
Windows Analysis Report
SecuriteInfo.com.Trojan-Dropper.17837.23667.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe
Analysis ID: 1431436
MD5: 448ac477d6ee07ef2bab4aa206e55371
SHA1: f174f8f81f6817db32a32380c7ad70213f19f971
SHA256: 8d09e55629dd15deebce3ee83f5a4b6cc09925c83eaca7c2fa75707c2ab9cd11
Tags: exe

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Found large amount of non-executed APIs
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://dhld.dyndns.org/libgen/forum
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/Converter.exe
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/Function.dat
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/Index.mht
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/LibGen.exe
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/Readme.txt
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/BEAM.DAT
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/COLOUR.DAT
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/EFFECTS.DAT
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/GROUP.DAT
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/LIBRARY/FUNCTION.TXT
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/LIBRARY/_lib.lib
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/LIBRARY/_userlib.dat
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/LIBRARY/oldFunc.res
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/LIBRARY/tokens.res
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/LIBRARY/tokens.res$TemplateShow
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/PAGE.DAT
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/POSITION.DAT
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/RTTABLE.DAT
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/RTTABLE.DAT(TemplateShow
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/SETUP/DESKTOP.DAT
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/SETUP/FIXTURE.DAT
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/SETUP/INPUT.DAT
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/SETUP/INPUT.DATTitlebody
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/SETUP/MIDIMAP.TXT
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/SETUP/MOREOPTS.TXT
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/SETUP/OPTIONS.DAT
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/SETUP/PATCH.DAT
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/SETUP/REPORTS.DAT
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/TemplateShow/_ZCAT.DAT
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/config.ini
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/fixtures.dat
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; String found in binary or memory: http://www.lightkid.de/updater/vbzip11.dll
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe, 00000000.00000000.1520017120.0000000000414000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilename update.exe vs SecuriteInfo.com.Trojan-Dropper.17837.23667.exe
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Binary or memory string: OriginalFilename update.exe vs SecuriteInfo.com.Trojan-Dropper.17837.23667.exe
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Binary or memory string: @ A*\AC:\Dokumente und Einstellungen\denis\Desktop\developing\ver 0.6.8\updater\Project1.vbp
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe, 00000000.00000002.1563935125.0000000000412000.00000004.00000001.01000000.00000003.sdmp; Binary or memory string: 2@*\AC:\Dokumente und Einstellungen\denis\Desktop\developing\ver 0.6.8\updater\Project1.vbp
Source: classification engine; Classification label: clean2.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; File created: C:\Users\user\AppData\Local\Temp\~DFF081A0D5B7062551.TMP
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: samcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: sfc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: sxs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Code function: 0_2_0040387A push ss; iretd 0_2_0040387B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe; API coverage: 0.6 %
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe, 00000000.00000003.1563694466.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan-Dropper.17837.23667.exe, 00000000.00000002.1564062291.00000000005ED000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the count of matched signatures for that technique):

  • Reconnaissance: Gather Victim Identity Information; Credentials
  • Resource Development: Acquire Infrastructure; Domains
  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts
  • Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts
  • Defense Evasion: 1 DLL Side-Loading; 1 Obfuscated Files or Information
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: 1 Security Software Discovery; 1 System Information Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Command and Control: Data Obfuscation; Junk Data
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Impact: Abuse Accessibility Features; Network Denial of Service
Source | Detection | Scanner
SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | 2% | ReversingLabs
SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | 0% | Virustotal
No Antivirus matches
URL | Detection | Scanner | Label
http://www.lightkid.de/updater/TemplateShow/BEAM.DAT | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/SETUP/INPUT.DATTitlebody | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/Index.mht | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/LIBRARY/FUNCTION.TXT | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/config.ini | 0% | Avira URL Cloud | safe
http://dhld.dyndns.org/libgen/forum | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/EFFECTS.DAT | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/LIBRARY/oldFunc.res | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/SETUP/DESKTOP.DAT | 0% | Avira URL Cloud | safe
http://dhld.dyndns.org/libgen/forum | 0% | Virustotal | -
http://www.lightkid.de/updater/Index.mht | 1% | Virustotal | -
http://www.lightkid.de/updater/config.ini | 1% | Virustotal | -
http://www.lightkid.de/updater/TemplateShow/SETUP/REPORTS.DAT | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/BEAM.DAT | 1% | Virustotal | -
http://www.lightkid.de/updater/TemplateShow/EFFECTS.DAT | 1% | Virustotal | -
http://www.lightkid.de/updater/TemplateShow/LIBRARY/oldFunc.res | 1% | Virustotal | -
http://www.lightkid.de/updater/TemplateShow/SETUP/DESKTOP.DAT | 1% | Virustotal | -
http://www.lightkid.de/updater/TemplateShow/LIBRARY/FUNCTION.TXT | 1% | Virustotal | -
http://www.lightkid.de/updater/Function.dat | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/LibGen.exe | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/LIBRARY/_lib.lib | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/GROUP.DAT | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/SETUP/OPTIONS.DAT | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/SETUP/REPORTS.DAT | 1% | Virustotal | -
http://www.lightkid.de/updater/TemplateShow/SETUP/INPUT.DAT | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/Function.dat | 1% | Virustotal | -
http://www.lightkid.de/updater/TemplateShow/LIBRARY/tokens.res | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/vbzip11.dll | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/LIBRARY/tokens.res$TemplateShow | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/SETUP/OPTIONS.DAT | 1% | Virustotal | -
http://www.lightkid.de/updater/TemplateShow/LIBRARY/_lib.lib | 1% | Virustotal | -
http://www.lightkid.de/updater/LibGen.exe | 1% | Virustotal | -
http://www.lightkid.de/updater/TemplateShow/RTTABLE.DAT(TemplateShow | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/COLOUR.DAT | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/ | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/PAGE.DAT | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/SETUP/FIXTURE.DAT | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/GROUP.DAT | 1% | Virustotal | -
http://www.lightkid.de/updater/vbzip11.dll | 1% | Virustotal | -
http://www.lightkid.de/updater/TemplateShow/COLOUR.DAT | 1% | Virustotal | -
http://www.lightkid.de/updater/TemplateShow/LIBRARY/_userlib.dat | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/LIBRARY/tokens.res | 1% | Virustotal | -
http://www.lightkid.de/updater/Readme.txt | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/SETUP/INPUT.DAT | 1% | Virustotal | -
http://www.lightkid.de/updater/TemplateShow/SETUP/FIXTURE.DAT | 1% | Virustotal | -
http://www.lightkid.de/updater/Converter.exe | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/_ZCAT.DAT | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/PAGE.DAT | 1% | Virustotal | -
http://www.lightkid.de/updater/ | 1% | Virustotal | -
http://www.lightkid.de/updater/TemplateShow/POSITION.DAT | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/SETUP/PATCH.DAT | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/Readme.txt | 1% | Virustotal | -
http://www.lightkid.de/updater/TemplateShow/LIBRARY/_userlib.dat | 1% | Virustotal | -
http://www.lightkid.de/updater/fixtures.dat | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/RTTABLE.DAT | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/Converter.exe | 1% | Virustotal | -
http://www.lightkid.de/updater/TemplateShow/SETUP/MIDIMAP.TXT | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/SETUP/PATCH.DAT | 1% | Virustotal | -
http://www.lightkid.de/updater/TemplateShow/SETUP/MOREOPTS.TXT | 0% | Avira URL Cloud | safe
http://www.lightkid.de/updater/TemplateShow/POSITION.DAT | 1% | Virustotal | -
http://www.lightkid.de/updater/fixtures.dat | 1% | Virustotal | -
http://www.lightkid.de/updater/TemplateShow/SETUP/MOREOPTS.TXT | 1% | Virustotal | -
http://www.lightkid.de/updater/TemplateShow/_ZCAT.DAT | 1% | Virustotal | -
http://www.lightkid.de/updater/TemplateShow/RTTABLE.DAT | 1% | Virustotal | -
http://www.lightkid.de/updater/TemplateShow/SETUP/MIDIMAP.TXT | 1% | Virustotal | -
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.lightkid.de/updater/Index.mht | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/LIBRARY/FUNCTION.TXT | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/SETUP/INPUT.DATTitlebody | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/BEAM.DAT | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/config.ini | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://dhld.dyndns.org/libgen/forum | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/EFFECTS.DAT | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/LIBRARY/oldFunc.res | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/SETUP/DESKTOP.DAT | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/SETUP/REPORTS.DAT | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/Function.dat | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/LibGen.exe | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/LIBRARY/_lib.lib | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/GROUP.DAT | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/SETUP/OPTIONS.DAT | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/SETUP/INPUT.DAT | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/LIBRARY/tokens.res | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/vbzip11.dll | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/LIBRARY/tokens.res$TemplateShow | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/RTTABLE.DAT(TemplateShow | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/COLOUR.DAT | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/ | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/PAGE.DAT | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/SETUP/FIXTURE.DAT | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/LIBRARY/_userlib.dat | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/Readme.txt | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/Converter.exe | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/_ZCAT.DAT | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/POSITION.DAT | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/SETUP/PATCH.DAT | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/fixtures.dat | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/RTTABLE.DAT | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/SETUP/MIDIMAP.TXT | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.lightkid.de/updater/TemplateShow/SETUP/MOREOPTS.TXT | SecuriteInfo.com.Trojan-Dropper.17837.23667.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431436
Start date and time: 2024-04-25 05:24:26 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe
Detection: CLEAN
Classification: clean2.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 1
  • Number of non-executed functions: 7
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
No simulations
No context
Process: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 3584
Entropy (8bit): 2.1959506845833197
Encrypted: false
SSDEEP: 12:rl3b/FFQ6rMob7O4Eipl0QeXFqtyF1F4zuT+x9LpHQir6aZZu1rwcXmdmtmUUQvR:r7TEi0QSlOCGvZZimdmtmUUWiWJdR
MD5: AF9A2DFDB009A606D6D10E5AB12AC179
SHA1: 4DFC3BD73CA01E1F372F176E7881BE348F809C83
SHA-256: 3152DF2D79210AF764E01F74432AF502A966BBB8DEDC393A18ED1DDE61379E48
SHA-512: 9376850A55220D509CB70040B3A6385F8ED7B61124DD0DD5ADA9AF49DA6D0FD78F3DB94962976DFB7DA8520A662AE5142E417A6A8491D63069C4209919C7F4F1
Malicious: false
Reputation: low
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 4.933331749687061
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.15%
  • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SecuriteInfo.com.Trojan-Dropper.17837.23667.exe
File size: 81'920 bytes
MD5: 448ac477d6ee07ef2bab4aa206e55371
SHA1: f174f8f81f6817db32a32380c7ad70213f19f971
SHA256: 8d09e55629dd15deebce3ee83f5a4b6cc09925c83eaca7c2fa75707c2ab9cd11
SHA512: efd8f09f62df81f6ea8b2b5478a0fe50ec557c76b3dc1050dd1cf60fb9183f27729cdf055a4aa8c4b30b778942c020a176c77add9cbaa57f62a5e90bc1695542
SSDEEP: 768:ccvZZ00a0m79ULg0b12nz6g4FlIbZ1nvZZ:Pxw9V0hAV1n
TLSH: 63833203AB50E15EE688D9F03F3494DD3949BE3111A0AE4BEA861E4BA175353F4F472B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.............................`.......Rich............................PE..L......G.....................0............... ....@
Icon Hash: 4b0343591f59a92d
Entrypoint: 0x401afc
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x47F0D5A3 [Mon Mar 31 12:14:27 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: fb5b25ee167f90abd53682b8ed948849
Instruction
push 00402334h
call 00007F685C7E3FF3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
aaa
cmc
int1
lodsb
je 00007F685C7E3F94h
out dx, al
inc edi
stosb
neg dword ptr [eax]
stc
fld dword ptr [ebx+0000E57Dh]
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
xor byte ptr [edx], dh
xor byte ptr [ebx+esi], dh
xor byte ptr [ebp+70h], dl
popad
je 00007F685C7E4067h
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
push es
loop 00007F685C7E400Bh
mov ch, DFh
or dword ptr [edx-12h], ebp
inc ecx
stosb
xor byte ptr [ecx], bl
je 00007F685C7E406Ah
fist word ptr [ecx+79EC9119h]
mov eax, BC47529Dh
pushfd
aaa
fidivr dword ptr [ecx+3A10B513h]
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
test al, 06h
add byte ptr [eax], al
mov eax, dword ptr [eax+eax]
add byte ptr [eax], al
add eax, 726F4600h
insd
xor dword ptr [eax], eax
or eax, 75001201h
jo 00007F685C7E4066h
popad
je 00007F685C7E4067h
and byte ptr [ecx+6Eh], ch
and byte ptr [eax+72h], dh
outsd
jc 00007F685C7E4068h
jnc 00007F685C7E4075h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10e14 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0x7d4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x238 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x160 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x10430 | 0x11000 | f7a247f8cf9603909c973de101e72ec7 | False | 0.2273236443014706 | data | 5.395381494106568 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x12000 | 0x12e0 | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x14000 | 0x7d4 | 0x1000 | e1c44c7e2c6aaa08712b2adf84675396 | False | 0.192626953125 | data | 2.091539568471655 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x144ec | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | | | 0.3736559139784946
RT_ICON | 0x143c4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | | | 0.5
RT_GROUP_ICON | 0x143a0 | 0x24 | data | | | 1.0555555555555556
RT_VERSION | 0x14120 | 0x280 | data | English | United States | 0.4703125
DLL | Import
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaStrI4, __vbaFreeVar, __vbaAryMove, __vbaLenBstr, __vbaLateIdCall, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaLsetFixstr, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaStrFixstr, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaPutOwner3, __vbaVarTstEq, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaI2Var, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaVarLateMemCallLd, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj
Language of compilation system | Country where language is spoken | Map
English | United States |
No network behavior found
Target ID:0
Start time:05:25:39
Start date:25/04/2024
Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Dropper.17837.23667.exe"
Imagebase:0x400000
File size:81'920 bytes
MD5 hash:448AC477D6EE07EF2BAB4AA206E55371
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true
    Execution Graph

    Execution Coverage:0.6%
    Dynamic/Decrypted Code Coverage:6.7%
    Signature Coverage:0%
    Total number of Nodes:134
    Total number of Limit Nodes:1
    execution_graph 376 40f640 __vbaChkstk 377 40f695 __vbaOnError 376->377 381 403664 377->381 382 40366d 381->382 404 405c20 __vbaChkstk 405 405c75 __vbaOnError __vbaStrCopy 404->405 406 4109b0 405->406 407 405ca9 __vbaFreeStr #670 __vbaVarTstNe __vbaFreeVar 406->407 408 405cf8 __vbaStrCopy __vbaStrCopy 407->408 409 405ebf 407->409 410 40fe20 33 API calls 408->410 412 405efe __vbaFreeStr 409->412 413 405ede __vbaHresultCheckObj 409->413 411 405d28 6 API calls 410->411 414 405db6 __vbaObjSet __vbaLateIdCall __vbaFreeStr __vbaFreeObj __vbaFreeVar 411->414 413->412 416 405dfc __vbaObjSet 414->416 417 405e18 416->417 418 405e23 __vbaHresultCheckObj 417->418 419 405e3d 417->419 420 405e44 __vbaFreeObj 418->420 419->420 421 405e63 __vbaObjSet 420->421 422 405e82 421->422 423 405eaa 422->423 424 405e8d __vbaHresultCheckObj 422->424 425 405eb4 __vbaFreeObj 423->425 424->425 425->412 438 40f6f0 __vbaChkstk 439 40f745 __vbaOnError __vbaStrCopy __vbaStrCopy 438->439 440 40fe20 33 API calls 439->440 441 40f78b __vbaStrMove __vbaStrCopy __vbaFreeStrList 440->441 442 40f7d1 __vbaObjSet 441->442 443 40f7f6 442->443 444 40f807 __vbaHresultCheckObj 443->444 445 40f82a 443->445 446 40f834 __vbaFreeObj 444->446 445->446 447 40f861 10 API calls 446->447 448 40f8f0 6 API calls 447->448 449 40fc41 __vbaVarDup __vbaVarDup #595 __vbaFreeVarList 447->449 456 40fa15 448->456 457 40f98c __vbaVarDup #595 __vbaFreeVarList 448->457 450 40fcfa 449->450 458 40fc3c __vbaFreeStr 449->458 453 40fd26 450->453 454 40fd0a __vbaNew2 450->454 455 40fd30 __vbaObjSetAddref 453->455 454->455 461 40fd5f 455->461 459 40fa41 456->459 460 40fa25 __vbaNew2 456->460 457->458 462 40fa4b __vbaChkstk __vbaChkstk 459->462 460->462 463 40fd70 __vbaHresultCheckObj 461->463 464 40fd93 461->464 466 40fae8 462->466 465 40fd9d __vbaFreeObj 463->465 464->465 465->458 467 40faf9 __vbaHresultCheckObj 466->467 468 40fb1f 466->468 467->468 468->458 469 40fb63 __vbaHresultCheckObj 468->469 470 40fb86 468->470 469->470 471 40fba0 __vbaNew2 470->471 472 40fbbc 470->472 473 40fbc6 __vbaObjSetAddref 471->473 472->473 474 40fbf5 473->474 475 40fc06 __vbaHresultCheckObj 474->475 476 40fc29 474->476 477 40fc33 __vbaFreeObj 475->477 476->477 477->458 383 410300 384 410340 __vbaStrCopy __vbaStrCopy 383->384 389 40fe20 __vbaStrCopy 384->389 390 40fe95 389->390 391 40fe85 __vbaNew2 389->391 392 40feba 390->392 393 40feab __vbaHresultCheckObj 390->393 391->390 394 40fede 16 API calls 392->394 395 40fecf __vbaHresultCheckObj 392->395 393->392 401 403934 394->401 395->394 402 40393d 401->402 426 4100e0 427 410120 426->427 428 41013e 427->428 429 41012e __vbaNew2 427->429 430 410155 __vbaHresultCheckObj 428->430 431 410167 428->431 429->428 430->431 432 41017f __vbaObjSetAddref 431->432 433 41016f __vbaNew2 431->433 434 41019d 432->434 433->432 435 4101a3 __vbaHresultCheckObj 434->435 436 4101b2 __vbaFreeObj 434->436 435->436 437 4101cf 436->437 490 410480 __vbaChkstk 491 4104d5 __vbaOnError 490->491 492 410505 491->492 493 410510 __vbaHresultCheckObj 492->493 494 41052d 492->494 493->494 495 4109a7 494->495 496 41054a __vbaChkstk 494->496 495->495 497 410588 __vbaObjSet __vbaLateIdSt __vbaFreeObj 496->497 498 4105bd 497->498 499 4105e5 498->499 500 4105c8 __vbaHresultCheckObj 498->500 499->495 501 410602 __vbaChkstk 499->501 500->499 502 410640 __vbaObjSet __vbaLateIdSt __vbaFreeObj 501->502 503 410671 __vbaObjSet 502->503 504 410692 503->504 505 41069d __vbaHresultCheckObj 504->505 506 4106ba 504->506 505->506 506->495 507 410709 506->507 508 4106ef __vbaHresultCheckObj 506->508 509 410710 __vbaFreeObj 507->509 508->509 510 41072f __vbaObjSet 509->510 511 410750 510->511 512 41075b __vbaHresultCheckObj 511->512 513 410778 511->513 512->513 513->495 514 4107c7 513->514 515 4107ad __vbaHresultCheckObj 513->515 516 4107ce __vbaFreeObj 514->516 515->516 517 4107ed __vbaObjSet 516->517 518 41080e 517->518 519 410819 __vbaHresultCheckObj 518->519 520 410839 518->520 519->520 520->495 521 410871 __vbaHresultCheckObj 520->521 522 41088e 520->522 523 410898 __vbaFreeObj 521->523 522->523 524 4108b7 __vbaObjSet 523->524 525 4108d8 524->525 526 4108e3 __vbaHresultCheckObj 525->526 527 410903 525->527 526->527 527->495 528 410958 527->528 529 41093b __vbaHresultCheckObj 527->529 530 410962 __vbaFreeObj 528->530 529->530 531 410984 530->531 532 4017a3 533 4017e9 __vbaExceptHandler 532->533 403 405f16 __vbaFreeStrList __vbaFreeObj __vbaFreeVarList 373 401afc #100 374 401ab0 __vbaStrFixstr 373->374 375 401b1e 373->375 374->373

    Control-flow Graph

    control_flow_graph 0 401afc-401b1c #100 1 401ab0-401ab8 __vbaStrFixstr 0->1 2 401b1e-401b3c 0->2 1->0 3 401ba3-401bbe 2->3 4 401b3e-401b49 2->4 9 401bbf-401bc2 3->9 5 401b54-401b55 4->5 6 401b4b-401b52 4->6 8 401b57-401ba1 5->8 5->9 6->5 8->3 12 401bc4-401c34 9->12 13 401c37-401c5d 9->13 12->13
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1563911975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1563888263.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1563935125.0000000000412000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1563950673.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: #100
    • String ID:
    • API String ID: 1341478452-0
    • Opcode ID: 9f0f01183b5dadc9a7bdcb65a6ef66a11645baf3f60cd64606ed3a00add972f2
    • Instruction ID: 94a4b33951ee4f01d38ecdaca496d7b362e20570849f9b4f71ac676ff3fb54ce
    • Opcode Fuzzy Hash: 9f0f01183b5dadc9a7bdcb65a6ef66a11645baf3f60cd64606ed3a00add972f2
    • Instruction Fuzzy Hash: 685199A294E7C18FD7034B7498292517FB0AF17219B1E05EBC4C2DF1F3E268584ADB26
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 14 40f6f0-40f805 __vbaChkstk __vbaOnError __vbaStrCopy * 2 call 40fe20 __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaObjSet 20 40f807-40f828 __vbaHresultCheckObj 14->20 21 40f82a 14->21 22 40f834-40f8ea __vbaFreeObj __vbaObjSet __vbaLateIdCallLd __vbaVarLateMemCallLd __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeObj __vbaFreeVarList __vbaStrCmp 20->22 21->22 24 40f8f0-40f986 __vbaObjSet __vbaLateIdCallLd __vbaVarLateMemCallLd __vbaVarTstEq __vbaFreeObj __vbaFreeVarList 22->24 25 40fc41-40fcf4 __vbaVarDup * 2 #595 __vbaFreeVarList 22->25 33 40fa15-40fa23 24->33 34 40f98c-40fa10 __vbaVarDup #595 __vbaFreeVarList 24->34 26 40fda6-40fdf9 __vbaFreeStr 25->26 27 40fcfa-40fd08 25->27 30 40fd26 27->30 31 40fd0a-40fd24 __vbaNew2 27->31 32 40fd30-40fd6e __vbaObjSetAddref 30->32 31->32 40 40fd70-40fd91 __vbaHresultCheckObj 32->40 41 40fd93 32->41 36 40fa41 33->36 37 40fa25-40fa3f __vbaNew2 33->37 35 40fc3c 34->35 35->26 39 40fa4b-40faf7 __vbaChkstk * 2 36->39 37->39 44 40faf9-40fb1d __vbaHresultCheckObj 39->44 45 40fb1f 39->45 42 40fd9d-40fda0 __vbaFreeObj 40->42 41->42 42->26 46 40fb29-40fb38 44->46 45->46 46->35 47 40fb3e-40fb61 46->47 49 40fb63-40fb84 __vbaHresultCheckObj 47->49 50 40fb86 47->50 51 40fb90-40fb9e 49->51 50->51 52 40fba0-40fbba __vbaNew2 51->52 53 40fbbc 51->53 54 40fbc6-40fc04 __vbaObjSetAddref 52->54 53->54 56 40fc06-40fc27 __vbaHresultCheckObj 54->56 57 40fc29 54->57 58 40fc33-40fc36 __vbaFreeObj 56->58 57->58 58->35
    APIs
    • __vbaChkstk.MSVBVM60(?,004018F6), ref: 0040F70E
    • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004018F6), ref: 0040F755
    • __vbaStrCopy.MSVBVM60(?,?,?,?,004018F6), ref: 0040F76A
    • __vbaStrCopy.MSVBVM60(?,?,?,?,004018F6), ref: 0040F778
      • Part of subcall function 0040FE20: __vbaStrCopy.MSVBVM60 ref: 0040FE77
      • Part of subcall function 0040FE20: __vbaNew2.MSVBVM60(00403AEC,00412490), ref: 0040FE8F
      • Part of subcall function 0040FE20: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403ADC,00000014), ref: 0040FEB4
      • Part of subcall function 0040FE20: __vbaHresultCheckObj.MSVBVM60(00000000,?,00403AFC,00000050), ref: 0040FED8
      • Part of subcall function 0040FE20: __vbaStrCat.MSVBVM60(00403B10,?), ref: 0040FEED
      • Part of subcall function 0040FE20: __vbaStrMove.MSVBVM60 ref: 0040FEFA
      • Part of subcall function 0040FE20: __vbaStrCat.MSVBVM60(?,00000000), ref: 0040FF01
      • Part of subcall function 0040FE20: __vbaStrMove.MSVBVM60 ref: 0040FF0A
      • Part of subcall function 0040FE20: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040FF16
      • Part of subcall function 0040FE20: __vbaFreeObj.MSVBVM60 ref: 0040FF22
      • Part of subcall function 0040FE20: #526.MSVBVM60(?,00000001), ref: 0040FF2E
      • Part of subcall function 0040FE20: #607.MSVBVM60(?,00000100,?), ref: 0040FF41
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,004018F6), ref: 0040F790
    • __vbaStrCopy.MSVBVM60(?,?,?,?,004018F6), ref: 0040F79E
    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,004018F6), ref: 0040F7B2
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,004018F6), ref: 0040F7D6
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403A18,0000005C), ref: 0040F81C
    • __vbaFreeObj.MSVBVM60 ref: 0040F837
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040F866
    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0040F871
    • __vbaVarLateMemCallLd.MSVBVM60(?,00000000,?,?,?,?,?,?,?,004018F6), ref: 0040F87F
    • __vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,004018F6), ref: 0040F889
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004018F6), ref: 0040F894
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004018F6), ref: 0040F8A2
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004018F6), ref: 0040F8AB
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004018F6), ref: 0040F8B4
    • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,004018F6), ref: 0040F8C4
    • __vbaStrCmp.MSVBVM60(?,?), ref: 0040F8E2
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040F92A
    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0040F935
    • __vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 0040F943
    • __vbaVarTstEq.MSVBVM60(?,00000000), ref: 0040F954
    • __vbaFreeObj.MSVBVM60 ref: 0040F964
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040F974
    • __vbaVarDup.MSVBVM60 ref: 0040F9D7
    • #595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A), ref: 0040F9EF
    • __vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A), ref: 0040FA07
    • __vbaFreeStr.MSVBVM60(0040FDFA), ref: 0040FDF3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1563911975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1563888263.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1563935125.0000000000412000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1563950673.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: __vba$Free$CopyListMove$CallLate$CheckHresult$#526#595#607ChkstkErrorNew2
    • String ID: Misc$No Update!$No Updates available!$Title$You have to update using the installer from http://dhld.dyndns.org/libgen/forum !$\ A$body$version
    • API String ID: 3359282013-2401955378
    • Opcode ID: 37b38dee8496c59fd50d2faec70b62ed8a36817dfdfd4de82283e1957898dd47
    • Instruction ID: ff4fc4c13607922a1e78238ef596fc0102931aaf1c8b50d7ead0b2a0c014b7e3
    • Opcode Fuzzy Hash: 37b38dee8496c59fd50d2faec70b62ed8a36817dfdfd4de82283e1957898dd47
    • Instruction Fuzzy Hash: 1C122CB1900218DFDB14DF90C948BDDBBB9FF48304F1081A9E50ABB2A1DB745A89CF54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • __vbaStrCopy.MSVBVM60 ref: 0040FE77
    • __vbaNew2.MSVBVM60(00403AEC,00412490), ref: 0040FE8F
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403ADC,00000014), ref: 0040FEB4
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403AFC,00000050), ref: 0040FED8
    • __vbaStrCat.MSVBVM60(00403B10,?), ref: 0040FEED
    • __vbaStrMove.MSVBVM60 ref: 0040FEFA
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 0040FF01
    • __vbaStrMove.MSVBVM60 ref: 0040FF0A
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040FF16
    • __vbaFreeObj.MSVBVM60 ref: 0040FF22
    • #526.MSVBVM60(?,00000001), ref: 0040FF2E
    • #607.MSVBVM60(?,00000100,?), ref: 0040FF41
    • __vbaStrVarMove.MSVBVM60(?), ref: 0040FF4B
    • __vbaStrMove.MSVBVM60 ref: 0040FF56
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040FF62
    • __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 0040FF7B
    • __vbaStrToAnsi.MSVBVM60(?,?,000000FF,00000000), ref: 0040FF8B
    • __vbaStrToAnsi.MSVBVM60(?,00405700,00000000), ref: 0040FF97
    • __vbaStrToAnsi.MSVBVM60(?,00000000,00000000), ref: 0040FFA4
    • __vbaStrToAnsi.MSVBVM60(?,00000000,00000000), ref: 0040FFB1
    • __vbaSetSystemError.MSVBVM60(00000000), ref: 0040FFBB
    • __vbaStrToUnicode.MSVBVM60(00401848,?), ref: 0040FFCF
    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 0040FFD9
    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 0040FFE3
    • __vbaStrToUnicode.MSVBVM60(00412034,?), ref: 0040FFEE
    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 00410006
    • #617.MSVBVM60(?,?,00000000), ref: 00410029
    • __vbaStrVarMove.MSVBVM60(?), ref: 00410033
    • __vbaStrMove.MSVBVM60 ref: 0041003E
    • __vbaFreeVar.MSVBVM60 ref: 00410043
    • __vbaStrCopy.MSVBVM60 ref: 00410058
    • __vbaFreeStr.MSVBVM60(004100C1), ref: 004100B9
    • __vbaFreeStr.MSVBVM60 ref: 004100BE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1563911975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1563888263.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1563935125.0000000000412000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1563950673.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: __vba$Free$Move$Ansi$Unicode$List$CheckCopyHresult$#526#607#617ErrorNew2System
    • String ID: 4 A$config.ini
    • API String ID: 2483901722-354649791
    • Opcode ID: 28716899a7a95db94bb6cf3a5901123a8105f0c77323f5e8d9ea6b571d1ec5b4
    • Instruction ID: 5145ee526efabd1026e2439a4dc3f148ce79270003ee24dca7f1d4c89ea736dd
    • Opcode Fuzzy Hash: 28716899a7a95db94bb6cf3a5901123a8105f0c77323f5e8d9ea6b571d1ec5b4
    • Instruction Fuzzy Hash: 2B71ECB5D00219ABCB04DB94DD45DEEBBBCEB58301F10812AF501B72A4DAB4A945CFA4
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • __vbaChkstk.MSVBVM60(?,004018F6), ref: 00405C3E
    • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004018F6), ref: 00405C85
    • __vbaStrCopy.MSVBVM60(?,?,?,?,004018F6), ref: 00405C9A
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,004018F6), ref: 00405CAC
    • #670.MSVBVM60(?,?,?,?,?,004018F6), ref: 00405CBD
    • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 00405CD9
    • __vbaFreeVar.MSVBVM60 ref: 00405CE6
    • __vbaStrCopy.MSVBVM60 ref: 00405D07
    • __vbaStrCopy.MSVBVM60 ref: 00405D15
      • Part of subcall function 0040FE20: __vbaStrCopy.MSVBVM60 ref: 0040FE77
      • Part of subcall function 0040FE20: __vbaNew2.MSVBVM60(00403AEC,00412490), ref: 0040FE8F
      • Part of subcall function 0040FE20: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403ADC,00000014), ref: 0040FEB4
      • Part of subcall function 0040FE20: __vbaHresultCheckObj.MSVBVM60(00000000,?,00403AFC,00000050), ref: 0040FED8
      • Part of subcall function 0040FE20: __vbaStrCat.MSVBVM60(00403B10,?), ref: 0040FEED
      • Part of subcall function 0040FE20: __vbaStrMove.MSVBVM60 ref: 0040FEFA
      • Part of subcall function 0040FE20: __vbaStrCat.MSVBVM60(?,00000000), ref: 0040FF01
      • Part of subcall function 0040FE20: __vbaStrMove.MSVBVM60 ref: 0040FF0A
      • Part of subcall function 0040FE20: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040FF16
      • Part of subcall function 0040FE20: __vbaFreeObj.MSVBVM60 ref: 0040FF22
      • Part of subcall function 0040FE20: #526.MSVBVM60(?,00000001), ref: 0040FF2E
      • Part of subcall function 0040FE20: #607.MSVBVM60(?,00000100,?), ref: 0040FF41
    • __vbaStrMove.MSVBVM60(?,?), ref: 00405D2D
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00405D3D
    • __vbaStrCat.MSVBVM60(?,http://www.lightkid.de/updater/,?,?,004018F6), ref: 00405D56
    • __vbaStrMove.MSVBVM60(?,?,004018F6), ref: 00405D61
    • __vbaStrCat.MSVBVM60(.html,00000000,?,?,004018F6), ref: 00405D6D
    • __vbaChkstk.MSVBVM60 ref: 00405D82
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00405DBB
    • __vbaLateIdCall.MSVBVM60(00000000), ref: 00405DC2
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,004018F6), ref: 00405DCE
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004018F6), ref: 00405DD7
    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,004018F6), ref: 00405DE0
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,004018F6), ref: 00405E01
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403A18,0000005C), ref: 00405E32
    • __vbaFreeObj.MSVBVM60 ref: 00405E47
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00405E68
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403A78,00000054), ref: 00405E9C
    • __vbaFreeObj.MSVBVM60 ref: 00405EB7
    • __vbaHresultCheckObj.MSVBVM60(?,?,0040386C,00000700), ref: 00405EF0
    • __vbaFreeStr.MSVBVM60(00405F50), ref: 00405F49
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1563911975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1563888263.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1563935125.0000000000412000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1563950673.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: __vba$Free$CheckHresult$CopyMove$ChkstkList$#526#607#670CallErrorLateNew2
    • String ID: .html$LibGen.exe$Misc$http://www.lightkid.de/updater/$looking for available updates$version
    • API String ID: 3777957480-1668110964
    • Opcode ID: 341dd72cadb50689f6a6f42c3eb059f62cae78531a91e871e33af60e74444709
    • Instruction ID: 245812484c9e8b32d91b78da4a02dd951a29342b7ca6cb070dd3a6e5713e0ce8
    • Opcode Fuzzy Hash: 341dd72cadb50689f6a6f42c3eb059f62cae78531a91e871e33af60e74444709
    • Instruction Fuzzy Hash: 0EA1EB75900208EFDB04DF94D988ADEBBB5FF48705F108169F506BB2A0DB789A85CF94
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 97 410480-41050e __vbaChkstk __vbaOnError 100 410510-41052b __vbaHresultCheckObj 97->100 101 41052d 97->101 102 410534-410544 100->102 101->102 103 4109a7 102->103 104 41054a-4105c6 __vbaChkstk __vbaObjSet __vbaLateIdSt __vbaFreeObj 102->104 103->103 107 4105e5 104->107 108 4105c8-4105e3 __vbaHresultCheckObj 104->108 109 4105ec-4105fc 107->109 108->109 109->103 110 410602-41069b __vbaChkstk __vbaObjSet __vbaLateIdSt __vbaFreeObj __vbaObjSet 109->110 114 4106ba 110->114 115 41069d-4106b8 __vbaHresultCheckObj 110->115 116 4106c1-4106ce 114->116 115->116 116->103 117 4106d4-4106ed 116->117 119 410709 117->119 120 4106ef-410707 __vbaHresultCheckObj 117->120 121 410710-410759 __vbaFreeObj __vbaObjSet 119->121 120->121 124 410778 121->124 125 41075b-410776 __vbaHresultCheckObj 121->125 126 41077f-41078c 124->126 125->126 126->103 127 410792-4107ab 126->127 129 4107c7 127->129 130 4107ad-4107c5 __vbaHresultCheckObj 127->130 131 4107ce-410817 __vbaFreeObj __vbaObjSet 129->131 130->131 134 410839 131->134 135 410819-410837 __vbaHresultCheckObj 131->135 136 410843-410850 134->136 135->136 136->103 137 410856-41086f 136->137 139 410871-41088c __vbaHresultCheckObj 137->139 140 41088e 137->140 141 410898-4108e1 __vbaFreeObj __vbaObjSet 139->141 140->141 144 410903 141->144 145 4108e3-410901 __vbaHresultCheckObj 141->145 146 41090d-41091a 144->146 145->146 146->103 147 410920-410939 146->147 149 410958 147->149 150 41093b-410956 __vbaHresultCheckObj 147->150 151 410962-410984 __vbaFreeObj 149->151 150->151
    APIs
    • __vbaChkstk.MSVBVM60(?,004018F6), ref: 0041049E
    • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004018F6), ref: 004104E5
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00405400,00000080), ref: 00410522
    • __vbaChkstk.MSVBVM60 ref: 00410556
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041058D
    • __vbaLateIdSt.MSVBVM60(00000000), ref: 00410594
    • __vbaFreeObj.MSVBVM60 ref: 0041059D
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00405400,00000088), ref: 004105DA
    • __vbaChkstk.MSVBVM60 ref: 0041060E
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00410645
    • __vbaLateIdSt.MSVBVM60(00000000), ref: 0041064C
    • __vbaFreeObj.MSVBVM60 ref: 00410655
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00410676
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00405400,00000080), ref: 004106AF
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00405588,0000006C), ref: 004106FE
    • __vbaFreeObj.MSVBVM60 ref: 00410713
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00410734
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00405400,00000080), ref: 0041076D
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00405588,0000006C), ref: 004107BC
    • __vbaFreeObj.MSVBVM60 ref: 004107D1
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004107F2
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00405400,00000088), ref: 0041082B
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00405588,00000074), ref: 00410880
    • __vbaFreeObj.MSVBVM60 ref: 0041089B
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004108BC
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00405400,00000088), ref: 004108F5
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00405588,00000074), ref: 0041094A
    • __vbaFreeObj.MSVBVM60 ref: 00410965
    Memory Dump Source
    • Source File: 00000000.00000002.1563911975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1563888263.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1563935125.0000000000412000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1563950673.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$Chkstk$Late$Error
    • String ID:
    • API String ID: 643407952-0
    • Opcode ID: 558d7aee046149b791da93b1ce13cfcd83c254f62431c0b2a5d4612e38ac522d
    • Instruction ID: edc31238c8b993eefe2376728c01dd6f3efc3e492cfb61d20765856cfdeb70c4
    • Opcode Fuzzy Hash: 558d7aee046149b791da93b1ce13cfcd83c254f62431c0b2a5d4612e38ac522d
    • Instruction Fuzzy Hash: 4DF129B5900208EFCB04DFA5C988BDEBBB5FF48304F108569E546BB2A5CB789985CF54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • __vbaStrCopy.MSVBVM60 ref: 0041035F
    • __vbaStrCopy.MSVBVM60 ref: 00410369
      • Part of subcall function 0040FE20: __vbaStrCopy.MSVBVM60 ref: 0040FE77
      • Part of subcall function 0040FE20: __vbaNew2.MSVBVM60(00403AEC,00412490), ref: 0040FE8F
      • Part of subcall function 0040FE20: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403ADC,00000014), ref: 0040FEB4
      • Part of subcall function 0040FE20: __vbaHresultCheckObj.MSVBVM60(00000000,?,00403AFC,00000050), ref: 0040FED8
      • Part of subcall function 0040FE20: __vbaStrCat.MSVBVM60(00403B10,?), ref: 0040FEED
      • Part of subcall function 0040FE20: __vbaStrMove.MSVBVM60 ref: 0040FEFA
      • Part of subcall function 0040FE20: __vbaStrCat.MSVBVM60(?,00000000), ref: 0040FF01
      • Part of subcall function 0040FE20: __vbaStrMove.MSVBVM60 ref: 0040FF0A
      • Part of subcall function 0040FE20: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040FF16
      • Part of subcall function 0040FE20: __vbaFreeObj.MSVBVM60 ref: 0040FF22
      • Part of subcall function 0040FE20: #526.MSVBVM60(?,00000001), ref: 0040FF2E
      • Part of subcall function 0040FE20: #607.MSVBVM60(?,00000100,?), ref: 0040FF41
    • __vbaStrMove.MSVBVM60(?,?), ref: 00410383
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041038F
    • __vbaStrCat.MSVBVM60(?,http://www.lightkid.de/updater/), ref: 004103A1
    • __vbaStrMove.MSVBVM60 ref: 004103AC
    • __vbaStrCat.MSVBVM60(.html,00000000), ref: 004103B4
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004103F0
    • __vbaLateIdCall.MSVBVM60(00000000), ref: 004103F7
    • __vbaFreeStr.MSVBVM60 ref: 00410403
    • __vbaFreeObj.MSVBVM60 ref: 0041040C
    • __vbaFreeVar.MSVBVM60 ref: 00410415
    • __vbaFreeStr.MSVBVM60(00410455), ref: 0041044E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1563911975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1563888263.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1563935125.0000000000412000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1563950673.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: __vba$Free$Move$Copy$CheckHresultList$#526#607CallLateNew2
    • String ID: .html$Misc$http://www.lightkid.de/updater/$version
    • API String ID: 1419316036-2307355520
    • Opcode ID: 477e3cab3bcd3647542a26b290d4bb1454143bfd196896bc918b73726e1a5728
    • Instruction ID: a04db33b9ad0ae0b9e7455d5645242cce779ffed2a0cf04f683a550864987b17
    • Opcode Fuzzy Hash: 477e3cab3bcd3647542a26b290d4bb1454143bfd196896bc918b73726e1a5728
    • Instruction Fuzzy Hash: 7D411C71D00209EFCB04EFA4D9899EEBBB8FF58704F10816AE505B72A1DB785A45CF94
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 159 4100e0-41012c 161 41013e-410153 159->161 162 41012e-410138 __vbaNew2 159->162 164 410155-410161 __vbaHresultCheckObj 161->164 165 410167-41016d 161->165 162->161 164->165 166 41017f-4101a1 __vbaObjSetAddref 165->166 167 41016f-410179 __vbaNew2 165->167 169 4101a3-4101ac __vbaHresultCheckObj 166->169 170 4101b2-4101cf __vbaFreeObj 166->170 167->166 169->170
    APIs
    • __vbaNew2.MSVBVM60(00402D98,00412010,?,?,?,?,?,?,?,?,004018F6), ref: 00410138
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040386C,000006FC,?,?,?,?,?,?,?,?,004018F6), ref: 00410161
    • __vbaNew2.MSVBVM60(00403AEC,00412490,?,?,?,?,?,?,?,?,004018F6), ref: 00410179
    • __vbaObjSetAddref.MSVBVM60(?,00401858,?,?,?,?,?,?,?,?,004018F6), ref: 0041018F
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403ADC,00000010,?,?,?,?,?,?,?,?,004018F6), ref: 004101AC
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,004018F6), ref: 004101B5
    Memory Dump Source
    • Source File: 00000000.00000002.1563911975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1563888263.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1563935125.0000000000412000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1563950673.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: __vba$CheckHresultNew2$AddrefFree
    • String ID:
    • API String ID: 4015893416-0
    • Opcode ID: 0aabef91c11234a4da941540a7955fa67de030d592295a5cb5469d154ea6b5bb
    • Instruction ID: 2c7a155551c23b9e193c9889dda23bf53232e56b21d4ad513e0aaa0d84400ff5
    • Opcode Fuzzy Hash: 0aabef91c11234a4da941540a7955fa67de030d592295a5cb5469d154ea6b5bb
    • Instruction Fuzzy Hash: 03218D70A00205BBCB009F54CE89BDA7FB9FB48714F20813AF541F32A1C3B99984CB98
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 172 4101f0-41023c 174 41024e-410262 172->174 175 41023e-410248 __vbaNew2 172->175 177 410264-410270 __vbaHresultCheckObj 174->177 178 410276-41027c 174->178 175->174 177->178 179 41028e-4102b0 __vbaObjSetAddref 178->179 180 41027e-410288 __vbaNew2 178->180 182 4102c1-4102de __vbaFreeObj 179->182 183 4102b2-4102bb __vbaHresultCheckObj 179->183 180->179 183->182
    APIs
    • __vbaNew2.MSVBVM60(00402D98,00412010,?,?,?,?,?,?,?,?,004018F6), ref: 00410248
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040386C,000006FC,?,?,?,?,?,?,?,?,004018F6), ref: 00410270
    • __vbaNew2.MSVBVM60(00403AEC,00412490,?,?,?,?,?,?,?,?,004018F6), ref: 00410288
    • __vbaObjSetAddref.MSVBVM60(?,00401868,?,?,?,?,?,?,?,?,004018F6), ref: 0041029E
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403ADC,00000010,?,?,?,?,?,?,?,?,004018F6), ref: 004102BB
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,004018F6), ref: 004102C4
    Memory Dump Source
    • Source File: 00000000.00000002.1563911975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1563888263.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1563935125.0000000000412000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1563950673.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: __vba$CheckHresultNew2$AddrefFree
    • String ID:
    • API String ID: 4015893416-0
    • Opcode ID: 684bf2a8158f6a52d9f068b762039a582debb04a36261345008d50126dc9f266
    • Instruction ID: a957dfbde7ba6cbc39b4743476950f41f3b5ee7815d46bb6f4eb341ba706269d
    • Opcode Fuzzy Hash: 684bf2a8158f6a52d9f068b762039a582debb04a36261345008d50126dc9f266
    • Instruction Fuzzy Hash: F921A674A00205ABCB10DF54CE49ADA7FB9FB48714B20817AF541F32E1C3B89D80CB98
    Uniqueness

    Uniqueness Score: -1.00%