Play interactive tour
Edit tourAnalysis Report Proforma Invoice.exe
Overview
General Information
| Sample Name: | Proforma Invoice.exe |
| Analysis ID: | 343196 |
| MD5: | 6479f35608769db340640d6a8f84a38d |
| SHA1: | 1ffc79fde43e746e826f32a018e02a65fc51602e |
| SHA256: | e97a63a8f54270ace4969870597c7642bbdb31fc6d5d1972d412edaf4fccd80e |
| Tags: | GuLoader |
Most interesting Screenshot:  | |
Detection
GuLoader
| Score: | 84 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
Startup |
|---|
|
Malware Configuration |
|---|
| No configs have been found |
|---|
Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security | ||
| JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
Compliance: | |
|---|
| Uses 32bit PE files | Show sources | ||
| Source: | Static PE information: | ||
System Summary: | |
|---|
| Executable has a suspicious name (potential lure to open the executable) | Show sources | ||
| Source: | Static file information: | ||
| Initial sample is a PE file and has a suspicious name | Show sources | ||
| Source: | Static PE information: | ||
| Source: | Process Stats: | ||
| Source: | Code function: | 0_2_021F76CF | |
| Source: | Code function: | 0_2_0040326F | |
| Source: | Code function: | 0_2_00403424 | |
| Source: | Code function: | 0_2_004033DF | |
| Source: | Code function: | 0_2_00403383 | |
| Source: | Code function: | 0_2_004033AF | |
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
Data Obfuscation: | |
|---|
| Yara detected GuLoader | Show sources | ||
| Source: | File source: | ||
| Yara detected VB6 Downloader Generic | Show sources | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_00407A12 | |
| Source: | Code function: | 0_2_00404294 | |
| Source: | Code function: | 0_2_00407361 | |
| Source: | Code function: | 0_2_021F6EF2 | |
| Source: | Code function: | 0_2_021F4AE7 | |
| Source: | Code function: | 0_2_021F576E | |
| Source: | Code function: | 0_2_021F0F9F | |
| Source: | Code function: | 0_2_021F0F9F | |
| Source: | Code function: | 0_2_021F0FC4 | |
| Source: | Code function: | 0_2_021F49C8 | |
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: | |
|---|
| Contains functionality to detect hardware virtualization (CPUID execution measurement) | Show sources | ||
| Source: | Code function: | 0_2_021F1850 | |
| Detected RDTSC dummy instruction sequence (likely for instruction hammering) | Show sources | ||
| Source: | RDTSC instruction interceptor: | ||
| Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) | Show sources | ||
| Source: | Binary or memory string: | ||
| Tries to detect virtualization through RDTSC time measurements | Show sources | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | Code function: | 0_2_021F1A1F | |
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_021F1A1F | |
| Source: | Code function: | 0_2_021F6006 | |
| Source: | Code function: | 0_2_021F5A78 | |
| Source: | Code function: | 0_2_021F34AA | |
| Source: | Code function: | 0_2_021F34A8 | |
| Source: | Code function: | 0_2_021F2519 | |
| Source: | Code function: | 0_2_021F2571 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_021F2BD8 | |
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection1 | Process Injection1 | OS Credential Dumping | Security Software Discovery411 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information1 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | System Information Discovery311 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 34% | Virustotal | Browse | ||
| 20% | ReversingLabs | Win32.Trojan.Generic |
Dropped Files |
|---|
| No Antivirus matches |
|---|
Unpacked PE Files |
|---|
| No Antivirus matches |
|---|
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| No Antivirus matches |
|---|
Domains and IPs |
|---|
General Information |
|---|
| Joe Sandbox Version: | 31.0.0 Red Diamond |
| Analysis ID: | 343196 |
| Start date: | 22.01.2021 |
| Start time: | 14:49:45 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 11m 42s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | Proforma Invoice.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 39 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal84.troj.evad.winEXE@1/0@0/0 |
| EGA Information: | Failed |
| HDC Information: |
|
| HCA Information: | Failed |
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| No simulations |
|---|
Joe Sandbox View / Context |
|---|
Created / dropped Files |
|---|
| No created / dropped files found |
|---|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 5.766612306860119 |
| TrID: |
|
| File name: | Proforma Invoice.exe |
| File size: | 69632 |
| MD5: | 6479f35608769db340640d6a8f84a38d |
| SHA1: | 1ffc79fde43e746e826f32a018e02a65fc51602e |
| SHA256: | e97a63a8f54270ace4969870597c7642bbdb31fc6d5d1972d412edaf4fccd80e |
| SHA512: | cab95cae43799faaec6d612e4f63d363629506dd5973513e29870e0d81e1a3a99adc86696d320ffaeeff5cc23b6f6491cbe30052a3eff9afd303227db113054f |
| SSDEEP: | 768:IxdbBehQZF4bp4kbKR80KQWfD5HDm0L5g5eucI1hzRU66t:6dde0F4bekepUrZi0O5FcI1hzR+ |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......S.....................0......T.............@................ |
File Icon |
|---|
 | |
| Icon Hash: | f030f0c6f030b100 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x401354 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
| DLL Characteristics: | |
| Time Stamp: | 0x530B1A94 [Mon Feb 24 10:10:28 2014 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | e22238527efb5691a1dfa3f0e707406a |
Entrypoint Preview |
|---|
| Instruction |
|---|
| push 00401FECh |
| call 00007FD3307D24E5h |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| xor byte ptr [eax], al |
| add byte ptr [eax], al |
| inc eax |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add dh, cl |
| in al, dx |
| add edx, dword ptr [ebx+42150DA1h] |
| cmpsd |
| xchg eax, ecx |
| aas |
| test eax, CAE2F407h |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add dword ptr [eax], eax |
| add byte ptr [eax], al |
| inc ecx |
| add byte ptr [esi+50018250h], al |
| jc 00007FD3307D2561h |
| push 00000065h |
| arpl word ptr [ecx+esi+00h], si |
| add byte ptr [eax], al |
| add byte ptr [ecx+edi-01h], bl |
| add al, byte ptr [eax] |
| add byte ptr [eax], al |
| add bh, bh |
| int3 |
| xor dword ptr [eax], eax |
| add al, 93h |
| sub eax, 444FEB34h |
| or dword ptr [edi-6Fh], ecx |
| add dword ptr [ebx-03792E85h], esp |
| adc dword ptr [ecx], ebp |
| sti |
| mov edx, BC44A82Ah |
| inc ecx |
| adc al, 0000002Fh |
| lahf |
| aad 16h |
| aad CCh |
| cmp cl, byte ptr [edi-53h] |
| xor ebx, dword ptr [ecx-48EE309Ah] |
| or al, 00h |
| stosb |
| add byte ptr [eax-2Dh], ah |
| xchg eax, ebx |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| in al, 0Bh |
| add byte ptr [eax], al |
| dec eax |
| or eax, dword ptr [eax] |
| add byte ptr [eax], al |
| or dword ptr [eax], eax |
| insb |
| popad |
| jnc 00007FD3307D2566h |
| imul esi, dword ptr [ebx+6Bh], 010D0065h |
| sldt word ptr [esi+69h] |
| jc 00007FD3307D2557h |
| je 00007FD3307D24F3h |
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe9f4 | 0x28 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x930 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0xfc | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xde48 | 0xe000 | False | 0.533761160714 | data | 6.42243762415 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .data | 0xf000 | 0x1180 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x11000 | 0x930 | 0x1000 | False | 0.140625 | data | 1.4231462793 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0x113c8 | 0x568 | GLS_BINARY_LSB_FIRST | ||
| RT_GROUP_ICON | 0x113b4 | 0x14 | data | ||
| RT_VERSION | 0x110f0 | 0x2c4 | data | Chinese | Taiwan |
Imports |
|---|
| DLL | Import |
|---|---|
| MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaFreeVar, __vbaLenBstr, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaVarForInit, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarDup, __vbaFpI4, _CIatan, __vbaCastObj, __vbaStrMove, _allmul, _CItan, __vbaVarForNext, _CIexp, __vbaFreeStr, __vbaFreeObj |
Version Infos |
|---|
| Description | Data |
|---|---|
| Translation | 0x0404 0x04b0 |
| LegalCopyright | Calc Theory |
| InternalName | ABJOINT |
| FileVersion | 1.00 |
| CompanyName | Calc Theory |
| Comments | Calc Theory |
| ProductName | Calc Theory |
| ProductVersion | 1.00 |
| FileDescription | Calc Theory |
| OriginalFilename | ABJOINT.exe |
Possible Origin |
|---|
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Chinese | Taiwan |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
| No network behavior found |
|---|
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 14:50:35 |
| Start date: | 22/01/2021 |
| Path: | C:\Users\user\Desktop\Proforma Invoice.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 69632 bytes |
| MD5 hash: | 6479F35608769DB340640D6A8F84A38D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Visual Basic |
| Reputation: | low |
Disassembly |
|---|
Code Analysis |
|---|
Executed Functions |
|---|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403383, Relevance: 1.5, APIs: 1, Instructions: 272COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040D7C4, Relevance: 105.6, APIs: 56, Strings: 4, Instructions: 592COMMON
Download Yara Rule
| C-Code - Quality: 60% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 91% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403475, Relevance: 1.5, APIs: 1, Instructions: 215COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 021F2519, Relevance: .1, Instructions: 147COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 021F2571, Relevance: .1, Instructions: 111COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 021F1850, Relevance: .1, Instructions: 62COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 021F6006, Relevance: .0, Instructions: 33COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 021F34AA, Relevance: .0, Instructions: 33COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 021F1A1F, Relevance: .0, Instructions: 28COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 021F34A8, Relevance: .0, Instructions: 10COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 021F2BD8, Relevance: .0, Instructions: 8COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 021F5A78, Relevance: .0, Instructions: 6COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 021F76CF, Relevance: .0, Instructions: 3COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 51% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 68% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 49% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 59% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 71% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040E20C, Relevance: 9.1, APIs: 6, Instructions: 81COMMON
Download Yara Rule
| C-Code - Quality: 53% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040E42B, Relevance: 7.6, APIs: 5, Instructions: 65COMMON
Download Yara Rule
| C-Code - Quality: 49% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040E51A, Relevance: 7.5, APIs: 5, Instructions: 34COMMON
Download Yara Rule
| C-Code - Quality: 77% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |