Edit tour

Windows Analysis Report
DHL DELIVERY.exe

Overview

General Information

Sample Name:	DHL DELIVERY.exe
Analysis ID:	635261
MD5:	56a08fd913bfc20fa0f15a4fb204bac9
SHA1:	b135f9c44b2847d494f1b2d843444711c8421cc0
SHA256:	37305d441b0332e9756a972f0585748807fb90ef363116aa6a224cefa120d09e
Tags:	AgentTeslaDHLexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected UAC Bypass using CMSTP

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

.NET source code references suspicious native API functions

Contains functionality to hide user accounts

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

DHL DELIVERY.exe (PID: 6860 cmdline: "C:\Users\user\Desktop\DHL DELIVERY.exe" MD5: 56A08FD913BFC20FA0F15A4FB204BAC9)

DHL DELIVERY.exe (PID: 6984 cmdline: C:\Users\user\Desktop\DHL DELIVERY.exe MD5: 56A08FD913BFC20FA0F15A4FB204BAC9)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "amycarrol@cobinparkop.com", "Password": "WLhpQ58eJQHBZqb", "Host": "smtp.privateemail.com"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.692251401.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.692251401.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000003.00000000.463670113.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000000.463670113.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000003.00000000.464161754.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000000.464161754.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000003.00000000.462833671.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000000.462833671.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000003.00000000.461699324.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000000.461699324.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.473923703.000000000452C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.473923703.000000000452C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.472974687.00000000043AB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.472974687.00000000043AB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.473251720.0000000004423000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.473251720.0000000004423000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Process Memory Space: DHL DELIVERY.exe PID: 6860	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: DHL DELIVERY.exe PID: 6860	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: DHL DELIVERY.exe PID: 6860	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: DHL DELIVERY.exe PID: 6984	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: DHL DELIVERY.exe PID: 6984	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.DHL DELIVERY.exe.400000.12.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.0.DHL DELIVERY.exe.400000.12.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
3.0.DHL DELIVERY.exe.400000.12.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b07:$s10: logins 0x3256e:$s11: credential 0x2eb86:$g1: get_Clipboard 0x2eb94:$g2: get_Keyboard 0x2eba1:$g3: get_Password 0x2fe7b:$g4: get_CtrlKeyDown 0x2fe8b:$g5: get_ShiftKeyDown 0x2fe9c:$g6: get_AltKeyDown
3.0.DHL DELIVERY.exe.400000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.0.DHL DELIVERY.exe.400000.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
3.0.DHL DELIVERY.exe.400000.6.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b07:$s10: logins 0x3256e:$s11: credential 0x2eb86:$g1: get_Clipboard 0x2eb94:$g2: get_Keyboard 0x2eba1:$g3: get_Password 0x2fe7b:$g4: get_CtrlKeyDown 0x2fe8b:$g5: get_ShiftKeyDown 0x2fe9c:$g6: get_AltKeyDown
1.2.DHL DELIVERY.exe.44234f8.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.DHL DELIVERY.exe.44234f8.5.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.DHL DELIVERY.exe.44234f8.5.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d07:$s10: logins 0x3076e:$s11: credential 0x2cd86:$g1: get_Clipboard 0x2cd94:$g2: get_Keyboard 0x2cda1:$g3: get_Password 0x2e07b:$g4: get_CtrlKeyDown 0x2e08b:$g5: get_ShiftKeyDown 0x2e09c:$g6: get_AltKeyDown
1.2.DHL DELIVERY.exe.43e34d8.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.DHL DELIVERY.exe.43e34d8.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.DHL DELIVERY.exe.43e34d8.3.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d07:$s10: logins 0x3076e:$s11: credential 0x2cd86:$g1: get_Clipboard 0x2cd94:$g2: get_Keyboard 0x2cda1:$g3: get_Password 0x2e07b:$g4: get_CtrlKeyDown 0x2e08b:$g5: get_ShiftKeyDown 0x2e09c:$g6: get_AltKeyDown
1.2.DHL DELIVERY.exe.43098e8.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
1.2.DHL DELIVERY.exe.43098e8.2.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x2418d:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x241c4:$e2: Add-MpPreference -ExclusionPath
1.2.DHL DELIVERY.exe.43098e8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x24059:$r1: Classes\Folder\shell\open\command 0x24080:$k1: DelegateExecute 0x23fcc:$s1: /EXEFilename "{0} 0x23fdf:$s2: /WindowState "" 0x24d5b:$s2: /WindowState "" 0x23ff4:$s3: /PriorityClass ""32"" /CommandLine " 0x24d6e:$s3: /PriorityClass ""32"" /CommandLine " 0x2401a:$s4: /StartDirectory " 0x24d94:$s4: /StartDirectory " 0x2402d:$s5: /RunAs 0x24da7:$s5: /RunAs
3.0.DHL DELIVERY.exe.400000.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.0.DHL DELIVERY.exe.400000.10.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
3.0.DHL DELIVERY.exe.400000.10.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b07:$s10: logins 0x3256e:$s11: credential 0x2eb86:$g1: get_Clipboard 0x2eb94:$g2: get_Keyboard 0x2eba1:$g3: get_Password 0x2fe7b:$g4: get_CtrlKeyDown 0x2fe8b:$g5: get_ShiftKeyDown 0x2fe9c:$g6: get_AltKeyDown
1.2.DHL DELIVERY.exe.43c34b8.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.DHL DELIVERY.exe.43c34b8.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.DHL DELIVERY.exe.43c34b8.4.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x52b27:$s10: logins 0x5258e:$s11: credential 0x4eba6:$g1: get_Clipboard 0x4ebb4:$g2: get_Keyboard 0x4ebc1:$g3: get_Password 0x4fe9b:$g4: get_CtrlKeyDown 0x4feab:$g5: get_ShiftKeyDown 0x4febc:$g6: get_AltKeyDown
3.0.DHL DELIVERY.exe.400000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.0.DHL DELIVERY.exe.400000.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
3.0.DHL DELIVERY.exe.400000.8.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b07:$s10: logins 0x3256e:$s11: credential 0x2eb86:$g1: get_Clipboard 0x2eb94:$g2: get_Keyboard 0x2eba1:$g3: get_Password 0x2fe7b:$g4: get_CtrlKeyDown 0x2fe8b:$g5: get_ShiftKeyDown 0x2fe9c:$g6: get_AltKeyDown
1.2.DHL DELIVERY.exe.43e34d8.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.DHL DELIVERY.exe.43e34d8.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.DHL DELIVERY.exe.43e34d8.3.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b07:$s10: logins 0x3256e:$s11: credential 0x2eb86:$g1: get_Clipboard 0x2eb94:$g2: get_Keyboard 0x2eba1:$g3: get_Password 0x2fe7b:$g4: get_CtrlKeyDown 0x2fe8b:$g5: get_ShiftKeyDown 0x2fe9c:$g6: get_AltKeyDown
3.0.DHL DELIVERY.exe.400000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.0.DHL DELIVERY.exe.400000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
3.0.DHL DELIVERY.exe.400000.4.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b07:$s10: logins 0x3256e:$s11: credential 0x2eb86:$g1: get_Clipboard 0x2eb94:$g2: get_Keyboard 0x2eba1:$g3: get_Password 0x2fe7b:$g4: get_CtrlKeyDown 0x2fe8b:$g5: get_ShiftKeyDown 0x2fe9c:$g6: get_AltKeyDown
3.2.DHL DELIVERY.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.DHL DELIVERY.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
3.2.DHL DELIVERY.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b07:$s10: logins 0x3256e:$s11: credential 0x2eb86:$g1: get_Clipboard 0x2eb94:$g2: get_Keyboard 0x2eba1:$g3: get_Password 0x2fe7b:$g4: get_CtrlKeyDown 0x2fe8b:$g5: get_ShiftKeyDown 0x2fe9c:$g6: get_AltKeyDown
1.2.DHL DELIVERY.exe.44234f8.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.DHL DELIVERY.exe.44234f8.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.DHL DELIVERY.exe.44234f8.5.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b07:$s10: logins 0x3256e:$s11: credential 0x2eb86:$g1: get_Clipboard 0x2eb94:$g2: get_Keyboard 0x2eba1:$g3: get_Password 0x2fe7b:$g4: get_CtrlKeyDown 0x2fe8b:$g5: get_ShiftKeyDown 0x2fe9c:$g6: get_AltKeyDown
Click to see the 31 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.0.DHL DELIVERY.exe.400000.8.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "amycarrol@cobinparkop.com", "Password": "WLhpQ58eJQHBZqb", "Host": "smtp.privateemail.com"}

Multi AV Scanner detection for submitted file

Source: DHL DELIVERY.exe	Virustotal: Detection: 30%			Perma Link
Source: DHL DELIVERY.exe	ReversingLabs: Detection: 34%

Machine Learning detection for sample

Source: DHL DELIVERY.exe

Joe Sandbox ML: detected

Source: 3.0.DHL DELIVERY.exe.400000.8.unpack	Avira: Label: TR/Spy.Gen8
Source: 3.0.DHL DELIVERY.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 3.0.DHL DELIVERY.exe.400000.10.unpack	Avira: Label: TR/Spy.Gen8
Source: 3.2.DHL DELIVERY.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 3.0.DHL DELIVERY.exe.400000.12.unpack	Avira: Label: TR/Spy.Gen8
Source: 3.0.DHL DELIVERY.exe.400000.6.unpack	Avira: Label: TR/Spy.Gen8

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 1.2.DHL DELIVERY.exe.43098e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL DELIVERY.exe PID: 6860, type: MEMORYSTR

Source: DHL DELIVERY.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: DHL DELIVERY.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:

Binary string: c:\BuildAgent\work\1f3f66b1f4c88f9c\Runtime\src\System.Web.Cors\obj\Release\System.Web.Cors.pdb source: DHL DELIVERY.exe

Source: Joe Sandbox View

IP Address: 66.29.159.53 66.29.159.53

Source: global traffic

TCP traffic: 192.168.2.5:49775 -> 66.29.159.53:587

Source: global traffic

TCP traffic: 192.168.2.5:49775 -> 66.29.159.53:587

Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fnqsTS.com
Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.privateemail.com
Source: DHL DELIVERY.exe	String found in binary or memory: http://www.random.org/sequences/
Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.697005706.00000000034A2000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.696995944.000000000349A000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.696902033.0000000003470000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.696858077.0000000003432000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.696885279.000000000346C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x2Ivz0L9UI.com
Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%
Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: smtp.privateemail.com

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.0.DHL DELIVERY.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.DHL DELIVERY.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.DHL DELIVERY.exe.44234f8.5.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.DHL DELIVERY.exe.43e34d8.3.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.DHL DELIVERY.exe.43098e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 1.2.DHL DELIVERY.exe.43098e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.0.DHL DELIVERY.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.DHL DELIVERY.exe.43c34b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.DHL DELIVERY.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.DHL DELIVERY.exe.43e34d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.DHL DELIVERY.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.2.DHL DELIVERY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.DHL DELIVERY.exe.44234f8.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen

.NET source code contains very large array initializations

Source: 3.0.DHL DELIVERY.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007b70BF74AAu002d2FA9u002d4ECDu002d9893u002dC24D8DB7A007u007d/u0030A2BE619u002d75E9u002d4F9Fu002d8F5Bu002d67FE7571C6DB.cs	Large array initialization: .cctor: array initializer size 11629
Source: 3.0.DHL DELIVERY.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b70BF74AAu002d2FA9u002d4ECDu002d9893u002dC24D8DB7A007u007d/u0030A2BE619u002d75E9u002d4F9Fu002d8F5Bu002d67FE7571C6DB.cs	Large array initialization: .cctor: array initializer size 11629
Source: 3.0.DHL DELIVERY.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b70BF74AAu002d2FA9u002d4ECDu002d9893u002dC24D8DB7A007u007d/u0030A2BE619u002d75E9u002d4F9Fu002d8F5Bu002d67FE7571C6DB.cs	Large array initialization: .cctor: array initializer size 11629
Source: 3.2.DHL DELIVERY.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b70BF74AAu002d2FA9u002d4ECDu002d9893u002dC24D8DB7A007u007d/u0030A2BE619u002d75E9u002d4F9Fu002d8F5Bu002d67FE7571C6DB.cs	Large array initialization: .cctor: array initializer size 11629

Source: DHL DELIVERY.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 3.0.DHL DELIVERY.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.DHL DELIVERY.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.DHL DELIVERY.exe.44234f8.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.DHL DELIVERY.exe.43e34d8.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.DHL DELIVERY.exe.43098e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 1.2.DHL DELIVERY.exe.43098e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.0.DHL DELIVERY.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.DHL DELIVERY.exe.43c34b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.DHL DELIVERY.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.DHL DELIVERY.exe.43e34d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.DHL DELIVERY.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.2.DHL DELIVERY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.DHL DELIVERY.exe.44234f8.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_028176A0	1_2_028176A0
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_02810490	1_2_02810490
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_0281DA08	1_2_0281DA08
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_02819A68	1_2_02819A68
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_02812748	1_2_02812748
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_0281047F	1_2_0281047F
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_0281E570	1_2_0281E570
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_0281F998	1_2_0281F998
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_02819F68	1_2_02819F68
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_00AD6167	1_2_00AD6167
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 3_2_0159F080	3_2_0159F080
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 3_2_0159F3C8	3_2_0159F3C8
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 3_2_01596120	3_2_01596120
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 3_2_061EBBB0	3_2_061EBBB0
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 3_2_061EC900	3_2_061EC900
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 3_2_061E1FF8	3_2_061E1FF8
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 3_2_061E0040	3_2_061E0040
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 3_2_00AD6167	3_2_00AD6167

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Code function: String function: 061E5A60 appears 55 times

Source: DHL DELIVERY.exe, 00000001.00000002.468229611.0000000002C09000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQXOZ VPa.exe2 vs DHL DELIVERY.exe
Source: DHL DELIVERY.exe, 00000001.00000002.466221634.0000000000AEE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Web.Cors.dllL vs DHL DELIVERY.exe
Source: DHL DELIVERY.exe, 00000001.00000002.472974687.00000000043AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQXOZ VPa.exe2 vs DHL DELIVERY.exe
Source: DHL DELIVERY.exe, 00000001.00000002.473251720.0000000004423000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQXOZ VPa.exe2 vs DHL DELIVERY.exe
Source: DHL DELIVERY.exe, 00000003.00000002.692251401.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQXOZ VPa.exe2 vs DHL DELIVERY.exe
Source: DHL DELIVERY.exe, 00000003.00000002.693156633.0000000000AEE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Web.Cors.dllL vs DHL DELIVERY.exe
Source: DHL DELIVERY.exe, 00000003.00000002.693211185.00000000010F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL DELIVERY.exe
Source: DHL DELIVERY.exe	Binary or memory string: OriginalFilenameSystem.Web.Cors.dllL vs DHL DELIVERY.exe

Source: DHL DELIVERY.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: DHL DELIVERY.exe	Virustotal: Detection: 30%
Source: DHL DELIVERY.exe	ReversingLabs: Detection: 34%

Source: DHL DELIVERY.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DHL DELIVERY.exe "C:\Users\user\Desktop\DHL DELIVERY.exe"
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process created: C:\Users\user\Desktop\DHL DELIVERY.exe C:\Users\user\Desktop\DHL DELIVERY.exe
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process created: C:\Users\user\Desktop\DHL DELIVERY.exe C:\Users\user\Desktop\DHL DELIVERY.exe	Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@3/0@1/2

Source: DHL DELIVERY.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: 3.0.DHL DELIVERY.exe.400000.8.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.DHL DELIVERY.exe.400000.8.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.DHL DELIVERY.exe.400000.4.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.DHL DELIVERY.exe.400000.4.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.DHL DELIVERY.exe.400000.10.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.DHL DELIVERY.exe.400000.10.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: DHL DELIVERY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DHL DELIVERY.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: DHL DELIVERY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\BuildAgent\work\1f3f66b1f4c88f9c\Runtime\src\System.Web.Cors\obj\Release\System.Web.Cors.pdb source: DHL DELIVERY.exe

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 1_2_02810490 push eax; retf 5500h	1_2_02810DFE
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 3_2_061E9BF7 push es; ret	3_2_061EAA84
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Code function: 3_2_061E3139 push es; iretd	3_2_061E313C

Source: initial sample

Static PE information: section name: .text entropy: 7.9180819868

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: localgroup administrators aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL DELIVERY.exe PID: 6860, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: DHL DELIVERY.exe, 00000001.00000002.467073176.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\DHL DELIVERY.exe TID: 7108	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe TID: 7112	Thread sleep count: 5902 > 30	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe TID: 7112	Thread sleep count: 2855 > 30	Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Window / User API: threadDelayed 5902			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Window / User API: threadDelayed 2855			Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\EnumNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WWW /c Microsoft-Hyper-V-Common-Drivers-Package
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: DHL DELIVERY.exe, u0033652008427/u0035457087416.cs	Reference to suspicious API methods: ('7773566935', 'GetProcAddress@kernel32'), ('2945618246', 'LoadLibrary@kernel32')
Source: 1.0.DHL DELIVERY.exe.a60000.0.unpack, u0033652008427/u0035457087416.cs	Reference to suspicious API methods: ('7773566935', 'GetProcAddress@kernel32'), ('2945618246', 'LoadLibrary@kernel32')
Source: 1.2.DHL DELIVERY.exe.a60000.0.unpack, u0033652008427/u0035457087416.cs	Reference to suspicious API methods: ('7773566935', 'GetProcAddress@kernel32'), ('2945618246', 'LoadLibrary@kernel32')
Source: 3.0.DHL DELIVERY.exe.a60000.1.unpack, u0033652008427/u0035457087416.cs	Reference to suspicious API methods: ('7773566935', 'GetProcAddress@kernel32'), ('2945618246', 'LoadLibrary@kernel32')
Source: 3.0.DHL DELIVERY.exe.a60000.2.unpack, u0033652008427/u0035457087416.cs	Reference to suspicious API methods: ('7773566935', 'GetProcAddress@kernel32'), ('2945618246', 'LoadLibrary@kernel32')
Source: 3.0.DHL DELIVERY.exe.400000.8.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 3.0.DHL DELIVERY.exe.400000.4.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 3.2.DHL DELIVERY.exe.a60000.1.unpack, u0033652008427/u0035457087416.cs	Reference to suspicious API methods: ('7773566935', 'GetProcAddress@kernel32'), ('2945618246', 'LoadLibrary@kernel32')
Source: 3.0.DHL DELIVERY.exe.400000.10.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 3.2.DHL DELIVERY.exe.400000.0.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Process created: C:\Users\user\Desktop\DHL DELIVERY.exe C:\Users\user\Desktop\DHL DELIVERY.exe

Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Users\user\Desktop\DHL DELIVERY.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Users\user\Desktop\DHL DELIVERY.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 3.0.DHL DELIVERY.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.DHL DELIVERY.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL DELIVERY.exe.44234f8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL DELIVERY.exe.43e34d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.DHL DELIVERY.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL DELIVERY.exe.43c34b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.DHL DELIVERY.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL DELIVERY.exe.43e34d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.DHL DELIVERY.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.DHL DELIVERY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL DELIVERY.exe.44234f8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.692251401.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.463670113.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.464161754.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.462833671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.461699324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.473923703.000000000452C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.472974687.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.473251720.0000000004423000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL DELIVERY.exe PID: 6860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DHL DELIVERY.exe PID: 6984, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\DHL DELIVERY.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\DHL DELIVERY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\DHL DELIVERY.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL DELIVERY.exe PID: 6984, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 3.0.DHL DELIVERY.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.DHL DELIVERY.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL DELIVERY.exe.44234f8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL DELIVERY.exe.43e34d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.DHL DELIVERY.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL DELIVERY.exe.43c34b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.DHL DELIVERY.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL DELIVERY.exe.43e34d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.DHL DELIVERY.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.DHL DELIVERY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL DELIVERY.exe.44234f8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.692251401.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.463670113.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.464161754.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.462833671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.461699324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.473923703.000000000452C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.472974687.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.473251720.0000000004423000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL DELIVERY.exe PID: 6860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DHL DELIVERY.exe PID: 6984, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	Path Interception	11 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	131 Virtualization/Sandbox Evasion	1 Credentials in Registry	211 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Deobfuscate/Decode Files or Information	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Users	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Software Packing	DCSync	114 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DHL DELIVERY.exe	31%	Virustotal		Browse
DHL DELIVERY.exe	35%	ReversingLabs	ByteCode-MSIL.Trojan.Injuke
DHL DELIVERY.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.0.DHL DELIVERY.exe.400000.8.unpack	100%	Avira	TR/Spy.Gen8	Download File
3.0.DHL DELIVERY.exe.400000.4.unpack	100%	Avira	TR/Spy.Gen8	Download File
3.0.DHL DELIVERY.exe.400000.10.unpack	100%	Avira	TR/Spy.Gen8	Download File
3.2.DHL DELIVERY.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
3.0.DHL DELIVERY.exe.400000.12.unpack	100%	Avira	TR/Spy.Gen8	Download File
3.0.DHL DELIVERY.exe.400000.6.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://api.ipify.org%%startupfolder%	0%	URL Reputation	safe
http://x2Ivz0L9UI.com	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://fnqsTS.com	0%	Avira URL Cloud	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
smtp.privateemail.com	66.29.159.53	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.random.org/sequences/	DHL DELIVERY.exe	false		high
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:HTTP/1.1	DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://sectigo.com/CPS0	DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org%%startupfolder%	DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
http://x2Ivz0L9UI.com	DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.697005706.00000000034A2000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.696995944.000000000349A000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.696902033.0000000003470000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.696858077.0000000003432000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.696885279.000000000346C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fnqsTS.com	DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org%	DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
http://smtp.privateemail.com	DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
66.29.159.53	smtp.privateemail.com	United States		19538	ADVANTAGECOMUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	635261
Start date and time: 27/05/202218:03:22	2022-05-27 18:03:22 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DHL DELIVERY.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@3/0@1/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.4% (good quality ratio 0.4%) Quality average: 70.1% Quality standard deviation: 24.3%
HCA Information:	Successful, ratio: 96% Number of executed functions: 62 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:04:54	API Interceptor	713x Sleep call for process: DHL DELIVERY.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
66.29.159.53	SecuriteInfo.com.Trojan.GenericKD.49032101.27844.exe	Get hash	malicious	Browse
	HALKBANK.exe	Get hash	malicious	Browse
	HALKBANK.exe	Get hash	malicious	Browse
	HALKBANK.exe	Get hash	malicious	Browse
	HALKBANK.exe	Get hash	malicious	Browse
	SW0P9o9ksjpBsnr.exe	Get hash	malicious	Browse
	5.exe	Get hash	malicious	Browse
	xxTzyGLZx5.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
smtp.privateemail.com	SecuriteInfo.com.Trojan.GenericKD.49032101.27844.exe	Get hash	malicious	Browse	66.29.159.53
	HALKBANK.exe	Get hash	malicious	Browse	66.29.159.53
	HALKBANK.exe	Get hash	malicious	Browse	66.29.159.53
	HALKBANK.exe	Get hash	malicious	Browse	66.29.159.53
	HALKBANK.exe	Get hash	malicious	Browse	66.29.159.53
	SW0P9o9ksjpBsnr.exe	Get hash	malicious	Browse	66.29.159.53
	5.exe	Get hash	malicious	Browse	66.29.159.53
	xxTzyGLZx5.exe	Get hash	malicious	Browse	66.29.159.53
	triage_dropped_file.exe	Get hash	malicious	Browse	199.193.7.228
	3CcIcrAcTaqztNz.exe	Get hash	malicious	Browse	199.193.7.228
	quotation #Uff08HY20 PP .exe	Get hash	malicious	Browse	199.193.7.228
	Invoicel-datasheet.exe	Get hash	malicious	Browse	199.193.7.228
	Invoicel-datasheet.exe	Get hash	malicious	Browse	199.193.7.228
	dark.exe	Get hash	malicious	Browse	199.193.7.228
	0ZZqw52a6S.exe	Get hash	malicious	Browse	199.193.7.228
	5D8K69LJBi.exe	Get hash	malicious	Browse	199.193.7.228
	SecuriteInfo.com.Trojan.Win32.Save.a.22692.exe	Get hash	malicious	Browse	199.193.7.228
	Baw29sc72T.exe	Get hash	malicious	Browse	199.193.7.228
	P.O# 70058629.exe	Get hash	malicious	Browse	199.193.7.228
	DHL paper-work awaiting address verification.exe	Get hash	malicious	Browse	199.193.7.228

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ADVANTAGECOMUS	yW4CYO3d2Z.exe	Get hash	malicious	Browse	66.29.142.85
	lams465321.exe	Get hash	malicious	Browse	66.29.132.145
	vicki.htm	Get hash	malicious	Browse	66.29.157.122
	Commercial Invoice_xlsx.exe	Get hash	malicious	Browse	66.29.155.228
	Bill Of Lading-Original_xlsx.exe	Get hash	malicious	Browse	66.29.155.228
	EY_Document_Order459099.exe	Get hash	malicious	Browse	66.29.155.51
	triage_dropped_file.exe	Get hash	malicious	Browse	66.29.155.51
	shipment documents for SST2112-250..exe	Get hash	malicious	Browse	66.29.142.85
	invoicecopy.exe	Get hash	malicious	Browse	66.29.155.228
	pago111GR.xlsx	Get hash	malicious	Browse	66.29.155.51
	lvNEkejxhv.exe	Get hash	malicious	Browse	66.29.132.9
	https://dodeliver.com.pk/portal/fie.zip	Get hash	malicious	Browse	66.29.134.113
	SecuriteInfo.com.Trojan.GenericKD.49032101.27844.exe	Get hash	malicious	Browse	66.29.159.53
	https://www.minstroy.saratov.gov.ru/communication/blog/admin-blg/1.php?pagen=12	Get hash	malicious	Browse	66.29.137.41
	Drawing for specification.xlsx	Get hash	malicious	Browse	66.29.146.86
	SecuriteInfo.com.W32.MSIL_Agent.CTU.genEldorado.31574.exe	Get hash	malicious	Browse	66.29.155.51
	https://sync.crwdcntrl.net/map/c=9828/tp=ADBE/gdpr=0/gdpr_consent=/tpid=62553350917825036762023184708005776201?https%3A%2F%2Fsign-smpu724eb7r29qzs1gw162nd2cilb0gppxkyfq3q1rk.website%E2%80%8B.yandexcloud.net%23dbrodie@standrew.co.uk	Get hash	malicious	Browse	66.29.133.103
	SecuriteInfo.com.Variant.Jaik.72878.4306.exe	Get hash	malicious	Browse	66.29.155.228
	https://youtube.vi5y.com/zl77b324	Get hash	malicious	Browse	66.29.145.90
	StatementCopy#Globalfoundries899824Globalfoundries514-#Ud83d#Udcde49087.HTM	Get hash	malicious	Browse	66.29.152.136

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.907392354286095
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	DHL DELIVERY.exe
File size:	574976
MD5:	56a08fd913bfc20fa0f15a4fb204bac9
SHA1:	b135f9c44b2847d494f1b2d843444711c8421cc0
SHA256:	37305d441b0332e9756a972f0585748807fb90ef363116aa6a224cefa120d09e
SHA512:	cae86e058d6416a72aaa97d5cb970a9cd12a21f65af1bee3ffe0924c787791b8f0366991a9fb0137e537e9226f06167cf5ac1c3cd1ab462615ea0a9bb0430f22
SSDEEP:	12288:KK2HUdEv8+F2wPLcYfqqDLNoE3TkyuFmcFiGZjC8Ng9n:KK2HrvY8zHNoCTkyuBFM8y
TLSH:	30C4129037B96F2BEA7E4EF98176106443B1B6066B50C3CE2DD276EE11E3F018E55A13
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.KR..............0.3...@.......-.... ........@.. ....................... ............`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x48db2d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x524B8F74 [Wed Oct 2 03:13:56 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8da4c	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8e000	0x434	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x90000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8da96	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8bb33	0x8bc00	False	0.911831604987	data	7.9180819868	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x8e000	0x434	0x600	False	0.305989583333	data	2.56725335834	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x90000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x8e058	0x3dc	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Microsoft Corporation. All rights reserved.
Assembly Version	5.0.0.0
InternalName	System.Web.Cors.dll
FileVersion	5.0.11001.0
CompanyName	Microsoft Corporation.
ProductName	Microsoft ASP.NET MVC
ProductVersion	5.0.11001.0
FileDescription	System.Web.Cors (88a1bd8d3344b5df289577425c0314e7f521e88a)
OriginalFilename	System.Web.Cors.dll

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2022 18:05:02.151860952 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:05:02.321647882 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:02.321768999 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:05:02.493024111 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:02.493402958 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:05:02.662947893 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:02.663575888 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:02.663954020 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:05:02.834335089 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:02.874758005 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:05:03.046480894 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:03.047969103 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:03.048019886 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:03.048053026 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:03.048080921 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:05:03.048084974 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:03.048115015 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:03.048130035 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:05:03.075139046 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:05:03.244549990 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:03.245537043 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:03.387064934 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:05:03.556396961 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:03.557019949 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:03.558290005 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:05:03.727574110 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:03.729589939 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:03.730511904 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:05:03.899827003 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:03.903959036 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:03.906023979 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:05:04.075403929 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:04.078903913 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:04.079385042 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:05:04.248735905 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:04.290292025 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:04.290813923 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:05:04.460079908 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:04.461122990 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:04.478138924 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:05:04.478338957 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:05:04.479090929 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:05:04.479360104 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:05:04.647291899 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:04.647352934 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:04.648190022 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:04.648361921 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:04.706700087 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:05:04.926225901 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:06:42.094340086 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:06:42.263477087 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:06:42.264010906 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:06:42.264039993 CEST	587	49775	66.29.159.53	192.168.2.5
May 27, 2022 18:06:42.264090061 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:06:42.266407967 CEST	49775	587	192.168.2.5	66.29.159.53
May 27, 2022 18:06:42.435457945 CEST	587	49775	66.29.159.53	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2022 18:05:02.100497961 CEST	53934	53	192.168.2.5	8.8.8.8
May 27, 2022 18:05:02.121862888 CEST	53	53934	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 27, 2022 18:05:02.100497961 CEST	192.168.2.5	8.8.8.8	0x9d0e	Standard query (0)	smtp.privateemail.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 27, 2022 18:05:02.121862888 CEST	8.8.8.8	192.168.2.5	0x9d0e	No error (0)	smtp.privateemail.com		66.29.159.53	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
May 27, 2022 18:05:02.493024111 CEST	587	49775	66.29.159.53	192.168.2.5	220 PrivateEmail.com prod Mail Node
May 27, 2022 18:05:02.493402958 CEST	49775	587	192.168.2.5	66.29.159.53	EHLO 980108
May 27, 2022 18:05:02.663575888 CEST	587	49775	66.29.159.53	192.168.2.5	250-mta-08.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
May 27, 2022 18:05:02.663954020 CEST	49775	587	192.168.2.5	66.29.159.53	STARTTLS
May 27, 2022 18:05:02.834335089 CEST	587	49775	66.29.159.53	192.168.2.5	220 Ready to start TLS

Target ID:	1
Start time:	18:04:32
Start date:	27/05/2022
Path:	C:\Users\user\Desktop\DHL DELIVERY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL DELIVERY.exe"
Imagebase:	0xa60000
File size:	574976 bytes
MD5 hash:	56A08FD913BFC20FA0F15A4FB204BAC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.473923703.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.473923703.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.472974687.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.472974687.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.473251720.0000000004423000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.473251720.0000000004423000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	3
Start time:	18:04:44
Start date:	27/05/2022
Path:	C:\Users\user\Desktop\DHL DELIVERY.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\DHL DELIVERY.exe
Imagebase:	0xa60000
File size:	574976 bytes
MD5 hash:	56A08FD913BFC20FA0F15A4FB204BAC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.692251401.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.692251401.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.463670113.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.463670113.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.464161754.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.464161754.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.462833671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.462833671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.461699324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.461699324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	21.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	56%
Total number of Nodes:	25
Total number of Limit Nodes:	0

Executed Functions

Function 028176A0 Relevance: 2.8, Strings: 2, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fish, xrefs: 028176B6
8|l, xrefs: 028178D9

Memory Dump Source

Source File: 00000001.00000002.466715658.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2810000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID: 8|l$fish
API String ID: 0-3163508401
Opcode ID: 69207abb57e202e12af9baa9a56c896a7aeef4601c170241c7e75eac708c16f9
Instruction ID: b606c498bb1fe9f22de67823663391874c2914e5d4305793dc9eb12d4ee2a0b7
Opcode Fuzzy Hash: 69207abb57e202e12af9baa9a56c896a7aeef4601c170241c7e75eac708c16f9
Instruction Fuzzy Hash: 32919E78B002169FDB04DFB5D895AAEF7B6FF88314F10882DE446DB291DB74A905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02810490 Relevance: 1.9, Strings: 1, Instructions: 669
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`l, xrefs: 02810517

Memory Dump Source

Source File: 00000001.00000002.466715658.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2810000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID: `l
API String ID: 0-1787797062
Opcode ID: 74bc10d352106644e6c0be336dcc1dfb8d5a3c72cb678eeedb2f7f22b6e880bd
Instruction ID: 4e58af169c33cffa3fd5f988422515eb18674accabe1dee80c61a10f15f947c8
Opcode Fuzzy Hash: 74bc10d352106644e6c0be336dcc1dfb8d5a3c72cb678eeedb2f7f22b6e880bd
Instruction Fuzzy Hash: 644260357001149FDB089B64C851F6A77B7AF89308F1484A8D50A9B3BACF75DC52DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0281047F Relevance: 1.8, Strings: 1, Instructions: 597
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`l, xrefs: 02810517

Memory Dump Source

Source File: 00000001.00000002.466715658.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2810000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID: `l
API String ID: 0-1787797062
Opcode ID: 49fc0dba2c1a0df41d7efac1c28ad70d4537455b374ffedc4d3eef0a494730f6
Instruction ID: fd2cc0f4959d69f5a60be661bc907963b3ed4315c3ef5f186f722ed3c855f946
Opcode Fuzzy Hash: 49fc0dba2c1a0df41d7efac1c28ad70d4537455b374ffedc4d3eef0a494730f6
Instruction Fuzzy Hash: DF3250357001159FDB189BA4C851F6A7BB7EF88308F1480A8E50A9B3BACF75DC52DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0281DA08 Relevance: .5, Instructions: 524
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.466715658.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2810000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53331d4adb380850b4668491d71c0d09168492260eda1ce3cdf8d50685015c0e
Instruction ID: 71f8519ebeacb9dbde088d9bf3c42d2325655efca846471c1b115e25eb59fccd
Opcode Fuzzy Hash: 53331d4adb380850b4668491d71c0d09168492260eda1ce3cdf8d50685015c0e
Instruction Fuzzy Hash: 4C22D479A042558FCB15CF69C880A9EBBF7FF89300B15C5AAD445EB3A2DB30AD45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02819A68 Relevance: .3, Instructions: 300
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.466715658.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2810000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c55a9e96722fc558d226885a949308497665b015a8dd78bd0c377a4fcb03b8
Instruction ID: 82c5a905148823168469a1eb2b48b66f21806a0590944b901ffdd348cbf665ec
Opcode Fuzzy Hash: 21c55a9e96722fc558d226885a949308497665b015a8dd78bd0c377a4fcb03b8
Instruction Fuzzy Hash: 4ED13B39A00219CFCB05CF64D894A9DFBB6FF88314B16C655E845AB361DB71ED82CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02810F95 Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 02811087

Memory Dump Source

Source File: 00000001.00000002.466715658.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2810000_DHL DELIVERY.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e15352e991d4d2866c20672fe9b803d9ccc583ad3eb510599bed2e0d23558ced
Instruction ID: c29e3b17da691aa8a4287bcad0ce56ccd0d2a73d0b5909d4ce1b1bca54ce6b59
Opcode Fuzzy Hash: e15352e991d4d2866c20672fe9b803d9ccc583ad3eb510599bed2e0d23558ced
Instruction Fuzzy Hash: BC4158B8E006488FDB10CFA9C889BDEBBF5AB48704F108129D919F7384D7749845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02810F98 Relevance: 1.6, APIs: 1, Instructions: 96
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 02811087

Memory Dump Source

Source File: 00000001.00000002.466715658.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2810000_DHL DELIVERY.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 284b7d13499bd5e483d38dae1e5dace299fedaab44d27b87ac1b62cfeeeb680d
Instruction ID: 77fd67663bb8389c6f0fb0e58bdb12894e0d67beda9be05ec4db4bcb3961970d
Opcode Fuzzy Hash: 284b7d13499bd5e483d38dae1e5dace299fedaab44d27b87ac1b62cfeeeb680d
Instruction Fuzzy Hash: 014136B8E006988FDB10CFA9C889BDEBBF5AB48714F108129D919F7384D7759845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02811480 Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 028114FC

Memory Dump Source

Source File: 00000001.00000002.466715658.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2810000_DHL DELIVERY.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 393c7dbd8e4edb2144d41a1201edb759b56a82de0e45b19d7320c671147092b8
Instruction ID: 3e00f57804ff6d8353e9324abff7a0afe47b7d6c5e2f2996a044e7e4af09b40a
Opcode Fuzzy Hash: 393c7dbd8e4edb2144d41a1201edb759b56a82de0e45b19d7320c671147092b8
Instruction Fuzzy Hash: 732113B5D002498FCB10DFAAC884AEEFBF9FF48324F14882AD559A7250C7749945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02811488 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 028114FC

Memory Dump Source

Source File: 00000001.00000002.466715658.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2810000_DHL DELIVERY.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a460bf9db6298c71b4ba4851852928a6c22b82053522f340b355df6c68eda120
Instruction ID: cd510f9e8ea1315770eb7178a2916c2651bddb026c7a18437f82afe5362b1343
Opcode Fuzzy Hash: a460bf9db6298c71b4ba4851852928a6c22b82053522f340b355df6c68eda120
Instruction Fuzzy Hash: 0311F4B5D002499FCB10DFAAC884BEEFBF9BF48324F54882AD519A7250C7749944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02830980 Relevance: .3, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.466746292.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2830000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c09c9bdf67a4bfcbce2d69ba6b5a2bdaed225389c14975771f707e45d2a9675b
Instruction ID: c921ef7613b6bcf87b9365109cea992cd97919fe1da6f769f3b87c7efc31c10e
Opcode Fuzzy Hash: c09c9bdf67a4bfcbce2d69ba6b5a2bdaed225389c14975771f707e45d2a9675b
Instruction Fuzzy Hash: 02C13679D00109EFCF15DFA4C980A9DBBB6FF09304B208196E519AB225DB32F955DF90

Uniqueness

Uniqueness Score: -1.00%

Function 028309A0 Relevance: .3, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.466746292.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2830000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d882dcf86e25c4f587f7e25bdc49064ef6a9a9cec3ff4f129a7d5e06f31acb49
Instruction ID: adc43402fcc09cb6068a1121695e7f0ebaa34d880633f0c6d5a9ecec2969b798
Opcode Fuzzy Hash: d882dcf86e25c4f587f7e25bdc49064ef6a9a9cec3ff4f129a7d5e06f31acb49
Instruction Fuzzy Hash: DFC14579D00109EFCF25DFA4C980A9DBBB6FF09304B208156E51AAB225DB32F955DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02831200 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.466746292.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2830000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d0a660d0cb8c832ed2cfb241a9a405bd008a0a6e45d1e426ee3aa835f7c383
Instruction ID: 6a25ea72ce09c1e8c3ec02806b9bcd426e54c7700c059baeb1cc69cac25d2030
Opcode Fuzzy Hash: c3d0a660d0cb8c832ed2cfb241a9a405bd008a0a6e45d1e426ee3aa835f7c383
Instruction Fuzzy Hash: 27716879D00109DFCB05DFE4C88499EFBBAFF49314B1081A6E519AB265DB32EC56CB90

Uniqueness

Uniqueness Score: -1.00%

Function 028311E0 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.466746292.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2830000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e16ee671e41cac15b8aae94382aa270714ae80f318ed89acfb7e235bf3d36f0
Instruction ID: 6ff7c49f2220c1cc43ec1218a24aa3a2e42d5b50adc0b94ba400d6d64d80eb8c
Opcode Fuzzy Hash: 3e16ee671e41cac15b8aae94382aa270714ae80f318ed89acfb7e235bf3d36f0
Instruction Fuzzy Hash: 0A715779D00109DFCB05DF94C884ADDFBBAFF49314B108166E919AB265DB32E856CB90

Uniqueness

Uniqueness Score: -1.00%

Function 028303A8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.466746292.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2830000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ff8349fda77977f7a56e39a251988794f1ff713a9577cb5de39e231729cc86
Instruction ID: 5c79fa448d188a2a9c663c7501cb89e3691d7f9aee17c3b7445483b6d7065985
Opcode Fuzzy Hash: 13ff8349fda77977f7a56e39a251988794f1ff713a9577cb5de39e231729cc86
Instruction Fuzzy Hash: 9951BA79D00119EFCF05DFA4D88099EBBB6FF49305B108466E919AB221DB31ED15CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0283038C Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.466746292.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2830000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ccd590f2de97afc699f065d4cf6459c2dc616e82e97b76abf8c846642d598a9
Instruction ID: be636a828c5730a1a644027ff12c573c5d3652360a5fb714f141379a8a4c03b1
Opcode Fuzzy Hash: 7ccd590f2de97afc699f065d4cf6459c2dc616e82e97b76abf8c846642d598a9
Instruction Fuzzy Hash: AF518A79E00119EFCF05DFA4D88099EBBB6FF49305B108466E919AB221DB31ED15CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02830190 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.466746292.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2830000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167667cca25fcc1522bbf33087b9a40f44366863f750b912377c0a73394d2441
Instruction ID: f548e9ae8bec052d5aab396d45ddb18eb78479c74c4eca59ccd14719feea8b24
Opcode Fuzzy Hash: 167667cca25fcc1522bbf33087b9a40f44366863f750b912377c0a73394d2441
Instruction Fuzzy Hash: FF41F475900249CFCF02DFA4D884EAEBFB6FF49314B05C09AE559EB262D7349806CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0283018A Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.466746292.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2830000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2259c7b9557f494b785490be2c193fe1cebc8aceb220d85e9a798679dc0834
Instruction ID: 4da645832b33e588e1af690f6b4953539d9632608310c702f2f6412dc5f50bad
Opcode Fuzzy Hash: bd2259c7b9557f494b785490be2c193fe1cebc8aceb220d85e9a798679dc0834
Instruction Fuzzy Hash: C0318079A00119DFCF01DF98D884EAEBBB6FF48315B108126E919A7321D7359916CB91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0281F998 Relevance: 2.9, Strings: 2, Instructions: 419COMMON

Download Yara Rule

Strings

\l, xrefs: 0281FA2D
\l, xrefs: 0281FA23

Memory Dump Source

Source File: 00000001.00000002.466715658.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2810000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID: \l$\l
API String ID: 0-3451059530
Opcode ID: 43848eeca8fb1a33d884af4cc1900ebe1ca9d990fdbc9a2ad36ca0ecce623a3b
Instruction ID: 98ecb5c6c9dec2a18bb77dcbb25d6405505fadddb8094b1ffdcfb4bd4c2af543
Opcode Fuzzy Hash: 43848eeca8fb1a33d884af4cc1900ebe1ca9d990fdbc9a2ad36ca0ecce623a3b
Instruction Fuzzy Hash: 64E1D73AE00B1ACBCB11CFA5C8012EEB3F6AF9E705B254919D505BF550D771AE86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02812748 Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.466715658.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2810000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701c4d8ffcc1f60031994b28aa5b7ab158273e6514614a76d215c0aada066c9e
Instruction ID: e07d3afe11c260abbc03b9343814e6537a74781e9cae4476561abde288bae4a7
Opcode Fuzzy Hash: 701c4d8ffcc1f60031994b28aa5b7ab158273e6514614a76d215c0aada066c9e
Instruction Fuzzy Hash: 37023D7DA005258FDB18DF79C884A6DB7BABF88714B158569E809DB3B9DB30EC01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02819F68 Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.466715658.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2810000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb64bc387571e997023f2f68c5b475eb7a70f0fe38f005abd3ff1a95efda8365
Instruction ID: 5a7c15ac2488638e465f537f1e4469a416a00bff9cea3ec31350a9333b40f987
Opcode Fuzzy Hash: bb64bc387571e997023f2f68c5b475eb7a70f0fe38f005abd3ff1a95efda8365
Instruction Fuzzy Hash: B9D1B33DA066058FCB1CCF64D580AAEB7F6EF48318B258469E50ADB292CB75EC45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0281E570 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.466715658.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2810000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c369b2597ab6ea5ea2c8791673f9d6750dd12a407cea5deaa8a7ee94887db6c
Instruction ID: 27780baa235600b67ab0a0a74025f75e5d07af8a9d80c71429969a772ce97c26
Opcode Fuzzy Hash: 2c369b2597ab6ea5ea2c8791673f9d6750dd12a407cea5deaa8a7ee94887db6c
Instruction Fuzzy Hash: CBD1C379604215CFCB15CF69C48099EBBF6FF89300B09C5AAE859DB2A6D730E951CF90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: DHL DELIVERY.exePID: 6984, Parent PID: 6860COMMON

Execution Graph

Execution Coverage:	20.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	283
Total number of Limit Nodes:	2

Executed Functions

Function 061E7552 Relevance: 4.8, APIs: 3, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7618
KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9fc23121a7a66d1b596322b98c675ef005b866b09df44e3d2604a0e0e5cdd34c
Instruction ID: 3516856016b003fda3c1ca115ed94f434a7b6956cb158f5767cdc7e4a7234199
Opcode Fuzzy Hash: 9fc23121a7a66d1b596322b98c675ef005b866b09df44e3d2604a0e0e5cdd34c
Instruction Fuzzy Hash: 3902BA35902259CFEB69EF30E888699B7B2FF4930AF1045D9D51AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7573 Relevance: 4.8, APIs: 3, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7618
KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cbcd20829c011d75236822644b001324bd5c79025be23ad9ac418012744d6cc0
Instruction ID: 40c4a061669e2a3f921526a3e4dbfc25039f5b0c2527d9c9786726717b3e79a4
Opcode Fuzzy Hash: cbcd20829c011d75236822644b001324bd5c79025be23ad9ac418012744d6cc0
Instruction Fuzzy Hash: 1B02CC35902259CFEB69EF30E888699B7B2FF4930AF1045D9D51AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E75B8 Relevance: 4.8, APIs: 3, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7618
KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 829da99a9fd3a3cfd2bde5a1a3537cd4874778385c4448663eb12644bc7422f8
Instruction ID: f05a66934bc056c03e12ddb67aa591f93b04d506f5f083b3b26c8e2e0c7c36fc
Opcode Fuzzy Hash: 829da99a9fd3a3cfd2bde5a1a3537cd4874778385c4448663eb12644bc7422f8
Instruction Fuzzy Hash: 4202CB35902259CFEB69EF30E888699B7B2FF4930AF1045D9D51AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E75F4 Relevance: 4.8, APIs: 3, Instructions: 333
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7618
KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6567b2547e49a22a0a5880d5c2884679568899df38e9df6cb3c13504451b4cfa
Instruction ID: 976b512789b3f0d62225399e406a62e9ab4e44708b9c26a3860d472c92a58ef3
Opcode Fuzzy Hash: 6567b2547e49a22a0a5880d5c2884679568899df38e9df6cb3c13504451b4cfa
Instruction Fuzzy Hash: B902CB35902269CFEB65EF30E888699B7B2FF4930AF1045D9D51AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7639 Relevance: 3.3, APIs: 2, Instructions: 326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c19486a5fe90ea17976a9538ae16620efdc51b29bc4aaf38fd4413d749c694f2
Instruction ID: 6c63255870fea5e94a046a269fdab544afb47d5acbae50d4481689b8d7821acc
Opcode Fuzzy Hash: c19486a5fe90ea17976a9538ae16620efdc51b29bc4aaf38fd4413d749c694f2
Instruction Fuzzy Hash: 3F02CB35902259CFEB65EF30E888699B7B2FF4930AF1045D9D51AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E767E Relevance: 3.3, APIs: 2, Instructions: 319
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 76c3045ca39eeae5e0241ee410e033fef42af32977f389339983ab24d260f800
Instruction ID: 8beb8356be752edc5c761b77ff26d733b38374c324902b6bc70ec809862ccdcd
Opcode Fuzzy Hash: 76c3045ca39eeae5e0241ee410e033fef42af32977f389339983ab24d260f800
Instruction Fuzzy Hash: 30F1CB35902259CFEBA5EF30E888699B7B2FF4930AF1045D9D51AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E76C3 Relevance: 3.3, APIs: 2, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 56951fe3defe8469c5ffce643682489ff2b81df0be3aebf74d4eff3daf1ed726
Instruction ID: 388da62fc77a2de4c0604e70175aea54b73b8815e03dc9756badf581910b04eb
Opcode Fuzzy Hash: 56951fe3defe8469c5ffce643682489ff2b81df0be3aebf74d4eff3daf1ed726
Instruction Fuzzy Hash: 32F1CB35902259CFDB65EF30E888699B7B2FF4930AF1045D9D51A92350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E76FF Relevance: 3.3, APIs: 2, Instructions: 305
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c0a1b4465c35f667373e06fb58e6d5cb181e8be0b7c1dd1ae8a5fa796123404f
Instruction ID: d1a5cf5f7981dff96216fecca91e16befff7d79c1b07cdf72193664147abf1a2
Opcode Fuzzy Hash: c0a1b4465c35f667373e06fb58e6d5cb181e8be0b7c1dd1ae8a5fa796123404f
Instruction Fuzzy Hash: F6F1DB35902269CFDBA5EF30E888699B7B2FF4930AF1045D9D51AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7744 Relevance: 3.3, APIs: 2, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1a2b326fe6f41193ed8d47510091e7070a769e774e320bb0a45c879a81da2c44
Instruction ID: a6aa7c0e2859e3c7530071cb0f5470a402e103138297f2b9fb828b4477a48fd7
Opcode Fuzzy Hash: 1a2b326fe6f41193ed8d47510091e7070a769e774e320bb0a45c879a81da2c44
Instruction Fuzzy Hash: A7F1DA35902269CFEB65EF30E888699B7B2FF4930AF1045D9D51AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7789 Relevance: 3.3, APIs: 2, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 070b11205eff9442058570ab61e205ff312fc5b3663c5e71b9fd81873e1aa958
Instruction ID: 0e3a438afc0b58fb04385e2b44cf528625eb062b21e0eea6223a217049854d0a
Opcode Fuzzy Hash: 070b11205eff9442058570ab61e205ff312fc5b3663c5e71b9fd81873e1aa958
Instruction Fuzzy Hash: 78E1CA35902269CFDBA5EF30E888699B7B2FF4930AF1045D9D50AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E77CE Relevance: 3.3, APIs: 2, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d1f192ae1fc377999f82ad24ae1606576bbfc4a0afc98ad4062d7f31dcfd70d4
Instruction ID: e07aa6e51de949b2d04c45f907d46a7324af55aa08854b49c50b66e98832d656
Opcode Fuzzy Hash: d1f192ae1fc377999f82ad24ae1606576bbfc4a0afc98ad4062d7f31dcfd70d4
Instruction Fuzzy Hash: 43E1CA35902269CFDBA5EF70E888699B7B2FF4930AF1045D9D50AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7813 Relevance: 3.3, APIs: 2, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8feccd91a9a691ebbf9799bba8d6a0b630014bdf9853e5a9564f4737cac0f605
Instruction ID: da017dde8a3f933336a68f1758065e66913650864d246b97560c8ec896f68679
Opcode Fuzzy Hash: 8feccd91a9a691ebbf9799bba8d6a0b630014bdf9853e5a9564f4737cac0f605
Instruction Fuzzy Hash: EDE1DA35902269CFDBA5EF70E888699B7B2FF4930AF1045D9D50AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7858 Relevance: 3.3, APIs: 2, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7fdbc1dfcf041f9216459ea5f989046f32b2ca6e83ed640befd95c17c7f04de2
Instruction ID: e933a8caa3cb1dc5015247bbe3371d76666613d578f175a948babdaca47ee7f2
Opcode Fuzzy Hash: 7fdbc1dfcf041f9216459ea5f989046f32b2ca6e83ed640befd95c17c7f04de2
Instruction Fuzzy Hash: 9BE1D935902269CFDBA5EF70E888699B7B2FF4930AF1045D9D50AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E789D Relevance: 3.3, APIs: 2, Instructions: 263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e6328b2ac3bb3d2a044a91eb86f8670f30c4d92fde986d4bdd5a85cc7ee14e45
Instruction ID: 36c5363576215bd440032b3b64d79ede04bf55cfa7cd0ca6328c4822866a194c
Opcode Fuzzy Hash: e6328b2ac3bb3d2a044a91eb86f8670f30c4d92fde986d4bdd5a85cc7ee14e45
Instruction Fuzzy Hash: 98D1DA35902269CFDBA5EF70E888699B7B2BF4930AF1045D9D50AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E78E2 Relevance: 3.3, APIs: 2, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b7beb7ea26a1efa26bcc34be9a6b07937993f5ce444b358b7c74423defe4fd83
Instruction ID: 637eae299ea45727c8f9a474d1420f5ff3093943a64a5dd94b6b57924f8e8491
Opcode Fuzzy Hash: b7beb7ea26a1efa26bcc34be9a6b07937993f5ce444b358b7c74423defe4fd83
Instruction Fuzzy Hash: 3CD1D935902269CFDBA5EF30E888699B7B2BF4930AF1045D9D50AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7927 Relevance: 3.2, APIs: 2, Instructions: 249COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 862f3f0be9ef7240f133d377ea143c02b34ae5441b453254acc4a4ec8cb66769
Instruction ID: db1a498d8818b28c558a0af7db6d99c19b7d5f90999732ef6e731a8119b0ee1d
Opcode Fuzzy Hash: 862f3f0be9ef7240f133d377ea143c02b34ae5441b453254acc4a4ec8cb66769
Instruction Fuzzy Hash: 0AD1E935902269CFDBA5EF30E888699B7B2FF4930AF1045D9D50AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E796C Relevance: 3.2, APIs: 2, Instructions: 242COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 212d18c96c40d7bba8dbace9a695bbd46915e491f248c42d781a482377efcf3b
Instruction ID: 709ee64e20071f9f548eaa6c1ae2736ce6bc7a671341d6e4b3d7cd5fd6a8f75a
Opcode Fuzzy Hash: 212d18c96c40d7bba8dbace9a695bbd46915e491f248c42d781a482377efcf3b
Instruction Fuzzy Hash: 9CC1DA35906269CFDBA5EF30E888699B7B2FF4930AF1045D9D50AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E79B1 Relevance: 3.2, APIs: 2, Instructions: 235COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d9d0071724d8e6b5773f0fe8f193a034ba17c08853cf4455c94a8ced466980d1
Instruction ID: 617681465a612f86220686f05b7c5b9884b782983d38d0e540fcefa8ac689fe8
Opcode Fuzzy Hash: d9d0071724d8e6b5773f0fe8f193a034ba17c08853cf4455c94a8ced466980d1
Instruction Fuzzy Hash: 91C1DA35906269CFDBA5EF30D888699B7B2FF4930AF1045D9D50AA2350CB399EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E79F6 Relevance: 3.2, APIs: 2, Instructions: 228COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ceb7f17c36d0dffe7f5798a03d5680695e6d7c53988435a04262f0f4bf65542a
Instruction ID: 98d819de219ce1071bf40fba9c177ca124f1f558254ba75771d2282981a38845
Opcode Fuzzy Hash: ceb7f17c36d0dffe7f5798a03d5680695e6d7c53988435a04262f0f4bf65542a
Instruction Fuzzy Hash: ACC1E935906269CFDBA5EF30D888699B7B2FF4930AF1045D9D50AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7A3B Relevance: 3.2, APIs: 2, Instructions: 221COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3a9217e34cd23b436a3d5acc7ca9f854a3a0c5c68f8b10d194ce8d41589a964d
Instruction ID: ff246ad1d4293133a64c05029f4225d314a1195aba7991c1ce78f1241274ffe6
Opcode Fuzzy Hash: 3a9217e34cd23b436a3d5acc7ca9f854a3a0c5c68f8b10d194ce8d41589a964d
Instruction Fuzzy Hash: 1BB1D835906269CFDBA5EF30E888699B7B2FF4930AF1045D9D50AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7A80 Relevance: 3.2, APIs: 2, Instructions: 214COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 07687f62122bf1b5ae0ab814673f048b01ff9c711d71ede6bf1915041752c552
Instruction ID: 87867b8b69b6ae6b516d617a036d412d6e7fbf70ade949cf1db49d70fa3203e4
Opcode Fuzzy Hash: 07687f62122bf1b5ae0ab814673f048b01ff9c711d71ede6bf1915041752c552
Instruction Fuzzy Hash: 91B1F835906269CFDBA5EF30E888699B7B2FF4930AF1045D9D50AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7AC5 Relevance: 3.2, APIs: 2, Instructions: 207COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f68a4cbb3715c2adfcf377c37afe0b4cc6d083680b8dc0acb013ed35bbe1b528
Instruction ID: baf56e12ca566743b0734fd1f818e1b1fa6640c5da0d7a8856e1406316979571
Opcode Fuzzy Hash: f68a4cbb3715c2adfcf377c37afe0b4cc6d083680b8dc0acb013ed35bbe1b528
Instruction Fuzzy Hash: 4CB1E835906269CFDBA5EF30E888699B7B2FF4930AF1045D9D50AA2350CB359DC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7B0A Relevance: 3.2, APIs: 2, Instructions: 200COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2e679ad8c4bfafaa74bb8fd145df517e6c04ecdd64408b447ca626dbb969a4ee
Instruction ID: db9593c0cf5c89da088f77634e1982771ba851d3724457db88d48ae6112f2366
Opcode Fuzzy Hash: 2e679ad8c4bfafaa74bb8fd145df517e6c04ecdd64408b447ca626dbb969a4ee
Instruction Fuzzy Hash: A4A1E835906269CFDBA5EF30E888699B7B2FF4930AF1045D9D50AA2350CB359DC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7B4F Relevance: 3.2, APIs: 2, Instructions: 193COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: be4b051f4a031d5cbfcc353bccd719ebf38ee69f3cf763dc981fce6685cb7a04
Instruction ID: 5ae5cd880793b724a03dabb3d0831fa81018fc338913086ec462096fb4d7cb81
Opcode Fuzzy Hash: be4b051f4a031d5cbfcc353bccd719ebf38ee69f3cf763dc981fce6685cb7a04
Instruction Fuzzy Hash: 2BA1F835906269CFDBA5EF30E888699B7B2BF4930AF1045D9D50AA2350CB359DC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7B94 Relevance: 3.2, APIs: 2, Instructions: 186COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3d23bc9ce4c899d20fe064b12827f40290f155cf19c9b0af7fd5369139678a8c
Instruction ID: 372a6871eab75acc983d0bc3bce6ca1c5dbd69672b7d4e2ac943f583912ac93d
Opcode Fuzzy Hash: 3d23bc9ce4c899d20fe064b12827f40290f155cf19c9b0af7fd5369139678a8c
Instruction Fuzzy Hash: F7A10935906269CFDBA5EF30E888699B7B2FF4930AF1045D9D50AA2350CB359DC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7BD9 Relevance: 3.2, APIs: 2, Instructions: 179COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7C00
KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7dc6633f7e5093ee47bf624531da43b4ac963835ee8f2ecd517933c8c8f440f5
Instruction ID: d6fb93ff62e305f1ad416bbbe1d2fb374d58a1882e84fc73b71a1f4b946e2de9
Opcode Fuzzy Hash: 7dc6633f7e5093ee47bf624531da43b4ac963835ee8f2ecd517933c8c8f440f5
Instruction Fuzzy Hash: A5911935906269CFDBA5EF30E888699B7B2FF4930AF1045D9D50AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 014FD9B5 Relevance: 2.8, Strings: 1, Instructions: 1552COMMON

Download Yara Rule

Strings

""""", xrefs: 014FE2E9, 014FE309

Memory Dump Source

Source File: 00000003.00000002.693789153.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14fd000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID: """""
API String ID: 0-1040415110
Opcode ID: d0fbe8b4a5060cf70d11cd3dd2d7c2fbaf04078afafa7fdd816205772e096538
Instruction ID: ee2bff635f5bc19e71b07fd0a69b16f5a774e6097b8d14615ca5f3201e7fec06
Opcode Fuzzy Hash: d0fbe8b4a5060cf70d11cd3dd2d7c2fbaf04078afafa7fdd816205772e096538
Instruction Fuzzy Hash: 3F72486191E3C65FDB438BB55C349847FB05E63198B1E84EFC680DF2B7D169984AC322

Uniqueness

Uniqueness Score: -1.00%

Function 061E7C37 Relevance: 1.7, APIs: 1, Instructions: 168COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 38e2b9cf3f27aa9a483768806737b6d25c2f6223a8c21cf18be465cae6c8aea4
Instruction ID: 706b691838fd66d53a3a5c763e0e5720bd5f638d2d682dd177f877e3e3e06097
Opcode Fuzzy Hash: 38e2b9cf3f27aa9a483768806737b6d25c2f6223a8c21cf18be465cae6c8aea4
Instruction Fuzzy Hash: CF911A35906269CFDBA5EF30D888699B7B2BF4930AF1045D9D50AA2350CB359DC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7C7F Relevance: 1.7, APIs: 1, Instructions: 161COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: abfa54ffdbfd98d9b95b1b8144f688f1f6dc85474d15ea2c70750eac760a2621
Instruction ID: 58401eb116e112aa2b85ab9f115931e66377e7a984707c90b240d07efacccf80
Opcode Fuzzy Hash: abfa54ffdbfd98d9b95b1b8144f688f1f6dc85474d15ea2c70750eac760a2621
Instruction Fuzzy Hash: 50812935906268CFDBA5EF30E888699B7B2FF4930AF1045E9D50A92350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7CC7 Relevance: 1.7, APIs: 1, Instructions: 152COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bec89d2b0fe1d7250a238a65f7e3b60b8388cec72a6b5fbfddfd26733d82dc3d
Instruction ID: d26dc501dadcc246109fd11ddc4a7eeb623c5e789d2ac9f56a47d91c5d32ef5d
Opcode Fuzzy Hash: bec89d2b0fe1d7250a238a65f7e3b60b8388cec72a6b5fbfddfd26733d82dc3d
Instruction Fuzzy Hash: 7A713935906268CFDBA5EF30E888699B7B2BF4930AF1045E9D51A92350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7D03 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9dc901f2a4551da9c674b86e152a4832dc332103ea03350dafd7ce81b5a31f03
Instruction ID: 99b0c5fd02c4fd10bd11e157253892ffaa706e6e37bb8a4403815bce185fb7be
Opcode Fuzzy Hash: 9dc901f2a4551da9c674b86e152a4832dc332103ea03350dafd7ce81b5a31f03
Instruction Fuzzy Hash: AB713A35906268CFDBA5EF30D888699B7B2BF4930AF1045E9D51AA2350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7D4B Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 62a628690e2d81ead0176bde93fff547626753b8fa67c723ed0667e467a922ea
Instruction ID: 7799a71e52a7a209d0d81fd15fd66ff1e0e8ee359dfda38aaab847e249d0f2b6
Opcode Fuzzy Hash: 62a628690e2d81ead0176bde93fff547626753b8fa67c723ed0667e467a922ea
Instruction Fuzzy Hash: 73712A35906268CFDBA5EF30D88869DB7B2BF4930AF1045E9D51A92350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7D93 Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c1fbb384d381d1ff3eccc399a1227dc68ab6f93976cb7dbb24e56f5fe102fb08
Instruction ID: bf453446c84456a137fdf827ff1fced2faab7893304f24c261715f4543c864fb
Opcode Fuzzy Hash: c1fbb384d381d1ff3eccc399a1227dc68ab6f93976cb7dbb24e56f5fe102fb08
Instruction Fuzzy Hash: C4611B35902269CFDBA5EF30D88869DB7B2BF4930AF1045E9D51A92350CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7DDB Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c6dd3a68be4586ea884eecb49e6cc7c1cc6cee48207b9636cc99a3c20bec9cc0
Instruction ID: 7bfdaffe020d495b8d3d3e83ce91186b858dc51cf4c2e793f6ed51bf1687d7b0
Opcode Fuzzy Hash: c6dd3a68be4586ea884eecb49e6cc7c1cc6cee48207b9636cc99a3c20bec9cc0
Instruction Fuzzy Hash: 2451FA35902269CFDBA5EF30E888699B7B2BF4930AF1045E9D51E92250CB359E81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7E23 Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8b6e6895145377947e77827a237405f01ced922e6770103302738365cd7bcb16
Instruction ID: 5924f96a69c88c648fe402cb1f01ac9e079dbcf1a13deb211a7b49b6afdfe9ac
Opcode Fuzzy Hash: 8b6e6895145377947e77827a237405f01ced922e6770103302738365cd7bcb16
Instruction Fuzzy Hash: DC51F935902269CFDBA5EF30E88869DB7B2BF4930AF1045E9D51A92250CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 014FE16B Relevance: 1.6, Strings: 1, Instructions: 367COMMON

Download Yara Rule

Strings

""""", xrefs: 014FE2E9, 014FE309

Memory Dump Source

Source File: 00000003.00000002.693789153.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14fd000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID: """""
API String ID: 0-1040415110
Opcode ID: 9dbecf1abdc0e9a288036ef8a54a983181e558bcd0a0bdce36ba03ee5a9434f5
Instruction ID: 16217c84c82104bbc8735a57353cd4a563bbd74c1a1fc0300ada08e8849c6645
Opcode Fuzzy Hash: 9dbecf1abdc0e9a288036ef8a54a983181e558bcd0a0bdce36ba03ee5a9434f5
Instruction Fuzzy Hash: 95917A6450E3C19FDB038BB588646803FB19F53295B1F94EFC680EF2B7D129984AC762

Uniqueness

Uniqueness Score: -1.00%

Function 061E7E6B Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 89bfffa4c26899c13ecaa9859a65ba3ab373aab7c5394c7203d135a6a2440677
Instruction ID: e5ddf05c935c3ba3c9f185648db8b87baaf0d1969aeacd737eab2cdd596defe4
Opcode Fuzzy Hash: 89bfffa4c26899c13ecaa9859a65ba3ab373aab7c5394c7203d135a6a2440677
Instruction Fuzzy Hash: 4751FA35902269CFDBA5EF30E88869DB7B2BF4930AF1045E9D51E92250CB359EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7EA7 Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7ECE

Memory Dump Source

Source File: 00000003.00000002.697738547.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e0000_DHL DELIVERY.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 941e304ab58992b4e25dd48abd739cdd5f2fb44f50ebe9ad0eb1611d146e9470
Instruction ID: dc8f3357eb643bd7e9b0470ca356ce4f6bb05d5074c0e18dbcbea9c84f82128d
Opcode Fuzzy Hash: 941e304ab58992b4e25dd48abd739cdd5f2fb44f50ebe9ad0eb1611d146e9470
Instruction Fuzzy Hash: 9451FB35902269CFDBA5EF30D88869DB7B2BF4930AF1045E9D51A92250CB359E81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0159C8E4 Relevance: 1.6, APIs: 1, Instructions: 90libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 0159C9BA

Memory Dump Source

Source File: 00000003.00000002.694143245.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1590000_DHL DELIVERY.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f109c1cbd97c2954ccfb77a4778902760a5440b8c4631c2b3eca59a26de98585
Instruction ID: 390a26447738228e32eccb5d369718adc2b7b851db0a593094c8c9fad7942761
Opcode Fuzzy Hash: f109c1cbd97c2954ccfb77a4778902760a5440b8c4631c2b3eca59a26de98585
Instruction Fuzzy Hash: 753133B5D002898FDF14CFA9C8857AEBFB1BF09314F14852EE855AB290D7789485CF92

Uniqueness

Uniqueness Score: -1.00%

Function 01599DC0 Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 0159C9BA

Memory Dump Source

Source File: 00000003.00000002.694143245.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1590000_DHL DELIVERY.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f8daf267848c28e782fe990d9465ae1189a663ddde1438db993b0bde2f64de76
Instruction ID: 58acc9649ebf321ae19b325e906e17029d6f76301d64928fb1e272dd5473748b
Opcode Fuzzy Hash: f8daf267848c28e782fe990d9465ae1189a663ddde1438db993b0bde2f64de76
Instruction Fuzzy Hash: A23116B1D002499FDF14CFA9C4857AEBBF1BF08314F148529E815AB390D778A845CF96

Uniqueness

Uniqueness Score: -1.00%

Function 01594CBB Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 01594D42

Memory Dump Source

Source File: 00000003.00000002.694143245.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1590000_DHL DELIVERY.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: dae5cd99f1bdfff97695d77b7daa2a944b9bef9f43598620ccdd7b5393e5a705
Instruction ID: f12990dfbb6f3e1f056d9108926cc95933051089610575b2d976d70e358ce453
Opcode Fuzzy Hash: dae5cd99f1bdfff97695d77b7daa2a944b9bef9f43598620ccdd7b5393e5a705
Instruction Fuzzy Hash: 70218CB68013458FCB10DFA9C6497AEBBF4FF08314F24882AD445EB641D7386945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01594CC8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 01594D42

Memory Dump Source

Source File: 00000003.00000002.694143245.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1590000_DHL DELIVERY.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 50eded1199508459ca6c6587d8a9fa9b03a948b4006f941b3f77b6fdb5e2217c
Instruction ID: 154cd5eeab11806d920bf319d268a01959b7581689fc910365d401a64d30eeca
Opcode Fuzzy Hash: 50eded1199508459ca6c6587d8a9fa9b03a948b4006f941b3f77b6fdb5e2217c
Instruction Fuzzy Hash: 9511ACB59013458FCB10DFA9C60879EBFF4FB48314F24882AD404A7640D7386945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014ED4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.693704753.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14ed000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa5e2d64462cc37865641756a227eaf3c3e98f554ece40f708fc08cbc12b3fa0
Instruction ID: a44d94a46f15192a9fd20c4e4fb6d606495b95050ef4d193e7711decd9156caf
Opcode Fuzzy Hash: fa5e2d64462cc37865641756a227eaf3c3e98f554ece40f708fc08cbc12b3fa0
Instruction Fuzzy Hash: 0E212871904340DFDB05CF94D9C8B27BBE5FB88329F24896AD8050B326C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014FE3F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.693789153.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14fd000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd7702019c7eef841531b361bb5a9165dd9c7942d924b1f2e187ce01bac1bc9
Instruction ID: 1289aced1b18ba750027a10fcab6e68cdcb48d57d4c3f04e0dbb477c7f83ffd2
Opcode Fuzzy Hash: cdd7702019c7eef841531b361bb5a9165dd9c7942d924b1f2e187ce01bac1bc9
Instruction Fuzzy Hash: 18213771504200DFCB05CF64D8C4B26BBA5FB84318F24C97EDA495B366C33AD806CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 014ED4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.693704753.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14ed000_DHL DELIVERY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a26b7e00566609b61cc6e7b6904e6af9279d8b55cc0f39cc8370a306dd16ad
Instruction ID: 37d25e9c2b93440e4aa81bc65f3802966dccb939311e73a1cd8c749a8bcb3fdc
Opcode Fuzzy Hash: 67a26b7e00566609b61cc6e7b6904e6af9279d8b55cc0f39cc8370a306dd16ad
Instruction Fuzzy Hash: F511D376804280CFCB12CF54D9C4B16BFB1FF84324F2486AAD8450B766C33AD45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
Tactics:	Defense Evasion
Data Sources:	Authentication logs, File monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL DELIVERY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Windows Analysis Report
DHL DELIVERY.exe

Function 028176A0 Relevance: 2.8, Strings: 2, Instructions: 257
COMMON

Function 02810490 Relevance: 1.9, Strings: 1, Instructions: 669
COMMON

Function 0281047F Relevance: 1.8, Strings: 1, Instructions: 597
COMMON

Function 0281DA08 Relevance: .5, Instructions: 524
COMMON

Function 02819A68 Relevance: .3, Instructions: 300
COMMON

Function 02810F95 Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Function 02810F98 Relevance: 1.6, APIs: 1, Instructions: 96
libraryCOMMON

Function 02811480 Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Function 02811488 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Function 02830980 Relevance: .3, Instructions: 293
COMMON

Function 028309A0 Relevance: .3, Instructions: 293
COMMON

Function 061E7552 Relevance: 4.8, APIs: 3, Instructions: 347
COMMON

Function 061E7573 Relevance: 4.8, APIs: 3, Instructions: 347
COMMON

Function 061E75B8 Relevance: 4.8, APIs: 3, Instructions: 338
COMMON

Function 061E75F4 Relevance: 4.8, APIs: 3, Instructions: 333
COMMON

Function 061E7639 Relevance: 3.3, APIs: 2, Instructions: 326
COMMON

Function 061E767E Relevance: 3.3, APIs: 2, Instructions: 319
COMMON

Function 061E76C3 Relevance: 3.3, APIs: 2, Instructions: 310
COMMON

Function 061E76FF Relevance: 3.3, APIs: 2, Instructions: 305
COMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre