Windows Analysis Report
Shipping documents 000293994900.exe

Overview

General Information

Sample name: Shipping documents 000293994900.exe
Analysis ID: 1546020
MD5: c8d26f7208eaaa31a839ec190489c9a1
SHA1: c9bc4695a4f4afdcc89d216b7ad8d0ce4d0bc7e3
SHA256: f96b6c703fe5b13fd985d91da265c58d3d5b2f81397ebe27527e59c208819d2e
Tags: exeSPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected GuLoader
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection
barindex
Found malware configuration
Source: Shipping documents 000293994900.exe.5436.0.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.8% probability
Uses 32bit PE files
Source: Shipping documents 000293994900.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:56195 version: TLS 1.2
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405770
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 0_2_0040622B FindFirstFileW,FindClose, 0_2_0040622B
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 0_2_0040276E FindFirstFileW, 0_2_0040276E
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_0040276E FindFirstFileW, 4_2_0040276E
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_00405770
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_0040622B FindFirstFileW,FindClose, 4_2_0040622B
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.185.13.234 192.185.13.234
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:56194 -> 84.38.133.42:80
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:49704
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:56127
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /FZBmQQQpasdj30.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.133.42Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /FZBmQQQpasdj30.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.133.42Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: ftp.concaribe.com
Source: Shipping documents 000293994900.exe, 00000004.00000002.3304876105.0000000006DC0000.00000004.00001000.00020000.00000000.sdmp, Shipping documents 000293994900.exe, 00000004.00000002.3304583690.0000000005426000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://84.38.133.42/FZBmQQQpasdj30.bin
Source: Shipping documents 000293994900.exe, 00000004.00000002.3323810255.000000003578C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://concaribe.com
Source: Shipping documents 000293994900.exe, 00000004.00000002.3323810255.000000003578C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ftp.concaribe.com
Source: Shipping documents 000293994900.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Shipping documents 000293994900.exe, 00000004.00000002.3323810255.0000000035711000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Shipping documents 000293994900.exe, 00000004.00000002.3323810255.0000000035711000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: Shipping documents 000293994900.exe, 00000004.00000002.3323810255.0000000035711000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: Shipping documents 000293994900.exe, 00000004.00000002.3323810255.0000000035711000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: Shipping documents 000293994900.exe, 00000000.00000002.3040528511.0000000002843000.00000004.00000020.00020000.00000000.sdmp, nsj89C.tmp.0.dr, 660.jpg.0.dr String found in binary or memory: https://www.wikihow.com/Image:Type-Step-1-Version-6.jpg
Source: unknown Network traffic detected: HTTP traffic on port 56195 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56195
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:56195 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004052D1

System Summary
barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Shipping documents 000293994900.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process Stats: CPU usage > 49%
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_00403358
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 4_2_00403358
Detected potential crypto function
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 0_2_00404B0E 0_2_00404B0E
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 0_2_0040653D 0_2_0040653D
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_00404B0E 4_2_00404B0E
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_0040653D 4_2_0040653D
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_0016A214 4_2_0016A214
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_0016E360 4_2_0016E360
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_00164A58 4_2_00164A58
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_0016AAAA 4_2_0016AAAA
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_00163E40 4_2_00163E40
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_00164188 4_2_00164188
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_0016DA78 4_2_0016DA78
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_37FECE21 4_2_37FECE21
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_37FEBB90 4_2_37FEBB90
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_37FEA7DC 4_2_37FEA7DC
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_388D3158 4_2_388D3158
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_388DB2F0 4_2_388DB2F0
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_388DC240 4_2_388DC240
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_388D56A0 4_2_388D56A0
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_388D66C0 4_2_388D66C0
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_388D7E40 4_2_388D7E40
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_388D0040 4_2_388D0040
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_388D2370 4_2_388D2370
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_388DE468 4_2_388DE468
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_388D5DB7 4_2_388D5DB7
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_388D7760 4_2_388D7760
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_38CA2B98 4_2_38CA2B98
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: String function: 00402B38 appears 47 times
Sample file is different than original file name gathered from version info
Source: Shipping documents 000293994900.exe, 00000000.00000002.3039983496.0000000000454000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamekinglet.exe> vs Shipping documents 000293994900.exe
Source: Shipping documents 000293994900.exe, 00000004.00000000.3037015443.0000000000454000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamekinglet.exe> vs Shipping documents 000293994900.exe
Source: Shipping documents 000293994900.exe, 00000004.00000002.3304583690.000000000546E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Shipping documents 000293994900.exe
Source: Shipping documents 000293994900.exe, 00000004.00000002.3323761608.00000000355C9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Shipping documents 000293994900.exe
Source: Shipping documents 000293994900.exe Binary or memory string: OriginalFilenamekinglet.exe> vs Shipping documents 000293994900.exe
Uses 32bit PE files
Source: Shipping documents 000293994900.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/9@2/3
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 0_2_004045C8 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004045C8
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 0_2_0040206A CoCreateInstance, 0_2_0040206A
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe File created: C:\Users\user\Uploadable Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe File created: C:\Users\user\AppData\Local\Temp\nsu88C.tmp Jump to behavior
Source: Shipping documents 000293994900.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe File read: C:\Users\user\Desktop\Shipping documents 000293994900.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Shipping documents 000293994900.exe "C:\Users\user\Desktop\Shipping documents 000293994900.exe"
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process created: C:\Users\user\Desktop\Shipping documents 000293994900.exe "C:\Users\user\Desktop\Shipping documents 000293994900.exe"
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process created: C:\Users\user\Desktop\Shipping documents 000293994900.exe "C:\Users\user\Desktop\Shipping documents 000293994900.exe" Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe File written: C:\Users\user\AppData\Local\Temp\Settings.ini Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.3041044972.0000000006125000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406252
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 0_2_10002DB0 push eax; ret 0_2_10002DDE
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_37FE3FD0 push 2438C7DAh; retf 4_2_37FE3FD5
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_38CA057F push dword ptr [edi]; ret 4_2_38CA0590
Drops PE files
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe File created: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe API/Special instruction interceptor: Address: 675E863
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe API/Special instruction interceptor: Address: 31DE863
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe RDTSC instruction interceptor: First address: 6708F70 second address: 6708F70 instructions: 0x00000000 rdtsc 0x00000002 test al, al 0x00000004 cmp ax, bx 0x00000007 cmp ebx, ecx 0x00000009 jc 00007F6830F0C228h 0x0000000b cmp esi, 20C649BBh 0x00000011 test cl, 00000060h 0x00000014 inc ebp 0x00000015 cmp eax, ecx 0x00000017 inc ebx 0x00000018 cmp dl, al 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe RDTSC instruction interceptor: First address: 3188F70 second address: 3188F70 instructions: 0x00000000 rdtsc 0x00000002 test al, al 0x00000004 cmp ax, bx 0x00000007 cmp ebx, ecx 0x00000009 jc 00007F6830E09938h 0x0000000b cmp esi, 20C649BBh 0x00000011 test cl, 00000060h 0x00000014 inc ebp 0x00000015 cmp eax, ecx 0x00000017 inc ebx 0x00000018 cmp dl, al 0x0000001a rdtsc
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Memory allocated: 110000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Memory allocated: 35710000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Memory allocated: 37710000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 599312 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 599203 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 599094 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 598969 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 598859 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 598750 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 598641 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 598531 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 598418 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 598311 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 598203 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 598093 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 597965 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 597808 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 597703 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 597589 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 597266 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 597047 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 596937 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 596828 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 596719 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 596594 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 596484 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 596375 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 596266 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 596156 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 596047 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 595937 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 595828 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 595719 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 595609 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 595498 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 595391 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 595266 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 595141 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 595031 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 594922 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 594812 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 594703 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 594594 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 594484 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Window / User API: threadDelayed 2180 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Window / User API: threadDelayed 7666 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsvB4E.tmp\System.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe API coverage: 1.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -35971150943733603s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 428 Thread sleep count: 2180 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 428 Thread sleep count: 7666 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -599547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -599438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -599312s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -599203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -599094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -598969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -598859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -598750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -598641s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -598531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -598418s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -598311s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -598203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -598093s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -597965s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -597808s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -597703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -597589s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -597484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -597375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -597266s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -597156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -597047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -596937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -596828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -596719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -596594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -596484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -596375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -596266s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -596156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -596047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -595937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -595828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -595719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -595609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -595498s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -595391s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -595266s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -595141s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -595031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -594922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -594812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -594703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -594594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe TID: 5852 Thread sleep time: -594484s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405770
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 0_2_0040622B FindFirstFileW,FindClose, 0_2_0040622B
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 0_2_0040276E FindFirstFileW, 0_2_0040276E
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_0040276E FindFirstFileW, 4_2_0040276E
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_00405770
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 4_2_0040622B FindFirstFileW,FindClose, 4_2_0040622B
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 599312 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 599203 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 599094 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 598969 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 598859 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 598750 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 598641 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 598531 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 598418 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 598311 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 598203 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 598093 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 597965 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 597808 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 597703 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 597589 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 597266 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 597047 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 596937 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 596828 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 596719 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 596594 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 596484 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 596375 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 596266 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 596156 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 596047 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 595937 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 595828 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 595719 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 595609 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 595498 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 595391 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 595266 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 595141 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 595031 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 594922 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 594812 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 594703 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 594594 Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Thread delayed: delay time: 594484 Jump to behavior
Source: Shipping documents 000293994900.exe, 00000004.00000002.3304583690.000000000546E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW5
Source: Shipping documents 000293994900.exe, 00000004.00000002.3304583690.0000000005426000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(\G
Source: Shipping documents 000293994900.exe, 00000004.00000002.3304583690.000000000546E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe API call chain: ExitProcess graph end node
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406252
Enables debug privileges
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Process created: C:\Users\user\Desktop\Shipping documents 000293994900.exe "C:\Users\user\Desktop\Shipping documents 000293994900.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Queries volume information: C:\Users\user\Desktop\Shipping documents 000293994900.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Code function: 0_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00405F0A
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.3323810255.000000003578C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3323810255.0000000035761000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Shipping documents 000293994900.exe PID: 6496, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000293994900.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000004.00000002.3323810255.0000000035761000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Shipping documents 000293994900.exe PID: 6496, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.3323810255.000000003578C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3323810255.0000000035761000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Shipping documents 000293994900.exe PID: 6496, type: MEMORYSTR
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
84.38.133.42
 unknown Latvia
203557 DATACLUB-NL false
192.185.13.234
 concaribe.com United States
46606 UNIFIEDLAYER-AS-1US true
172.67.74.152
 api.ipify.org United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
api.ipify.org 172.67.74.152 true
concaribe.com 192.185.13.234 true
ftp.concaribe.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
  • URL Reputation: safe
 unknown
http://84.38.133.42/FZBmQQQpasdj30.bin false
    		unknown