Windows Analysis Report
DHL04AWB01173903102023PDF.scr.exe

Overview

General Information

Sample Name: DHL04AWB01173903102023PDF.scr.exe
Analysis ID: 828071
MD5: 1bf124cc783ff47a91ada4e6d4ac9e6b
SHA1: b78f2ffb785071ab785830cdd4cbc5f010b7480b
SHA256: 494d5735144af171cc15708b37b491b74be1522494958e605ac348dd4897dcf9

Detection

Remcos, GuLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Sigma detected: Remcos
Yara detected GuLoader
Installs a global keyboard hook
Drops PE files with a suspicious file extension
Tries to detect Any.run
Creates autostart registry keys with suspicious values (likely registry only malware)
Found potential ransomware demand text
Uses dynamic DNS services
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: DHL04AWB01173903102023PDF.scr.exe Virustotal: Detection: 13%
Source: Yara match File source: 00000004.00000002.10716301559.0000000004772000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL04AWB01173903102023PDF.scr.exe PID: 3372, type: MEMORYSTR
Source: DHL04AWB01173903102023PDF.scr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:49828 version: TLS 1.2
Source: Binary string: mshtml.pdb source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000001.5844146219.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: D:\SCM\P4\depot\esw\projects\azure\Maglev\DesignerBranches\ezheng\newarch\Vista-AddOn\ExtArch\UI\BtTray\libs\x64\ContactsApi.pdb source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, ContactsApi.dll.1.dr, nseB51F.tmp.1.dr
Source: Binary string: D:\Builds\149\N2\HO_MMC_g_2016_r_2016\Sources\AudioPluginMgr\plugins\DefConvertor\Release\DefConvertor.pdb source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029EC000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr
Source: Binary string: mshtml.pdbUGP source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000001.5844146219.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 1_2_00402706 FindFirstFileW, 1_2_00402706
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 1_2_0040572C CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_0040572C
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 1_2_004061E0 FindFirstFileW,FindClose, 1_2_004061E0

Networking

Source: unknown DNS query: name: milliondollar23.duckdns.org
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 162.159.129.233 162.159.129.233
Source: global traffic HTTP traffic detected:
GET /attachments/503469199062990850/1085873812794523729/NxXRtUXfgqSkIuV181.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: cdn.discordapp.com
Cache-Control: no-cache
Source: global traffic TCP traffic: 192.168.11.20:49829 -> 79.134.225.111:3984
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9 (6 packets)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 packets)
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000003.5959642741.00000000047A3000.00000004.00000020.00020000.00000000.sdmp, DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716826508.000000000479E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000003.5959642741.00000000047A3000.00000004.00000020.00020000.00000000.sdmp, DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716826508.000000000479E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000001.5844146219.0000000000649000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: DHL04AWB01173903102023PDF.scr.exe, Chirming.scr.4.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr String found in binary or memory: http://ocsp.thawte.com0
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr String found in binary or memory: http://s2.symcb.com0
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr String found in binary or memory: http://sv.symcd.com0&
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000001.5844146219.0000000000649000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.gopher.ftp://ftp.
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000001.5844146219.0000000000626000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr String found in binary or memory: http://www.nero.com
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000001.5844146219.00000000005F2000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000001.5844146219.00000000005F2000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716301559.0000000004728000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716301559.0000000004728000.00000004.00000020.00020000.00000000.sdmp, DHL04AWB01173903102023PDF.scr.exe, 00000004.00000003.5959642741.00000000047A3000.00000004.00000020.00020000.00000000.sdmp, DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716301559.0000000004772000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/503469199062990850/1085873812794523729/NxXRtUXfgqSkIuV181.bin
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716301559.0000000004728000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/t
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000001.5844146219.0000000000649000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:49828 version: TLS 1.2
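The Networking entries above give the observable indicators of this sample's chain: a DNS lookup for a duckdns.org name, a GET for a .bin attachment on cdn.discordapp.com sent with an Internet Explorer 11 User-Agent, a TLS session whose JA3 the report ties to other malware, and a raw TCP session to 79.134.225.111:3984. The Python script below is an added example, not part of the Joe Sandbox report: it runs those indicators as rules over a constructed, simplified log (one event per line, key=value fields). The log format, the parse() helper and the two benign lines are assumptions made for the example; the indicator values are the ones listed in the report.

```python
"""Network-indicator triage for the Networking section above.

Added example, not part of the Joe Sandbox report. The log format (one event
per line: kind followed by key=value fields) and the sample lines are
constructed; the indicator values are taken from the report. Adapt parse()
to your own DNS/HTTP/TLS/conn log schema.
"""
import re
import shlex
from ipaddress import ip_address
from urllib.parse import urlsplit

DDNS_SUFFIXES = (".duckdns.org",)                  # dynamic DNS provider used for the C2 name
PAYLOAD_HOST = "cdn.discordapp.com"                # stage 2 pulled from a Discord attachment
C2_ADDR = ("79.134.225.111", 3984)                 # direct TCP session on a non-standard port
BAD_JA3 = {"37f463bf4616ecd445d4a1937da06e19"}     # JA3 the report ties to other malware
IE11_UA = re.compile(r"Trident/7\.0; rv:11\.0\) like Gecko")
STANDARD_PORTS = {53, 80, 443, 8080, 8443}

# Constructed sample log: lines 1-4 replay the report's traffic, lines 5-6 are benign noise.
SAMPLE_LOG = [
    "dns q=milliondollar23.duckdns.org",
    'http ua="Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" '
    "url=https://cdn.discordapp.com/attachments/503469199062990850/1085873812794523729/NxXRtUXfgqSkIuV181.bin",
    "tls dst=162.159.129.233:443 ja3=37f463bf4616ecd445d4a1937da06e19",
    "conn dst=79.134.225.111:3984",
    "dns q=www.microsoft.com",
    "conn dst=93.184.216.34:443",
]


def parse(line):
    """Split 'kind k=v k="v with spaces"' into (kind, {k: v}); shlex strips the quotes."""
    kind, *fields = shlex.split(line)
    return kind, dict(field.split("=", 1) for field in fields)


def classify(line):
    """Return the rule names that fire on one log line (empty list if none)."""
    kind, f = parse(line)
    hits = []
    if kind == "dns" and f["q"].lower().endswith(DDNS_SUFFIXES):
        hits.append("dynamic-dns-lookup")
    elif kind == "http":
        url = urlsplit(f["url"])
        # A raw .bin fetched from the Discord attachment CDN is how the loader staged Remcos here.
        if url.hostname == PAYLOAD_HOST and url.path.startswith("/attachments/") and url.path.endswith(".bin"):
            hits.append("cdn-hosted-payload")
        # The report flags this browser User-Agent; coming from a non-browser process it merits review.
        if IE11_UA.search(f.get("ua", "")):
            hits.append("ie11-user-agent")
    elif kind == "tls" and f.get("ja3") in BAD_JA3:
        hits.append("known-bad-ja3")
    elif kind == "conn":
        host, port = f["dst"].rsplit(":", 1)
        port = int(port)
        if port not in STANDARD_PORTS and ip_address(host).is_global:
            hits.append("non-standard-port")
        if (host, port) == C2_ADDR:
            hits.append("known-c2-endpoint")
    return hits


def triage(lines):
    """Run every rule over every line; returns [(line_no, rule), ...] in log order."""
    return [(n, rule) for n, line in enumerate(lines, 1) for rule in classify(line)]


if __name__ == "__main__":
    for n, rule in triage(SAMPLE_LOG):
        print(f"line {n}: {rule}")
```

The port rule deliberately ignores private destinations (ip_address(...).is_global) so internal services on odd ports do not flood the result; the JA3 and C2 rules are exact-match and belong in a watchlist you refresh, not in code.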

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 1_2_00405290 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_00405290

E-Banking Fraud

Source: Yara match File source: 00000004.00000002.10716301559.0000000004772000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL04AWB01173903102023PDF.scr.exe PID: 3372, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: __m2mep@?__global_unlock@?A0x27fb6efc@@$$FYA_NXZ
Source: ContactsApi.dll.1.dr String found in binary or memory: __m2mep@?__global_unlock@?A0x27fb6efc@@$$FYA_NXZ
Source: nseB51F.tmp.1.dr String found in binary or memory: __m2mep@?__global_unlock@?A0x27fb6efc@@$$FYA_NXZ
Source: DHL04AWB01173903102023PDF.scr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 1_2_0040331C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 1_2_0040331C
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File created: C:\Windows\resources\0409
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 1_2_00404ACD 1_2_00404ACD
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 1_2_004064F2 1_2_004064F2
Source: msado25.tlb.1.dr Static PE information: No import functions for PE file found
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsado25.tlbj% vs DHL04AWB01173903102023PDF.scr.exe
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000000.5630222194.000000000044E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameStoressters.exe` vs DHL04AWB01173903102023PDF.scr.exe
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDefConvertor.DLL vs DHL04AWB01173903102023PDF.scr.exe
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5982708695.0000000000409000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemsado25.tlbj% vs DHL04AWB01173903102023PDF.scr.exe
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000000.5843482212.000000000044E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameStoressters.exe` vs DHL04AWB01173903102023PDF.scr.exe
Source: DHL04AWB01173903102023PDF.scr.exe Binary or memory string: OriginalFilenameStoressters.exe` vs DHL04AWB01173903102023PDF.scr.exe
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Section loaded: edgegdi.dll
Source: DHL04AWB01173903102023PDF.scr.exe Static PE information: invalid certificate
Source: DHL04AWB01173903102023PDF.scr.exe Virustotal: Detection: 13%
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File read: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe
Source: DHL04AWB01173903102023PDF.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Process created: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File created: C:\Users\user\Nonhieratical
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File created: C:\Users\user\AppData\Local\Temp\nseB51E.tmp
Source: classification engine Classification label: mal96.rans.troj.spyw.evad.winEXE@3/13@10/2
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 1_2_0040206A CoCreateInstance, 1_2_0040206A
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 1_2_00404587 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 1_2_00404587
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-TUJMU2
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File written: C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\Z_Custom2.ini
Source: DHL04AWB01173903102023PDF.scr.exe Static file information: File size 1211760 > 1048576
Source: Binary string: mshtml.pdb source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000001.5844146219.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: D:\SCM\P4\depot\esw\projects\azure\Maglev\DesignerBranches\ezheng\newarch\Vista-AddOn\ExtArch\UI\BtTray\libs\x64\ContactsApi.pdb source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, ContactsApi.dll.1.dr, nseB51F.tmp.1.dr
Source: Binary string: D:\Builds\149\N2\HO_MMC_g_2016_r_2016\Sources\AudioPluginMgr\plugins\DefConvertor\Release\DefConvertor.pdb source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029EC000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr
Source: Binary string: mshtml.pdbUGP source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000001.5844146219.0000000000649000.00000020.00000001.01000000.00000008.sdmp

Data Obfuscation

Source: Yara match File source: 00000001.00000002.5987381198.0000000006C55000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 1_2_10002D50 push eax; ret 1_2_10002D7E
Source: ContactsApi.dll.1.dr Static PE information: section name: .nep
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 1_2_00406207 GetModuleHandleA,LoadLibraryA,GetProcAddress, 1_2_00406207
Source: msado25.tlb.1.dr Static PE information: 0x8DBA1FD3 [Sun May 7 15:54:59 2045 UTC]
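Several entries above are plain PE-header facts: the file characteristics (RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE), msado25.tlb carrying no import table, the ContactsApi.dll section named .nep, the msado25.tlb link timestamp of 0x8DBA1FD3 (May 2045) and the invalid certificate on the sample. The Python below is an added example, not part of the report and not one of its dropped files: a struct-only parser for those header fields plus a triage function, demonstrated on a constructed minimal PE32 image that merges those separately reported facts into one file. The STANDARD_SECTIONS set, the one-day clock-skew tolerance and the finding names are the example's own choices.

```python
"""Static PE header triage for the facts the report lists: no import table,
a link timestamp in 2045 (0x8DBA1FD3), a non-standard section name (.nep),
RELOCS_STRIPPED and an embedded (here invalid) Authenticode certificate.

Added example, not part of the Joe Sandbox report and not one of its dropped
files. parse_pe() reads the COFF/optional headers with struct only (no pefile);
build_sample_pe() constructs a headers-only PE32 image that reproduces those
facts so the triage can be run offline.
"""
import struct
import time

FILE_FLAGS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
              0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
              0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
# Example's own allow-list; .ndata is the NSIS data section seen in NSIS-built droppers.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".pdata", ".bss", ".tls", ".ndata", ".CRT"}
IMPORT_DIR, SECURITY_DIR = 1, 4          # IMAGE_DIRECTORY_ENTRY_IMPORT / _SECURITY


def parse_pe(data):
    """Return the header facts the triage needs from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    # Data directories start at offset 96 in a PE32 optional header, 112 in PE32+.
    dirs = opt + (96 if magic == 0x10B else 112)
    import_size = struct.unpack_from("<II", data, dirs + 8 * IMPORT_DIR)[1]
    cert_size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)[1]
    sec_hdrs = opt + opt_size
    names = [struct.unpack_from("<8s", data, sec_hdrs + 40 * i)[0].rstrip(b"\0").decode("latin-1")
             for i in range(nsections)]
    return {"machine": machine, "timestamp": timestamp, "characteristics": chars,
            "flags": [n for bit, n in FILE_FLAGS.items() if chars & bit],
            "sections": names, "has_imports": import_size != 0, "has_certificate": cert_size != 0}


def triage_pe(data, now=None):
    """Map header facts to the review items a triage analyst would raise."""
    pe = parse_pe(data)
    now = time.time() if now is None else now
    findings = []
    if pe["timestamp"] > now + 86400:            # one day of tolerance for clock skew
        findings.append("timestamp-in-future")
    if not pe["has_imports"]:
        findings.append("no-import-table")       # APIs are resolved at run time instead
    if pe["characteristics"] & 0x0001:
        findings.append("relocs-stripped")       # image cannot be relocated, so no ASLR
    if pe["has_certificate"]:
        findings.append("has-signature-verify-it")   # presence says nothing about validity
    findings += [f"non-standard-section:{s}" for s in pe["sections"] if s not in STANDARD_SECTIONS]
    return findings


def build_sample_pe(timestamp, section_names, with_imports, with_cert, characteristics=0x010F):
    """Constructed headers-only PE32 image mirroring the static facts in the report."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), timestamp, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    if with_imports:
        struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIR, 0x3000, 40)
    if with_cert:
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, 0x120000, 0x1800)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                                0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
                    for i, name in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    sample = build_sample_pe(0x8DBA1FD3, [".text", ".nep"], with_imports=False, with_cert=True)
    print(parse_pe(sample)["flags"], triage_pe(sample))
```

On a real file, pass open(path, "rb").read() to triage_pe(); the certificate check only reports that a WIN_CERTIFICATE blob is present, and the report's "invalid certificate" verdict still has to come from an Authenticode verifier such as signtool verify.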

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File created: C:\Users\user\AppData\Local\Temp\Slbemaalsflyvningers\Chirming.scr
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File created: C:\Users\user\Nonhieratical\Extracorpuscular\APM_DefConvertor.dll
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File created: C:\Users\user\AppData\Local\Temp\nsbBACD.tmp\System.dll
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File created: C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\msado25.tlb
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File created: C:\Users\user\Nonhieratical\Thonny\Yderligheders\Samtalernes\Sikkerhedsventilen\ContactsApi.dll

Boot Survival

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Postkassernes C:\Users\user\AppData\Local\Temp\Slbemaalsflyvningers\Chirming.scr
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Postkassernes
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Process information set: NOOPENFILEERRORBOX
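The Boot Survival entries show the RunOnce value Postkassernes launching Chirming.scr from a directory under %TEMP%, and the report earlier records the mutex Rmc-TUJMU2 created by the injected process. The Python below is an added example, not part of the Joe Sandbox report: it scores autostart values and mutex names against those two traits on constructed input, with an optional live read of HKCU Run/RunOnce that is only attempted on Windows. Assumptions: the Rmc- prefix is Remcos's default mutex prefix and the six-character alphanumeric suffix generalises the single mutex on this page; the drop-directory list, the masquerade-extension set and the two benign sample entries are the example's own.

```python
"""Host-side triage for the persistence artefacts above: a RunOnce value
("Postkassernes") that launches a .scr dropped under %TEMP%, and the Remcos
mutex Rmc-TUJMU2.

Added example, not part of the Joe Sandbox report. The sample autostart
entries and mutex names are constructed around the values the report lists.
Assumption: Rmc- is Remcos's default mutex prefix; the six-character suffix
pattern generalises the one mutex seen on this page.
"""
import re
import sys
from pathlib import PureWindowsPath

REMCOS_MUTEX = re.compile(r"^Rmc-[A-Z0-9]{6}$")
# Directory chains a legitimate autostart rarely points into (example's own list).
DROP_DIR_MARKERS = (("appdata", "local", "temp"), ("windows", "temp"), ("users", "public"))
# Extensions Windows runs as PE images although they do not look like programs.
MASQUERADE_EXT = {".scr", ".pif", ".com", ".cpl"}

# Constructed sample: the report's RunOnce value plus two ordinary entries.
SAMPLE_AUTOSTARTS = [
    ("HKCU\\...\\RunOnce", "Postkassernes",
     r"C:\Users\user\AppData\Local\Temp\Slbemaalsflyvningers\Chirming.scr"),
    ("HKCU\\...\\Run", "OneDrive",
     r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKLM\\...\\Run", "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
]
SAMPLE_MUTEXES = ["Rmc-TUJMU2", "Local\\MSCTF.Asm.MutexDefault1"]


def command_image(value):
    """Extract the executable path from a Run value: quoted path, or the first whitespace token."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(maxsplit=1)[0] if value else ""


def autostart_findings(value):
    """Why a Run/RunOnce command is suspicious, as a list of reasons (empty if none)."""
    image = PureWindowsPath(command_image(value))
    parts = tuple(p.lower() for p in image.parts)
    reasons = []
    if any(parts[i:i + len(m)] == m for m in DROP_DIR_MARKERS for i in range(len(parts))):
        reasons.append("image-in-drop-directory")
    if image.suffix.lower() in MASQUERADE_EXT:
        reasons.append(f"masquerade-extension:{image.suffix.lower()}")
    return reasons


def triage_host(autostarts, mutexes):
    """Combine registry and mutex checks; returns [(artefact, reason), ...]."""
    findings = [(f"{key}\\{name}", reason)
                for key, name, value in autostarts for reason in autostart_findings(value)]
    findings += [(m, "remcos-default-mutex-pattern") for m in mutexes if REMCOS_MUTEX.match(m)]
    return findings


def read_autostarts():
    """Live read of HKCU Run and RunOnce on Windows; elsewhere returns the constructed sample."""
    if sys.platform != "win32":
        return SAMPLE_AUTOSTARTS
    import winreg
    entries = []
    for sub in ("Run", "RunOnce"):
        path = "Software\\Microsoft\\Windows\\CurrentVersion\\" + sub
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, path)
        except OSError:
            continue                       # RunOnce may not exist on a clean profile
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break                  # no more values
                if isinstance(value, str):
                    entries.append((f"HKCU\\{path}", name, value))
                i += 1
    return entries


if __name__ == "__main__":
    for artefact, reason in triage_host(read_autostarts(), SAMPLE_MUTEXES):
        print(f"{artefact}: {reason}")
```

Mutex names on a live host come from a handle enumeration tool (for example Sysinternals handle.exe output filtered to Mutant objects); feed that list to triage_host() in place of SAMPLE_MUTEXES. Note that the report also shows the same RunOnce value being written with no data, so a value whose command is empty still deserves a look when its name is an unfamiliar word.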

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe TID: 428 Thread sleep count: 500 > 30
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe TID: 428 Thread sleep time: -250000s >= -30000s
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Dropped PE file which has not been started: C:\Users\user\Nonhieratical\Extracorpuscular\APM_DefConvertor.dll
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Dropped PE file which has not been started: C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\msado25.tlb
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Dropped PE file which has not been started: C:\Users\user\Nonhieratical\Thonny\Yderligheders\Samtalernes\Sikkerhedsventilen\ContactsApi.dll
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Window / User API: threadDelayed 500
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Window / User API: foregroundWindowGot 804
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 1_2_00402706 FindFirstFileW, 1_2_00402706
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 1_2_0040572C CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_0040572C
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 1_2_004061E0 FindFirstFileW,FindClose, 1_2_004061E0
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe API call chain: ExitProcess graph end node
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716301559.0000000004728000.00000004.00000020.00020000.00000000.sdmp, DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716301559.000000000478D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 1_2_00406207 GetModuleHandleA,LoadLibraryA,GetProcAddress, 1_2_00406207
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Process created: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716826508.000000000479E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerU2\
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716826508.000000000479E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716826508.000000000479E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager2\
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716826508.000000000479E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerU2\:D
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716301559.0000000004728000.00000004.00000020.00020000.00000000.sdmp, logs.dat.4.dr Binary or memory string: [Program Manager]
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 1_2_00405EBF GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 1_2_00405EBF

Stealing of Sensitive Information

Source: Yara match File source: 00000004.00000002.10716301559.0000000004772000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL04AWB01173903102023PDF.scr.exe PID: 3372, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000004.00000002.10716301559.0000000004772000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL04AWB01173903102023PDF.scr.exe PID: 3372, type: MEMORYSTR