Play interactive tour

Edit tour

Analysis Report DHL_document1102202068090891.exe

Overview

General Information

Sample Name:	DHL_document1102202068090891.exe
Analysis ID:	367966
MD5:	2bb75a79a205701c93773e1bbd5a8c49
SHA1:	21ef9c1e486c19a0186ecff094efdcfa8eaf6b9f
SHA256:	8c248038f6045835d77fe9f89698aafdc26a2644c89bc8cef54c13a9dceff4a2
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains very large strings

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

DHL_document1102202068090891.exe (PID: 6268 cmdline: 'C:\Users\user\Desktop\DHL_document1102202068090891.exe' MD5: 2BB75A79A205701C93773E1BBD5A8C49)

schtasks.exe (PID: 6436 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CPaFDuSsVdolxV' /XML 'C:\Users\user\AppData\Local\Temp\tmp777C.tmp' MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

DHL_document1102202068090891.exe (PID: 6508 cmdline: C:\Users\user\Desktop\DHL_document1102202068090891.exe MD5: 2BB75A79A205701C93773E1BBD5A8C49)

DHL_document1102202068090891.exe (PID: 6532 cmdline: C:\Users\user\Desktop\DHL_document1102202068090891.exe MD5: 2BB75A79A205701C93773E1BBD5A8C49)

DHL_document1102202068090891.exe (PID: 6540 cmdline: C:\Users\user\Desktop\DHL_document1102202068090891.exe MD5: 2BB75A79A205701C93773E1BBD5A8C49)

DHL_document1102202068090891.exe (PID: 6552 cmdline: C:\Users\user\Desktop\DHL_document1102202068090891.exe MD5: 2BB75A79A205701C93773E1BBD5A8C49)

DHL_document1102202068090891.exe (PID: 6560 cmdline: C:\Users\user\Desktop\DHL_document1102202068090891.exe MD5: 2BB75A79A205701C93773E1BBD5A8C49)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "dsmoon@panstar.ltdmmm777mail.privateemail.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.222727824.00000000026FB000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000002.223300212.0000000013EA0000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: DHL_document1102202068090891.exe PID: 6268	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Unpacked PEs

Source	Rule	Description	Author
1.2.DHL_document1102202068090891.exe.141f00a8.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.DHL_document1102202068090891.exe.141f00a8.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.DHL_document1102202068090891.exe.140d7788.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.DHL_document1102202068090891.exe.14061548.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CPaFDuSsVdolxV' /XML 'C:\Users\user\AppData\Local\Temp\tmp777C.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CPaFDuSsVdolxV' /XML 'C:\Users\user\AppData\Local\Temp\tmp777C.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\DHL_document1102202068090891.exe' , ParentImage: C:\Users\user\Desktop\DHL_document1102202068090891.exe, ParentProcessId: 6268, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CPaFDuSsVdolxV' /XML 'C:\Users\user\AppData\Local\Temp\tmp777C.tmp', ProcessId: 6436

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.DHL_document1102202068090891.exe.141f00a8.3.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "dsmoon@panstar.ltdmmm777mail.privateemail.com"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\CPaFDuSsVdolxV.exe	Virustotal: Detection: 35%			Perma Link
Source: C:\Users\user\AppData\Roaming\CPaFDuSsVdolxV.exe	ReversingLabs: Detection: 46%

Multi AV Scanner detection for submitted file

Show sources

Source: DHL_document1102202068090891.exe	Virustotal: Detection: 35%			Perma Link
Source: DHL_document1102202068090891.exe	ReversingLabs: Detection: 46%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\CPaFDuSsVdolxV.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: DHL_document1102202068090891.exe

Joe Sandbox ML: detected

Source: DHL_document1102202068090891.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: DHL_document1102202068090891.exe, 00000001.00000002.222667109.0000000002671000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL_document1102202068090891.exe, 00000001.00000002.222727824.00000000026FB000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

System Summary:

.NET source code contains very large strings

Show sources

Source: DHL_document1102202068090891.exe, Startup.cs	Long String: Length: 62808
Source: CPaFDuSsVdolxV.exe.1.dr, Startup.cs	Long String: Length: 62808
Source: 1.2.DHL_document1102202068090891.exe.3b0000.0.unpack, Startup.cs	Long String: Length: 62808
Source: 6.2.DHL_document1102202068090891.exe.2c0000.0.unpack, Startup.cs	Long String: Length: 62808
Source: 6.0.DHL_document1102202068090891.exe.2c0000.0.unpack, Startup.cs	Long String: Length: 62808
Source: 7.0.DHL_document1102202068090891.exe.b90000.0.unpack, Startup.cs	Long String: Length: 62808
Source: 7.2.DHL_document1102202068090891.exe.b90000.0.unpack, Startup.cs	Long String: Length: 62808
Source: 8.0.DHL_document1102202068090891.exe.630000.0.unpack, Startup.cs	Long String: Length: 62808
Source: 8.2.DHL_document1102202068090891.exe.630000.0.unpack, Startup.cs	Long String: Length: 62808
Source: 9.2.DHL_document1102202068090891.exe.bd0000.0.unpack, Startup.cs	Long String: Length: 62808
Source: 9.0.DHL_document1102202068090891.exe.bd0000.0.unpack, Startup.cs	Long String: Length: 62808
Source: 10.2.DHL_document1102202068090891.exe.640000.0.unpack, Startup.cs	Long String: Length: 62808
Source: 10.0.DHL_document1102202068090891.exe.640000.0.unpack, Startup.cs	Long String: Length: 62808

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: DHL_document1102202068090891.exe

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 6_2_002C2050	6_2_002C2050
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 7_2_00B92050	7_2_00B92050
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 8_2_00632050	8_2_00632050
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 9_2_00BD2050	9_2_00BD2050
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 10_2_00642050	10_2_00642050

Source: DHL_document1102202068090891.exe, 00000001.00000002.225096082.000000001AF40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs DHL_document1102202068090891.exe
Source: DHL_document1102202068090891.exe, 00000001.00000002.222448059.00000000009FA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DHL_document1102202068090891.exe
Source: DHL_document1102202068090891.exe, 00000001.00000002.225821487.000000001B0F0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs DHL_document1102202068090891.exe
Source: DHL_document1102202068090891.exe, 00000001.00000002.225821487.000000001B0F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DHL_document1102202068090891.exe
Source: DHL_document1102202068090891.exe, 00000001.00000002.222667109.0000000002671000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs DHL_document1102202068090891.exe
Source: DHL_document1102202068090891.exe, 00000001.00000000.207751008.0000000000450000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameXmlIgnoreMemberAttribute.exe@ vs DHL_document1102202068090891.exe
Source: DHL_document1102202068090891.exe, 00000001.00000002.226505171.000000001BCB0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs DHL_document1102202068090891.exe
Source: DHL_document1102202068090891.exe, 00000006.00000000.216868947.0000000000360000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameXmlIgnoreMemberAttribute.exe@ vs DHL_document1102202068090891.exe
Source: DHL_document1102202068090891.exe, 00000007.00000002.217906373.0000000000C30000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameXmlIgnoreMemberAttribute.exe@ vs DHL_document1102202068090891.exe
Source: DHL_document1102202068090891.exe, 00000008.00000002.218813485.00000000006D0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameXmlIgnoreMemberAttribute.exe@ vs DHL_document1102202068090891.exe
Source: DHL_document1102202068090891.exe, 00000009.00000002.219739263.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameXmlIgnoreMemberAttribute.exe@ vs DHL_document1102202068090891.exe
Source: DHL_document1102202068090891.exe, 0000000A.00000002.222029719.00000000006E0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameXmlIgnoreMemberAttribute.exe@ vs DHL_document1102202068090891.exe
Source: DHL_document1102202068090891.exe	Binary or memory string: OriginalFilenameXmlIgnoreMemberAttribute.exe@ vs DHL_document1102202068090891.exe

Source: DHL_document1102202068090891.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CPaFDuSsVdolxV.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@14/4@0/0

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

File created: C:\Users\user\AppData\Roaming\CPaFDuSsVdolxV.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_01

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

File created: C:\Users\user\AppData\Local\Temp\tmp777C.tmp

Jump to behavior

Source: DHL_document1102202068090891.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DHL_document1102202068090891.exe, 00000001.00000002.222727824.00000000026FB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: DHL_document1102202068090891.exe, 00000001.00000002.222727824.00000000026FB000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: DHL_document1102202068090891.exe	Virustotal: Detection: 35%
Source: DHL_document1102202068090891.exe	ReversingLabs: Detection: 46%

Source: DHL_document1102202068090891.exe	String found in binary or memory: New/Load Game
Source: DHL_document1102202068090891.exe	String found in binary or memory: New/Load Game
Source: DHL_document1102202068090891.exe	String found in binary or memory: New/Load Game
Source: DHL_document1102202068090891.exe	String found in binary or memory: New/Load Game
Source: DHL_document1102202068090891.exe	String found in binary or memory: New/Load Game
Source: DHL_document1102202068090891.exe	String found in binary or memory: New/Load Game
Source: DHL_document1102202068090891.exe	String found in binary or memory: New/Load Game

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

File read: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DHL_document1102202068090891.exe 'C:\Users\user\Desktop\DHL_document1102202068090891.exe'
Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CPaFDuSsVdolxV' /XML 'C:\Users\user\AppData\Local\Temp\tmp777C.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\DHL_document1102202068090891.exe C:\Users\user\Desktop\DHL_document1102202068090891.exe
Source: unknown	Process created: C:\Users\user\Desktop\DHL_document1102202068090891.exe C:\Users\user\Desktop\DHL_document1102202068090891.exe
Source: unknown	Process created: C:\Users\user\Desktop\DHL_document1102202068090891.exe C:\Users\user\Desktop\DHL_document1102202068090891.exe
Source: unknown	Process created: C:\Users\user\Desktop\DHL_document1102202068090891.exe C:\Users\user\Desktop\DHL_document1102202068090891.exe
Source: unknown	Process created: C:\Users\user\Desktop\DHL_document1102202068090891.exe C:\Users\user\Desktop\DHL_document1102202068090891.exe
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CPaFDuSsVdolxV' /XML 'C:\Users\user\AppData\Local\Temp\tmp777C.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Users\user\Desktop\DHL_document1102202068090891.exe C:\Users\user\Desktop\DHL_document1102202068090891.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Users\user\Desktop\DHL_document1102202068090891.exe C:\Users\user\Desktop\DHL_document1102202068090891.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Users\user\Desktop\DHL_document1102202068090891.exe C:\Users\user\Desktop\DHL_document1102202068090891.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Users\user\Desktop\DHL_document1102202068090891.exe C:\Users\user\Desktop\DHL_document1102202068090891.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Users\user\Desktop\DHL_document1102202068090891.exe C:\Users\user\Desktop\DHL_document1102202068090891.exe	Jump to behavior

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: DHL_document1102202068090891.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DHL_document1102202068090891.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 1_2_00007FFAEED386E4 push 00000074h; retf	1_2_00007FFAEED386EC
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 1_2_00007FFAEED31FE5 push 00000074h; retf	1_2_00007FFAEED31FEA
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 1_2_00007FFAEED38E1D push 00000074h; retf	1_2_00007FFAEED38E1F
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 1_2_00007FFAEED3E5CC push 00000074h; retf	1_2_00007FFAEED3E5D8
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 1_2_00007FFAEED3D327 push 00000074h; retf	1_2_00007FFAEED3D329
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 6_2_002CE12B push es; ret	6_2_002CE130
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 6_2_002CE00F push es; ret	6_2_002CE0FA
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 6_2_002CE00F push es; ret	6_2_002CE100
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 6_2_002CE101 push es; ret	6_2_002CE12A
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 6_2_002CE119 push es; ret	6_2_002CE12A
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 6_2_002CE143 push es; ret	6_2_002CE148
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 6_2_002CE3B3 push cs; ret	6_2_002CE3DC
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 6_2_002CE0E9 push es; ret	6_2_002CE100
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 6_2_002CE3CB push cs; ret	6_2_002CE3DC
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 6_2_002CE3DD push cs; ret	6_2_002CE3E2
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 7_2_00B9E3B3 push cs; ret	7_2_00B9E3DC
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 7_2_00B9E0E9 push es; ret	7_2_00B9E100
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 7_2_00B9E3DD push cs; ret	7_2_00B9E3E2
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 7_2_00B9E3CB push cs; ret	7_2_00B9E3DC
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 7_2_00B9E12B push es; ret	7_2_00B9E130
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 7_2_00B9E119 push es; ret	7_2_00B9E12A
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 7_2_00B9E00F push es; ret	7_2_00B9E0FA
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 7_2_00B9E00F push es; ret	7_2_00B9E100
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 7_2_00B9E101 push es; ret	7_2_00B9E12A
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 7_2_00B9E143 push es; ret	7_2_00B9E148
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 8_2_0063E143 push es; ret	8_2_0063E148
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 8_2_0063E12B push es; ret	8_2_0063E130
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 8_2_0063E101 push es; ret	8_2_0063E12A
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 8_2_0063E00F push es; ret	8_2_0063E0FA
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 8_2_0063E00F push es; ret	8_2_0063E100
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 8_2_0063E119 push es; ret	8_2_0063E12A

Source: initial sample	Static PE information: section name: .text entropy: 7.42024887676
Source: initial sample	Static PE information: section name: .text entropy: 7.42024887676

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

File created: C:\Users\user\AppData\Roaming\CPaFDuSsVdolxV.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CPaFDuSsVdolxV' /XML 'C:\Users\user\AppData\Local\Temp\tmp777C.tmp'

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000001.00000002.222727824.00000000026FB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL_document1102202068090891.exe PID: 6268, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: DHL_document1102202068090891.exe, 00000001.00000002.222727824.00000000026FB000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: DHL_document1102202068090891.exe, 00000001.00000002.222727824.00000000026FB000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe TID: 6272	Thread sleep time: -100620s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe TID: 6316	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: DHL_document1102202068090891.exe, 00000001.00000002.222727824.00000000026FB000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL_document1102202068090891.exe, 00000001.00000002.222727824.00000000026FB000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: DHL_document1102202068090891.exe, 00000001.00000002.222727824.00000000026FB000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: DHL_document1102202068090891.exe, 00000001.00000002.222727824.00000000026FB000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CPaFDuSsVdolxV' /XML 'C:\Users\user\AppData\Local\Temp\tmp777C.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Users\user\Desktop\DHL_document1102202068090891.exe C:\Users\user\Desktop\DHL_document1102202068090891.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Users\user\Desktop\DHL_document1102202068090891.exe C:\Users\user\Desktop\DHL_document1102202068090891.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Users\user\Desktop\DHL_document1102202068090891.exe C:\Users\user\Desktop\DHL_document1102202068090891.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Users\user\Desktop\DHL_document1102202068090891.exe C:\Users\user\Desktop\DHL_document1102202068090891.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Users\user\Desktop\DHL_document1102202068090891.exe C:\Users\user\Desktop\DHL_document1102202068090891.exe	Jump to behavior

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Queries volume information: C:\Users\user\Desktop\DHL_document1102202068090891.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000001.00000002.223300212.0000000013EA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.DHL_document1102202068090891.exe.141f00a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL_document1102202068090891.exe.141f00a8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL_document1102202068090891.exe.140d7788.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL_document1102202068090891.exe.14061548.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000001.00000002.223300212.0000000013EA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.DHL_document1102202068090891.exe.141f00a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL_document1102202068090891.exe.141f00a8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL_document1102202068090891.exe.140d7788.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DHL_document1102202068090891.exe.14061548.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Scheduled Task/Job1	Process Injection11	Masquerading1	OS Credential Dumping	Security Software Discovery211	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Virtualization/Sandbox Evasion3	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection11	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	System Information Discovery12	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing2	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DHL_document1102202068090891.exe	36%	Virustotal		Browse
DHL_document1102202068090891.exe	47%	ReversingLabs	ByteCode-MSIL.Trojan.Woreflint
DHL_document1102202068090891.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\CPaFDuSsVdolxV.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\CPaFDuSsVdolxV.exe	36%	Virustotal		Browse
C:\Users\user\AppData\Roaming\CPaFDuSsVdolxV.exe	47%	ReversingLabs	ByteCode-MSIL.Trojan.Woreflint

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	DHL_document1102202068090891.exe, 00000001.00000002.222667109.0000000002671000.00000004.00000001.sdmp	false		high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	DHL_document1102202068090891.exe, 00000001.00000002.222727824.00000000026FB000.00000004.00000001.sdmp	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	367966
Start date:	12.03.2021
Start time:	17:01:15
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DHL_document1102202068090891.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@14/4@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.7% (good quality ratio 0.7%) Quality average: 69% Quality standard deviation: 23.4%
HCA Information:	Successful, ratio: 61% Number of executed functions: 54 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:02:07	API Interceptor	1x Sleep call for process: DHL_document1102202068090891.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DHL_document1102202068090891.exe.log Download File
Process:	C:\Users\user\Desktop\DHL_document1102202068090891.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1742
Entropy (8bit):	5.381353871108486
Encrypted:	false
SSDEEP:	48:MxHKEYHKGD8Ao6+vxpNl1qHGiD0HKeGitHTG1hAHKKPJAmHKoA9:iqEYqGgAo9ZPlwmI0qertzG1eqKPJ/qT
MD5:	978918F6120A43D1FA5899938A5A542F
SHA1:	6567A2E687B40BFD3A46246F51F4C89D93D89455
SHA-256:	F814F290A540B3FD755D05F3434317D7B26F2C33D2087F9E63233CD88AB510FC
SHA-512:	1DF2AF5A3F8212BF591AAA366FE96F167F3E6D43746E07B7CD44F1B2F06C63B1D290412891AD0B4D0A82D1DFD6EB2EB7D70981C35941F370DC97729E9205DD53
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\f2e0589ed6d670f264a5f65dd0ad000f\Microsoft.VisualBasic.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_6

C:\Users\user\AppData\Local\Temp\tmp777C.tmp Download File
Process:	C:\Users\user\Desktop\DHL_document1102202068090891.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1647
Entropy (8bit):	5.194617887857934
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBptn:cbh47TlNQ//rydbz9I3YODOLNdq3R
MD5:	E25AABC28F631781D504A956A5A8AA28
SHA1:	DB9602AD88C4C5B7C194D85952072277CAA48D72
SHA-256:	310381C323299DF7C3C64254D6F35837C0DA7B09DD82221835DE39AA0C81E6AD
SHA-512:	495B787B818FD79D7809511D850E819300BC701018BA255D5614B7990898E53475A800A8E2F3DC46ACC28A820C400A6DEF415D8A20DC5D05A7EF19F2A2B8D3E7
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\CPaFDuSsVdolxV.exe Download File
Process:	C:\Users\user\Desktop\DHL_document1102202068090891.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	645632
Entropy (8bit):	7.406482138052902
Encrypted:	false
SSDEEP:	12288:+hWX/o2sJVSFPfGqxq3GHZDcum653cGMGQRLz+bazAxbty1vqZR2+LZ:EGfO3mcum6eNMazA/y1vqZJV
MD5:	2BB75A79A205701C93773E1BBD5A8C49
SHA1:	21EF9C1E486C19A0186ECFF094EFDCFA8EAF6B9F
SHA-256:	8C248038F6045835D77FE9F89698AAFDC26A2644C89BC8CEF54C13A9DCEFF4A2
SHA-512:	DF39AA767CA9F2B4864BCEC492FE9A4AE808D663FD39B333D47D6753110F65687592E84BABC4F61B7E8AD4E8DC257C8DC0F67A4C1039E6FD08516F87247CC0DF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 36%, Browse Antivirus: ReversingLabs, Detection: 47%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....J`.........."...P.................. ........@.. .......................@............@.................................<...O............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................p.......H........................F...............................................0............(....(..........(.....o .........................(!......("......(#......($......(%....N..(....o....(&....&..('.....s(........s)........s........s+........s,............0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0...........~....o1....+...0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....+...0......

C:\Users\user\AppData\Roaming\CPaFDuSsVdolxV.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\DHL_document1102202068090891.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.406482138052902
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	DHL_document1102202068090891.exe
File size:	645632
MD5:	2bb75a79a205701c93773e1bbd5a8c49
SHA1:	21ef9c1e486c19a0186ecff094efdcfa8eaf6b9f
SHA256:	8c248038f6045835d77fe9f89698aafdc26a2644c89bc8cef54c13a9dceff4a2
SHA512:	df39aa767ca9f2b4864bcec492fe9a4ae808d663fd39b333d47d6753110f65687592e84babc4f61b7e8ad4e8dc257c8dc0f67a4c1039e6fd08516f87247cc0df
SSDEEP:	12288:+hWX/o2sJVSFPfGqxq3GHZDcum653cGMGQRLz+bazAxbty1vqZR2+LZ:EGfO3mcum6eNMazA/y1vqZJV
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....J`.........."...P.................. ........@.. .......................@............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x49ed8e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x604A8EA6 [Thu Mar 11 21:41:58 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9ed3c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa0000	0x604	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9cd94	0x9ce00	False	0.824901954681	data	7.42024887676	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xa0000	0x604	0x800	False	0.32666015625	data	3.40779416599	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xa0090	0x374	data
RT_MANIFEST	0xa0414	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2016
Assembly Version	1.0.0.0
InternalName	XmlIgnoreMemberAttribute.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Afrideres_Final
ProductVersion	1.0.0.0
FileDescription	Afrideres_Final
OriginalFilename	XmlIgnoreMemberAttribute.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: DHL_document1102202068090891.exe PID: 6268 Parent PID: 5636

General

Start time:	17:02:06
Start date:	12/03/2021
Path:	C:\Users\user\Desktop\DHL_document1102202068090891.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\DHL_document1102202068090891.exe'
Imagebase:	0x3b0000
File size:	645632 bytes
MD5 hash:	2BB75A79A205701C93773E1BBD5A8C49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.222727824.00000000026FB000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.223300212.0000000013EA0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6436 Parent PID: 6268

General

Start time:	17:02:09
Start date:	12/03/2021
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CPaFDuSsVdolxV' /XML 'C:\Users\user\AppData\Local\Temp\tmp777C.tmp'
Imagebase:	0x7ff7125e0000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6444 Parent PID: 6436

General

Start time:	17:02:10
Start date:	12/03/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: DHL_document1102202068090891.exe PID: 6508 Parent PID: 6268

General

Start time:	17:02:10
Start date:	12/03/2021
Path:	C:\Users\user\Desktop\DHL_document1102202068090891.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\DHL_document1102202068090891.exe
Imagebase:	0x2c0000
File size:	645632 bytes
MD5 hash:	2BB75A79A205701C93773E1BBD5A8C49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: DHL_document1102202068090891.exe PID: 6532 Parent PID: 6268

General

Start time:	17:02:11
Start date:	12/03/2021
Path:	C:\Users\user\Desktop\DHL_document1102202068090891.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\DHL_document1102202068090891.exe
Imagebase:	0xb90000
File size:	645632 bytes
MD5 hash:	2BB75A79A205701C93773E1BBD5A8C49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: DHL_document1102202068090891.exe PID: 6540 Parent PID: 6268

General

Start time:	17:02:11
Start date:	12/03/2021
Path:	C:\Users\user\Desktop\DHL_document1102202068090891.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\DHL_document1102202068090891.exe
Imagebase:	0x630000
File size:	645632 bytes
MD5 hash:	2BB75A79A205701C93773E1BBD5A8C49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: DHL_document1102202068090891.exe PID: 6552 Parent PID: 6268

General

Start time:	17:02:12
Start date:	12/03/2021
Path:	C:\Users\user\Desktop\DHL_document1102202068090891.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\DHL_document1102202068090891.exe
Imagebase:	0xbd0000
File size:	645632 bytes
MD5 hash:	2BB75A79A205701C93773E1BBD5A8C49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: DHL_document1102202068090891.exe PID: 6560 Parent PID: 6268

General

Start time:	17:02:12
Start date:	12/03/2021
Path:	C:\Users\user\Desktop\DHL_document1102202068090891.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\DHL_document1102202068090891.exe
Imagebase:	0x640000
File size:	645632 bytes
MD5 hash:	2BB75A79A205701C93773E1BBD5A8C49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: DHL_document1102202068090891.exe PID: 6268 Parent PID: 5636 DHL_document1102202068090891.exeCOMMON

Executed Functions

Function 00007FFAEED30A41, Relevance: 1.6, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

HJ<M, xrefs: 00007FFAEED30BF0

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID: HJ<M
API String ID: 0-2037900042
Opcode ID: ebf55bf05d59e876e2beb717cbdc6df5184f1a49d4b9dfbe0207d4c174809e96
Instruction ID: 41cec38d0a25d007f0a3ceef2fa989bf05ef57c956a146ff5ea92771ae5715c9
Opcode Fuzzy Hash: ebf55bf05d59e876e2beb717cbdc6df5184f1a49d4b9dfbe0207d4c174809e96
Instruction Fuzzy Hash: F8B11570908A5D8FDB99EF68D8947E8BBF1FF5A301F1400BAD00DE7296CA756981CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED31215, Relevance: .5, Instructions: 491COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 480d335f036e1d91f37a0d5d27f3d3b77c94834b869be0af64cb1e9b8d92fbda
Instruction ID: d34d99bb6a09224873b2920b5b4a588cf486d37d574b2778af9bd9f49ae8c25d
Opcode Fuzzy Hash: 480d335f036e1d91f37a0d5d27f3d3b77c94834b869be0af64cb1e9b8d92fbda
Instruction Fuzzy Hash: FF124770E0850B8FEB44EFA9C1C5AADB7B2FF55310F148574D10DE7296DA78A8808B92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED3B7A2, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd00227ed2a6674289b003f50fffff905a6f1a868332aa1533d570eeedd46cee
Instruction ID: c63191057577e1bd0b0b0b518b5751fe3c9c3b7b2de65aa478a58e9cf186db04
Opcode Fuzzy Hash: cd00227ed2a6674289b003f50fffff905a6f1a868332aa1533d570eeedd46cee
Instruction Fuzzy Hash: 3D514E70908A1C8FDB98EF68C885BE9B7F1FB69300F1081AAD04DE3252DA746985CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED33E77, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cb250fe787057e3b8842fe5583abcd10e4cbf72f41291e9643ea8276f043b5e
Instruction ID: bb3c99ab4f0b31a55aa3a812d3f90d256b829cfdc439ed5da1e1f9102e4cc5a6
Opcode Fuzzy Hash: 9cb250fe787057e3b8842fe5583abcd10e4cbf72f41291e9643ea8276f043b5e
Instruction Fuzzy Hash: 7151E330A0864D8FDB55EF68C8906EDB7F2FF9A310F14427AD01DEB291CA74A945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED34D07, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45eeccc654360ccc34820f5d2e014eb8b03a3ac808676be6eddef4977d69b7dc
Instruction ID: f57e965c9be036efe94e6e7d622efd46a214f332793be3273d603137c0ae6308
Opcode Fuzzy Hash: 45eeccc654360ccc34820f5d2e014eb8b03a3ac808676be6eddef4977d69b7dc
Instruction Fuzzy Hash: 24518D7190D7C98FCB03DB6488616D87FB1AF17310F0A41EBD095DB1A3D668A856CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED310D0, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab45fb8291970ab861759167ef5688fbc8337b5429fbff83cb9dc6aee700d7cb
Instruction ID: 3dd7194d9bf525ebf08db79b49ea6655562ba8ad122013009d05a55438ca449a
Opcode Fuzzy Hash: ab45fb8291970ab861759167ef5688fbc8337b5429fbff83cb9dc6aee700d7cb
Instruction Fuzzy Hash: 04413770A18A4D8FDB89EFA8D8956EDBBF1FF59300F01016AD40DE3292DB74A840CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED31785, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133e767abcdd079f9b49c13165539f7aa0445882c9542d3d3a76e9839d4ed991
Instruction ID: d63d4097d7c765230cb19899da088a6c7177c5476178bbd10244fe9ae148c328
Opcode Fuzzy Hash: 133e767abcdd079f9b49c13165539f7aa0445882c9542d3d3a76e9839d4ed991
Instruction Fuzzy Hash: A1413870A0891D8FDF85EFA8C495BECBBF2FF69300F0401B9D009E7295CA74A8448B51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED37CC0, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c55792fef8db3a5262d5ded8a873c38dc181cdd8a55bffed3ed0870775649f6
Instruction ID: de5ff401aedf448ff9cb09d9d6f0bdfd0f0488b890d9d32596f592ac96230de2
Opcode Fuzzy Hash: 8c55792fef8db3a5262d5ded8a873c38dc181cdd8a55bffed3ed0870775649f6
Instruction Fuzzy Hash: 8D41BE7190CA8D8FDB46DFA4C8A46EDBFB1FF4A310F0501AAD049D7292DA685845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED38C74, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0aeafede6204a145a579d6107a77a32c705ad21753f4383e0fe18000abcc3c9
Instruction ID: 183fb3335b469d653cacce1f6603a451f9b32653ff1b33a1c9974b78def2678c
Opcode Fuzzy Hash: d0aeafede6204a145a579d6107a77a32c705ad21753f4383e0fe18000abcc3c9
Instruction Fuzzy Hash: 7E41A078D0865A8FDB48EFA8C5C19FDB7A1FF55311F108179D00DA72D6CEB4A8408B52

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED36E7A, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d553280f960c12d94983e74195b9300985030f4fce398281adbc72da085e94
Instruction ID: e3088eb4e500c66f0a697cc424d677013fc8ba729250a9a066b82726d89dd62f
Opcode Fuzzy Hash: 13d553280f960c12d94983e74195b9300985030f4fce398281adbc72da085e94
Instruction Fuzzy Hash: 6E31127180C3898FDB05DF68D4915FD7BF0EF0A310F0641BBE859D7292DA68A945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED30FD9, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be3424d5ac5109157cdf469624470f49040b40382af02b8e55c7b60846ff3cf
Instruction ID: 0b54c9d2fb50097a602c4d57745b487625f9f12ab62d774a4e28fba64d37a020
Opcode Fuzzy Hash: 1be3424d5ac5109157cdf469624470f49040b40382af02b8e55c7b60846ff3cf
Instruction Fuzzy Hash: 2831DF7188D2C68FE7569B209CA26E53FA0EF03310F0A41BAE45DC71D3D96D695AC352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED39F0D, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113c9ea773c2b7edbd853b808c75a26bf7cb43110c462b926e313bcdd94909ad
Instruction ID: 4f9c425474d50bd36194f2f14657e8e7add24dc4f5e8b685ccfdc69e2b23bdc3
Opcode Fuzzy Hash: 113c9ea773c2b7edbd853b808c75a26bf7cb43110c462b926e313bcdd94909ad
Instruction Fuzzy Hash: 49319E7181860D8FDF51EF68C885AE977F0FB28310F40017AE81DC7191DB74A654CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED33EF0, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be2261d830480c34fd93a2ef976949a616c6990f9f4a7def96019f2b15ab4df
Instruction ID: 77947cd7f4df2d277bdc9ae18108988f57e7d0b4bd2a9f42f4c5766e2f9141da
Opcode Fuzzy Hash: 3be2261d830480c34fd93a2ef976949a616c6990f9f4a7def96019f2b15ab4df
Instruction Fuzzy Hash: CF31D03090D7898FDB52DF28C8906E93BF1EF5B310F0542ABD448DB2A2CA346959CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED32B52, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cdfd047a4aed5c8edd00093f76425f24ec7f7af4ef600d255587c7c1d202094
Instruction ID: 6bb0d523803a2f6280968bf289006e23d76ea48049d1f844a812edc6977504a9
Opcode Fuzzy Hash: 5cdfd047a4aed5c8edd00093f76425f24ec7f7af4ef600d255587c7c1d202094
Instruction Fuzzy Hash: 36315870E0890E8FDB58DF99D895AACB7B2FB59301F11816AD00AE7385DA74A800CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED37900, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda78afd63e1bbe1a6a505ba999450c1ae73054c0c17ce5bc2ce9df82015fe48
Instruction ID: 2d1b6f1f76dd9c5f4fb05bc54ce38a5d408cb967838c1db58c2ce221cfe3d163
Opcode Fuzzy Hash: bda78afd63e1bbe1a6a505ba999450c1ae73054c0c17ce5bc2ce9df82015fe48
Instruction Fuzzy Hash: 6A31FB7091891D8FDF88EFA8C495BADBBB1FF59310F1041A9C00EE7292DA75A841CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED39EFD, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b49e3b6d181517a3da1907242464a939924a858255ce8e78684824e853d31c
Instruction ID: a775f88dbdc03e27dbfbfd57a94cfc2d05850744b1dc52d1b73e7e16fbe46ad9
Opcode Fuzzy Hash: d3b49e3b6d181517a3da1907242464a939924a858255ce8e78684824e853d31c
Instruction Fuzzy Hash: D021AC71C2860E8FEF11EF69D986AE977B0FF14310F44007AE81C87292DB786564CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED39EF5, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4367d366b9b7c9a867a9dc6103876dcd04aa4571ef3b7ee1ea4298bd532acac
Instruction ID: 50318b19fa1aea7f3acca9dee67373798a6c99fb0b1936e6d284efbd3823a41f
Opcode Fuzzy Hash: f4367d366b9b7c9a867a9dc6103876dcd04aa4571ef3b7ee1ea4298bd532acac
Instruction Fuzzy Hash: 8421E071C2860A8FEF12EF65D986AED73B4FF05300F44047AE81D87192DB786664CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED36F08, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75c5253da949db3988063f406e27f44c727d46fbcb3f676d60a5987211fa18b
Instruction ID: a38f5c4d002f630d94d5b16487e392a964abf49d8d7cc425a7b0c7dd8aa77aaf
Opcode Fuzzy Hash: f75c5253da949db3988063f406e27f44c727d46fbcb3f676d60a5987211fa18b
Instruction Fuzzy Hash: 20219A7091864D8FDB48EF58D482AFEB7E0FF08710F05027AE819D3281DA74E9548BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED318F8, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd86b19a80357144c968f12fd37423d47771e00a14debfb94c0f3f0f5d12a9e
Instruction ID: a18b83bc2b2104c99558fa6ac938d8f0cae17f821ea97172f3135c94d62145cc
Opcode Fuzzy Hash: 8dd86b19a80357144c968f12fd37423d47771e00a14debfb94c0f3f0f5d12a9e
Instruction Fuzzy Hash: E921673091864D8FCB48EF59D882AFEB7F0EB08740F01017AE81AE3281CA74F9508BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED39F05, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f866ab95ae3f8d273d14ea17c3c343de3570de31b4cb22ef2cc9bfdd92c1cba
Instruction ID: 030497e2721bb82e8db309c489489ff05399714b6cd0add883bed4bedaadc5c6
Opcode Fuzzy Hash: 5f866ab95ae3f8d273d14ea17c3c343de3570de31b4cb22ef2cc9bfdd92c1cba
Instruction Fuzzy Hash: DA21DE71C2850E8EEF21EF69D5CAAE873B0FF15310F4400B6E41C87182EA786164CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED32C42, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c89ff0bf92c6b4f1cca6bbb6a13203c053dd58a1d6df4fb9bb8886abb861ed1c
Instruction ID: d1157254b3a74bd2a147e4e0006a0d402194a3696071724094363104aceb1317
Opcode Fuzzy Hash: c89ff0bf92c6b4f1cca6bbb6a13203c053dd58a1d6df4fb9bb8886abb861ed1c
Instruction Fuzzy Hash: 2F11C975A04A1D8FDF94EF9CC884BACB7F2FB69311F100169D04DE3255CA75A881CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED39F7D, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece10741b1eda566c59e8c0da5447a2b90e249dce7498c17ad33b89cb5ca615f
Instruction ID: 290b586a2326d95f16aa025572e72c09843c5883fc2c7fefdc8c513c23c781a4
Opcode Fuzzy Hash: ece10741b1eda566c59e8c0da5447a2b90e249dce7498c17ad33b89cb5ca615f
Instruction Fuzzy Hash: 0711C472D286198EDF02FF78D586AE877B0FF14320F440076E80D87152EA7421A8CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED32B73, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa378aa7792f993264e37ba00eb1f58f4b445bafbfe023f04ec1d33bdf24b71
Instruction ID: e737cd85786ad59bcea777ebbe5dc9d6863cc6a023ccdba3ef040a771f07bdfe
Opcode Fuzzy Hash: 1aa378aa7792f993264e37ba00eb1f58f4b445bafbfe023f04ec1d33bdf24b71
Instruction Fuzzy Hash: 2D11DA70D08A1D8FDB98EB68C895BACB7B1FF59311F1181B9D00DE7255DA74A845CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED37750, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2500ec8e15d87fbe099419eb0c37078c29f5f5edc06fcdbe985a978f307d8718
Instruction ID: a78cda5ef017450f060570724e2d6406bb7d7234b32ec1cbeb68fefbfe3d3336
Opcode Fuzzy Hash: 2500ec8e15d87fbe099419eb0c37078c29f5f5edc06fcdbe985a978f307d8718
Instruction Fuzzy Hash: 98118E7080D78A8FDB42DF24C8956E53FF0EF5B210F0601AAE848C7292D668A955C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED337B2, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35129ac599fef6dc75e0400c49a41b92aeef51ea93c79da84be35677c0547f10
Instruction ID: b81b2e75eee7ae2c0f84c349277852db0a443466df6a18c19dbb77511dc50f15
Opcode Fuzzy Hash: 35129ac599fef6dc75e0400c49a41b92aeef51ea93c79da84be35677c0547f10
Instruction Fuzzy Hash: A7113DB5E0850A8FDF44DF99D880AEEB7B1FB99310F148236D419E3244DB34A9568B91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED30465, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05c8a138af5af401f6566d31e4678cf80af5e0363041041be8a94cb22bb77f3
Instruction ID: f66c4e45b91cb347363ab7237333dc3f4014d629e7055b167897e2f7ba012232
Opcode Fuzzy Hash: a05c8a138af5af401f6566d31e4678cf80af5e0363041041be8a94cb22bb77f3
Instruction Fuzzy Hash: D7113D71D0D68E8ED795EF6488952F97AB0EF17200F4548BAE05CD7192DA785A048742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED39F1D, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbb25d95a10917e34b19365cef29a5219806e91313fd23e44a8676729b0faf4a
Instruction ID: 9035e566e3380391a3c8069ba6092d0f219d4bbb58a7780b5486f9a16ab727e2
Opcode Fuzzy Hash: fbb25d95a10917e34b19365cef29a5219806e91313fd23e44a8676729b0faf4a
Instruction Fuzzy Hash: CC11C271C286198FEF12EF79D98AAE877B4FF55310F44017AD81D8B192DB7421A4CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED30869, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b38913152c7811a39a7e0ec3e5ce4b5597e6445e28520b1f9be17bcfb29b98
Instruction ID: 49b113810733b67c414ca78a321be92c648ace5e0829ad80cb3429b2567f75b2
Opcode Fuzzy Hash: 86b38913152c7811a39a7e0ec3e5ce4b5597e6445e28520b1f9be17bcfb29b98
Instruction Fuzzy Hash: 35118E31D0C74C8FDB85EB6488943ED7BB1FF5A310F4500BAD008E7292DAB998148781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED307E9, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdeef4ac9bd48ddc219edfc609c0100c3097702435b66aa8d508c4916e7d1525
Instruction ID: 3269fe5381729a12ec39de4cfbe9172e850e3aaee0ee1442e3aede5a8f1198a7
Opcode Fuzzy Hash: bdeef4ac9bd48ddc219edfc609c0100c3097702435b66aa8d508c4916e7d1525
Instruction Fuzzy Hash: 5901617094D68A4FE709AF3498912E97751EF89300F468435E41D87183CDB9A915C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED38C88, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f0820c4a90119a37d812a3397d8e24c0f5189677b0698491cd2b9275719da0
Instruction ID: 106beb485fd9d4149de3e234a77d78f234fcbfc8f8934837aed1667ec4ae7ea2
Opcode Fuzzy Hash: 41f0820c4a90119a37d812a3397d8e24c0f5189677b0698491cd2b9275719da0
Instruction Fuzzy Hash: 4411A0B5D0990A4FEB98EFACD9C56ADA7A1FF55321F108139D10CE3282DEB4A8414B51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED30427, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2523830975e874df5a9f0a56b0baf66b2093feef1d6487174eb19dce228b064
Instruction ID: 686d98d67bf1db4b883d19628f007497a9391940f90eb0c67def9062534bc7bc
Opcode Fuzzy Hash: c2523830975e874df5a9f0a56b0baf66b2093feef1d6487174eb19dce228b064
Instruction Fuzzy Hash: CB012970D0961E8EDB84EF6488992FD77B0EF16301F41487AE05DD3292DA789A408B45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED379DC, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8121d8ffa3509619cd85917ce6e3cd796eb6e59ac6297fe1f78b17797a59fc87
Instruction ID: 450b1bd6023280f3dc7dd07e26a67bcaa2d15f496b58171942d848eadf587397
Opcode Fuzzy Hash: 8121d8ffa3509619cd85917ce6e3cd796eb6e59ac6297fe1f78b17797a59fc87
Instruction Fuzzy Hash: CE11A470D14A1D8FDB94EF28C895BADB7B1FF59302F5081AA900DE3291CB706981CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED37DE5, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23891dc39e50e93c389353f2a4c0160a71a4ac3d7e1b671ee0d34788f929a32b
Instruction ID: 46246ec7f4b33397f44f59f093c5f9f2dce43760ddf0601a0086f8745130bc15
Opcode Fuzzy Hash: 23891dc39e50e93c389353f2a4c0160a71a4ac3d7e1b671ee0d34788f929a32b
Instruction Fuzzy Hash: 7E11FA75D0851ECFDB44DF58D894AEDB7B2FF58351B11426AD40AE7254DB74A802CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED378A5, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62fcd882242e3c3b70af2011f2510889cec7f334170738e254d306447424a53
Instruction ID: 04273866c99fb55efca56c9c1ec5d6cca050ffccc514159a8d29fb0452195879
Opcode Fuzzy Hash: a62fcd882242e3c3b70af2011f2510889cec7f334170738e254d306447424a53
Instruction Fuzzy Hash: BB014C70E1950A8FDB48DF98C490AEEB7F2FF4C310F14806AE409E7391DA34A940CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED3BC6E, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71960188b6868385ef91bf93a55592b939423ca44dfcc9a0021e079c42facb09
Instruction ID: 151283bc4614e211458cb9ba173ee32f0e34ce163e9a649ced81a96e1144f625
Opcode Fuzzy Hash: 71960188b6868385ef91bf93a55592b939423ca44dfcc9a0021e079c42facb09
Instruction Fuzzy Hash: 24112370D0821A8EEB54EFA5D8D46FC73B0FF19311F11457AD00AEB291DBB8A944CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED31CA0, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376b7a397431e18b9bff59eda22c02545f81099e22581e926d49219d25d8126f
Instruction ID: 2a170d5fc48ae82db7b1c4c71c25f003bb4be080dc6bc3d400c6381d667e782c
Opcode Fuzzy Hash: 376b7a397431e18b9bff59eda22c02545f81099e22581e926d49219d25d8126f
Instruction Fuzzy Hash: 72F0D67294D3858FD346AB7588966E57FF0EF03220F0900BAE44CC7192F9A5594D8792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED3106D, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4066ba2db6b9a20d60717645720aa3febe20f076c90f6aaaba5fc228350ac7
Instruction ID: 2b2ec08f42243ecb317b128022af55d0019200fa3a65cdb8d5320b0d383e478d
Opcode Fuzzy Hash: 0c4066ba2db6b9a20d60717645720aa3febe20f076c90f6aaaba5fc228350ac7
Instruction Fuzzy Hash: 80F06D3090850A8FEB98EF18C8D1BE973A1FB58300F104679D45DC3282EA34A5568785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED38970, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123c9595608813463c1ffce13ff5c9f5896e7030e1ee8b04388e723bf27c6ef1
Instruction ID: 9ae38683e44aa84b65253f677374573c5f0a69b7a0369a10610f4ee6df3d423a
Opcode Fuzzy Hash: 123c9595608813463c1ffce13ff5c9f5896e7030e1ee8b04388e723bf27c6ef1
Instruction Fuzzy Hash: A3F06D75D0854A4EEB48EBA9D5C13ADBB63BF91321F11C1B5C10C66199CAB868018B63

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED348F3, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78518a62b423137adc09bc705dee6dc389924ab2a73981715848bbab3209054d
Instruction ID: 474a9bc18279f5d9230574a456313f4763ba8d3c563ce9389d93d8c46a48da8b
Opcode Fuzzy Hash: 78518a62b423137adc09bc705dee6dc389924ab2a73981715848bbab3209054d
Instruction Fuzzy Hash: D6013534D0831D8FCBA8DF19D8803ADB7B1BF06300F4181A9C04E5B245CB785A81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED34ADB, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc50877e111befc29f3350df16a5d121c78a58b962c84be6def54a7ec1b5e8b
Instruction ID: 73d98086bd0544c5ee278d28c64744d1c88d702dfef16fe74c6baf4dbdc81ae5
Opcode Fuzzy Hash: ddc50877e111befc29f3350df16a5d121c78a58b962c84be6def54a7ec1b5e8b
Instruction Fuzzy Hash: AE016734D082498ECB59DF59D9846ACBB71FB66340F4082AAC1195B159DB345444CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED386F2, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e840e48e781b852c0aee5eb40392c31de53221cca137f9dfb9188c6deecdab
Instruction ID: c22112ab773b5a6f08fa300c0102127c56c0c851420598be96cdcf8c99945f18
Opcode Fuzzy Hash: 18e840e48e781b852c0aee5eb40392c31de53221cca137f9dfb9188c6deecdab
Instruction Fuzzy Hash: EB011D70E0465DCFDB59DF94D8947ADB7B5FB59310F5082AAC00AEB284DB349996CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED3C719, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d17ffd6d1741e19cf52a1fa70735e823431450bb27355d89ecbe950cdb8ccb9
Instruction ID: e80825873764b238aba01083280318b2cb466b3d929165afbf87c3456f56477f
Opcode Fuzzy Hash: 2d17ffd6d1741e19cf52a1fa70735e823431450bb27355d89ecbe950cdb8ccb9
Instruction Fuzzy Hash: 52F06D7181D6898FEB56EF2488996E83FB0AF16200F0A44FBD80CC7192DA789548C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED3386A, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca911096b3d3724a8f6f4ba834d125c1761270ae17d5158ad68d87287104b2e
Instruction ID: 1b25c9d8d2ed855fd274a8f0ee47a022fa2986e12ae4d4f3c1817353c28b028b
Opcode Fuzzy Hash: 2ca911096b3d3724a8f6f4ba834d125c1761270ae17d5158ad68d87287104b2e
Instruction Fuzzy Hash: 45F0677081928DCBDB48EF28C8852E93BA0FF49704F410569E80D87241DB75AA20CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED38916, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e49912c5d5855e52d78e9f07792b0441b6b186dd709a24b9399476929a3582
Instruction ID: eb14b05a5116ae8ee9e49d7d7016200ee16ffb384c993561a255007276ce6ad5
Opcode Fuzzy Hash: 43e49912c5d5855e52d78e9f07792b0441b6b186dd709a24b9399476929a3582
Instruction Fuzzy Hash: 43F09074D0854A4EE754DB99A5C43ACBB62BF92311F21C1B5C00C67199DAB864104B23

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED378E3, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc50c5502774a3ffa92ae4e4ebf43c22f2d459c5f0207a0d3719ae2032216de
Instruction ID: d5ceacd7473b5bddfebfdde87c3020328846e8191a55405a23b64af6e4d94b94
Opcode Fuzzy Hash: 7dc50c5502774a3ffa92ae4e4ebf43c22f2d459c5f0207a0d3719ae2032216de
Instruction Fuzzy Hash: E4F01D70E0520ACBEB08DF94D4915FEBBB2FB89320F14953ED416E7280DA386950CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED35650, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804506bee4502f076b37b2b4890fd41ab14ca6bade4c703a90c3043f0ed76115
Instruction ID: 8660609dc49e6457769bbe0c0f6af812fb8be00e2e2f19fa07dc27443ea3c7a8
Opcode Fuzzy Hash: 804506bee4502f076b37b2b4890fd41ab14ca6bade4c703a90c3043f0ed76115
Instruction Fuzzy Hash: 76E01A74A08A4D8F8B05EF1CD88ACAAB3E0FB58710B454A66E469C7225CF30F951CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED34B43, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d00bf7e4b7418ae6473719b942f465e2c1ae545dd5f7c6d88538f70b58a767
Instruction ID: 79335a365cf2c5f925b98adb48e6e6d96bc49ea48d42c998480920234a6a1ac0
Opcode Fuzzy Hash: 15d00bf7e4b7418ae6473719b942f465e2c1ae545dd5f7c6d88538f70b58a767
Instruction Fuzzy Hash: 7BF05E3490854A8FCB49FF59C5D49A9B762FF65350B009765C0199B15AC674A881CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED39E88, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f78900e271d3ca47f38f07b054cd146941ecad005ffcef90b29a9c4095cd95e
Instruction ID: b932790b7f0d5e222c8b61975725cd041a1068180332ae1a274aac8e7fb0209d
Opcode Fuzzy Hash: 2f78900e271d3ca47f38f07b054cd146941ecad005ffcef90b29a9c4095cd95e
Instruction Fuzzy Hash: 83E0397082854E9BEB54EF6588C87ED77A4EF05304F114476E80CD3191DBB4A2948A92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED39F75, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13cd20b0108026f2fc1402b1ef96dc79d9dd7be6bfd40f38c897ae0e6fd6f5a0
Instruction ID: 046178904019f705d8b35cf599117708fc98e76983c935926218045140edfd32
Opcode Fuzzy Hash: 13cd20b0108026f2fc1402b1ef96dc79d9dd7be6bfd40f38c897ae0e6fd6f5a0
Instruction Fuzzy Hash: 14E09A3084E24E8AEB25AF2A89897F932A5FB56304F000436E00D832D1DABCA260C642

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED38781, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e5f54e84b618e721973477873d5b76940dfad1c57f7eb5a2643b1f6f06a718
Instruction ID: 2c5960331cb00610fca14426f20a5ff1d4debf3bdd114275b7994819fe8e7a61
Opcode Fuzzy Hash: 19e5f54e84b618e721973477873d5b76940dfad1c57f7eb5a2643b1f6f06a718
Instruction Fuzzy Hash: FAF01270D285598FDB99EF65C991BADB7B1BF48300F5045A9D00E67196CE386944CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED34889, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242453946eb6c131ada85ee1f8d40745c3a4aa026643c73510f530e79ddffa5e
Instruction ID: 87156a9a1cc5cc9c3cbf24eb7a9a7ba41081faf8fbcfbd01472c25a4b31a28fa
Opcode Fuzzy Hash: 242453946eb6c131ada85ee1f8d40745c3a4aa026643c73510f530e79ddffa5e
Instruction Fuzzy Hash: 75E0127090520C9FC754EB55C9966A9BBB1FF05308B404199D08957256CA745891CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED3248B, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 370efeed03482a8e8166d55e50020db66a24ef758e147e1f26dd4f0a2d42a688
Instruction ID: a3c3603e1c4c1711b5d94af4c77a3e69c4a8e0b963d55e836b999633e0fed7f1
Opcode Fuzzy Hash: 370efeed03482a8e8166d55e50020db66a24ef758e147e1f26dd4f0a2d42a688
Instruction Fuzzy Hash: FAE01230D1852F8ED794EF69C9D17ECBAB0BF45240F4081B5D01DE3192DA3459419F51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED38E25, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56bfca6897206a1a0f98886cdb79bcf567a9dc987422c56d6292693488041185
Instruction ID: e0517b8c0cdecfb4f052f8bdde57bbbc3e2a219e9809077c911bb4ada8d35832
Opcode Fuzzy Hash: 56bfca6897206a1a0f98886cdb79bcf567a9dc987422c56d6292693488041185
Instruction Fuzzy Hash: 53D052B1E0822D9ECB50EF68C881B9EFAF0BB1A300F1000AAA00DE3240DB346600CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEED35051, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.226805270.00007FFAEED30000.00000040.00000001.sdmp, Offset: 00007FFAEED30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6220dae05658328f224f38f015ec4912692483254f98bf3ae6ca7f8e7d106027
Instruction ID: fc44eb42cc6403c96c48173e103ceead0b9e7e31884ea66d28bb242eef23bc53
Opcode Fuzzy Hash: 6220dae05658328f224f38f015ec4912692483254f98bf3ae6ca7f8e7d106027
Instruction Fuzzy Hash: 14D0C934906609CFCB8CEFA5C0E25EC7365BF46301B61556ED00AA7695CBB9AC41CB15

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report DHL_document1102202068090891.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior