
DHL SHIPMENT NOTIFICATION 1146789443.exe

Status: finished
Submission Time: 2022-05-14 15:09:31 +02:00
Malicious
Phishing
Trojan
Adware
Spyware
Exploiter
Evader
AgentTesla, AveMaria, UACMe

Comments

Tags

  • bat
  • DHL
  • exe

Details

  • Analysis ID:
    626594
  • API (Web) ID:
    994101
  • Analysis Started:
    2022-05-14 15:09:35 +02:00
  • Analysis Finished:
    2022-05-14 15:24:37 +02:00
  • MD5:
    f883d433fab3b7ae0c25625e75a03b38
  • SHA1:
    d29ddef177a748397abef51f7ec2188fc06506d5
  • SHA256:
    0606d4bc2c27f402be8e98ba28d3af0d35c1c85d3be43690fabe971a687af9ed
  • Technologies:

Verdict: malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

Score: 100/100
7/41

IPs

IP              Country        Detection
76.8.53.133     United States
51.210.156.152  France

Domains

Name                     IP              Detection
exportersglobe.com       51.210.156.152
mail.exportersglobe.com  0.0.0.0
x1.i.lencr.org           0.0.0.0

URLs

Name Detection

Dropped files

Name / File Type

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL SHIPMENT NOTIFICATION 1146789443.exe.log
    ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\tmp8559.tmp
    XML 1.0 document, ASCII text
C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe:Zone.Identifier
    ASCII text, with CRLF line terminators
C:\Windows\System32\drivers\etc\hosts
    ASCII text, with CRLF line terminators
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_INVESTORORIGIN.e_77f278dc5a2c1c3935eb52616b8cb594c251e8e_0e345062_1a0b7f2e\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5763.tmp.dmp
    Mini DuMP crash report, 15 streams, Sat May 14 22:11:57 2022, 0x1205a4 type
C:\ProgramData\Microsoft\Windows\WER\Temp\WER65CB.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6957.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D
    data
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D
    data
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ald43iwi.q5u.ps1
    very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wqdexkj3.urd.psm1
    very short file (no magic)
C:\Users\user\Documents\20220514\PowerShell_transcript.760639.TC5_eELU.20220514151113.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators