Edit tour

Windows Analysis Report
DHL_119040 receipt document,pdf.exe

Overview

General Information

Sample Name:	DHL_119040 receipt document,pdf.exe
Analysis ID:	672294
MD5:	5a975876a6183035d674a69990752a0a
SHA1:	466d5c51e510dce79adfe9667ac34b057c6a77a3
SHA256:	97ed8b1eda57edbbc3c2d12faeeec7f3091392ee8c42dd516ac789f18ffacc42
Tags:	AgentTeslaDHLexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Snort IDS alert for network traffic

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

.NET source code references suspicious native API functions

Machine Learning detection for sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Executable has a suspicious name (potential lure to open the executable)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Uses SMTP (mail sending)

Creates a window with clipboard capturing capabilities

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

DHL_119040 receipt document,pdf.exe (PID: 7080 cmdline: "C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe" MD5: 5A975876A6183035D674A69990752A0A)

cvtres.exe (PID: 7116 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe MD5: C09985AE74F0882F208D75DE27770DFA)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "facturare@rematinvest.ro", "Password": "RyN!2020-", "Host": "mail.rematinvest.ro"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000000.450414167.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.450414167.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000000.449260040.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.449260040.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000000.450990827.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.450990827.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.709452659.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.709452659.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.712487104.0000000006B6A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.712112003.0000000006B13000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.712112003.0000000006B13000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.449737218.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.449737218.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.457646522.0000000004C9A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.457646522.0000000004C9A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Process Memory Space: DHL_119040 receipt document,pdf.exe PID: 7080	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: cvtres.exe PID: 7116	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: cvtres.exe PID: 7116	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.cvtres.exe.400000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.3.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3279d:$s10: logins 0x32204:$s11: credential 0x2e7da:$g1: get_Clipboard 0x2e7e8:$g2: get_Keyboard 0x2e7f5:$g3: get_Password 0x2fad6:$g4: get_CtrlKeyDown 0x2fae6:$g5: get_ShiftKeyDown 0x2faf7:$g6: get_AltKeyDown
0.2.DHL_119040 receipt document,pdf.exe.51862c0.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DHL_119040 receipt document,pdf.exe.51862c0.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.DHL_119040 receipt document,pdf.exe.51862c0.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3099d:$s10: logins 0x30404:$s11: credential 0x2c9da:$g1: get_Clipboard 0x2c9e8:$g2: get_Keyboard 0x2c9f5:$g3: get_Password 0x2dcd6:$g4: get_CtrlKeyDown 0x2dce6:$g5: get_ShiftKeyDown 0x2dcf7:$g6: get_AltKeyDown
1.2.cvtres.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.cvtres.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.cvtres.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3279d:$s10: logins 0x32204:$s11: credential 0x2e7da:$g1: get_Clipboard 0x2e7e8:$g2: get_Keyboard 0x2e7f5:$g3: get_Password 0x2fad6:$g4: get_CtrlKeyDown 0x2fae6:$g5: get_ShiftKeyDown 0x2faf7:$g6: get_AltKeyDown
1.0.cvtres.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3279d:$s10: logins 0x32204:$s11: credential 0x2e7da:$g1: get_Clipboard 0x2e7e8:$g2: get_Keyboard 0x2e7f5:$g3: get_Password 0x2fad6:$g4: get_CtrlKeyDown 0x2fae6:$g5: get_ShiftKeyDown 0x2faf7:$g6: get_AltKeyDown
1.0.cvtres.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3279d:$s10: logins 0x32204:$s11: credential 0x2e7da:$g1: get_Clipboard 0x2e7e8:$g2: get_Keyboard 0x2e7f5:$g3: get_Password 0x2fad6:$g4: get_CtrlKeyDown 0x2fae6:$g5: get_ShiftKeyDown 0x2faf7:$g6: get_AltKeyDown
1.0.cvtres.exe.400000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.2.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3279d:$s10: logins 0x32204:$s11: credential 0x2e7da:$g1: get_Clipboard 0x2e7e8:$g2: get_Keyboard 0x2e7f5:$g3: get_Password 0x2fad6:$g4: get_CtrlKeyDown 0x2fae6:$g5: get_ShiftKeyDown 0x2faf7:$g6: get_AltKeyDown
1.0.cvtres.exe.400000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.4.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3279d:$s10: logins 0x32204:$s11: credential 0x2e7da:$g1: get_Clipboard 0x2e7e8:$g2: get_Keyboard 0x2e7f5:$g3: get_Password 0x2fad6:$g4: get_CtrlKeyDown 0x2fae6:$g5: get_ShiftKeyDown 0x2faf7:$g6: get_AltKeyDown
0.2.DHL_119040 receipt document,pdf.exe.51862c0.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DHL_119040 receipt document,pdf.exe.51862c0.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.DHL_119040 receipt document,pdf.exe.51862c0.1.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3279d:$s10: logins 0x669bd:$s10: logins 0x32204:$s11: credential 0x66424:$s11: credential 0x2e7da:$g1: get_Clipboard 0x629fa:$g1: get_Clipboard 0x2e7e8:$g2: get_Keyboard 0x62a08:$g2: get_Keyboard 0x2e7f5:$g3: get_Password 0x62a15:$g3: get_Password 0x2fad6:$g4: get_CtrlKeyDown 0x63cf6:$g4: get_CtrlKeyDown 0x2fae6:$g5: get_ShiftKeyDown 0x63d06:$g5: get_ShiftKeyDown 0x2faf7:$g6: get_AltKeyDown 0x63d17:$g6: get_AltKeyDown
Click to see the 19 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.5 - Destination IP: 109.99.162.14

Timestamp:	192.168.2.5109.99.162.14497675872840032 07/23/22-18:24:15.530948
SID:	2840032
Source Port:	49767
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.5 - Destination IP: 109.99.162.14

Timestamp:	192.168.2.5109.99.162.14497675872851779 07/23/22-18:24:15.530948
SID:	2851779
Source Port:	49767
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.5 - Destination IP: 109.99.162.14

Timestamp:	192.168.2.5109.99.162.14497675872030171 07/23/22-18:24:15.530849
SID:	2030171
Source Port:	49767
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: DHL_119040 receipt document,pdf.exe	Virustotal: Detection: 31%			Perma Link
Source: DHL_119040 receipt document,pdf.exe	ReversingLabs: Detection: 65%

Machine Learning detection for sample

Source: DHL_119040 receipt document,pdf.exe

Joe Sandbox ML: detected

Source: 1.0.cvtres.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.0.cvtres.exe.400000.3.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.2.cvtres.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.0.cvtres.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.0.cvtres.exe.400000.2.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.0.cvtres.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen8

Source: 1.0.cvtres.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "facturare@rematinvest.ro", "Password": "RyN!2020-", "Host": "mail.rematinvest.ro"}

Source: DHL_119040 receipt document,pdf.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: DHL_119040 receipt document,pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: NBCBNCXHJKDJHD23442.pdb source: DHL_119040 receipt document,pdf.exe

Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_01766780
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_0176C964
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_0176D42D
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_0176D7FC
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_017667A4
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_0176678C
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_0176CA0A

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49767 -> 109.99.162.14:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49767 -> 109.99.162.14:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49767 -> 109.99.162.14:587

Source: Joe Sandbox View

ASN Name: RTDBucharestRomaniaRO RTDBucharestRomaniaRO

Source: global traffic

TCP traffic: 192.168.2.5:49767 -> 109.99.162.14:587

Source: global traffic

TCP traffic: 192.168.2.5:49767 -> 109.99.162.14:587

Source: cvtres.exe, 00000001.00000002.712112003.0000000006B13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: cvtres.exe, 00000001.00000002.712112003.0000000006B13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: cvtres.exe, 00000001.00000002.712112003.0000000006B13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cDJlhu.com
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: cvtres.exe, 00000001.00000002.713759717.0000000006BF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.rematinvest.ro
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: cvtres.exe, 00000001.00000002.713759717.0000000006BF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://rematinvest.ro
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: cvtres.exe, 00000001.00000002.712112003.0000000006B13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%
Source: cvtres.exe, 00000001.00000002.712112003.0000000006B13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: DHL_119040 receipt document,pdf.exe	String found in binary or memory: https://www.globalsign.com/repository/0
Source: cvtres.exe, 00000001.00000002.712112003.0000000006B13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: mail.rematinvest.ro

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DHL_119040 receipt document,pdf.exe.51862c0.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DHL_119040 receipt document,pdf.exe.51862c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: DHL_119040 receipt document,pdf.exe
Source: initial sample	Static PE information: Filename: DHL_119040 receipt document,pdf.exe

.NET source code contains very large array initializations

Source: 1.0.cvtres.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b277910BDu002dFED8u002d4704u002dB713u002d4917BF11BC4Cu007d/u003015E90E4u002d6658u002d4665u002d9F31u002d0FF2B031367D.cs	Large array initialization: .cctor: array initializer size 11646
Source: 1.0.cvtres.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007b277910BDu002dFED8u002d4704u002dB713u002d4917BF11BC4Cu007d/u003015E90E4u002d6658u002d4665u002d9F31u002d0FF2B031367D.cs	Large array initialization: .cctor: array initializer size 11646
Source: 1.2.cvtres.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b277910BDu002dFED8u002d4704u002dB713u002d4917BF11BC4Cu007d/u003015E90E4u002d6658u002d4665u002d9F31u002d0FF2B031367D.cs	Large array initialization: .cctor: array initializer size 11646
Source: 1.0.cvtres.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b277910BDu002dFED8u002d4704u002dB713u002d4917BF11BC4Cu007d/u003015E90E4u002d6658u002d4665u002d9F31u002d0FF2B031367D.cs	Large array initialization: .cctor: array initializer size 11646
Source: 1.0.cvtres.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007b277910BDu002dFED8u002d4704u002dB713u002d4917BF11BC4Cu007d/u003015E90E4u002d6658u002d4665u002d9F31u002d0FF2B031367D.cs	Large array initialization: .cctor: array initializer size 11646
Source: 1.0.cvtres.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b277910BDu002dFED8u002d4704u002dB713u002d4917BF11BC4Cu007d/u003015E90E4u002d6658u002d4665u002d9F31u002d0FF2B031367D.cs	Large array initialization: .cctor: array initializer size 11646

Executable has a suspicious name (potential lure to open the executable)

Source: DHL_119040 receipt document,pdf.exe

Static file information: Suspicious name

Source: DHL_119040 receipt document,pdf.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DHL_119040 receipt document,pdf.exe.51862c0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DHL_119040 receipt document,pdf.exe.51862c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload

Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01768998	0_2_01768998
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01762580	0_2_01762580
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01769CE0	0_2_01769CE0
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01766B48	0_2_01766B48
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01761B48	0_2_01761B48
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_0176BF18	0_2_0176BF18
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_0176DB18	0_2_0176DB18
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_017612B0	0_2_017612B0
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01762570	0_2_01762570
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01767550	0_2_01767550
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_0176A148	0_2_0176A148
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_0176C521	0_2_0176C521
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_0176A12C	0_2_0176A12C
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_0176A11E	0_2_0176A11E
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_0176350D	0_2_0176350D
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01768989	0_2_01768989
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01763440	0_2_01763440
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01767840	0_2_01767840
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01760448	0_2_01760448
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01767829	0_2_01767829
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01768818	0_2_01768818
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_0176040F	0_2_0176040F
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_0176A0E8	0_2_0176A0E8
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01769CD0	0_2_01769CD0
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01763350	0_2_01763350
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01761B38	0_2_01761B38
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01766B39	0_2_01766B39
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_0176BF08	0_2_0176BF08
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_0176DB08	0_2_0176DB08
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01766FE8	0_2_01766FE8
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01766FD8	0_2_01766FD8
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01761224	0_2_01761224
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01765620	0_2_01765620
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01765610	0_2_01765610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_04DEF080	1_2_04DEF080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_04DEF3C8	1_2_04DEF3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_04DE6120	1_2_04DE6120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_09570040	1_2_09570040

Source: DHL_119040 receipt document,pdf.exe, 00000000.00000002.455149585.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHVABjdWatjolCFUDdeTjpFHzNrt.exe4 vs DHL_119040 receipt document,pdf.exe
Source: DHL_119040 receipt document,pdf.exe, 00000000.00000002.452824150.0000000000F3D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNBCBNCXHJKDJHD23442.exeH vs DHL_119040 receipt document,pdf.exe
Source: DHL_119040 receipt document,pdf.exe, 00000000.00000002.457646522.0000000004C9A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHVABjdWatjolCFUDdeTjpFHzNrt.exe4 vs DHL_119040 receipt document,pdf.exe
Source: DHL_119040 receipt document,pdf.exe	Binary or memory string: OriginalFilenameNBCBNCXHJKDJHD23442.exeH vs DHL_119040 receipt document,pdf.exe

Source: DHL_119040 receipt document,pdf.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: DHL_119040 receipt document,pdf.exe

Static PE information: invalid certificate

Source: DHL_119040 receipt document,pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DHL_119040 receipt document,pdf.exe	Virustotal: Detection: 31%
Source: DHL_119040 receipt document,pdf.exe	ReversingLabs: Detection: 65%

Source: DHL_119040 receipt document,pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe "C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe"
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_119040 receipt document,pdf.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1

Source: DHL_119040 receipt document,pdf.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe

Code function: 0_2_01761224 FindResourceA,

0_2_01761224

Source: 1.0.cvtres.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.cvtres.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.cvtres.exe.400000.3.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.cvtres.exe.400000.3.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.cvtres.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.cvtres.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: DHL_119040 receipt document,pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DHL_119040 receipt document,pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: DHL_119040 receipt document,pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: NBCBNCXHJKDJHD23442.pdb source: DHL_119040 receipt document,pdf.exe

Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_00EF6765 push cs; ret	0_2_00EF6766
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_01767DC0 push esp; iretd	0_2_01767DC2
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Code function: 0_2_0176A891 push cs; ret	0_2_0176A892
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0957A002 push 8B000005h; retf	1_2_0957A007

Source: DHL_119040 receipt document,pdf.exe

Static PE information: real checksum: 0x59dd1 should be: 0x5d373

Source: initial sample

Static PE information: section name: .text entropy: 7.674710257857661

Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe TID: 7100	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4384	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 3548	Thread sleep count: 9516 > 30	Jump to behavior

Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Window / User API: threadDelayed 9516

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: DHL_119040 receipt document,pdf.exe, 00000000.00000002.455840866.0000000004AC5000.00000004.00000800.00020000.00000000.sdmp, DHL_119040 receipt document,pdf.exe, 00000000.00000002.457646522.0000000004C9A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %GiEQgaEQeMUQ
Source: DHL_119040 receipt document,pdf.exe, 00000000.00000002.457646522.0000000004C9A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %kWjFEAAAGiEQgaEQeMUQAAAaIRC
Source: DHL_119040 receipt document,pdf.exe, 00000000.00000002.457646522.0000000004C9A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %/gEsBhYqHwoTCwARCx3+ASwHCBYzGh4TCwARCxv+ASwGFhMEHBMLABELHwr+ASwgEQQNAgd0DAAAGxEECBZvuQEAChMGEQYWM1cWKh8LEwsAEQse/gEsFQIgAAAAgCj0AgAGKOoAAAYmHwkTCwARCxj+ASwGAxRRGRMLABELF/4BLAMYEwsAEQsW/gEsAxcTCwARCx8L/gEsAisFOCX///8RBBEG1hMECBEG2gwHdAwAABsWCRnaKLoBAAoRBBIAKM8AAAY5SP///wMoowAACgd0DAAAGxYGb9YAAApREQQGOxQBAAARBAbaEwcEEQcX2hfWjS8AAAFRFNCCAAABKBQAAAooVQIABhuNBwAAARMIEQgWBygRAAAKohEIFwaMUQAAAaIRCBgEUKIRCBkWjFEAAAGiEQgaEQeMUQAAAaIRCBM
Source: cvtres.exe, 00000001.00000002.715207118.000000000A020000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe

Code function: 0_2_0176D630 CheckRemoteDebuggerPresent,

0_2_0176D630

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 436000	Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 438000	Jump to behavior
Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 8C5008	Jump to behavior

.NET source code references suspicious native API functions

Source: DHL_119040 receipt document,pdf.exe, u206a????????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'GetProcAddress@kernel32'), ('?????????????????????????????????????????', 'LoadLibraryA@kernel32')
Source: DHL_119040 receipt document,pdf.exe, u200f????????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'OpenProcess@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 0.0.DHL_119040 receipt document,pdf.exe.ef0000.0.unpack, u206a????????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'GetProcAddress@kernel32'), ('?????????????????????????????????????????', 'LoadLibraryA@kernel32')
Source: 0.0.DHL_119040 receipt document,pdf.exe.ef0000.0.unpack, u200f????????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'OpenProcess@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 0.2.DHL_119040 receipt document,pdf.exe.ef0000.0.unpack, u206a????????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'GetProcAddress@kernel32'), ('?????????????????????????????????????????', 'LoadLibraryA@kernel32')
Source: 0.2.DHL_119040 receipt document,pdf.exe.ef0000.0.unpack, u200f????????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'OpenProcess@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 1.0.cvtres.exe.400000.0.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 1.0.cvtres.exe.400000.3.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 1.2.cvtres.exe.400000.0.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 1.0.cvtres.exe.400000.4.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 1.0.cvtres.exe.400000.2.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 1.0.cvtres.exe.400000.1.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Jump to behavior

Source: DHL_119040 receipt document,pdf.exe, 00000000.00000002.455149585.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: DHL_119040 receipt document,pdf.exe, 00000000.00000002.455149585.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Progman

Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe	Queries volume information: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL_119040 receipt document,pdf.exe.51862c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL_119040 receipt document,pdf.exe.51862c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.450414167.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.449260040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.450990827.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.709452659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.449737218.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.457646522.0000000004C9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.712487104.0000000006B6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.712112003.0000000006B13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL_119040 receipt document,pdf.exe PID: 7080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 7116, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000001.00000002.712112003.0000000006B13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 7116, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL_119040 receipt document,pdf.exe.51862c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL_119040 receipt document,pdf.exe.51862c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.450414167.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.449260040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.450990827.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.709452659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.449737218.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.457646522.0000000004C9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.712487104.0000000006B6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.712112003.0000000006B13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL_119040 receipt document,pdf.exe PID: 7080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 7116, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	Path Interception	312 Process Injection	1 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	11 Input Capture	2 Process Discovery	Remote Desktop Protocol	11 Input Capture	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	312 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	1 Data from Local System	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	1 Clipboard Data	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	114 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DHL_119040 receipt document,pdf.exe	31%	Virustotal		Browse
DHL_119040 receipt document,pdf.exe	65%	ReversingLabs	ByteCode-MSIL.Spyware.Noon
DHL_119040 receipt document,pdf.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.0.cvtres.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
1.0.cvtres.exe.400000.3.unpack	100%	Avira	TR/Spy.Gen8	Download File
1.2.cvtres.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
1.0.cvtres.exe.400000.4.unpack	100%	Avira	TR/Spy.Gen8	Download File
1.0.cvtres.exe.400000.2.unpack	100%	Avira	TR/Spy.Gen8	Download File
1.0.cvtres.exe.400000.1.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

Source	Detection	Scanner	Label	Link
rematinvest.ro	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://mail.rematinvest.ro	0%	Avira URL Cloud	safe
http://cDJlhu.com	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://rematinvest.ro	0%	Avira URL Cloud	safe
https://api.ipify.org%%startupfolder%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rematinvest.ro	109.99.162.14	true	true	0%, Virustotal, Browse	unknown
mail.rematinvest.ro	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://mail.rematinvest.ro	cvtres.exe, 00000001.00000002.713759717.0000000006BF8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cDJlhu.com	cvtres.exe, 00000001.00000002.712112003.0000000006B13000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:HTTP/1.1	cvtres.exe, 00000001.00000002.712112003.0000000006B13000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://rematinvest.ro	cvtres.exe, 00000001.00000002.713759717.0000000006BF8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org%%startupfolder%	cvtres.exe, 00000001.00000002.712112003.0000000006B13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://api.ipify.org%	cvtres.exe, 00000001.00000002.712112003.0000000006B13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	cvtres.exe, 00000001.00000002.712112003.0000000006B13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	cvtres.exe, 00000001.00000002.712112003.0000000006B13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
109.99.162.14	rematinvest.ro	Romania		9050	RTDBucharestRomaniaRO	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	672294
Start date and time: 23/07/202218:22:40	2022-07-23 18:22:40 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DHL_119040 receipt document,pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 10.5% (good quality ratio 6.6%) Quality average: 40.8% Quality standard deviation: 37.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 56 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, WMIADAP.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, licensing.mp.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:24:01	API Interceptor	1x Sleep call for process: DHL_119040 receipt document,pdf.exe modified
18:24:06	API Interceptor	772x Sleep call for process: cvtres.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
109.99.162.14	SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe	Get hash	malicious	Browse
109.99.162.14	SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RTDBucharestRomaniaRO	x86_64-20220723-1318	Get hash	malicious	Browse	109.102.109.70
	SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe	Get hash	malicious	Browse	109.99.162.14
	SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Get hash	malicious	Browse	109.99.162.14
	bMwvKA6Owe.exe	Get hash	malicious	Browse	109.102.255.230
	kfHWoySTel	Get hash	malicious	Browse	109.99.173.28
	home.mips	Get hash	malicious	Browse	80.97.224.199
	#Ud83d#Udd0a VM 9193408792.wav.html	Get hash	malicious	Browse	92.87.6.53
	jTpjSXxHjt.dll	Get hash	malicious	Browse	92.81.66.155
	oWmdf3W67o.dll	Get hash	malicious	Browse	109.103.48.81
	djA1JX3UZv.dll	Get hash	malicious	Browse	92.83.238.161
	342hs5UFG1.dll	Get hash	malicious	Browse	109.102.113.172
	196608.htm	Get hash	malicious	Browse	92.87.6.53
	fxyKXb2hV5.dll	Get hash	malicious	Browse	109.103.83.54
	v8Rhp4teOl.dll	Get hash	malicious	Browse	92.85.58.229
	7T2Y8w1zOi.dll	Get hash	malicious	Browse	92.83.239.195
	E3mbtPKpoj.dll	Get hash	malicious	Browse	92.80.107.22
	agsS7yP4eP.dll	Get hash	malicious	Browse	89.121.130.106
	Vi3ioqKqPS.dll	Get hash	malicious	Browse	86.35.226.0
	eYB6B0ahQe.dll	Get hash	malicious	Browse	92.81.231.56
	196488.htm	Get hash	malicious	Browse	92.87.6.53

Process:	C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.3467126928258955
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2LDY3U21v:Q3La/KDLI4MWuPk21v
MD5:	DD8B7A943A5D834CEEAB90A6BBBF4781
SHA1:	2BED8D47DF1C0FF76B40811E5F11298BD2D06389
SHA-256:	E1D0A304B16BE51AE361E392A678D887AB0B76630B42A12D252EDC0484F0333B
SHA-512:	24167174EA259CAF57F65B9B9B9C113DD944FC957DB444C2F66BC656EC2E6565EFE4B4354660A5BE85CE4847434B3BDD4F7E05A9E9D61F4CC99FF0284DAA1C87
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.828168762132371
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL_119040 receipt document,pdf.exe
File size:	352408
MD5:	5a975876a6183035d674a69990752a0a
SHA1:	466d5c51e510dce79adfe9667ac34b057c6a77a3
SHA256:	97ed8b1eda57edbbc3c2d12faeeec7f3091392ee8c42dd516ac789f18ffacc42
SHA512:	5713ae6663e43823b0e706b9da34ef6139d9ab62cd5144b4b62ac52a002e1408e917bbd7c7288986b480104df0b7ca6483471d43126ef7c59f4d8cf0334570fd
SSDEEP:	6144:zz0M9JNH59m2/BHG2n1n4Ft9WiJIb82kvsxK32yr42rA:PxbH59m9s4FnJIb82kvs432yr4J
TLSH:	F37439887D5032CFCC16C872CA787C64AAEC6C6657178203AC57355DAB3F58E8E375A2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\.b..............0.................. ........@.. ....................................`................................

File Icon


Icon Hash:	18d0c4ccccc4d800

Static PE Info

General

Entrypoint:	0x43a12e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62DA5CE6 [Fri Jul 22 08:16:38 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	8/25/2020 6:42:07 AM 8/26/2023 6:42:07 AM
Subject Chain	CN=win.rar GmbH, O=win.rar GmbH, L=Berlin, S=Berlin, C=DE
Version:	3
Thumbprint MD5:	185DBD4A2E2671589EEB3E7E1920EA9F
Thumbprint SHA-1:	B3DF816A17A25557316D181DDB9F46254D6D8CA0
Thumbprint SHA-256:	66DB1C86D38273627C837F4638122FA88BBFFFF31C4052115B98CAF6CE0C631E
Serial:	731D40AE3F3A1FB2BC3D8395

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3a0d4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c000	0x19a76	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x52200	0x3e98
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x56000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a088	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x38134	0x38200	False	0.8411443833518931	data	7.674710257857661	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3c000	0x19a76	0x19c00	False	0.08731227245145631	data	3.132050181683162	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x56000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x3c254	0xd68	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x3cfbc	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x4d7e4	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_ICON	0x51a0c	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0x53fb4	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0x5505c	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x554c4	0x5a	data
RT_VERSION	0x55520	0x36c	data
RT_MANIFEST	0x5588c	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.5109.99.162.14497675872840032 07/23/22-18:24:15.530948	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49767	587	192.168.2.5	109.99.162.14
192.168.2.5109.99.162.14497675872851779 07/23/22-18:24:15.530948	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49767	587	192.168.2.5	109.99.162.14
192.168.2.5109.99.162.14497675872030171 07/23/22-18:24:15.530849	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49767	587	192.168.2.5	109.99.162.14

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 23, 2022 18:24:14.473475933 CEST	49767	587	192.168.2.5	109.99.162.14
Jul 23, 2022 18:24:14.519057035 CEST	587	49767	109.99.162.14	192.168.2.5
Jul 23, 2022 18:24:14.519224882 CEST	49767	587	192.168.2.5	109.99.162.14
Jul 23, 2022 18:24:14.631393909 CEST	587	49767	109.99.162.14	192.168.2.5
Jul 23, 2022 18:24:14.631736040 CEST	49767	587	192.168.2.5	109.99.162.14
Jul 23, 2022 18:24:14.677526951 CEST	587	49767	109.99.162.14	192.168.2.5
Jul 23, 2022 18:24:14.678447962 CEST	49767	587	192.168.2.5	109.99.162.14
Jul 23, 2022 18:24:14.724617958 CEST	587	49767	109.99.162.14	192.168.2.5
Jul 23, 2022 18:24:14.729264021 CEST	49767	587	192.168.2.5	109.99.162.14
Jul 23, 2022 18:24:14.779422998 CEST	587	49767	109.99.162.14	192.168.2.5
Jul 23, 2022 18:24:14.993314981 CEST	49767	587	192.168.2.5	109.99.162.14
Jul 23, 2022 18:24:15.025602102 CEST	587	49767	109.99.162.14	192.168.2.5
Jul 23, 2022 18:24:15.025718927 CEST	49767	587	192.168.2.5	109.99.162.14
Jul 23, 2022 18:24:15.301563025 CEST	49767	587	192.168.2.5	109.99.162.14
Jul 23, 2022 18:24:15.347258091 CEST	587	49767	109.99.162.14	192.168.2.5
Jul 23, 2022 18:24:15.385287046 CEST	49767	587	192.168.2.5	109.99.162.14
Jul 23, 2022 18:24:15.470582008 CEST	587	49767	109.99.162.14	192.168.2.5
Jul 23, 2022 18:24:15.473525047 CEST	587	49767	109.99.162.14	192.168.2.5
Jul 23, 2022 18:24:15.481832027 CEST	49767	587	192.168.2.5	109.99.162.14
Jul 23, 2022 18:24:15.527338982 CEST	587	49767	109.99.162.14	192.168.2.5
Jul 23, 2022 18:24:15.527395964 CEST	587	49767	109.99.162.14	192.168.2.5
Jul 23, 2022 18:24:15.530848980 CEST	49767	587	192.168.2.5	109.99.162.14
Jul 23, 2022 18:24:15.530947924 CEST	49767	587	192.168.2.5	109.99.162.14
Jul 23, 2022 18:24:15.531663895 CEST	49767	587	192.168.2.5	109.99.162.14
Jul 23, 2022 18:24:15.531739950 CEST	49767	587	192.168.2.5	109.99.162.14
Jul 23, 2022 18:24:15.576498985 CEST	587	49767	109.99.162.14	192.168.2.5
Jul 23, 2022 18:24:15.577415943 CEST	587	49767	109.99.162.14	192.168.2.5
Jul 23, 2022 18:24:19.454579115 CEST	587	49767	109.99.162.14	192.168.2.5
Jul 23, 2022 18:24:19.603178978 CEST	49767	587	192.168.2.5	109.99.162.14
Jul 23, 2022 18:25:53.465122938 CEST	49767	587	192.168.2.5	109.99.162.14
Jul 23, 2022 18:25:53.513818026 CEST	587	49767	109.99.162.14	192.168.2.5
Jul 23, 2022 18:25:53.513911963 CEST	49767	587	192.168.2.5	109.99.162.14
Jul 23, 2022 18:25:53.516002893 CEST	49767	587	192.168.2.5	109.99.162.14
Jul 23, 2022 18:25:53.564030886 CEST	587	49767	109.99.162.14	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 23, 2022 18:24:13.498558044 CEST	54322	53	192.168.2.5	8.8.8.8
Jul 23, 2022 18:24:13.551697969 CEST	53	54322	8.8.8.8	192.168.2.5
Jul 23, 2022 18:24:14.334506035 CEST	62704	53	192.168.2.5	8.8.8.8
Jul 23, 2022 18:24:14.387947083 CEST	53	62704	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 23, 2022 18:24:13.498558044 CEST	192.168.2.5	8.8.8.8	0xefc8	Standard query (0)	mail.rematinvest.ro	A (IP address)	IN (0x0001)
Jul 23, 2022 18:24:14.334506035 CEST	192.168.2.5	8.8.8.8	0x37c6	Standard query (0)	mail.rematinvest.ro	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 23, 2022 18:24:13.551697969 CEST	8.8.8.8	192.168.2.5	0xefc8	No error (0)	mail.rematinvest.ro	rematinvest.ro		CNAME (Canonical name)	IN (0x0001)
Jul 23, 2022 18:24:13.551697969 CEST	8.8.8.8	192.168.2.5	0xefc8	No error (0)	rematinvest.ro		109.99.162.14	A (IP address)	IN (0x0001)
Jul 23, 2022 18:24:14.387947083 CEST	8.8.8.8	192.168.2.5	0x37c6	No error (0)	mail.rematinvest.ro	rematinvest.ro		CNAME (Canonical name)	IN (0x0001)
Jul 23, 2022 18:24:14.387947083 CEST	8.8.8.8	192.168.2.5	0x37c6	No error (0)	rematinvest.ro		109.99.162.14	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 23, 2022 18:24:14.631393909 CEST	587	49767	109.99.162.14	192.168.2.5	220-cpanel4.romtelecom.net ESMTP Exim 4.93 #2 Sat, 23 Jul 2022 19:24:14 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 23, 2022 18:24:14.631736040 CEST	49767	587	192.168.2.5	109.99.162.14	EHLO 610930
Jul 23, 2022 18:24:14.677526951 CEST	587	49767	109.99.162.14	192.168.2.5	250-cpanel4.romtelecom.net Hello 610930 [84.17.52.55] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 23, 2022 18:24:14.678447962 CEST	49767	587	192.168.2.5	109.99.162.14	AUTH login ZmFjdHVyYXJlQHJlbWF0aW52ZXN0LnJv
Jul 23, 2022 18:24:14.724617958 CEST	587	49767	109.99.162.14	192.168.2.5	334 UGFzc3dvcmQ6
Jul 23, 2022 18:24:14.779422998 CEST	587	49767	109.99.162.14	192.168.2.5	235 Authentication succeeded
Jul 23, 2022 18:24:15.025602102 CEST	587	49767	109.99.162.14	192.168.2.5	235 Authentication succeeded
Jul 23, 2022 18:24:15.301563025 CEST	49767	587	192.168.2.5	109.99.162.14	MAIL FROM:<facturare@rematinvest.ro>
Jul 23, 2022 18:24:15.347258091 CEST	587	49767	109.99.162.14	192.168.2.5	250 OK
Jul 23, 2022 18:24:15.385287046 CEST	49767	587	192.168.2.5	109.99.162.14	RCPT TO:<jacksonhellen567@gmail.com>
Jul 23, 2022 18:24:15.473525047 CEST	587	49767	109.99.162.14	192.168.2.5	250 Accepted
Jul 23, 2022 18:24:15.481832027 CEST	49767	587	192.168.2.5	109.99.162.14	DATA
Jul 23, 2022 18:24:15.527395964 CEST	587	49767	109.99.162.14	192.168.2.5	354 Enter message, ending with "." on a line by itself
Jul 23, 2022 18:24:15.531739950 CEST	49767	587	192.168.2.5	109.99.162.14	.
Jul 23, 2022 18:24:19.454579115 CEST	587	49767	109.99.162.14	192.168.2.5	250 OK id=1oFHvL-000Gi1-G9
Jul 23, 2022 18:25:53.465122938 CEST	49767	587	192.168.2.5	109.99.162.14	QUIT
Jul 23, 2022 18:25:53.513818026 CEST	587	49767	109.99.162.14	192.168.2.5	221 cpanel4.romtelecom.net closing connection

Target ID:	0
Start time:	18:23:59
Start date:	23/07/2022
Path:	C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL_119040 receipt document,pdf.exe"
Imagebase:	0xef0000
File size:	352408 bytes
MD5 hash:	5A975876A6183035D674A69990752A0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.457646522.0000000004C9A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.457646522.0000000004C9A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	18:24:01
Start date:	23/07/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Imagebase:	0xa60000
File size:	43176 bytes
MD5 hash:	C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.450414167.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.450414167.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.449260040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.449260040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.450990827.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.450990827.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.709452659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.709452659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.712487104.0000000006B6A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.712112003.0000000006B13000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.712112003.0000000006B13000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.449737218.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.449737218.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Execution Graph

Execution Coverage:	22.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	25.9%
Total number of Nodes:	143
Total number of Limit Nodes:	6

Executed Functions

Function 01766B48 Relevance: 10.2, Strings: 8, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M62, xrefs: 01766D06
M62, xrefs: 01766D14
x$m, xrefs: 01766C6C
f9o1, xrefs: 01766D4C
f9o1, xrefs: 01766D35
f9o1, xrefs: 01766D2E
^<], xrefs: 01766C92
x$m, xrefs: 01766B84

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID: M62$M62$^<]$f9o1$f9o1$f9o1$x$m$x$m
API String ID: 0-4083327839
Opcode ID: 4bde5be6620aa8bb6fff619fb6b45666a7cef7703a442def5fec77e10661dabf
Instruction ID: 6f227800a0098fdb79e87012bf3e542815f456c992e6a6e2a3424935abb37220
Opcode Fuzzy Hash: 4bde5be6620aa8bb6fff619fb6b45666a7cef7703a442def5fec77e10661dabf
Instruction Fuzzy Hash: 757124B0D05219DFCF04CFA6C940AAEFBB9FB89304F648869D816AB254D7749A41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01766B39 Relevance: 8.9, Strings: 7, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M62, xrefs: 01766D14
x$m, xrefs: 01766C6C
f9o1, xrefs: 01766D4C
f9o1, xrefs: 01766D35
f9o1, xrefs: 01766D2E
^<], xrefs: 01766C92
x$m, xrefs: 01766B84

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID: M62$^<]$f9o1$f9o1$f9o1$x$m$x$m
API String ID: 0-1673852399
Opcode ID: 82b9c3d543e02f6d3e37d6148b0be2bb36dc6faa40c89cc49ec44522d4c95756
Instruction ID: 3bdea018fbff4e6fd8ffbd79c7e3c5325f880a6045b78881bacf6d955fee1c72
Opcode Fuzzy Hash: 82b9c3d543e02f6d3e37d6148b0be2bb36dc6faa40c89cc49ec44522d4c95756
Instruction Fuzzy Hash: 26615570D05219CFCF14CFAAC540AAEFBB9FF89304F64886AD816AB254D7749A41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01768998 Relevance: 4.0, Strings: 3, Instructions: 249
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

rD&[, xrefs: 01768C34
ER~i, xrefs: 01768A9E
rD&[, xrefs: 01768C3B

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID: ER~i$rD&[$rD&[
API String ID: 0-3641059293
Opcode ID: 36c1831d7321a8b10732b5fa91fd38edc7108122c65371741ddb52cbeca2e6a0
Instruction ID: b3e336513e153dfd584eac6e52b5cd64050f16a7448c511628fa5ca7b6976a60
Opcode Fuzzy Hash: 36c1831d7321a8b10732b5fa91fd38edc7108122c65371741ddb52cbeca2e6a0
Instruction Fuzzy Hash: F2A18DB0E04309CFCB10CFA9D585AAEFBB6FB48344F248596C915AB345C7349A41CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0176DB08 Relevance: 4.0, Strings: 3, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H\X , xrefs: 0176DC3A
H\X , xrefs: 0176DC33
hlRH, xrefs: 0176DC66

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID: H\X $H\X $hlRH
API String ID: 0-3254217069
Opcode ID: 01a821ddb74eef2aee76c77b8da4aac0fc0b14fae8fee25befd9be5caa2ca176
Instruction ID: a4ac7fefdcf4a6c9aec56006df8187d1d18f48467a18b0b9c460a56830f8cff8
Opcode Fuzzy Hash: 01a821ddb74eef2aee76c77b8da4aac0fc0b14fae8fee25befd9be5caa2ca176
Instruction Fuzzy Hash: B1A124B0E14209CFCB24CFEAD4846EEFBB6FB88310F14956AD959BB258D73099418F50

Uniqueness

Uniqueness Score: -1.00%

Function 0176DB18 Relevance: 4.0, Strings: 3, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H\X , xrefs: 0176DC3A
H\X , xrefs: 0176DC33
hlRH, xrefs: 0176DC66

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID: H\X $H\X $hlRH
API String ID: 0-3254217069
Opcode ID: e5abe5c267a39451e452f725340efbdc2e902e78cbd9a02961329474e68b5e1b
Instruction ID: 3df5eeddeff1805b4ce450c3a80fec75918946c767d4c8ef931d4ec75305a28b
Opcode Fuzzy Hash: e5abe5c267a39451e452f725340efbdc2e902e78cbd9a02961329474e68b5e1b
Instruction Fuzzy Hash: 24A102B4E14209CFCB24CFEAD4846DEFBB6FB88310F24956AD959BB248D73099418F50

Uniqueness

Uniqueness Score: -1.00%

Function 0176BF18 Relevance: 3.0, Strings: 2, Instructions: 501
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X(tO, xrefs: 0176BFDA
*, xrefs: 0176C13D

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID: *$X(tO
API String ID: 2591292051-257287647
Opcode ID: f9719fa04c42e4bcc4ac2c271a0b56b7963afaf577dc38a74c5896a6686187e8
Instruction ID: c5f156a3a6b378952945bfdddd1c83d3f699964e9a35c1099236053dd83411e3
Opcode Fuzzy Hash: f9719fa04c42e4bcc4ac2c271a0b56b7963afaf577dc38a74c5896a6686187e8
Instruction Fuzzy Hash: 492237B4E05219CFDB25CFA5D980BEDFBB9AF49300F2490AAD949B7254DB344A81CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0176BF08 Relevance: 3.0, Strings: 2, Instructions: 454
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X(tO, xrefs: 0176BFDA
*, xrefs: 0176C13D

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID: *$X(tO
API String ID: 0-257287647
Opcode ID: 46d87351f17193d7032a6f1b5d3b5cc0c29493037a197934c1a28c58e2eaa29c
Instruction ID: 26c199121437f7693e9884bd78db5610f985cf891ec65f0cc1ef90a3bb92431b
Opcode Fuzzy Hash: 46d87351f17193d7032a6f1b5d3b5cc0c29493037a197934c1a28c58e2eaa29c
Instruction Fuzzy Hash: 9D125A74E05219CFEB25CFA5D980BEDFBB5AF49300F2490AAD949B7254DB348A81CF11

Uniqueness

Uniqueness Score: -1.00%

Function 01768818 Relevance: 2.9, Strings: 2, Instructions: 379
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ER~i, xrefs: 01768A9E
rD&[, xrefs: 01768C3B

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID: ER~i$rD&[
API String ID: 0-1260428334
Opcode ID: cc9554544471959aeb652f15e86fd9dcc7000a70ccdd2bd5faba51bfd35e038e
Instruction ID: 048d43c2ab08877d960b12d35ff19326623e0b04b2e67c2a9e78bcb7a045ee90
Opcode Fuzzy Hash: cc9554544471959aeb652f15e86fd9dcc7000a70ccdd2bd5faba51bfd35e038e
Instruction Fuzzy Hash: 4AE1DE71D4870ACFCB11CFA8C4456AEFBFAFF45354B14859AC965AB216D3309A42CB83

Uniqueness

Uniqueness Score: -1.00%

Function 01761224 Relevance: 2.8, Strings: 2, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-5&\, xrefs: 01761333
9~ln, xrefs: 01761398

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID: -5&\$9~ln
API String ID: 0-200604456
Opcode ID: 05e4debde997b8c9c40ab58718181bbf6e2ad6fa32276bde347750fe4daf3798
Instruction ID: b3fa420f6dcbd3951a30cc9af56a7699b784361502d6681bc4820a0465b97b72
Opcode Fuzzy Hash: 05e4debde997b8c9c40ab58718181bbf6e2ad6fa32276bde347750fe4daf3798
Instruction Fuzzy Hash: 17D153B0E092198FCB14CFA9C8449AEFBF6FF89300F64856AD816EB265D7359801CB55

Uniqueness

Uniqueness Score: -1.00%

Function 01769CE0 Relevance: 2.8, Strings: 2, Instructions: 301
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

m, xrefs: 0176BAE7
!D, xrefs: 0176A000

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID: m$!D
API String ID: 0-959577562
Opcode ID: 8f081e52400fa288aaa49bcbef431252a9ff17a031491590315655ff2a366769
Instruction ID: c60301608590937e35bb63125d2051b7404d9bedc20560102d9d7769745eaaa8
Opcode Fuzzy Hash: 8f081e52400fa288aaa49bcbef431252a9ff17a031491590315655ff2a366769
Instruction Fuzzy Hash: BFD1F5B4E042298FDB69DF61D8406DDF7BAAF96300F10A5EA850DB7254DB705E808F51

Uniqueness

Uniqueness Score: -1.00%

Function 01769CD0 Relevance: 2.8, Strings: 2, Instructions: 297
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

m, xrefs: 0176BAE7
!D, xrefs: 0176A000

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID: m$!D
API String ID: 0-959577562
Opcode ID: 7a82124ab66beab96223e0ea1255025c3aef7cb848495859c401c3c2d609369c
Instruction ID: f48398a5a756eb5b029b6bd497d3afca8644f98c4ba3d485bbb54e0bfd34e6b7
Opcode Fuzzy Hash: 7a82124ab66beab96223e0ea1255025c3aef7cb848495859c401c3c2d609369c
Instruction Fuzzy Hash: F1D102B4E042298FDB69CF61D8406DDF7BAAF95300F10A5EACA09B7254DB305F818F51

Uniqueness

Uniqueness Score: -1.00%

Function 0176A148 Relevance: 2.8, Strings: 2, Instructions: 271
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

m, xrefs: 0176BAE7
!D, xrefs: 0176A000

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID: m$!D
API String ID: 0-959577562
Opcode ID: dac1ab35d1a20d68149274cf6d4abbca568c4f99bbf1ec267742e2a5037a49fe
Instruction ID: e7f0dee414279b662dfe44ab27bf2893a7928e3173c07e7986687555a31bbda0
Opcode Fuzzy Hash: dac1ab35d1a20d68149274cf6d4abbca568c4f99bbf1ec267742e2a5037a49fe
Instruction Fuzzy Hash: 2FC1E3B4E042298FCB69DF61D940BDDB7BAAB96300F10A5EA850DB7254DB705FC08F51

Uniqueness

Uniqueness Score: -1.00%

Function 0176A0E8 Relevance: 2.8, Strings: 2, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

m, xrefs: 0176BAE7
!D, xrefs: 0176A000

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID: m$!D
API String ID: 0-959577562
Opcode ID: e3778c18aa8c36b59e4cc653a10bb22c3a7a494234bf7a5b4261dc9833b94acd
Instruction ID: ec1faf4ce2acd2d095adf2c373ae7e26f61e77941a1860722a1d6d1561f05cd2
Opcode Fuzzy Hash: e3778c18aa8c36b59e4cc653a10bb22c3a7a494234bf7a5b4261dc9833b94acd
Instruction Fuzzy Hash: 49C1F5B4E142298FCB69DF60D840BDDB7BAAF96300F10A4EAD609B7254DB705F808F51

Uniqueness

Uniqueness Score: -1.00%

Function 0176A12C Relevance: 2.8, Strings: 2, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

m, xrefs: 0176BAE7
!D, xrefs: 0176A000

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID: m$!D
API String ID: 0-959577562
Opcode ID: cee1ea7ddda7422fdbd9bafe9aa07de38216e0a475ab013af4530f1ed387503a
Instruction ID: d8cf09d82b786d9431546ca638871e07042d89908ac6220d5151255e76e6cc7a
Opcode Fuzzy Hash: cee1ea7ddda7422fdbd9bafe9aa07de38216e0a475ab013af4530f1ed387503a
Instruction Fuzzy Hash: 40C1F4B4E042298FCB69DF60D840BDDB7BAAF96300F10A5EA9609B7254DB705FC08F51

Uniqueness

Uniqueness Score: -1.00%

Function 017612B0 Relevance: 2.8, Strings: 2, Instructions: 263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-5&\, xrefs: 01761333
9~ln, xrefs: 01761398

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID: -5&\$9~ln
API String ID: 0-200604456
Opcode ID: 15a9d23d092ac096a5be1cff0f86ffc02b8131cafabea53b004c0f56594d5d23
Instruction ID: 67f6de637488b31c1f6bf55e0d775284cab2bc3fb86978101a04c0fefe4b2909
Opcode Fuzzy Hash: 15a9d23d092ac096a5be1cff0f86ffc02b8131cafabea53b004c0f56594d5d23
Instruction Fuzzy Hash: ACB1D2B4E052198FDB04CFAAC9849EEFBB6FF89300F64856AD906BB354D7319901CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0176A11E Relevance: 2.8, Strings: 2, Instructions: 261COMMON

Download Yara Rule

Strings

m, xrefs: 0176BAE7
!D, xrefs: 0176A000

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID: m$!D
API String ID: 0-959577562
Opcode ID: eb31b93338d97ab91f04287f9683053a7fd6e3b3ced663a282144aa08a3d5d05
Instruction ID: 1665bf6f1cd744afbb90816e693a90e532eda7d05c4f5fb5bb327a33e2d56866
Opcode Fuzzy Hash: eb31b93338d97ab91f04287f9683053a7fd6e3b3ced663a282144aa08a3d5d05
Instruction Fuzzy Hash: 27C1F4B4E042298FCB69DF60D840BDDB7BAAF96300F10A5EA9609B7254DB745F808F51

Uniqueness

Uniqueness Score: -1.00%

Function 01768989 Relevance: 2.7, Strings: 2, Instructions: 246COMMON

Download Yara Rule

Strings

ER~i, xrefs: 01768A9E
rD&[, xrefs: 01768C3B

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID: ER~i$rD&[
API String ID: 0-1260428334
Opcode ID: 9b2cc04ca95d361e3927112b5e705e9a42f1e852aa684e742f4ab2677c179594
Instruction ID: f23db317892e7671d343aef89d5ce132f1858b64f8c153a4f3ca6cc6700c3fbd
Opcode Fuzzy Hash: 9b2cc04ca95d361e3927112b5e705e9a42f1e852aa684e742f4ab2677c179594
Instruction Fuzzy Hash: 6EA16A70E0421ACFCB10CFA9D485AAEFBF6FB88344F248596C915A7255D334DA42CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0176D630 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0176D6BE

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 3d9fa6be171003ab9859b7e76536e5ba5d3f716edf180a7a3b2215d8cc896be5
Instruction ID: 389f51245402083315c0b57241e5e778bc3163f033eef73151b6d31f7fedc4fa
Opcode Fuzzy Hash: 3d9fa6be171003ab9859b7e76536e5ba5d3f716edf180a7a3b2215d8cc896be5
Instruction Fuzzy Hash: 8931AAB4D012189FDB10CFE9D884AEEFBF9BB49314F14842AE815B7200C775A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01761B38 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

$k!>, xrefs: 01761CED

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID: $k!>
API String ID: 0-124308476
Opcode ID: 18c688e0e70e1a4baf98692a8a776780d086a1937585456526b4da6e699f1096
Instruction ID: 5db65d411e180370e836679e332569690e553b2693428af8ea7e31f87650a15e
Opcode Fuzzy Hash: 18c688e0e70e1a4baf98692a8a776780d086a1937585456526b4da6e699f1096
Instruction Fuzzy Hash: 5B510870E04219CFDB08CFAAC9455AEFBF6BFC9300F14C16AD519A7255E7348A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 01761B48 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

$k!>, xrefs: 01761CED

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID: $k!>
API String ID: 0-124308476
Opcode ID: 7d20c7d294acfc140642d680505ad43b80071f6d1c2976953e76e1decce729bb
Instruction ID: 6b941bbf6d0015628789171afa31d1da5a3d333037d2384c3fed358873ab3427
Opcode Fuzzy Hash: 7d20c7d294acfc140642d680505ad43b80071f6d1c2976953e76e1decce729bb
Instruction Fuzzy Hash: 97511570E04219CFCB08CFAAC9446AEFBF6BFC8300F14D16AD919B7254E73499418B69

Uniqueness

Uniqueness Score: -1.00%

Function 0176C964 Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4880204fa6ee6462e63c5f5ea5356940f9e5680b2e8b8236fea9209d47056543
Instruction ID: 577d15770c267ebbd13886812f9ee7f1e59f4c8246abc5ab6422cc66f6f1fd0e
Opcode Fuzzy Hash: 4880204fa6ee6462e63c5f5ea5356940f9e5680b2e8b8236fea9209d47056543
Instruction Fuzzy Hash: 6C818C74C093988FCB02DFA8C8946CEBFB5BF06314F1945ABD485AB252DB784849CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0176CA0A Relevance: .6, Instructions: 562COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5eb7a923d8c582d4fb88a4672711f8466df04f5bc30f899d408a4309bb49b8
Instruction ID: 02a31b5df7a0f4ad006a1b6d1f541f9df3d681dd45340da8b8335656211fa66c
Opcode Fuzzy Hash: 8b5eb7a923d8c582d4fb88a4672711f8466df04f5bc30f899d408a4309bb49b8
Instruction Fuzzy Hash: AD5122B0D04258CFDB15CFA9C884BEEFBB6BF49304F14812AE855AB251DB749885CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0176C521 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 46e9ce85ec1a37c0611e6b8cd70cdfdfc2725a6890037cfa3b37ac8dc8b17b0c
Instruction ID: 250eeb4dccc2718c5e87516ed9278e92281cb46d5c7c70e01bef5e6c2902f0d7
Opcode Fuzzy Hash: 46e9ce85ec1a37c0611e6b8cd70cdfdfc2725a6890037cfa3b37ac8dc8b17b0c
Instruction Fuzzy Hash: 17718974D05218CFDB25CFA9D9807EDFBB5BB89300F2480AAD94AA7345DB349981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01766780 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314dff180e1a608a705105b54455f99c9aed70ed761ab46e8a7d7cd9d595b687
Instruction ID: 094757b4767afe93f3041947765ca4e2ab8a9e4df7d539dca6fcf51cabe861aa
Opcode Fuzzy Hash: 314dff180e1a608a705105b54455f99c9aed70ed761ab46e8a7d7cd9d595b687
Instruction Fuzzy Hash: E051EEB4D00218DFDB15CFA9D884BEEFBB6BB49304F14812AE855AB250DB749885CF85

Uniqueness

Uniqueness Score: -1.00%

Function 01762580 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1338e80d249d3e7298c18a49b1541e0f82112da71d3e8874b43c8d6e9d6d1a67
Instruction ID: 5a8bfdae21c63a40b3f77157b854de5740803dada9033ac5ad2f9701f554b3a2
Opcode Fuzzy Hash: 1338e80d249d3e7298c18a49b1541e0f82112da71d3e8874b43c8d6e9d6d1a67
Instruction Fuzzy Hash: B9310671E006188BDB18CFAAD94469EBBB6BFC8311F14C0AAD909AB268DB315945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01762570 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a290a9c2a139d1b6a92df0a7a1707d27a0a99ce533eb13f8047d3aaf6e8276b9
Instruction ID: a129a7b0d044c815d789e1e20682d3b16d5941512bed143588087f6c54afc6d0
Opcode Fuzzy Hash: a290a9c2a139d1b6a92df0a7a1707d27a0a99ce533eb13f8047d3aaf6e8276b9
Instruction Fuzzy Hash: 1021EAB0E006588BDB19CFABC95479EBFF3AFC9310F18C16AD409AA268DB741945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01769845 Relevance: 1.8, APIs: 1, Instructions: 325processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 01769B17

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 69ab01aac183c3bdf67b28e9226670b0e16d76e2fb2430891109f8242e4b3734
Instruction ID: 12bcf13768c35538fa79dd01c2a939656804ce75d76463859c3c5d8e994a2814
Opcode Fuzzy Hash: 69ab01aac183c3bdf67b28e9226670b0e16d76e2fb2430891109f8242e4b3734
Instruction Fuzzy Hash: D7C12671D0022D8FDF24CFA8C841BEEBBB5BB45308F0495AAD949B7240DB709A85CF85

Uniqueness

Uniqueness Score: -1.00%

Function 01769850 Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 01769B17

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6b3d0ec959208d86ac4b99e7bb557e23b47275dcc684d5bbcd2ba481b6928337
Instruction ID: 7eadc07300854de182da977338c727027cc9fb7e82578a4affc12e0b3a4a310a
Opcode Fuzzy Hash: 6b3d0ec959208d86ac4b99e7bb557e23b47275dcc684d5bbcd2ba481b6928337
Instruction Fuzzy Hash: 9DC11571D0022D8FDF25CFA8C841BEEBBB5BB49308F0495A9D949B7240DB709A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 017694C1 Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0176959B

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a313edcee0d4b85109734fecceb26b16b9dff59292408c19424e938f349ac351
Instruction ID: 6774b8e0637b5a58133c8a9b91ab402e56e635c7009fa61f6e3e703c0e1e5f1a
Opcode Fuzzy Hash: a313edcee0d4b85109734fecceb26b16b9dff59292408c19424e938f349ac351
Instruction Fuzzy Hash: 5A41BAB4D012589FDF00CFA9D984AEEFBF5BB49314F24942AE818B7240D734AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 017694C8 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0176959B

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6f51d52d4e6dafb47b8bc394043f7c02ed68f7f1ff854a1589c8677aecd30b9f
Instruction ID: f4b97696ac4925bcc5000415dc5be8597cabab903e5a196233a432cb2d055a53
Opcode Fuzzy Hash: 6f51d52d4e6dafb47b8bc394043f7c02ed68f7f1ff854a1589c8677aecd30b9f
Instruction Fuzzy Hash: 6C41B8B4D012589FDF00CFA9D984AEEFBF5BB49314F24942AE818B7240D734AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 01769618 Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 017696D2

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9f10551fc7fecc151fe1ee5de8965aea6719b78912ac35ba5557f38a0d665b8e
Instruction ID: ec3e24a7bc3ed2fee2a99337a9cdaf36797059e5574a1aad7c8eb41c44e2cb28
Opcode Fuzzy Hash: 9f10551fc7fecc151fe1ee5de8965aea6719b78912ac35ba5557f38a0d665b8e
Instruction Fuzzy Hash: 1C4196B9D002589FCF10CFE9E884AEEFBB5BB49314F14942AE815BB200D735A945DF64

Uniqueness

Uniqueness Score: -1.00%

Function 01769620 Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 017696D2

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ceb9c3e1c626c9e77329046a5ee5f56b7af65be3e7b1e88beadfe336482cfc97
Instruction ID: bffa8ad2005ffc09e90d01beedfe192de3cf99515aa589b33b30806503738923
Opcode Fuzzy Hash: ceb9c3e1c626c9e77329046a5ee5f56b7af65be3e7b1e88beadfe336482cfc97
Instruction Fuzzy Hash: C34195B8D042589FCF00CFEAD884AEEFBB5BB09314F14942AE815B7200D735A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 017693A0 Relevance: 1.6, APIs: 1, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01769452

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f7c3662e7f8728f1593e87805db7117fbe7ae38d76b0bb90176928affb1c0822
Instruction ID: 27268e5bebcb0d4e8cbe5ca47cd76cf535f1bda4a622032c87a8ad85504a5a0d
Opcode Fuzzy Hash: f7c3662e7f8728f1593e87805db7117fbe7ae38d76b0bb90176928affb1c0822
Instruction Fuzzy Hash: 3B4185B9D00258DFCF10CFA9D880AEEFBB5BB49324F14942AE815BB210D735A946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 017693A8 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01769452

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5aef4c4e9a7dbf696238088e0fb20d29f339b244edb5c1bf24d941e0f88fbf40
Instruction ID: 4fe8f5b796ecc31383c4968b3c9740f3db9e272ba71367078a8de89f1545deb6
Opcode Fuzzy Hash: 5aef4c4e9a7dbf696238088e0fb20d29f339b244edb5c1bf24d941e0f88fbf40
Instruction Fuzzy Hash: D83197B8D002589FCF00CFE9D880ADEFBB9BB49314F10942AE815BB200D735A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01769279 Relevance: 1.6, APIs: 1, Instructions: 95threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 0176932F

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 50b7998394e8f25b50dbaa1798610e1b75cb3ca034beabf7a258d5118d473088
Instruction ID: 398e86b3057b6620cd27ffb5e8978a61612a354fc5b6374a117ff0f09a46a7e4
Opcode Fuzzy Hash: 50b7998394e8f25b50dbaa1798610e1b75cb3ca034beabf7a258d5118d473088
Instruction Fuzzy Hash: 7841ABB4D012589FDB14CFEAD884AEEFBB5BF48314F14842AE815B7240D738A985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01769280 Relevance: 1.6, APIs: 1, Instructions: 94threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 0176932F

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 824219808a2009b3a6252f303e536b3d5bc0a97925c8950b730a2841c76dcc1d
Instruction ID: 32b3e9f093781878220f1696587307be2109bb75eff5a15dc1ccbe01d8acd11c
Opcode Fuzzy Hash: 824219808a2009b3a6252f303e536b3d5bc0a97925c8950b730a2841c76dcc1d
Instruction Fuzzy Hash: 9A31BAB4D012589FDB14CFEAD884AEEFBF5BB48314F14842AE815B7240D738A949CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0176D9F9 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,?), ref: 0176DA99

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 33a18d667d8b67299bef9953158ae647e5a8b36134de22188279453543956b1f
Instruction ID: beb8ef997cc078ebadc6d796e088ca148e6604ce851f8d892f77fb97fc2c900e
Opcode Fuzzy Hash: 33a18d667d8b67299bef9953158ae647e5a8b36134de22188279453543956b1f
Instruction Fuzzy Hash: 7F31CAB4D052189FDB14CFE9D884AEEFBB5BF49314F14942AE805B7240C774AA46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0176DA00 Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,?), ref: 0176DA99

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 56048b279bb93b1591d9ab2bb4f9b7d84a84527b3522fd6efacac284631e3c70
Instruction ID: b29ba893cb623a5e00d87c03013aacc1f1f3dabb9eb3bcc6397a893cc4381810
Opcode Fuzzy Hash: 56048b279bb93b1591d9ab2bb4f9b7d84a84527b3522fd6efacac284631e3c70
Instruction Fuzzy Hash: 6D31B8B4D052189FDB14CFE9D884AEEFBB9BF49314F14942AE805B7200C774AA46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0176D629 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0176D6BE

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: a71835e5f4cfcfba8ee3b375c78c4df3af6ed12025493aa11e8a5e1327e718e9
Instruction ID: 46cad2e2b07b95bd0a0c1393ff4b9e41968560223e82f7fa7d5d524984c55b9e
Opcode Fuzzy Hash: a71835e5f4cfcfba8ee3b375c78c4df3af6ed12025493aa11e8a5e1327e718e9
Instruction Fuzzy Hash: B131B8B8D012189FDB10CFE9D880AEEFBB5BB49314F14842AE809B7200C734A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01769189 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0176920E

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 35196a36234ab812ec5c012ff4b4ec19da6dc303d92fda6e98342fe315b58271
Instruction ID: 68fe84336538d14db1f9854213e7b697ea6ed2d97142d818be4bd69b64cb3c46
Opcode Fuzzy Hash: 35196a36234ab812ec5c012ff4b4ec19da6dc303d92fda6e98342fe315b58271
Instruction Fuzzy Hash: 8431CCB4D052189FDF14CFA9D884AEEFBB9AF49314F14842AE819B7300D735A905CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01769190 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0176920E

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8aa43c95a8bb785981e8a7b997ef5bdedc4c34f2f2c5b865b918e505f363132f
Instruction ID: 6855bdf33416c5f3772b518ef68bada91b6d4cfd5bdeb8461c06941998765788
Opcode Fuzzy Hash: 8aa43c95a8bb785981e8a7b997ef5bdedc4c34f2f2c5b865b918e505f363132f
Instruction Fuzzy Hash: F031AAB4D052189FDF14CFAAE884AEEFBB9AF49314F14842AE915B7300D734A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0176D728 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0176D7AE

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 9545c51bb670ca39cc8e5f6fa6291fa7faa462f04e2f20adf39e2c3d82680a3a
Instruction ID: 3f543823419dd05c0f52f53567a003bcd264126431e8a91e1bebb0cd857757e4
Opcode Fuzzy Hash: 9545c51bb670ca39cc8e5f6fa6291fa7faa462f04e2f20adf39e2c3d82680a3a
Instruction Fuzzy Hash: 3831ACB8D102189FCB10CFA9E484AEEFBF4BB49324F14906AE815B7310C334A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01766798 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0176D7AE

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 858e49fdbc7ad71f60e3e61bb678aa7807c3c0f9f15b92687bd0640dc00d2ff8
Instruction ID: 7db7ef645d7c2a998aa56380d5d7cea420f2c9e9fe27b0a52e9d01a85bdb8269
Opcode Fuzzy Hash: 858e49fdbc7ad71f60e3e61bb678aa7807c3c0f9f15b92687bd0640dc00d2ff8
Instruction Fuzzy Hash: EA31BBB8D102189FCB10CFA9D884ADEFBF4BB49320F14906AE818B7310D734A845CFA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0176040F Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

, xrefs: 017604BE

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3c0cfb3d0d7a1f8602921f0a0c5f1998302deb6062c5bda03fbc7baf3f5072ad
Instruction ID: 3aa655a9b5b716fde8922ad9b2a41cdfce8187794f4d4747a0d1828ef0c96b49
Opcode Fuzzy Hash: 3c0cfb3d0d7a1f8602921f0a0c5f1998302deb6062c5bda03fbc7baf3f5072ad
Instruction Fuzzy Hash: DE314C71E016099FDB29CFAAD8446DABBF3AFC9310F14C0BAD544AA265EB3409428F11

Uniqueness

Uniqueness Score: -1.00%

Function 01760448 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

, xrefs: 017604BE

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 36d09eed268f0e3c6425bc78fa722312e9346846e6a0b0ecbd90967f21f0643d
Instruction ID: a131988cbc9eac56aa3e6297d234cec8033ca076757a236bf44b2aefab0c323d
Opcode Fuzzy Hash: 36d09eed268f0e3c6425bc78fa722312e9346846e6a0b0ecbd90967f21f0643d
Instruction Fuzzy Hash: CB21C675E016199BEB18CFABD8446DEFAF7BFC8300F14C57AD918A6264EB305A418F40

Uniqueness

Uniqueness Score: -1.00%

Function 01766FE8 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e6d95fd05c546173f108c808e8c481750ed8837dc0665d87d367c2c0eb5ea0
Instruction ID: cecb99a68c1813e9a1935b50f1c396a2a8f5e679586e703de21c004b4e6960f0
Opcode Fuzzy Hash: f0e6d95fd05c546173f108c808e8c481750ed8837dc0665d87d367c2c0eb5ea0
Instruction Fuzzy Hash: 58D11674A04268CFDB08CBA9D88499EFBB6FF89348F24C559D915AB31AD730A841CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01766FD8 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1003f6dda8efb1a7c0ef6c1582fa757b2fd208a151dae21e88cf6b9ce65df29a
Instruction ID: 811b67b28b0cd4c3702c0cf1ef904067e1789a3db5d299d6ce08420fb7e4f77f
Opcode Fuzzy Hash: 1003f6dda8efb1a7c0ef6c1582fa757b2fd208a151dae21e88cf6b9ce65df29a
Instruction Fuzzy Hash: 40D11870A04268CFDB08CBA9D884A9EFBF6FF89348F24C559D915AB35AD7349841CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01763350 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7cb6e3dfe46443d911b40cd758dbe2ef0c64ec356ec97c2c65eb6fdccaf044
Instruction ID: 259f9042aa4473c1e195d5d2a2724ca5cd394747e02c165b20294c3d5a0a69bc
Opcode Fuzzy Hash: ed7cb6e3dfe46443d911b40cd758dbe2ef0c64ec356ec97c2c65eb6fdccaf044
Instruction Fuzzy Hash: CCA18F34D046528BC725CF7AC4484AEFFB7FF46300B18C95AC8A9AB615D735AD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01763440 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa48219f76830b61afdccefa45e66379be06aeb9f4011fac781e8212798dd72e
Instruction ID: 9739c58fb8dfa1620e43b46006f2e742668aac565514439a012d54174f307ad1
Opcode Fuzzy Hash: aa48219f76830b61afdccefa45e66379be06aeb9f4011fac781e8212798dd72e
Instruction Fuzzy Hash: AE513C74E00206DFDB14CFAAC4858AEFBB6FF89311B15C565C909AB259D734E982CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0176D7FC Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5df345bc269eff102e3e43ef1ccb67d2bfbdc5ca5a4b38c20f0dc708b668244
Instruction ID: 33db8c581bc17067954c4eeceef62f39c3393b502e198d149e5c2ce9e5909748
Opcode Fuzzy Hash: a5df345bc269eff102e3e43ef1ccb67d2bfbdc5ca5a4b38c20f0dc708b668244
Instruction Fuzzy Hash: 5E51EFB4E102188FDB24CFE9D8847DEFBB6FB49314F14912AE859AB250DB745845CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0176D42D Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1169dbba1ca080aa2883d21e858873489852a75b87398ec6206e5d7b609b5421
Instruction ID: 9ed15c3ad902b3eefce6a5b0597b7f7ab97d9d0e7fe0fc215f3f65ff8d337306
Opcode Fuzzy Hash: 1169dbba1ca080aa2883d21e858873489852a75b87398ec6206e5d7b609b5421
Instruction Fuzzy Hash: 2351F2B4E102189FDB24CFE9D884BDEFBB6BF49304F24852AE855AB251DB749845CF40

Uniqueness

Uniqueness Score: -1.00%

Function 017667A4 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d445156d49f357ab289475056d89fb8ee5d1d4fae57d80eee5b0e54130ef6fbd
Instruction ID: 23d0154524648cd3734a1fbef5e109ee1c5b1f31516dfbb3df1da31bfb14067c
Opcode Fuzzy Hash: d445156d49f357ab289475056d89fb8ee5d1d4fae57d80eee5b0e54130ef6fbd
Instruction Fuzzy Hash: 94510FB0E10218CFDB24DFE9C88479EFBB6FB49304F14812AE855AB250DB749845CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0176678C Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90144f61d1a655ad0a1cab2d3e8c702325c412c9d6bf7e96c5b0a10129f0cae3
Instruction ID: b17435a00605661be6375f47ac7b0514775ba8d8adb9c8f6e9ab1689f76103fe
Opcode Fuzzy Hash: 90144f61d1a655ad0a1cab2d3e8c702325c412c9d6bf7e96c5b0a10129f0cae3
Instruction Fuzzy Hash: 4A5114B4E102189FDB24DFE9C8847DEFBB6BB49304F248129E855AB250DB745845CF80

Uniqueness

Uniqueness Score: -1.00%

Function 01767550 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07836f682d806c3c4b00314e7c68e4a20fb50266f0b4afee2bb27cf24f34d17c
Instruction ID: 43afa1bc459954447ac9c1a624b99377cdef920f80916561bb44662f7d7120a6
Opcode Fuzzy Hash: 07836f682d806c3c4b00314e7c68e4a20fb50266f0b4afee2bb27cf24f34d17c
Instruction Fuzzy Hash: FC41E270A1524ADFCB04CFA8D48059EBBF6EF89244F30C8AAC405EB269E7349E01CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0176350D Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71bafe6d7ee4329ca0c4f9969a0f1065dd2ff5a44d38c71be509c02213a062d8
Instruction ID: f3f28a0963eb41e15d23fa7dc3a99ad9cce46bd13e0cdd69affdba149956e62f
Opcode Fuzzy Hash: 71bafe6d7ee4329ca0c4f9969a0f1065dd2ff5a44d38c71be509c02213a062d8
Instruction Fuzzy Hash: 40414D74E04106DFC704CFA9C4858AEFBB6FF89310B25C955C919AB259D734EA82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01765610 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 651758db5a522ca45fef4d1a7fe96f0639efe9bd4062e33177c2da3352530fd1
Instruction ID: cc444804ce51f61271be0387d2cc25479326c6b823b352195a20511294bd1c6d
Opcode Fuzzy Hash: 651758db5a522ca45fef4d1a7fe96f0639efe9bd4062e33177c2da3352530fd1
Instruction Fuzzy Hash: FB41E870E0420A8FCB48CFAAD4805AEFBF2BF89750F24C56AC915B7255D7349A42CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01765620 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b80c043b13b200f6d974a16fd978b909a4b4c9ead4ac5021fe64e695b2491e
Instruction ID: 11793ee92dbd0b19556ad0ae7b3270e7e72b4b1795f106445ec7470d3707cfee
Opcode Fuzzy Hash: 53b80c043b13b200f6d974a16fd978b909a4b4c9ead4ac5021fe64e695b2491e
Instruction Fuzzy Hash: 6A41E6B0E0420A8FCB44CFAAD4805AEFBB6BB88750F24C569C815B7254D7349A42CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01767829 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835e57f237be999058b2c09b16a1cee988eaa99d7e2fe182bfdbeb8162527929
Instruction ID: cb720df888da902c071305c8a041aecb61c962c1863acbde903087061d72434e
Opcode Fuzzy Hash: 835e57f237be999058b2c09b16a1cee988eaa99d7e2fe182bfdbeb8162527929
Instruction Fuzzy Hash: 6641DB71D056989FDB19CF6A9C446DABFB3AFC6300F18C0EAD448AB265D7310995CF41

Uniqueness

Uniqueness Score: -1.00%

Function 01767840 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454222449.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1760000_DHL_119040 receipt document,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e606127ec635b5c3f64e4d7f053be164d6356738a04c428cc5a5750b97ff4ae
Instruction ID: 5a2fabdb99b3f993042e24d77e00987dc92179fe736b3e8dd2b06c8000b05c2b
Opcode Fuzzy Hash: 4e606127ec635b5c3f64e4d7f053be164d6356738a04c428cc5a5750b97ff4ae
Instruction Fuzzy Hash: D2417775E016289BDB68CF6BDD446CEFBF7AFC8300F14C1AA990CA7264DB3159918E40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cvtres.exePID: 7116, Parent PID: 7080COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	46
Total number of Limit Nodes:	2

Executed Functions

Function 04DE9DC0 Relevance: 1.6, APIs: 1, Instructions: 89
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 04DEC9BA

Memory Dump Source

Source File: 00000001.00000002.711017121.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4de0000_cvtres.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e6b16cd5c651f145af2a682d2aa817c58a8458618c6590fd90ba7147f517c392
Instruction ID: 57f2199b3de29aa103f3db6550302cd8abf6b0752b0335a4a30d1e0d6eaf0cdf
Opcode Fuzzy Hash: e6b16cd5c651f145af2a682d2aa817c58a8458618c6590fd90ba7147f517c392
Instruction Fuzzy Hash: D23155B1D202499FDB14DFAAC8857AEBBF1BB09714F14852AE816BB380D774A441CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04DEC8E4 Relevance: 1.6, APIs: 1, Instructions: 88
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 04DEC9BA

Memory Dump Source

Source File: 00000001.00000002.711017121.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4de0000_cvtres.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fcd1b764cd49619de022e746ee12b97efa8943b897d15140f6b14e0eca15899e
Instruction ID: 0df5595c28f6e5b2f4862b29ca10b7b8e6727da617350e95f1468b6f34f1f831
Opcode Fuzzy Hash: fcd1b764cd49619de022e746ee12b97efa8943b897d15140f6b14e0eca15899e
Instruction Fuzzy Hash: 063146B1D102489FDB14DFA9D8857AEBBF1BF09714F14852AE816A7380D774A481CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04DE4F1F Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 04DE4FED

Memory Dump Source

Source File: 00000001.00000002.711017121.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4de0000_cvtres.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 913335a87108b95bb5f376ed2bda0a1b959f6402140bb9fdc8d239ab8ba3e8a4
Instruction ID: 2bcd25d4f6dd80b4af0ef35a6be5e3a0935a460247dcbc689ad17843b71d6288
Opcode Fuzzy Hash: 913335a87108b95bb5f376ed2bda0a1b959f6402140bb9fdc8d239ab8ba3e8a4
Instruction Fuzzy Hash: 1A21B0709043849FEB50EFA5E4443AD7BF4FB49318F10451AD488E7241C77DA485CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 04DE4CB9 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 04DE4D42

Memory Dump Source

Source File: 00000001.00000002.711017121.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4de0000_cvtres.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: c54fd2a8d9cfe7582408c87314bebb337388067a3c506506f8420c9d16ffba36
Instruction ID: e258664c60a68c25d8beb75796e9c2ca3dc6f8c6771bcc66212904b5951d44fe
Opcode Fuzzy Hash: c54fd2a8d9cfe7582408c87314bebb337388067a3c506506f8420c9d16ffba36
Instruction Fuzzy Hash: BA218871901749DFDB50DFA9E5487AEBBF4FB44314F24842AD445E7A40C738A444CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04DE4CC8 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 04DE4D42

Memory Dump Source

Source File: 00000001.00000002.711017121.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4de0000_cvtres.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 83b1dc27f397c8890029b1a147af55b929326af7b6250fd3d67902a8ec86da96
Instruction ID: f0e524451c7856d591988b8752298cca614d37d33bd87b6a78bb9b31ee45e029
Opcode Fuzzy Hash: 83b1dc27f397c8890029b1a147af55b929326af7b6250fd3d67902a8ec86da96
Instruction Fuzzy Hash: 0E11AC709013499FDB50EFA9E84879EBBF8FB44324F14842AD444E7640C778A484CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0957D900 Relevance: .8, Instructions: 815
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.714967221.0000000009570000.00000040.00000800.00020000.00000000.sdmp, Offset: 09570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9570000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d7c843b8b928c0be9497ac9edf67a6fc61106443e984acc3faa2b2e2b7fd8f
Instruction ID: 8c2de0b9523e697e986ddde3cf2473d603302f06c3b37c62998d8778304bdc16
Opcode Fuzzy Hash: 21d7c843b8b928c0be9497ac9edf67a6fc61106443e984acc3faa2b2e2b7fd8f
Instruction Fuzzy Hash: 4C726134A0421C9FEB249FA0D850BDEB7BBEF89308F1084A9D506AB794DF349D459F91

Uniqueness

Uniqueness Score: -1.00%

Function 0957E750 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.714967221.0000000009570000.00000040.00000800.00020000.00000000.sdmp, Offset: 09570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9570000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7afc0f45478746182df393d5f8e022bf4fe413f755779b217451d8d0b66ca317
Instruction ID: 35c88611fae16e0181c6a17a250ac3140d85807a54f6b963e9874ea9ae9d9ca1
Opcode Fuzzy Hash: 7afc0f45478746182df393d5f8e022bf4fe413f755779b217451d8d0b66ca317
Instruction Fuzzy Hash: 80D1E875A103159FCB14CF69E9899ADB7F6BF88310B1A80A9E406EB371DB30ED45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0957E631 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.714967221.0000000009570000.00000040.00000800.00020000.00000000.sdmp, Offset: 09570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9570000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e26048d85348bfd890ccd05b994a83bd0dff783149f5ff1054d96a3164cfa53
Instruction ID: 5d2924720f8ae55ce1affd6e784d22b91dbd9b360d9d88bb7c22c19dfd06a9fe
Opcode Fuzzy Hash: 9e26048d85348bfd890ccd05b994a83bd0dff783149f5ff1054d96a3164cfa53
Instruction Fuzzy Hash: 32C1E575A003599FCB04CFA9E9899ADBBF6BF88310B168099E415EB371C734ED45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04BAD3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.709855382.0000000004BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4bad000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab841caf438d890ced888e7904a57263113e2002ef649de8c82274adef08d13
Instruction ID: 3722a8b652f27d19caedefed6242cdb9fbc45218ca779e64437b439541ef751d
Opcode Fuzzy Hash: 8ab841caf438d890ced888e7904a57263113e2002ef649de8c82274adef08d13
Instruction Fuzzy Hash: 4C213DB5508304DFDB00DF54D4C0B66BB6BFB84324F24C9A9D8090BA06C736F466CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04BAD4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.709855382.0000000004BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4bad000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bca0ad09de3de1b329978a476ab684825861e06981107cc4287498fc74b5113
Instruction ID: ccd1d4bef29118be310f78c1125f0299263b5c893f1f460d3b1b53854fed833c
Opcode Fuzzy Hash: 2bca0ad09de3de1b329978a476ab684825861e06981107cc4287498fc74b5113
Instruction Fuzzy Hash: 77214FB5608304DFDB04CF54D5C4F56BF6AFB88318F2485A9D8050B616C336E865DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0957FE00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.714967221.0000000009570000.00000040.00000800.00020000.00000000.sdmp, Offset: 09570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9570000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1f35a7a4e9769bec8d6d43915eff7a02dd04b54da868c2b06d0c500ce2a68b
Instruction ID: 3b2af1ddceb354888ae3d24301229c9bc53b0c9f1c994e0d198f0f6bc6338d71
Opcode Fuzzy Hash: 5d1f35a7a4e9769bec8d6d43915eff7a02dd04b54da868c2b06d0c500ce2a68b
Instruction Fuzzy Hash: 1A21C535601219AFDB18DF65E994EADB7B2FF48700F114558F8019B362DB70EE44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04BAD3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.709855382.0000000004BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4bad000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14d24104e7c3173a843a0472e1518ad77889c4c6c77b39ebf8477dc8966a5350
Instruction ID: 75fc404d28d80391fd841785d411fcceae57499f208533389ce8297e3ca581d3
Opcode Fuzzy Hash: 14d24104e7c3173a843a0472e1518ad77889c4c6c77b39ebf8477dc8966a5350
Instruction Fuzzy Hash: 5C11D376404280DFCB11CF14D5C4B56BF72FB84320F24C6A9D8084BA56C33AE46ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04BAD4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.709855382.0000000004BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4bad000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14d24104e7c3173a843a0472e1518ad77889c4c6c77b39ebf8477dc8966a5350
Instruction ID: 6840f1b116a0a62231138312cf0cc8f4b3a8b29fe96f51c065f43c2a4477cf4a
Opcode Fuzzy Hash: 14d24104e7c3173a843a0472e1518ad77889c4c6c77b39ebf8477dc8966a5350
Instruction Fuzzy Hash: 2311D376504280CFCB11CF10D5C4B16BF72FB84324F2486A9D8090B656C33AE46ACBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL_119040 receipt document,pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_119040 receipt document,pdf.exe.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
DHL_119040 receipt document,pdf.exe

Function 01766B48 Relevance: 10.2, Strings: 8, Instructions: 168
COMMON

Function 01766B39 Relevance: 8.9, Strings: 7, Instructions: 162
COMMON

Function 01768998 Relevance: 4.0, Strings: 3, Instructions: 249
COMMON

Function 0176DB08 Relevance: 4.0, Strings: 3, Instructions: 231
COMMON

Function 0176DB18 Relevance: 4.0, Strings: 3, Instructions: 230
COMMON

Function 0176BF18 Relevance: 3.0, Strings: 2, Instructions: 501
COMMON

Function 0176BF08 Relevance: 3.0, Strings: 2, Instructions: 454
COMMON

Function 01768818 Relevance: 2.9, Strings: 2, Instructions: 379
COMMON

Function 01761224 Relevance: 2.8, Strings: 2, Instructions: 332
COMMON

Function 01769CE0 Relevance: 2.8, Strings: 2, Instructions: 301
COMMON

Function 01769CD0 Relevance: 2.8, Strings: 2, Instructions: 297
COMMON

Function 0176A148 Relevance: 2.8, Strings: 2, Instructions: 271
COMMON

Function 0176A0E8 Relevance: 2.8, Strings: 2, Instructions: 270
COMMON

Function 0176A12C Relevance: 2.8, Strings: 2, Instructions: 264
COMMON

Function 017612B0 Relevance: 2.8, Strings: 2, Instructions: 263
COMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre