44234f8.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_028176A0		1_2_028176A0
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_02810490		1_2_02810490
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_0281DA08		1_2_0281DA08
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_02819A68		1_2_02819A68
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_02812748		1_2_02812748
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_0281047F		1_2_0281047F
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_0281E570		1_2_0281E570
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_0281F998		1_2_0281F998
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_02819F68		1_2_02819F68
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_00AD6167		1_2_00AD6167
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 3_2_0159F080		3_2_0159F080
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 3_2_0159F3C8		3_2_0159F3C8
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 3_2_01596120		3_2_01596120
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 3_2_061EBBB0		3_2_061EBBB0
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 3_2_061EC900		3_2_061EC900
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 3_2_061E1FF8		3_2_061E1FF8
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 3_2_061E0040		3_2_061E0040
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 3_2_00AD6167		3_2_00AD6167

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Code function: String function: 061E5A60 appears 55 times

Source: DHL DELIVERY.exe, 00000001.00000002.468229611.0000000002C09000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQXOZ VPa.exe2 vs DHL DELIVERY.exe
Source: DHL DELIVERY.exe, 00000001.00000002.466221634.0000000000AEE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Web.Cors.dllL vs DHL DELIVERY.exe
Source: DHL DELIVERY.exe, 00000001.00000002.472974687.00000000043AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQXOZ VPa.exe2 vs DHL DELIVERY.exe
Source: DHL DELIVERY.exe, 00000001.00000002.473251720.0000000004423000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQXOZ VPa.exe2 vs DHL DELIVERY.exe
Source: DHL DELIVERY.exe, 00000003.00000002.692251401.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQXOZ VPa.exe2 vs DHL DELIVERY.exe
Source: DHL DELIVERY.exe, 00000003.00000002.693156633.0000000000AEE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Web.Cors.dllL vs DHL DELIVERY.exe
Source: DHL DELIVERY.exe, 00000003.00000002.693211185.00000000010F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL DELIVERY.exe
Source: DHL DELIVERY.exe	Binary or memory string: OriginalFilenameSystem.Web.Cors.dllL vs DHL DELIVERY.exe

Source: DHL DELIVERY.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: DHL DELIVERY.exe	Virustotal: Detection: 30%
Source: DHL DELIVERY.exe	ReversingLabs: Detection: 34%

Source: DHL DELIVERY.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DHL DELIVERY.exe "C:\Users\user\Desktop\DHL DELIVERY.exe"
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process created: C:\Users\user\Desktop\DHL DELIVERY.exe C:\Users\user\Desktop\DHL DELIVERY.exe
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process created: C:\Users\user\Desktop\DHL DELIVERY.exe C:\Users\user\Desktop\DHL DELIVERY.exe			Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@3/0@1/2

Source: DHL DELIVERY.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: 3.0.DHL DELIVERY.exe.400000.8.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.DHL DELIVERY.exe.400000.8.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.DHL DELIVERY.exe.400000.4.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.DHL DELIVERY.exe.400000.4.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.DHL DELIVERY.exe.400000.10.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.DHL DELIVERY.exe.400000.10.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: DHL DELIVERY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DHL DELIVERY.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: DHL DELIVERY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\BuildAgent\work\1f3f66b1f4c88f9c\Runtime\src\System.Web.Cors\obj\Release\System.Web.Cors.pdb source: DHL DELIVERY.exe

Data Obfuscation

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_02810490 push eax; retf 5500h		1_2_02810DFE
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 3_2_061E9BF7 push es; ret		3_2_061EAA84
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 3_2_061E3139 push es; iretd		3_2_061E313C

Source: initial sample

Static PE information: section name: .text entropy: 7.9180819868

Hooking and other Techniques for Hiding and Protection

Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: localgroup administrators aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: Yara match	File source: 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL DELIVERY.exe PID: 6860, type: MEMORYSTR

Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: DHL DELIVERY.exe, 00000001.00000002.467073176.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\DHL DELIVERY.exe TID: 7108	Thread sleep time: -26747778906878833s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe TID: 7112	Thread sleep count: 5902 > 30			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe TID: 7112	Thread sleep count: 2855 > 30			Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Window / User API: threadDelayed 5902			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Window / User API: threadDelayed 2855			Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\EnumNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WWW /c Microsoft-Hyper-V-Common-Drivers-Package
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II

Anti Debugging

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: DHL DELIVERY.exe, u0033652008427/u0035457087416.cs	Reference to suspicious API methods: ('7773566935', 'GetProcAddress@kernel32'), ('2945618246', 'LoadLibrary@kernel32')
Source: 1.0.DHL DELIVERY.exe.a60000.0.unpack, u0033652008427/u0035457087416.cs	Reference to suspicious API methods: ('7773566935', 'GetProcAddress@kernel32'), ('2945618246', 'LoadLibrary@kernel32')
Source: 1.2.DHL DELIVERY.exe.a60000.0.unpack, u0033652008427/u0035457087416.cs	Reference to suspicious API methods: ('7773566935', 'GetProcAddress@kernel32'), ('2945618246', 'LoadLibrary@kernel32')
Source: 3.0.DHL DELIVERY.exe.a60000.1.unpack, u0033652008427/u0035457087416.cs	Reference to suspicious API methods: ('7773566935', 'GetProcAddress@kernel32'), ('2945618246', 'LoadLibrary@kernel32')
Source: 3.0.DHL DELIVERY.exe.a60000.2.unpack, u0033652008427/u0035457087416.cs	Reference to suspicious API methods: ('7773566935', 'GetProcAddress@kernel32'), ('2945618246', 'LoadLibrary@kernel32')
Source: 3.0.DHL DELIVERY.exe.400000.8.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 3.0.DHL DELIVERY.exe.400000.4.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 3.2.DHL DELIVERY.exe.a60000.1.unpack, u0033652008427/u0035457087416.cs	Reference to suspicious API methods: ('7773566935', 'GetProcAddress@kernel32'), ('2945618246', 'LoadLibrary@kernel32')
Source: 3.0.DHL DELIVERY.exe.400000.10.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 3.2.DHL DELIVERY.exe.400000.0.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Process created: C:\Users\user\Desktop\DHL DELIVERY.exe C:\Users\user\Desktop\DHL DELIVERY.exe

Jump to behavior

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Users\user\Desktop\DHL DELIVERY.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Users\user\Desktop\DHL DELIVERY.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Source: Yara match	File source: 3.0.DHL DELIVERY.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.DHL DELIVERY.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL DELIVERY.exe.44234f8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL DELIVERY.exe.43e34d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.DHL DELIVERY.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL DELIVERY.exe.43c34b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.DHL DELIVERY.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL DELIVERY.exe.43e34d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.DHL DELIVERY.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.DHL DELIVERY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL DELIVERY.exe.44234f8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.692251401.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.463670113.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.464161754.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.462833671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.461699324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.473923703.000000000452C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.472974687.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.473251720.0000000004423000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL DELIVERY.exe PID: 6860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DHL DELIVERY.exe PID: 6984, type: MEMORYSTR

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL DELIVERY.exe PID: 6984, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: 3.0.DHL DELIVERY.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.DHL DELIVERY.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL DELIVERY.exe.44234f8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL DELIVERY.exe.43e34d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.DHL DELIVERY.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL DELIVERY.exe.43c34b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.DHL DELIVERY.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL DELIVERY.exe.43e34d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.DHL DELIVERY.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.DHL DELIVERY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL DELIVERY.exe.44234f8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.692251401.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.463670113.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.464161754.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.462833671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.461699324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.473923703.000000000452C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.472974687.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.473251720.0000000004423000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL DELIVERY.exe PID: 6860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DHL DELIVERY.exe PID: 6984, type: MEMORYSTR