Play interactive tour
Edit tourAnalysis Report PO1001910 Sample Arrive Tracking No_SINI0068206497.exe
Overview
General Information
| Sample Name: | PO1001910 Sample Arrive Tracking No_SINI0068206497.exe |
| Analysis ID: | 342204 |
| MD5: | 7d9a5b92d4e287b92d7f4c46f40c3155 |
| SHA1: | 01b5226ea9a4bc9ee01edbf73b0ddb6463b29a25 |
| SHA256: | 43af4469aaafbb8d24b8d0da831e494952db00c649d1888458594a6b8ef1284b |
| Tags: | exeGuLoader |
Most interesting Screenshot:  | |
Detection
GuLoader
| Score: | 80 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
Startup |
|---|
|
Malware Configuration |
|---|
| No configs have been found |
|---|
Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security | ||
| JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
Compliance: | |
|---|
| Uses 32bit PE files | Show sources | ||
| Source: | Static PE information: | ||
| Source: | Process Stats: | ||
| Source: | Code function: | 0_2_00404BEE | |
| Source: | Code function: | 0_2_00404C48 | |
| Source: | Code function: | 0_2_00404C21 | |
| Source: | Code function: | 0_2_00404C80 | |
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
Data Obfuscation: | |
|---|
| Yara detected GuLoader | Show sources | ||
| Source: | File source: | ||
| Yara detected VB6 Downloader Generic | Show sources | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_0040459B | |
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: | |
|---|
| Contains functionality to detect hardware virtualization (CPUID execution measurement) | Show sources | ||
| Source: | Code function: | 0_2_02212459 | |
| Source: | Code function: | 0_2_02216EA1 | |
| Source: | Code function: | 0_2_022124A7 | |
| Source: | Code function: | 0_2_022168E1 | |
| Source: | Code function: | 0_2_02216AF5 | |
| Source: | Code function: | 0_2_022168D4 | |
| Source: | Code function: | 0_2_02211D88 | |
| Detected RDTSC dummy instruction sequence (likely for instruction hammering) | Show sources | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) | Show sources | ||
| Source: | Binary or memory string: | ||
| Tries to detect virtualization through RDTSC time measurements | Show sources | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | Code function: | 0_2_02216056 | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Binary or memory string: | ||
Anti Debugging: | |
|---|
| Found potential dummy code loops (likely to delay analysis) | Show sources | ||
| Source: | Process Stats: | ||
| Source: | Code function: | 0_2_02216056 | |
| Source: | Code function: | 0_2_022126B7 | |
| Source: | Code function: | 0_2_02216AE8 | |
| Source: | Code function: | 0_2_02216AF5 | |
| Source: | Code function: | 0_2_02216B35 | |
| Source: | Code function: | 0_2_02215F3E | |
| Source: | Code function: | 0_2_02213567 | |
| Source: | Code function: | 0_2_02211D88 | |
| Source: | Code function: | 0_2_022159EE | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection1 | Virtualization/Sandbox Evasion11 | OS Credential Dumping | Security Software Discovery511 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection1 | LSASS Memory | Virtualization/Sandbox Evasion11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 24% | Virustotal | Browse | ||
| 24% | ReversingLabs | Win32.Trojan.Vebzenpak |
Dropped Files |
|---|
| No Antivirus matches |
|---|
Unpacked PE Files |
|---|
| No Antivirus matches |
|---|
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| No Antivirus matches |
|---|
Domains and IPs |
|---|
General Information |
|---|
| Joe Sandbox Version: | 31.0.0 Red Diamond |
| Analysis ID: | 342204 |
| Start date: | 20.01.2021 |
| Start time: | 16:44:34 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 11m 1s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | PO1001910 Sample Arrive Tracking No_SINI0068206497.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 29 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal80.troj.evad.winEXE@1/0@0/0 |
| EGA Information: | Failed |
| HDC Information: |
|
| HCA Information: | Failed |
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| No simulations |
|---|
Joe Sandbox View / Context |
|---|
Created / dropped Files |
|---|
| No created / dropped files found |
|---|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 5.799072194766734 |
| TrID: |
|
| File name: | PO1001910 Sample Arrive Tracking No_SINI0068206497.exe |
| File size: | 90112 |
| MD5: | 7d9a5b92d4e287b92d7f4c46f40c3155 |
| SHA1: | 01b5226ea9a4bc9ee01edbf73b0ddb6463b29a25 |
| SHA256: | 43af4469aaafbb8d24b8d0da831e494952db00c649d1888458594a6b8ef1284b |
| SHA512: | 17346e4847c43285cd6930063ae6e965ea4343101325b79dc899f70fd974f596fa02758a8b3631f8481372e7fd2e8de8480b720af32b7db89b722c2f81ad5153 |
| SSDEEP: | 768:0D3V/h6zJfdg459JOIbyswtOMe6d8+kkG8RB2EMlUlQ9vL+LK:gl/hMJV557OTPdv4alId |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...". J.................0...0...............@....@................ |
File Icon |
|---|
 | |
| Icon Hash: | f030f0c6f030b100 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x4015d4 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
| DLL Characteristics: | |
| Time Stamp: | 0x4A201A22 [Fri May 29 17:23:46 2009 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 9546a0aa3a7ac8c2e4587b9c0a1704ee |
Entrypoint Preview |
|---|
| Instruction |
|---|
| push 0040225Ch |
| call 00007F1D7CE08085h |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| xor byte ptr [eax], al |
| add byte ptr [eax], al |
| inc eax |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [ebx+492EB203h], dh |
| jecxz 00007F1D7CE080E4h |
| inc ebx |
| xchg eax, ebp |
| pop ss |
| jno 00007F1D7CE080F6h |
| xchg eax, ecx |
| out F7h, eax |
| test byte ptr [eax], 00000000h |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add dword ptr [eax], eax |
| add byte ptr [eax], al |
| push cs |
| add eax, dword ptr [eax] |
| add byte ptr [eax], al |
| add byte ptr [eax+72h], dl |
| outsd |
| push 00000065h |
| arpl word ptr [ecx+esi+00h], si |
| add byte ptr [eax], al |
| add al, cl |
| call 00007F1D7CE0838Ch |
| add byte ptr [eax], al |
| dec esp |
| xor dword ptr [eax], eax |
| add al, B7h |
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13104 | 0x28 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x938 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x15c | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x126e0 | 0x13000 | False | 0.429957339638 | data | 6.2966491779 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .data | 0x14000 | 0x11b4 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x16000 | 0x938 | 0x1000 | False | 0.142578125 | data | 1.43341804636 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0x163d0 | 0x568 | GLS_BINARY_LSB_FIRST | ||
| RT_GROUP_ICON | 0x163bc | 0x14 | data | ||
| RT_VERSION | 0x160f0 | 0x2cc | data | English | United States |
Imports |
|---|
| DLL | Import |
|---|---|
| MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaLateMemSt, __vbaBoolStr, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaCyStr, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaVarTstEq, __vbaAryConstruct2, __vbaObjVar, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, __vbaUI1Str, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr |
Version Infos |
|---|
| Description | Data |
|---|---|
| Translation | 0x0409 0x04b0 |
| LegalCopyright | Calc Theory |
| InternalName | lseferier |
| FileVersion | 1.00 |
| CompanyName | Calc Theory |
| Comments | Calc Theory |
| ProductName | Calc Theory |
| ProductVersion | 1.00 |
| FileDescription | Calc Theory |
| OriginalFilename | lseferier.exe |
Possible Origin |
|---|
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
| No network behavior found |
|---|
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 16:45:25 |
| Start date: | 20/01/2021 |
| Path: | C:\Users\user\Desktop\PO1001910 Sample Arrive Tracking No_SINI0068206497.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 90112 bytes |
| MD5 hash: | 7D9A5B92D4E287B92D7F4C46F40C3155 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Visual Basic |
| Reputation: | low |
Disassembly |
|---|
Code Analysis |
|---|
Executed Functions |
|---|
Function 00404BEE, Relevance: 1.5, APIs: 1, Instructions: 251COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404C48, Relevance: 1.5, APIs: 1, Instructions: 235COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404C80, Relevance: 1.5, APIs: 1, Instructions: 225COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00411BD7, Relevance: 84.3, APIs: 38, Strings: 10, Instructions: 309COMMON
Download Yara Rule
| C-Code - Quality: 43% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 47% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00411513, Relevance: 10.5, APIs: 7, Instructions: 41COMMON
Download Yara Rule
| C-Code - Quality: 81% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 91% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404D14, Relevance: 1.4, APIs: 1, Instructions: 173COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404E55, Relevance: 1.3, APIs: 1, Instructions: 79memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 02216056, Relevance: 1.3, Strings: 1, Instructions: 52COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02211D88, Relevance: .5, Instructions: 470COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02216AF5, Relevance: .3, Instructions: 273COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02216B35, Relevance: .2, Instructions: 171COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02216AE8, Relevance: .2, Instructions: 168COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 022126B7, Relevance: .2, Instructions: 154COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02212459, Relevance: .1, Instructions: 130COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 022124A7, Relevance: .1, Instructions: 105COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02216EA1, Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 022168D4, Relevance: .0, Instructions: 38COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 022168E1, Relevance: .0, Instructions: 34COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02215F3E, Relevance: .0, Instructions: 29COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02213567, Relevance: .0, Instructions: 8COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 022159EE, Relevance: .0, Instructions: 6COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 52% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 51% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 58% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 59% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 57% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 56% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 54% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00412F14, Relevance: 22.6, APIs: 15, Instructions: 67COMMON
Download Yara Rule
| C-Code - Quality: 52% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 57% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00412E42, Relevance: 16.6, APIs: 11, Instructions: 53COMMON
Download Yara Rule
| C-Code - Quality: 58% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00412D61, Relevance: 15.1, APIs: 10, Instructions: 54COMMON
Download Yara Rule
| C-Code - Quality: 75% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004116CE, Relevance: 12.0, APIs: 8, Instructions: 40COMMON
Download Yara Rule
| C-Code - Quality: 48% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 53% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 51% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 57% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004127EF, Relevance: 9.1, APIs: 6, Instructions: 74COMMON
Download Yara Rule
| C-Code - Quality: 38% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00411764, Relevance: 9.0, APIs: 6, Instructions: 30COMMON
Download Yara Rule
| C-Code - Quality: 66% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00411B2E, Relevance: 7.5, APIs: 5, Instructions: 39COMMON
Download Yara Rule
| C-Code - Quality: 64% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |