Play interactive tour

Edit tour

Analysis Report Agreement Terms Sample.pdf.exe

Overview

General Information

Sample Name:	Agreement Terms Sample.pdf.exe
Analysis ID:	339336
MD5:	76b6c2b227dd2ae92bb3b86a66a8fe52
SHA1:	db06ffb667569ab3b379012567c27919c36d885a
SHA256:	128fa77a11cedbe782819f0d2e2666a04e4f8d2966a72f215c77b8933c914a47
Tags:	exeGuLoader
Most interesting Screenshot:

Detection

GuLoader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Found potential dummy code loops (likely to delay analysis)

Initial sample is a PE file and has a suspicious name

Potential time zone aware malware

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to read the PEB

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

Agreement Terms Sample.pdf.exe (PID: 6116 cmdline: 'C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe' MD5: 76B6C2B227DD2AE92BB3B86A66A8FE52)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: Agreement Terms Sample.pdf.exe PID: 6116	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: Agreement Terms Sample.pdf.exe PID: 6116	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Agreement Terms Sample.pdf.exe

Virustotal: Detection: 20%

Perma Link

Source: Agreement Terms Sample.pdf.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Agreement Terms Sample.pdf.exe

Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe

Process Stats: CPU usage > 98%

Source: Agreement Terms Sample.pdf.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Agreement Terms Sample.pdf.exe, 00000000.00000002.1371583853.0000000000410000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAffolker.exe vs Agreement Terms Sample.pdf.exe
Source: Agreement Terms Sample.pdf.exe	Binary or memory string: OriginalFilenameAffolker.exe vs Agreement Terms Sample.pdf.exe

Source: Agreement Terms Sample.pdf.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal88.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\~DF053F462F68CD7C8A.TMP

Jump to behavior

Source: Agreement Terms Sample.pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Agreement Terms Sample.pdf.exe

Virustotal: Detection: 20%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: Agreement Terms Sample.pdf.exe PID: 6116, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: Agreement Terms Sample.pdf.exe PID: 6116, type: MEMORY

Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_0040511F push ebp; ret	0_2_00405120
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_004085AB push esp; retf	0_2_004085AC
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_0042406A pushfd ; iretd	0_2_00424A35
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_0042181D pushfd ; iretd	0_2_00424A35
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_004242BF pushfd ; iretd	0_2_00424A35
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_00424167 pushfd ; iretd	0_2_00424A35
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_00423F6B pushfd ; iretd	0_2_00424A35
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_00423921 pushfd ; iretd	0_2_00424A35
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_00424126 pushfd ; iretd	0_2_00424A35
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_0042493E pushfd ; iretd	0_2_00424A35
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_004241DB pushfd ; iretd	0_2_00424A35
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_00423FE2 pushfd ; iretd	0_2_00424A35

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: pdf.exe

Static PE information: Agreement Terms Sample.pdf.exe

Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_00426C57	0_2_00426C57
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_00426A17	0_2_00426A17
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_00426A15	0_2_00426A15
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_00426E18	0_2_00426E18
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_00426CD1	0_2_00426CD1
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_00426AEF	0_2_00426AEF
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_00426CF6	0_2_00426CF6
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_00423F6B	0_2_00423F6B
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_004267F7	0_2_004267F7
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_00426BAF	0_2_00426BAF

Potential time zone aware malware

Show sources

Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Agreement Terms Sample.pdf.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe

RDTSC instruction interceptor: First address: 00000000004262EB second address: 00000000004262EB instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAB3093C388h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d add edi, edx 0x0000001f dec dword ptr [ebp+000000F8h] 0x00000025 cmp dl, 00000015h 0x00000028 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000002f jne 00007FAB3093C365h 0x00000031 cmp dl, dl 0x00000033 cmp eax, ecx 0x00000035 call 00007FAB3093C3FDh 0x0000003a call 00007FAB3093C398h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc

Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe

Code function: 0_2_00426C57 rdtsc

0_2_00426C57

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Agreement Terms Sample.pdf.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe

Code function: 0_2_00426C57 rdtsc

0_2_00426C57

Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_00426A17 mov eax, dword ptr fs:[00000030h]	0_2_00426A17
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_00426A15 mov eax, dword ptr fs:[00000030h]	0_2_00426A15
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_00425A2F mov eax, dword ptr fs:[00000030h]	0_2_00425A2F
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_00421ED3 mov eax, dword ptr fs:[00000030h]	0_2_00421ED3
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_0042229E mov eax, dword ptr fs:[00000030h]	0_2_0042229E
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_00425F78 mov eax, dword ptr fs:[00000030h]	0_2_00425F78
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_0042332A mov eax, dword ptr fs:[00000030h]	0_2_0042332A
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_00422537 mov eax, dword ptr fs:[00000030h]	0_2_00422537
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe	Code function: 0_2_004267F7 mov eax, dword ptr fs:[00000030h]	0_2_004267F7

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Agreement Terms Sample.pdf.exe, 00000000.00000002.1372402958.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Agreement Terms Sample.pdf.exe, 00000000.00000002.1372402958.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Agreement Terms Sample.pdf.exe, 00000000.00000002.1372402958.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: Agreement Terms Sample.pdf.exe, 00000000.00000002.1372402958.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion11	LSASS Memory	Security Software Discovery411	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information11	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery21	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Agreement Terms Sample.pdf.exe	21%	Virustotal		Browse
Agreement Terms Sample.pdf.exe	4%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339336
Start date:	13.01.2021
Start time:	21:13:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Agreement Terms Sample.pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 12.5% (good quality ratio 3.3%) Quality average: 14.9% Quality standard deviation: 28.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, MusNotifyIcon.exe, conhost.exe, svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.164931273631205
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Agreement Terms Sample.pdf.exe
File size:	65536
MD5:	76b6c2b227dd2ae92bb3b86a66a8fe52
SHA1:	db06ffb667569ab3b379012567c27919c36d885a
SHA256:	128fa77a11cedbe782819f0d2e2666a04e4f8d2966a72f215c77b8933c914a47
SHA512:	74614ba4f06a95c07257896002b99023714b85da540a923e2dfa59fbcd3262d2bda715ff4a2a0384b9a7cca0c5dbb34298bda4ae5ebaba9eef51bfc5f87a176b
SSDEEP:	768:tdhWOzU3SN+0MX6x7Z4LNeLmKETN3rWCC0Kg:/hWSUCN+1Xc7ONeFIJ3Hp
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...S..M.....................0....................@................

File Icon


Icon Hash:	f030f0c6f030b100

Static PE Info

General
Entrypoint:	0x401200
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4DF4FD53 [Sun Jun 12 17:54:27 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e4e19abc2b8b3cdf6beb846e51c393a2

Entrypoint Preview

Instruction
push 00401E60h
call 00007FAB30B1BBF5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], cl
add bl, byte ptr [esi+09C8E7E3h]
dec edx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd244	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x8b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xc4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc5e8	0xd000	False	0.519193209135	data	5.8716351227	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0xe000	0x1158	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x8b0	0x1000	False	0.135986328125	data	1.29485435267	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x10348	0x568	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x10334	0x14	data
RT_VERSION	0x100f0	0x244	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

__vbaCyForInit, _CIcos, _adj_fptan, __vbaFreeVar, __vbaEnd, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaCyI2, __vbaStrCmp, __vbaCyI4, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaCyForNext, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Affolker
FileVersion	2.00
CompanyName	Axis Corp
Comments	Axis Corp
ProductName	Project1
ProductVersion	2.00
OriginalFilename	Affolker.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: Agreement Terms Sample.pdf.exe PID: 6116 Parent PID: 5880

General

Start time:	21:14:22
Start date:	13/01/2021
Path:	C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe'
Imagebase:	0x400000
File size:	65536 bytes
MD5 hash:	76B6C2B227DD2AE92BB3B86A66A8FE52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Agreement Terms Sample.pdf.exe PID: 6116 Parent PID: 5880 Agreement Terms Sample.pdf.exeCOMMON

Executed Functions

Function 0040CEF4, Relevance: 58.0, APIs: 30, Strings: 3, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0040CEF4(signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				void* _v36;
				signed int _v56;
				char _v60;
				char _v64;
				char _v68;
				intOrPtr _v76;
				char _v84;
				intOrPtr _v92;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				intOrPtr _v116;
				signed int _v120;
				intOrPtr _v124;
				intOrPtr _v136;
				signed int _v140;
				intOrPtr* _v144;
				signed int _v148;
				signed int _v152;
				intOrPtr _t93;
				char* _t94;
				signed int _t95;
				signed int _t102;
				signed int _t105;
				char* _t106;
				signed int _t116;
				signed int _t120;
				signed int _t123;
				void* _t124;
				signed int _t139;
				void* _t142;
				void* _t144;
				void* _t145;
				intOrPtr _t146;

				 *[fs:0x0] = _t146;
				L004010E0();
				_v16 = _t146;
				_v12 = E004010C8;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0x000000fe;
				_t93 =  *((intOrPtr*)( *_a4 + 4))(_a4, _t144, _t145, _t124,  *[fs:0x0], 0x4010e6);
				_push(0x53933);
				L004011E2();
				_v124 = _t93;
				_v120 = _t139;
				_push(1);
				L004011DC();
				_v116 = _t93;
				_v112 = _t139;
				_push(_v112);
				_push(_v116);
				_push(_v120);
				_push(_v124);
				_push(0);
				L004011DC();
				_push(_t139);
				_push(_t93);
				_t94 =  &_v32;
				_push(_t94);
				L004011D6();
				_v136 = _t94;
				while(_v136 != 0) {
					_v76 = 0x772813;
					_v84 = 3;
					_t95 =  &_v84;
					_push(_t95);
					L004011C4();
					L004011CA();
					_push(_t95);
					_push(0x402a34);
					_push(0x402a3c);
					L004011BE();
					L004011CA();
					_push(_t95);
					_push(0x402a48);
					L004011BE();
					_t139 = _t95;
					L004011CA();
					_push(_t95);
					L004011D0();
					asm("sbb eax, eax");
					_v104 =  ~( ~_t95 + 1);
					_push( &_v64);
					_push( &_v60);
					_push( &_v56);
					_push(3);
					L004011B8();
					_t146 = _t146 + 0x10;
					L004011B2();
					_t102 = _v104;
					if(_t102 != 0) {
						_push(0x402a50);
						_push(0x402a58);
						L004011BE();
						L004011CA();
						_push(_t102);
						L004011A6();
						_push(_t102);
						L004011AC();
						_t139 = _t102;
						L004011CA();
						_push(_t102);
						_push(0x402a60);
						L004011D0();
						asm("sbb eax, eax");
						_v104 =  ~( ~_t102 + 1);
						_push( &_v60);
						_t36 =  &_v56; // 0x402a60
						_push(2);
						L004011B8();
						_t146 = _t146 + 0xc;
						if(_v104 != 0) {
							if( *0x40e010 != 0) {
								_v144 = 0x40e010;
							} else {
								_push("H!Y");
								_push(0x4021d0);
								L00401194();
								_v144 = 0x40e010;
							}
							_t116 =  &_v68;
							L0040119A();
							_v104 = _t116;
							_t120 =  *((intOrPtr*)( *_v104 + 0x50))(_v104,  &_v56, _t116,  *((intOrPtr*)( *((intOrPtr*)( *_v144)) + 0x304))( *_v144));
							asm("fclex");
							_v108 = _t120;
							if(_v108 >= 0) {
								_v148 = _v148 & 0x00000000;
							} else {
								_push(0x50);
								_push(0x402a64);
								_push(_v104);
								_push(_v108);
								L0040118E();
								_v148 = _t120;
							}
							_v140 = _v56;
							_v56 = _v56 & 0x00000000;
							_v76 = _v140;
							_v84 = 8;
							_push(0);
							_t123 =  &_v84;
							_push(_t123); // executed
							L004011A0(); // executed
							_t139 = _t123;
							L004011CA();
							L00401188();
							L004011B2();
						}
					}
					_t105 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
					asm("fclex");
					_v104 = _t105;
					if(_v104 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0x2b4);
						_push(0x40291c);
						_push(_a4);
						_push(_v104);
						L0040118E();
						_v152 = _t105;
					}
					_push(_v112);
					_push(_v116);
					_push(_v120);
					_push(_v124);
					_t106 =  &_v32;
					_push(_t106);
					L00401182();
					_v136 = _t106;
				}
				_v92 = 0x1513131a;
				_t142 =  >=  ? 0x403f0b : _t139;
				goto __edx;
			}

0x0040cf06
0x0040cf12
0x0040cf1a
0x0040cf1d
0x0040cf2a
0x0040cf32
0x0040cf3d
0x0040cf40
0x0040cf45
0x0040cf4a
0x0040cf4d
0x0040cf50
0x0040cf52
0x0040cf57
0x0040cf5a
0x0040cf5d
0x0040cf60
0x0040cf63
0x0040cf66
0x0040cf69
0x0040cf6b
0x0040cf70
0x0040cf71
0x0040cf72
0x0040cf75
0x0040cf76
0x0040cf7b
0x0040d19d
0x0040cf86
0x0040cf8d
0x0040cf94
0x0040cf97
0x0040cf98
0x0040cfa2
0x0040cfa7
0x0040cfa8
0x0040cfad
0x0040cfb2
0x0040cfbc
0x0040cfc1
0x0040cfc2
0x0040cfc7
0x0040cfcc
0x0040cfd1
0x0040cfd6
0x0040cfd7
0x0040cfde
0x0040cfe3
0x0040cfea
0x0040cfee
0x0040cff2
0x0040cff3
0x0040cff5
0x0040cffa
0x0040d000
0x0040d005
0x0040d00b
0x0040d011
0x0040d016
0x0040d01b
0x0040d025
0x0040d02a
0x0040d02b
0x0040d030
0x0040d031
0x0040d036
0x0040d03b
0x0040d040
0x0040d041
0x0040d046
0x0040d04d
0x0040d052
0x0040d059
0x0040d05a
0x0040d05e
0x0040d060
0x0040d065
0x0040d06e
0x0040d07b
0x0040d098
0x0040d07d
0x0040d07d
0x0040d082
0x0040d087
0x0040d08c
0x0040d08c
0x0040d0bc
0x0040d0c0
0x0040d0c5
0x0040d0d4
0x0040d0d7
0x0040d0d9
0x0040d0e0
0x0040d0fc
0x0040d0e2
0x0040d0e2
0x0040d0e4
0x0040d0e9
0x0040d0ec
0x0040d0ef
0x0040d0f4
0x0040d0f4
0x0040d106
0x0040d10c
0x0040d116
0x0040d119
0x0040d120
0x0040d122
0x0040d125
0x0040d126
0x0040d12b
0x0040d130
0x0040d138
0x0040d140
0x0040d140
0x0040d06e
0x0040d14d
0x0040d153
0x0040d155
0x0040d15c
0x0040d17b
0x0040d15e
0x0040d15e
0x0040d163
0x0040d168
0x0040d16b
0x0040d16e
0x0040d173
0x0040d173
0x0040d182
0x0040d185
0x0040d188
0x0040d18b
0x0040d18e
0x0040d191
0x0040d192
0x0040d197
0x0040d197
0x0040d1aa
0x0040d1b9
0x0040d1bc

APIs

__vbaChkstk.MSVBVM60(?,004010E6), ref: 0040CF12
__vbaCyI4.MSVBVM60(00053933,?,?,?,?,004010E6), ref: 0040CF45
__vbaCyI2.MSVBVM60(00000001,00053933,?,?,?,?,004010E6), ref: 0040CF52
__vbaCyI2.MSVBVM60(00000000,?,?,?,?,00000001,00053933,?,?,?,?,004010E6), ref: 0040CF6B
__vbaCyForInit.MSVBVM60(?,00000000,?,00000000,?,?,?,?,00000001,00053933,?,?,?,?,004010E6), ref: 0040CF76
#591.MSVBVM60(00000003), ref: 0040CF98
__vbaStrMove.MSVBVM60(00000003), ref: 0040CFA2
__vbaStrCat.MSVBVM60(00402A3C,00402A34,00000000,00000003), ref: 0040CFB2
__vbaStrMove.MSVBVM60(00402A3C,00402A34,00000000,00000003), ref: 0040CFBC
__vbaStrCat.MSVBVM60(00402A48,00000000,00402A3C,00402A34,00000000,00000003), ref: 0040CFC7
__vbaStrMove.MSVBVM60(00402A48,00000000,00402A3C,00402A34,00000000,00000003), ref: 0040CFD1
__vbaStrCmp.MSVBVM60(00000000,00402A48,00000000,00402A3C,00402A34,00000000,00000003), ref: 0040CFD7
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000,00000000,00402A48,00000000,00402A3C,00402A34,00000000,00000003), ref: 0040CFF5
__vbaFreeVar.MSVBVM60(?,?,?,004010E6), ref: 0040D000
__vbaStrCat.MSVBVM60(00402A58,00402A50,?,?,?,004010E6), ref: 0040D01B
__vbaStrMove.MSVBVM60(00402A58,00402A50,?,?,?,004010E6), ref: 0040D025
__vbaI4Str.MSVBVM60(00000000,00402A58,00402A50,?,?,?,004010E6), ref: 0040D02B
#537.MSVBVM60(00000000,00000000,00402A58,00402A50,?,?,?,004010E6), ref: 0040D031
__vbaStrMove.MSVBVM60(00000000,00000000,00402A58,00402A50,?,?,?,004010E6), ref: 0040D03B
__vbaStrCmp.MSVBVM60(00402A60,00000000,00000000,00000000,00402A58,00402A50,?,?,?,004010E6), ref: 0040D046
__vbaFreeStrList.MSVBVM60(00000002,`*@,?,00402A60,00000000,00000000,00000000,00402A58,00402A50,?,?,?,004010E6), ref: 0040D060
__vbaNew2.MSVBVM60(004021D0,H!Y,00000000,00402A58,00402A50,?,?,?,004010E6), ref: 0040D087
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D0C0

Strings

H!Y, xrefs: 0040D074, 0040D07D, 0040D08C, 0040D098
P*@, xrefs: 0040D12D
`*@, xrefs: 0040D05A, 0040D05D

Memory Dump Source

Source File: 00000000.00000002.1371511270.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1371475448.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1371552455.000000000040E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1371583853.0000000000410000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$List$#537#591ChkstkInitNew2
String ID: H!Y$P*@$`*@
API String ID: 1504116222-2810139510
Opcode ID: fca2021351c44e3b18245be0fe7150c573aa21d337df28cbbaee380bf62731e1
Instruction ID: e1c706923e04169e6eb29588809bc7b19056334f7bd2a6089c29d9789405d4d3
Opcode Fuzzy Hash: fca2021351c44e3b18245be0fe7150c573aa21d337df28cbbaee380bf62731e1
Instruction Fuzzy Hash: AC811771E00208AFDB15EFE1CD46B9EBBB9BF08304F10447AB605BB1A1DB785A45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00401200, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 71%

			_entry_(signed int __eax, void* __ebx, signed int __ecx, void* __edx, intOrPtr* __edi, signed int __esi) {
				intOrPtr* _t27;
				signed int _t29;
				signed char _t30;
				signed char _t31;
				signed char _t32;
				intOrPtr* _t35;
				signed int _t38;
				intOrPtr* _t41;
				void* _t42;
				intOrPtr* _t43;
				signed int _t50;
				void* _t51;
				signed char _t57;
				signed char _t58;

				_t45 = __esi;
				_t38 = __ecx;
				_push("VB5!6&*"); // executed
				L004011FA(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t27 = __eax + 1;
				 *_t27 =  *_t27 + _t27;
				 *_t27 =  *_t27 + _t27;
				 *_t27 =  *_t27 + _t27;
				 *__edi =  *__edi + __ecx;
				_t35 = __ebx +  *((intOrPtr*)(__esi + 0x9c8e7e3));
				asm("invalid");
				asm("std");
				_t41 = __edx - 1 + 1;
				_push(0x2f);
				_t28 = 0x27;
				 *0x27 =  *0x27 + 0x27;
				 *__ecx =  *__ecx + 0x27;
				 *0x27 =  *0x27 + 0x27;
				 *_t41 =  *_t41 + __ecx;
				_t42 = _t41 + 1;
				_t51 = _t42;
				asm("outsd");
				if(_t51 < 0) {
					L5:
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					_t35 = 0xb;
					 *_t28 =  *_t28 + _t28;
					_t42 = _t42 + 1;
				} else {
					_push(0x27);
					if(_t51 >= 0) {
						_push(0x65);
						asm("arpl [ecx+esi], si");
						 *0x7061430a =  *0x7061430a ^ __ecx;
						if ( *0x7061430a == 0) goto L3;
						 *0x27 =  *0x27 + 0x27;
						asm("int3");
						 *0x27 =  *0x27 ^ 0x00000027;
						_t45 = __esi +  *((intOrPtr*)(_t42 - 0x35));
						_t50 = 0x27;
						_t28 = 0xad;
						asm("adc [ecx], ebx");
						asm("out dx, al");
						asm("invalid");
						asm("int3");
						asm("wait");
						asm("daa");
						 *0x49004e6f = 0xad;
						 *((intOrPtr*)(0x66)) = __ecx;
						asm("adc [ecx+0x33ad4f3a], ch");
						asm("cdq");
						asm("iretw");
						asm("adc [edi+0xaa000c], esi");
						asm("pushad");
						asm("rcl dword [ebx], cl");
						 *0xad =  *0xad + 0xad;
						 *0xad =  *0xad + 0xad;
						 *0xad =  *0xad + 0xad;
						 *0xad =  *0xad + 0xad;
						 *0xad =  *0xad + 0xad;
						 *0xad =  *0xad + 0xad;
						 *0xad =  *0xad + 0xad;
						 *0xad =  *0xad + 0xad;
						 *0xad =  *0xad + 0xad;
						 *0xad =  *0xad + 0xad;
						 *0xad =  *0xad + 0xad;
						goto L5;
					}
				}
				_t29 = _t28 |  *_t28;
				 *_t29 =  *_t29 + _t29;
				_t30 = _t29 |  *_t29;
				_t57 = _t30;
				_push(_t35);
				if(_t57 == 0) {
					L11:
					 *_t30 =  *_t30 + _t30;
					 *_t38 =  *_t38 + _t30;
					 *_t30 =  *_t30 + _t30;
					 *_t30 =  *_t30 + _t30;
					 *_t30 =  *_t30 + _t30;
					goto L12;
				} else {
					if(_t57 < 0) {
						L12:
						asm("lahf");
						asm("lahf");
						asm("lahf");
						 *((intOrPtr*)(_t38 - 0x5aff5e5f)) =  *((intOrPtr*)(_t38 - 0x5aff5e5f)) + _t30;
						asm("movsd");
						asm("movsd");
						 *((intOrPtr*)(_t42 - 0x4dff5556)) =  *((intOrPtr*)(_t42 - 0x4dff5556)) + _t38;
						goto L13;
					} else {
						_t30 = _t30 | 0x52000b01;
						_t58 = _t30;
						asm("popad");
						if(_t58 < 0) {
							L13:
							_t42 = 0xb2;
						} else {
							if(_t58 != 0) {
								asm("outsb");
								asm("a16 popad");
								asm("outsb");
								_t31 = _t30 ^ 0x00011900;
								_t43 = _t42 + 1;
								 *_t43 =  *_t43 + _t31;
								 *_t35 =  *_t35 + _t50;
								asm("out dx, al");
								_t32 = _t31 |  *_t31;
								 *((intOrPtr*)(_t50 + _t45 * 2)) =  *((intOrPtr*)(_t50 + _t45 * 2)) + _t38;
								_t42 = _t43 + _t32;
								_t30 = _t32 |  *_t32;
								 *_t30 =  *_t30 + _t30;
								 *_t38 =  *_t38 + _t30;
								 *_t38 =  *_t38 + _t30;
								 *_t30 =  *_t30 + _t42;
								asm("adc [eax], al");
								 *_t38 =  *_t38 + _t30;
								 *_t30 =  *_t30 + _t38;
								 *((intOrPtr*)(_t30 + 5)) =  *((intOrPtr*)(_t30 + 5)) + _t38;
								 *_t30 =  *_t30 + _t30;
								_push(ss);
								 *_t30 =  *_t30 + _t30;
								 *_t30 =  *_t30 + _t38;
								 *_t30 =  *_t30 + _t30;
								 *_t30 =  *_t30 + _t42;
								 *_t30 =  *_t30 + _t30;
								 *_t30 =  *_t30 + _t30;
								 *_t30 =  *_t30 + _t30;
								 *_t38 =  *_t38 + _t30;
								 *_t30 =  *_t30 + _t38;
								 *_t30 =  *_t30 + _t30;
								 *_t30 =  *_t30 + _t30;
								 *_t30 =  *_t30 + _t30;
								 *_t30 =  *_t30 + _t30;
								 *_t30 =  *_t30 + _t30;
								 *_t30 =  *_t30 + _t30;
								 *_t30 =  *_t30 + _t30;
								 *_t30 =  *_t30 + _t30;
								 *_t30 =  *_t30 + _t30;
								 *_t30 =  *_t30 + _t30;
								goto L11;
							}
						}
					}
				}
				 *((intOrPtr*)(_t50 + _t45 * 4 - 0x4141ff4c)) =  *((intOrPtr*)(_t50 + _t45 * 4 - 0x4141ff4c)) + _t42;
				return _t30;
			}

0x00401200
0x00401200
0x00401200
0x00401205
0x0040120a
0x0040120c
0x0040120e
0x00401210
0x00401212
0x00401214
0x00401215
0x00401217
0x00401219
0x0040121b
0x0040121d
0x00401224
0x00401226
0x00401227
0x00401228
0x0040122a
0x0040122f
0x00401231
0x00401233
0x00401235
0x00401237
0x00401237
0x00401238
0x00401239
0x0040129f
0x0040129f
0x004012a1
0x004012a3
0x004012a5
0x004012a7
0x004012a9
0x004012ab
0x004012ad
0x0040123b
0x0040123b
0x0040123d
0x0040123f
0x00401241
0x00401245
0x0040124b
0x0040124d
0x00401251
0x00401252
0x00401254
0x00401258
0x00401259
0x0040125e
0x00401260
0x00401261
0x00401263
0x00401264
0x00401267
0x00401268
0x0040126d
0x00401272
0x00401279
0x0040127a
0x0040127c
0x00401282
0x00401283
0x00401289
0x0040128b
0x0040128d
0x0040128f
0x00401291
0x00401293
0x00401295
0x00401297
0x00401299
0x0040129b
0x0040129d
0x00000000
0x0040129d
0x0040123d
0x004012ae
0x004012b0
0x004012b2
0x004012b2
0x004012b4
0x004012b5
0x0040131c
0x0040131c
0x0040131e
0x00401320
0x00401322
0x00401324
0x00000000
0x004012b7
0x004012b7
0x00401326
0x00401326
0x00401327
0x00401328
0x00401329
0x0040132f
0x00401330
0x00401331
0x00000000
0x004012b9
0x004012c0
0x004012c0
0x004012c5
0x004012c6
0x00401337
0x00401337
0x004012c8
0x004012c8
0x004012ca
0x004012cb
0x004012cd
0x004012ce
0x004012d3
0x004012d4
0x004012d6
0x004012d8
0x004012d9
0x004012db
0x004012df
0x004012e1
0x004012e3
0x004012e5
0x004012e7
0x004012e9
0x004012eb
0x004012ed
0x004012ef
0x004012f1
0x004012f4
0x004012f6
0x004012f7
0x004012f9
0x004012fb
0x004012fd
0x004012ff
0x00401301
0x00401303
0x00401305
0x00401307
0x00401309
0x0040130b
0x0040130d
0x0040130f
0x00401311
0x00401313
0x00401315
0x00401317
0x00401319
0x0040131b
0x00000000
0x0040131b
0x004012c8
0x004012c6
0x004012b7
0x00401339
0x00401344

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401205

Strings

VB5!6&*, xrefs: 00401200

Memory Dump Source

Source File: 00000000.00000002.1371511270.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1371475448.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1371552455.000000000040E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1371583853.0000000000410000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: c75b3cf7e482a1df40dad3f6aeaa7161268e0146f8067d4617ce303daa160528
Instruction ID: 41c3b7e3edcba7905f74a093ed7b1dd4d472c54b604e1125e67ced544607520a
Opcode Fuzzy Hash: c75b3cf7e482a1df40dad3f6aeaa7161268e0146f8067d4617ce303daa160528
Instruction Fuzzy Hash: 45D0A41098EBC21ED307237148320566F718D27A9031E59EBE0D6DE0F3C25C186AC726

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00423F6B, Relevance: 1.6, Strings: 1, Instructions: 363COMMON

Download Yara Rule

Strings

0={,, xrefs: 0042408C

Memory Dump Source

Source File: 00000000.00000002.1371604793.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: 0={,
API String ID: 0-63937952
Opcode ID: 488225164997d6703de8ae6bf83232c5c8c98f32cdebe3254c1ff40791023a0b
Instruction ID: 40b050fda7b86112eecd747f31b70037107253396fe2450a2e7f63cf35e50224
Opcode Fuzzy Hash: 488225164997d6703de8ae6bf83232c5c8c98f32cdebe3254c1ff40791023a0b
Instruction Fuzzy Hash: 07C13B70B04667CFDB20EF79D4913DA7BA1EF95350FA0406AE9854B241DB358887CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00421ED3, Relevance: .6, Instructions: 622COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371604793.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9281f6f95655c69fb9586e8498e9d6414d6055a5be38ec5a5b8a4e1b54da0967
Instruction ID: 02dae33ccaae74d16fe33ffae204cc56691436c49440893424b6b06f1e5d0f66
Opcode Fuzzy Hash: 9281f6f95655c69fb9586e8498e9d6414d6055a5be38ec5a5b8a4e1b54da0967
Instruction Fuzzy Hash: B9129970740316BFEB209E24EDD1BE673A2FF01390FD4422AED8497280CBBD98968744

Uniqueness

Uniqueness Score: -1.00%

Function 004267F7, Relevance: .5, Instructions: 493COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371604793.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc352bd1325ac31bd7bc857baac5e6474d0a096fd5759add6f9a71b4946d99c
Instruction ID: 3a4d16712270a7444236e406c5eaf868275957c0bdd0041becbc2d759ffc8f3c
Opcode Fuzzy Hash: 4cc352bd1325ac31bd7bc857baac5e6474d0a096fd5759add6f9a71b4946d99c
Instruction Fuzzy Hash: 26F17D34B043A2CEDB219F38E5D4396B791EF62350FD9819BD9D54B286D7398882C70A

Uniqueness

Uniqueness Score: -1.00%

Function 00422537, Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371604793.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1df040592422b2ffc765b46cdeb5c14bd8479a45370a6d900375f3465853126
Instruction ID: abe7acc6f8826991a6ffaa16ff91461a31103e59edc270b5c7653a43cb1aacac
Opcode Fuzzy Hash: e1df040592422b2ffc765b46cdeb5c14bd8479a45370a6d900375f3465853126
Instruction Fuzzy Hash: D3D13670740315BFFF205E24ED96BEA7762EF11394F94421AFE859B2C1C7BD88858609

Uniqueness

Uniqueness Score: -1.00%

Function 00426A17, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371604793.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d120fdb1d6f8bb0e460360f1279a7109f0d04eb05bb780ecd8c71e06b3fd469
Instruction ID: fc2384ec2baa6e97929b2e716a9865cd083b3917d9037179ddd449fc748ab8da
Opcode Fuzzy Hash: 2d120fdb1d6f8bb0e460360f1279a7109f0d04eb05bb780ecd8c71e06b3fd469
Instruction Fuzzy Hash: 72710834604392CEDB21DF28D494792BBD0AF56360F99829ECDD58F2D3D7398842C716

Uniqueness

Uniqueness Score: -1.00%

Function 00426A15, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371604793.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2026eb70a4054a2be3dbc7f1201bbea1addb298e69bb239a04b8e89e8e1b2b2e
Instruction ID: 6bdf45dad282cfac7edbda9bf040413e849ccdb61424778f62ca30ba4f6c0b1c
Opcode Fuzzy Hash: 2026eb70a4054a2be3dbc7f1201bbea1addb298e69bb239a04b8e89e8e1b2b2e
Instruction Fuzzy Hash: E2610774704352CEDB20DF28D4D4796B6D1EF26360F99829EDD968B3D2D3398882C71A

Uniqueness

Uniqueness Score: -1.00%

Function 00426AEF, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371604793.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f9dc7e7341d5ea00346ec17bfcd67d311150434334db46d4023d5598534adfc
Instruction ID: febb75d7480d87255fae5fd34d7cba3b46573e5f96c1c1fd3857f9e5b5fb1b3d
Opcode Fuzzy Hash: 9f9dc7e7341d5ea00346ec17bfcd67d311150434334db46d4023d5598534adfc
Instruction Fuzzy Hash: 67513834A04393CEDB219F389494792BAD0DF62360F99829ECDD54F2D3D7298482C71B

Uniqueness

Uniqueness Score: -1.00%

Function 00426BAF, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371604793.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16be5b5c4f9e16218da04f015ca595ea4df53a747340f62c9607bea310aa2d5
Instruction ID: 2127888f199d60791e2663117f0ac42b9180726f953ebac05bc372b931264169
Opcode Fuzzy Hash: b16be5b5c4f9e16218da04f015ca595ea4df53a747340f62c9607bea310aa2d5
Instruction Fuzzy Hash: 5F41F534A04393CEDB319F789494352FAD0DF62320F9982AAC9D54F2D7D7298482C71B

Uniqueness

Uniqueness Score: -1.00%

Function 0042229E, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371604793.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85a279bf964e6127f607a4f7015080e89fa49466e013dd851fb6ddd5271fcfd
Instruction ID: 747cfc4532c07ea1d31a760001bdf654f988e2c69e21c2960c52fdf59eb0011d
Opcode Fuzzy Hash: a85a279bf964e6127f607a4f7015080e89fa49466e013dd851fb6ddd5271fcfd
Instruction Fuzzy Hash: 71312970740226BFC720AD28DDF1BDA3395FB01354FE5822AECC993241CB2998CB8754

Uniqueness

Uniqueness Score: -1.00%

Function 00426C57, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371604793.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3d33811583d47bfacc5852218634441b21068fc4051484b09e6856eb42fb8c
Instruction ID: aae3edfa1560f0086f1d83b97778559818da7d3cc741141cdbe891d342630b47
Opcode Fuzzy Hash: 8b3d33811583d47bfacc5852218634441b21068fc4051484b09e6856eb42fb8c
Instruction Fuzzy Hash: 91313B34A14393CEDF319F789490352FAA4EF52320FA951AEC6D55E2C3D7294482CB1B

Uniqueness

Uniqueness Score: -1.00%

Function 00426CF6, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371604793.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b93c74e15b59628b5eb1b362f822e0ac2cde07bcc6e8fff541966b7d4839f7d
Instruction ID: ff831ccc3b7853a79829f0a9fd883737e2a68fea01faa957ccfde8e894923c35
Opcode Fuzzy Hash: 7b93c74e15b59628b5eb1b362f822e0ac2cde07bcc6e8fff541966b7d4839f7d
Instruction Fuzzy Hash: 0D216E34D00393CEDF324F78D590352FAA0AF52720FA551AEC6851E1C3E76A4486C707

Uniqueness

Uniqueness Score: -1.00%

Function 00426CD1, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371604793.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9754c297c331926f905afc7695a8df4052881cdbec7a7049513125c0fa51f4f8
Instruction ID: c440653af8edbc500f7dad5e3769a659336aa296a86cde22391d20d372714548
Opcode Fuzzy Hash: 9754c297c331926f905afc7695a8df4052881cdbec7a7049513125c0fa51f4f8
Instruction Fuzzy Hash: 73218074B043668DEF314F64A584366B5819F13370FA6C39FCD560E2C7D36D8881822B

Uniqueness

Uniqueness Score: -1.00%

Function 00426E18, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371604793.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26467f399084dcc90ee9fb8dd3b6d1cad0103c86e30414dd7613d687f77e5420
Instruction ID: 0ed538ede5049982ef879f31376830f99c5acf389f0126a5137798d638d6afd3
Opcode Fuzzy Hash: 26467f399084dcc90ee9fb8dd3b6d1cad0103c86e30414dd7613d687f77e5420
Instruction Fuzzy Hash: CE115C35B083A35FDF258B34E5953A67B918F13360FDB82ABD5A24A1D7C3184886C307

Uniqueness

Uniqueness Score: -1.00%

Function 00425F78, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371604793.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3164fdcdef8cafca4be858f82e9aeeef2e1d8b13a3c6e1ad04ad28ab5bc6ee9
Instruction ID: 50e58f42097c166f0953eac3c371457d5e5bdac7d435082e38f0c78a4c5d8745
Opcode Fuzzy Hash: c3164fdcdef8cafca4be858f82e9aeeef2e1d8b13a3c6e1ad04ad28ab5bc6ee9
Instruction Fuzzy Hash: B1F0BE303107108FD710CA24D7E4F9B33A09F15790F96025AEC818B2A1D338D844E92A

Uniqueness

Uniqueness Score: -1.00%

Function 0042332A, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371604793.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ccf7702abb91682df6ec6dac40faeae9134db301ceaeb33c19ab494b052e1f
Instruction ID: 08aa76554b55a637c05efa545cee326559e1fed6cc19e837e7adbc1730abdeb5
Opcode Fuzzy Hash: e4ccf7702abb91682df6ec6dac40faeae9134db301ceaeb33c19ab494b052e1f
Instruction Fuzzy Hash: 36B092B62019818FEF02DB08C491B4073B0FB28688B0804E0E402CB712E224E900CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00425A2F, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371604793.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c571a7efb73024c1bc9583fc201d55e72f3f24259a4eccf9ca9ac18dadd578d
Instruction ID: 7b1270d6b42287c816f7aa3139cba879411b85a00d8e3687f64710bb4b111d7d
Opcode Fuzzy Hash: 6c571a7efb73024c1bc9583fc201d55e72f3f24259a4eccf9ca9ac18dadd578d
Instruction Fuzzy Hash: 1AB09235B51640CFCB51CE18C1C0F8073A0BB14A40B424480A8008BB11C224E804CB00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Agreement Terms Sample.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: Agreement Terms Sample.pdf.exe PID: 6116 Parent PID: 5880

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: Agreement Terms Sample.pdf.exe PID: 6116 Parent PID: 5880 Agreement Terms Sample.pdf.exeCOMMON

Executed Functions

Function 0040CEF4, Relevance: 58.0, APIs: 30, Strings: 3, Instructions: 204COMMON

Function 00401200, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Non-executed Functions

Function 0040CEF4, Relevance: 58.0, APIs: 30, Strings: 3, Instructions: 204
COMMON

Function 00401200, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14
COMMON