Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
DHL DELIVERY.exe

Overview

General Information

Sample Name:DHL DELIVERY.exe
Analysis ID:635261
MD5:56a08fd913bfc20fa0f15a4fb204bac9
SHA1:b135f9c44b2847d494f1b2d843444711c8421cc0
SHA256:37305d441b0332e9756a972f0585748807fb90ef363116aa6a224cefa120d09e
Tags:AgentTeslaDHLexe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • DHL DELIVERY.exe (PID: 6860 cmdline: "C:\Users\user\Desktop\DHL DELIVERY.exe" MD5: 56A08FD913BFC20FA0F15A4FB204BAC9)
    • DHL DELIVERY.exe (PID: 6984 cmdline: C:\Users\user\Desktop\DHL DELIVERY.exe MD5: 56A08FD913BFC20FA0F15A4FB204BAC9)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "amycarrol@cobinparkop.com", "Password": "WLhpQ58eJQHBZqb", "Host": "smtp.privateemail.com"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.692251401.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000003.00000002.692251401.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000003.00000000.463670113.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000003.00000000.463670113.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          00000003.00000000.464161754.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 20 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            3.0.DHL DELIVERY.exe.400000.12.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              3.0.DHL DELIVERY.exe.400000.12.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                3.0.DHL DELIVERY.exe.400000.12.unpackMALWARE_Win_AgentTeslaV3AgentTeslaV3 infostealer payloadditekSHen
                • 0x32b07:$s10: logins
                • 0x3256e:$s11: credential
                • 0x2eb86:$g1: get_Clipboard
                • 0x2eb94:$g2: get_Keyboard
                • 0x2eba1:$g3: get_Password
                • 0x2fe7b:$g4: get_CtrlKeyDown
                • 0x2fe8b:$g5: get_ShiftKeyDown
                • 0x2fe9c:$g6: get_AltKeyDown
                3.0.DHL DELIVERY.exe.400000.6.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  3.0.DHL DELIVERY.exe.400000.6.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    Click to see the 31 entries

                    Sigma Signatures

                    No Sigma rule has matched

                    Snort Signatures

                    No Snort rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: 3.0.DHL DELIVERY.exe.400000.8.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "amycarrol@cobinparkop.com", "Password": "WLhpQ58eJQHBZqb", "Host": "smtp.privateemail.com"}
                    Multi AV Scanner detection for submitted file
                    Source: DHL DELIVERY.exeVirustotal: Detection: 30%Perma Link
                    Source: DHL DELIVERY.exeReversingLabs: Detection: 34%
                    Machine Learning detection for sample
                    Source: DHL DELIVERY.exeJoe Sandbox ML: detected
                    Source: 3.0.DHL DELIVERY.exe.400000.8.unpackAvira: Label: TR/Spy.Gen8
                    Source: 3.0.DHL DELIVERY.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                    Source: 3.0.DHL DELIVERY.exe.400000.10.unpackAvira: Label: TR/Spy.Gen8
                    Source: 3.2.DHL DELIVERY.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                    Source: 3.0.DHL DELIVERY.exe.400000.12.unpackAvira: Label: TR/Spy.Gen8
                    Source: 3.0.DHL DELIVERY.exe.400000.6.unpackAvira: Label: TR/Spy.Gen8

                    Exploits

                    barindex
                    Yara detected UAC Bypass using CMSTP
                    Source: Yara matchFile source: 1.2.DHL DELIVERY.exe.43098e8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: DHL DELIVERY.exe PID: 6860, type: MEMORYSTR
                    Source: DHL DELIVERY.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: DHL DELIVERY.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                    Source: Binary string: c:\BuildAgent\work\1f3f66b1f4c88f9c\Runtime\src\System.Web.Cors\obj\Release\System.Web.Cors.pdb source: DHL DELIVERY.exe
                    Source: Joe Sandbox ViewIP Address: 66.29.159.53 66.29.159.53
                    Source: global trafficTCP traffic: 192.168.2.5:49775 -> 66.29.159.53:587
                    Source: global trafficTCP traffic: 192.168.2.5:49775 -> 66.29.159.53:587
                    Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                    Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
                    Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                    Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                    Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
                    Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fnqsTS.com
                    Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                    Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://smtp.privateemail.com
                    Source: DHL DELIVERY.exeString found in binary or memory: http://www.random.org/sequences/
                    Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.697005706.00000000034A2000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.696995944.000000000349A000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.696902033.0000000003470000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.696858077.0000000003432000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.696885279.000000000346C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x2Ivz0L9UI.com
                    Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%
                    Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%%startupfolder%
                    Source: DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                    Source: DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                    Source: unknownDNS traffic detected: queries for: smtp.privateemail.com

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 3.0.DHL DELIVERY.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 3.0.DHL DELIVERY.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.DHL DELIVERY.exe.44234f8.5.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.DHL DELIVERY.exe.43e34d8.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.DHL DELIVERY.exe.43098e8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
                    Source: 1.2.DHL DELIVERY.exe.43098e8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
                    Source: 3.0.DHL DELIVERY.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.DHL DELIVERY.exe.43c34b8.4.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 3.0.DHL DELIVERY.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.DHL DELIVERY.exe.43e34d8.3.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 3.0.DHL DELIVERY.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 3.2.DHL DELIVERY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.DHL DELIVERY.exe.44234f8.5.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    .NET source code contains very large array initializations
                    Source: 3.0.DHL DELIVERY.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007b70BF74AAu002d2FA9u002d4ECDu002d9893u002dC24D8DB7A007u007d/u0030A2BE619u002d75E9u002d4F9Fu002d8F5Bu002d67FE7571C6DB.csLarge array initialization: .cctor: array initializer size 11629
                    Source: 3.0.DHL DELIVERY.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b70BF74AAu002d2FA9u002d4ECDu002d9893u002dC24D8DB7A007u007d/u0030A2BE619u002d75E9u002d4F9Fu002d8F5Bu002d67FE7571C6DB.csLarge array initialization: .cctor: array initializer size 11629
                    Source: 3.0.DHL DELIVERY.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b70BF74AAu002d2FA9u002d4ECDu002d9893u002dC24D8DB7A007u007d/u0030A2BE619u002d75E9u002d4F9Fu002d8F5Bu002d67FE7571C6DB.csLarge array initialization: .cctor: array initializer size 11629
                    Source: 3.2.DHL DELIVERY.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b70BF74AAu002d2FA9u002d4ECDu002d9893u002dC24D8DB7A007u007d/u0030A2BE619u002d75E9u002d4F9Fu002d8F5Bu002d67FE7571C6DB.csLarge array initialization: .cctor: array initializer size 11629
                    Source: DHL DELIVERY.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: 3.0.DHL DELIVERY.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 3.0.DHL DELIVERY.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.DHL DELIVERY.exe.44234f8.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.DHL DELIVERY.exe.43e34d8.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.DHL DELIVERY.exe.43098e8.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
                    Source: 1.2.DHL DELIVERY.exe.43098e8.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                    Source: 3.0.DHL DELIVERY.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.DHL DELIVERY.exe.43c34b8.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 3.0.DHL DELIVERY.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.DHL DELIVERY.exe.43e34d8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 3.0.DHL DELIVERY.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 3.2.DHL DELIVERY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.DHL DELIVERY.exe.44234f8.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 1_2_028176A0
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 1_2_02810490
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 1_2_0281DA08
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 1_2_02819A68
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 1_2_02812748
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 1_2_0281047F
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 1_2_0281E570
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 1_2_0281F998
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 1_2_02819F68
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 1_2_00AD6167
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 3_2_0159F080
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 3_2_0159F3C8
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 3_2_01596120
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 3_2_061EBBB0
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 3_2_061EC900
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 3_2_061E1FF8
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 3_2_061E0040
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 3_2_00AD6167
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: String function: 061E5A60 appears 55 times
                    Source: DHL DELIVERY.exe, 00000001.00000002.468229611.0000000002C09000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameQXOZ VPa.exe2 vs DHL DELIVERY.exe
                    Source: DHL DELIVERY.exe, 00000001.00000002.466221634.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSystem.Web.Cors.dllL vs DHL DELIVERY.exe
                    Source: DHL DELIVERY.exe, 00000001.00000002.472974687.00000000043AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameQXOZ VPa.exe2 vs DHL DELIVERY.exe
                    Source: DHL DELIVERY.exe, 00000001.00000002.473251720.0000000004423000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameQXOZ VPa.exe2 vs DHL DELIVERY.exe
                    Source: DHL DELIVERY.exe, 00000003.00000002.692251401.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameQXOZ VPa.exe2 vs DHL DELIVERY.exe
                    Source: DHL DELIVERY.exe, 00000003.00000002.693156633.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSystem.Web.Cors.dllL vs DHL DELIVERY.exe
                    Source: DHL DELIVERY.exe, 00000003.00000002.693211185.00000000010F8000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL DELIVERY.exe
                    Source: DHL DELIVERY.exeBinary or memory string: OriginalFilenameSystem.Web.Cors.dllL vs DHL DELIVERY.exe
                    Source: DHL DELIVERY.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: DHL DELIVERY.exeVirustotal: Detection: 30%
                    Source: DHL DELIVERY.exeReversingLabs: Detection: 34%
                    Source: DHL DELIVERY.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknownProcess created: C:\Users\user\Desktop\DHL DELIVERY.exe "C:\Users\user\Desktop\DHL DELIVERY.exe"
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess created: C:\Users\user\Desktop\DHL DELIVERY.exe C:\Users\user\Desktop\DHL DELIVERY.exe
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess created: C:\Users\user\Desktop\DHL DELIVERY.exe C:\Users\user\Desktop\DHL DELIVERY.exe
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@3/0@1/2
                    Source: DHL DELIVERY.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: 3.0.DHL DELIVERY.exe.400000.8.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 3.0.DHL DELIVERY.exe.400000.8.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 3.0.DHL DELIVERY.exe.400000.4.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 3.0.DHL DELIVERY.exe.400000.4.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 3.0.DHL DELIVERY.exe.400000.10.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 3.0.DHL DELIVERY.exe.400000.10.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: DHL DELIVERY.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: DHL DELIVERY.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                    Source: DHL DELIVERY.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: c:\BuildAgent\work\1f3f66b1f4c88f9c\Runtime\src\System.Web.Cors\obj\Release\System.Web.Cors.pdb source: DHL DELIVERY.exe
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 1_2_02810490 push eax; retf 5500h
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 3_2_061E9BF7 push es; ret
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeCode function: 3_2_061E3139 push es; iretd
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.9180819868

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Contains functionality to hide user accounts
                    Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
                    Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: localgroup administrators aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: DHL DELIVERY.exe PID: 6860, type: MEMORYSTR
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: DHL DELIVERY.exe, 00000001.00000002.467073176.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exe TID: 7108Thread sleep time: -26747778906878833s >= -30000s
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exe TID: 7112Thread sleep count: 5902 > 30
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exe TID: 7112Thread sleep count: 2855 > 30
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeWindow / User API: threadDelayed 5902
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeWindow / User API: threadDelayed 2855
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeThread delayed: delay time: 922337203685477
                    Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
                    Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\EnumNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                    Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WWW /c Microsoft-Hyper-V-Common-Drivers-Package
                    Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                    Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: DHL DELIVERY.exe, 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeMemory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    .NET source code references suspicious native API functions
                    Source: DHL DELIVERY.exe, u0033652008427/u0035457087416.csReference to suspicious API methods: ('7773566935', 'GetProcAddress@kernel32'), ('2945618246', 'LoadLibrary@kernel32')
                    Source: 1.0.DHL DELIVERY.exe.a60000.0.unpack, u0033652008427/u0035457087416.csReference to suspicious API methods: ('7773566935', 'GetProcAddress@kernel32'), ('2945618246', 'LoadLibrary@kernel32')
                    Source: 1.2.DHL DELIVERY.exe.a60000.0.unpack, u0033652008427/u0035457087416.csReference to suspicious API methods: ('7773566935', 'GetProcAddress@kernel32'), ('2945618246', 'LoadLibrary@kernel32')
                    Source: 3.0.DHL DELIVERY.exe.a60000.1.unpack, u0033652008427/u0035457087416.csReference to suspicious API methods: ('7773566935', 'GetProcAddress@kernel32'), ('2945618246', 'LoadLibrary@kernel32')
                    Source: 3.0.DHL DELIVERY.exe.a60000.2.unpack, u0033652008427/u0035457087416.csReference to suspicious API methods: ('7773566935', 'GetProcAddress@kernel32'), ('2945618246', 'LoadLibrary@kernel32')
                    Source: 3.0.DHL DELIVERY.exe.400000.8.unpack, A/E1.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 3.0.DHL DELIVERY.exe.400000.4.unpack, A/E1.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 3.2.DHL DELIVERY.exe.a60000.1.unpack, u0033652008427/u0035457087416.csReference to suspicious API methods: ('7773566935', 'GetProcAddress@kernel32'), ('2945618246', 'LoadLibrary@kernel32')
                    Source: 3.0.DHL DELIVERY.exe.400000.10.unpack, A/E1.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 3.2.DHL DELIVERY.exe.400000.0.unpack, A/E1.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeProcess created: C:\Users\user\Desktop\DHL DELIVERY.exe C:\Users\user\Desktop\DHL DELIVERY.exe
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeQueries volume information: C:\Users\user\Desktop\DHL DELIVERY.exe VolumeInformation
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeQueries volume information: C:\Users\user\Desktop\DHL DELIVERY.exe VolumeInformation
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 3.0.DHL DELIVERY.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.0.DHL DELIVERY.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.DHL DELIVERY.exe.44234f8.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.DHL DELIVERY.exe.43e34d8.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.0.DHL DELIVERY.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.DHL DELIVERY.exe.43c34b8.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.0.DHL DELIVERY.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.DHL DELIVERY.exe.43e34d8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.0.DHL DELIVERY.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.DHL DELIVERY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.DHL DELIVERY.exe.44234f8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000002.692251401.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000000.463670113.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000000.464161754.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000000.462833671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000000.461699324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.473923703.000000000452C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.472974687.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.473251720.0000000004423000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: DHL DELIVERY.exe PID: 6860, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: DHL DELIVERY.exe PID: 6984, type: MEMORYSTR
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\DHL DELIVERY.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: Yara matchFile source: 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: DHL DELIVERY.exe PID: 6984, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 3.0.DHL DELIVERY.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.0.DHL DELIVERY.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.DHL DELIVERY.exe.44234f8.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.DHL DELIVERY.exe.43e34d8.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.0.DHL DELIVERY.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.DHL DELIVERY.exe.43c34b8.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.0.DHL DELIVERY.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.DHL DELIVERY.exe.43e34d8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.0.DHL DELIVERY.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.DHL DELIVERY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.DHL DELIVERY.exe.44234f8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000002.692251401.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000000.463670113.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000000.464161754.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000000.462833671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000000.461699324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.473923703.000000000452C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.472974687.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.473251720.0000000004423000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: DHL DELIVERY.exe PID: 6860, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: DHL DELIVERY.exe PID: 6984, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                    Valid Accounts211
                    Windows Management Instrumentation                    		Path Interception11
                    Process Injection                    		1
                    Disable or Modify Tools                    		2
                    OS Credential Dumping                    		1
                    Query Registry                    		Remote Services1
                    Email Collection                    		Exfiltration Over Other Network Medium1
                    Encrypted Channel                    		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                    Default Accounts1
                    Native API                    		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts131
                    Virtualization/Sandbox Evasion                    		1
                    Credentials in Registry                    		211
                    Security Software Discovery                    		Remote Desktop Protocol11
                    Archive Collected Data                    		Exfiltration Over Bluetooth1
                    Non-Standard Port                    		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)11
                    Process Injection                    		Security Account Manager1
                    Process Discovery                    		SMB/Windows Admin Shares2
                    Data from Local System                    		Automated Exfiltration1
                    Non-Application Layer Protocol                    		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)11
                    Deobfuscate/Decode Files or Information                    		NTDS131
                    Virtualization/Sandbox Evasion                    		Distributed Component Object ModelInput CaptureScheduled Transfer11
                    Application Layer Protocol                    		SIM Card SwapCarrier Billing Fraud
                    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                    Hidden Users                    		LSA Secrets1
                    Application Window Discovery                    		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                    Replication Through Removable MediaLaunchdRc.commonRc.common3
                    Obfuscated Files or Information                    		Cached Domain Credentials1
                    Remote System Discovery                    		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                    External Remote ServicesScheduled TaskStartup ItemsStartup Items3
                    Software Packing                    		DCSync114
                    System Information Discovery                    		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    DHL DELIVERY.exe31%VirustotalBrowse
                    DHL DELIVERY.exe35%ReversingLabsByteCode-MSIL.Trojan.Injuke
                    DHL DELIVERY.exe100%Joe Sandbox ML

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    SourceDetectionScannerLabelLinkDownload
                    3.0.DHL DELIVERY.exe.400000.8.unpack100%AviraTR/Spy.Gen8Download File
                    3.0.DHL DELIVERY.exe.400000.4.unpack100%AviraTR/Spy.Gen8Download File
                    3.0.DHL DELIVERY.exe.400000.10.unpack100%AviraTR/Spy.Gen8Download File
                    3.2.DHL DELIVERY.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                    3.0.DHL DELIVERY.exe.400000.12.unpack100%AviraTR/Spy.Gen8Download File
                    3.0.DHL DELIVERY.exe.400000.6.unpack100%AviraTR/Spy.Gen8Download File

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#0%URL Reputationsafe
                    http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                    https://sectigo.com/CPS00%URL Reputationsafe
                    https://api.ipify.org%%startupfolder%0%URL Reputationsafe
                    http://x2Ivz0L9UI.com0%Avira URL Cloudsafe
                    http://ocsp.sectigo.com00%URL Reputationsafe
                    http://fnqsTS.com0%Avira URL Cloudsafe
                    https://api.ipify.org%0%URL Reputationsafe
                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www0%URL Reputationsafe
                    http://DynDns.comDynDNSnamejidpasswordPsi/Psi0%URL Reputationsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    smtp.privateemail.com
                    		66.29.159.53
                    		truefalse
                      		high

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://www.random.org/sequences/DHL DELIVERY.exefalse
                        		high
                        http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://127.0.0.1:HTTP/1.1DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		low
                        https://sectigo.com/CPS0DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://api.ipify.org%%startupfolder%DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		low
                        http://x2Ivz0L9UI.comDHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.697005706.00000000034A2000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.696995944.000000000349A000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.696902033.0000000003470000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.696858077.0000000003432000.00000004.00000800.00020000.00000000.sdmp, DHL DELIVERY.exe, 00000003.00000002.696885279.000000000346C000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://ocsp.sectigo.com0DHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://fnqsTS.comDHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://api.ipify.org%DHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		low
                        http://smtp.privateemail.comDHL DELIVERY.exe, 00000003.00000002.696918969.0000000003476000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://wwwDHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://DynDns.comDynDNSnamejidpasswordPsi/PsiDHL DELIVERY.exe, 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown

                          World Map of Contacted IPs

                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs

                          Public IPs

                          IPDomainCountryFlagASNASN NameMalicious
                          66.29.159.53
                          		smtp.privateemail.comUnited States
                          		19538ADVANTAGECOMUSfalse

                          Private

                          IP
                          192.168.2.1

                          General Information

                          Joe Sandbox Version:34.0.0 Boulder Opal
                          Analysis ID:635261
                          Start date and time: 27/05/202218:03:222022-05-27 18:03:22 +02:00
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 9m 34s
                          Hypervisor based Inspection enabled:false
                          Report type:light
                          Sample file name:DHL DELIVERY.exe
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                          Number of analysed new started processes analysed:21
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.troj.spyw.expl.evad.winEXE@3/0@1/2
                          EGA Information:
                          • Successful, ratio: 100%
                          HDC Information:
                          • Successful, ratio: 0.4% (good quality ratio 0.4%)
                          • Quality average: 70.1%
                          • Quality standard deviation: 24.3%
                          HCA Information:
                          • Successful, ratio: 96%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Adjust boot time
                          • Enable AMSI

                          Warnings

                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.

                          Simulations

                          Behavior and APIs

                          TimeTypeDescription
                          18:04:54API Interceptor713x Sleep call for process: DHL DELIVERY.exe modified

                          Joe Sandbox View / Context

                          IPs

                          No context

                          Domains

                          No context

                          ASNs

                          No context

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          No context

                          Created / dropped Files

                          No created / dropped files found

                          Static File Info

                          General

                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):7.907392354286095
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:DHL DELIVERY.exe
                          File size:574976
                          MD5:56a08fd913bfc20fa0f15a4fb204bac9
                          SHA1:b135f9c44b2847d494f1b2d843444711c8421cc0
                          SHA256:37305d441b0332e9756a972f0585748807fb90ef363116aa6a224cefa120d09e
                          SHA512:cae86e058d6416a72aaa97d5cb970a9cd12a21f65af1bee3ffe0924c787791b8f0366991a9fb0137e537e9226f06167cf5ac1c3cd1ab462615ea0a9bb0430f22
                          SSDEEP:12288:KK2HUdEv8+F2wPLcYfqqDLNoE3TkyuFmcFiGZjC8Ng9n:KK2HrvY8zHNoCTkyuBFM8y
                          TLSH:30C4129037B96F2BEA7E4EF98176106443B1B6066B50C3CE2DD276EE11E3F018E55A13
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.KR..............0.3...@.......-.... ........@.. ....................... ............`................................

                          File Icon

                          Icon Hash:00828e8e8686b000

                          Static PE Info

                          General

                          Entrypoint:0x48db2d
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                          Time Stamp:0x524B8F74 [Wed Oct 2 03:13:56 2013 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:v4.0.30319
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                          Entrypoint Preview

                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al

                          Data Directories

                          NameVirtual AddressVirtual Size Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IMPORT0x8da4c0x4a.text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x8e0000x434.rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x900000xc.reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG0x8da960x1c.text
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                          Sections

                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                          .text0x20000x8bb330x8bc00False0.911831604987data7.9180819868IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          .rsrc0x8e0000x4340x600False0.305989583333data2.56725335834IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc0x900000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                          Resources

                          NameRVASizeTypeLanguageCountry
                          RT_VERSION0x8e0580x3dcdata

                          Imports

                          DLLImport
                          mscoree.dll_CorExeMain

                          Version Infos

                          DescriptionData
                          Translation0x0000 0x04b0
                          LegalCopyright Microsoft Corporation. All rights reserved.
                          Assembly Version5.0.0.0
                          InternalNameSystem.Web.Cors.dll
                          FileVersion5.0.11001.0
                          CompanyNameMicrosoft Corporation.
                          ProductNameMicrosoft ASP.NET MVC
                          ProductVersion5.0.11001.0
                          FileDescriptionSystem.Web.Cors (88a1bd8d3344b5df289577425c0314e7f521e88a)
                          OriginalFilenameSystem.Web.Cors.dll

                          Network Behavior

                          Network Port Distribution

                          TCP Packets

                          TimestampSource PortDest PortSource IPDest IP
                          May 27, 2022 18:05:02.151860952 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:05:02.321647882 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:02.321768999 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:05:02.493024111 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:02.493402958 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:05:02.662947893 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:02.663575888 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:02.663954020 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:05:02.834335089 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:02.874758005 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:05:03.046480894 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:03.047969103 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:03.048019886 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:03.048053026 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:03.048080921 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:05:03.048084974 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:03.048115015 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:03.048130035 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:05:03.075139046 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:05:03.244549990 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:03.245537043 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:03.387064934 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:05:03.556396961 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:03.557019949 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:03.558290005 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:05:03.727574110 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:03.729589939 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:03.730511904 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:05:03.899827003 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:03.903959036 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:03.906023979 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:05:04.075403929 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:04.078903913 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:04.079385042 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:05:04.248735905 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:04.290292025 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:04.290813923 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:05:04.460079908 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:04.461122990 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:04.478138924 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:05:04.478338957 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:05:04.479090929 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:05:04.479360104 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:05:04.647291899 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:04.647352934 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:04.648190022 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:04.648361921 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:04.706700087 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:05:04.926225901 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:06:42.094340086 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:06:42.263477087 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:06:42.264010906 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:06:42.264039993 CEST5874977566.29.159.53192.168.2.5
                          May 27, 2022 18:06:42.264090061 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:06:42.266407967 CEST49775587192.168.2.566.29.159.53
                          May 27, 2022 18:06:42.435457945 CEST5874977566.29.159.53192.168.2.5

                          UDP Packets

                          TimestampSource PortDest PortSource IPDest IP
                          May 27, 2022 18:05:02.100497961 CEST5393453192.168.2.58.8.8.8
                          May 27, 2022 18:05:02.121862888 CEST53539348.8.8.8192.168.2.5

                          DNS Queries

                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                          May 27, 2022 18:05:02.100497961 CEST192.168.2.58.8.8.80x9d0eStandard query (0)smtp.privateemail.comA (IP address)IN (0x0001)

                          DNS Answers

                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                          May 27, 2022 18:05:02.121862888 CEST8.8.8.8192.168.2.50x9d0eNo error (0)smtp.privateemail.com66.29.159.53A (IP address)IN (0x0001)

                          SMTP Packets

                          TimestampSource PortDest PortSource IPDest IPCommands
                          May 27, 2022 18:05:02.493024111 CEST5874977566.29.159.53192.168.2.5220 PrivateEmail.com prod Mail Node
                          May 27, 2022 18:05:02.493402958 CEST49775587192.168.2.566.29.159.53EHLO 980108
                          May 27, 2022 18:05:02.663575888 CEST5874977566.29.159.53192.168.2.5250-mta-08.privateemail.com
                          250-PIPELINING
                          250-SIZE 81788928
                          250-ETRN
                          250-AUTH PLAIN LOGIN
                          250-ENHANCEDSTATUSCODES
                          250-8BITMIME
                          250-CHUNKING
                          250 STARTTLS
                          May 27, 2022 18:05:02.663954020 CEST49775587192.168.2.566.29.159.53STARTTLS
                          May 27, 2022 18:05:02.834335089 CEST5874977566.29.159.53192.168.2.5220 Ready to start TLS

                          Statistics

                          Behavior

                          Click to jump to process

                          System Behavior

                          General

                          Target ID:1
                          Start time:18:04:32
                          Start date:27/05/2022
                          Path:C:\Users\user\Desktop\DHL DELIVERY.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\DHL DELIVERY.exe"
                          Imagebase:0xa60000
                          File size:574976 bytes
                          MD5 hash:56A08FD913BFC20FA0F15A4FB204BAC9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.473923703.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.473923703.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.472974687.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.472974687.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.472421072.00000000042F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.473251720.0000000004423000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.473251720.0000000004423000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low

                          General

                          Target ID:3
                          Start time:18:04:44
                          Start date:27/05/2022
                          Path:C:\Users\user\Desktop\DHL DELIVERY.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\Desktop\DHL DELIVERY.exe
                          Imagebase:0xa60000
                          File size:574976 bytes
                          MD5 hash:56A08FD913BFC20FA0F15A4FB204BAC9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.692251401.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.692251401.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.463670113.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.463670113.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.464161754.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.464161754.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.462833671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.462833671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.461699324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.461699324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.695721560.0000000003121000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low

                          Disassembly

                          No disassembly