Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Variant.Razy.845229.20225.25607

Overview

General Information

Sample Name:	SecuriteInfo.com.Variant.Razy.845229.20225.25607 (renamed file extension from 25607 to exe)
Analysis ID:	356588
MD5:	8eb163c0d46881f620662958e37ae6ed
SHA1:	6e4efaee511765eeed72eff90ae4eae26b0c162a
SHA256:	422cc4ab46ac67030dcf4da2b6211913c55dbc51962f578a6419ea52417db806
Most interesting Screenshot:

Detection

GuLoader

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Detected potential crypto function

PE file contains an invalid checksum

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

SecuriteInfo.com.Variant.Razy.845229.20225.exe (PID: 7120 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe' MD5: 8EB163C0D46881F620662958E37AE6ED)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: SecuriteInfo.com.Variant.Razy.845229.20225.exe PID: 7120	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: SecuriteInfo.com.Variant.Razy.845229.20225.exe PID: 7120	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe	Virustotal: Detection: 30%			Perma Link
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe	ReversingLabs: Detection: 39%

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe	Code function: 0_2_00409834		0_2_00409834
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe	Code function: 0_2_00402BFE		0_2_00402BFE

Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182245012.0000000002120000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Variant.Razy.845229.20225.exe
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182028704.0000000000418000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamepunktskatterintrave.exe vs SecuriteInfo.com.Variant.Razy.845229.20225.exe
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe	Binary or memory string: OriginalFilenamepunktskatterintrave.exe vs SecuriteInfo.com.Variant.Razy.845229.20225.exe

Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal72.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe

File created: C:\Users\user\AppData\Local\Temp\~DF81A51854DC3EFB29.TMP

Jump to behavior

Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe	Virustotal: Detection: 30%
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe	ReversingLabs: Detection: 39%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Variant.Razy.845229.20225.exe PID: 7120, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Variant.Razy.845229.20225.exe PID: 7120, type: MEMORY

Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe

Static PE information: real checksum: 0x29f52 should be: 0x23811

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe	Code function: 0_2_0040523D push ebp; retf	0_2_00405242
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe	Code function: 0_2_00408294 push ds; ret	0_2_0040829E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe	Code function: 0_2_0040792D push ecx; retf	0_2_0040792E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe	Code function: 0_2_00407FC9 push ecx; retf	0_2_0040800E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe	Code function: 0_2_0040139D push eax; retf	0_2_0040139E

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182164198.0000000000750000.00000040.00000001.sdmp

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182164198.0000000000750000.00000040.00000001.sdmp

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe

Process Stats: CPU usage > 90% for more than 60s

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182178934.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182178934.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182178934.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182178934.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery21	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Razy.845229.20225.exe	30%	Virustotal		Browse
SecuriteInfo.com.Variant.Razy.845229.20225.exe	39%	ReversingLabs	Win32.Trojan.Razy
SecuriteInfo.com.Variant.Razy.845229.20225.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356588
Start date:	23.02.2021
Start time:	11:49:30
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Variant.Razy.845229.20225.25607 (renamed file extension from 25607 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 9.9% (good quality ratio 2.3%) Quality average: 6.6% Quality standard deviation: 9.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.246218444806131
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Variant.Razy.845229.20225.exe
File size:	106496
MD5:	8eb163c0d46881f620662958e37ae6ed
SHA1:	6e4efaee511765eeed72eff90ae4eae26b0c162a
SHA256:	422cc4ab46ac67030dcf4da2b6211913c55dbc51962f578a6419ea52417db806
SHA512:	81eaed3574f10ea22841247c9c4ac8fe66787f5f3643e83cfeeca5ee58b408084f4d2420f2bd838879edac9573705184bae2cd768c3e425724d0958b1a6fe029
SSDEEP:	1536:x+g/UQfG5Y4sfIEawyu+EOOKbi/J6d4L+g/UQf:amDfKwlKbi/5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.x.....................\...T...%.......Rich............................PE..L....B\|N.................@...p......x........P....@

File Icon


Icon Hash:	d8d490d4e4bcdae9

Static PE Info

General
Entrypoint:	0x401378
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4E7C42EA [Fri Sep 23 08:27:22 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5fb04c04dc9621084e24b4642ca2fed6

Entrypoint Preview

Instruction
push 004101B8h
call 00007F3FC4872A85h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx+457079EFh], ah
int 86h
inc eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14234	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18000	0x30a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x114	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x136fc	0x14000	False	0.340563964844	data	5.78063287873	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x15000	0x2560	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x18000	0x30a4	0x4000	False	0.10693359375	data	3.24315276856	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x193fc	0x1ca8	data
RT_ICON	0x18754	0xca8	data
RT_ICON	0x183ec	0x368	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x183bc	0x30	data
RT_VERSION	0x18150	0x26c	data	Hungarian	Hungary

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaStrI4, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaLateMemSt, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaVarTstEq, __vbaObjVar, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x040e 0x04b0
InternalName	punktskatterintrave
FileVersion	1.00
CompanyName	ColdStone
Comments	ColdStone
ProductName	ColdStone
ProductVersion	1.00
OriginalFilename	punktskatterintrave.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Hungarian	Hungary

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: SecuriteInfo.com.Variant.Razy.845229.20225.exe PID: 7120 Parent PID: 5800

General

Start time:	11:50:23
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe'
Imagebase:	0x400000
File size:	106496 bytes
MD5 hash:	8EB163C0D46881F620662958E37AE6ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.Variant.Razy.845229.20225.exe PID: 7120 Parent PID: 5800 SecuriteInfo.com.Variant.Razy.845229.20225.exeCOMMON

Executed Functions

Function 004127B0, Relevance: 118.0, APIs: 60, Strings: 7, Instructions: 780COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 004127CE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411F84,00000284), ref: 0041284A
__vbaNew2.MSVBVM60(00412150,00416E2C), ref: 0041287C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412140,00000014), ref: 004128E2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412160,000000E0), ref: 00412945
__vbaStrMove.MSVBVM60 ref: 00412976
__vbaFreeObj.MSVBVM60 ref: 0041297F
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 0041299F
__vbaObjSet.MSVBVM60(?,00000000), ref: 004129D9
__vbaChkstk.MSVBVM60 ref: 004129FE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412170,000001D0), ref: 00412A66
__vbaFreeObj.MSVBVM60 ref: 00412A81
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411FB4,000006F8), ref: 00412B0B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411FB4,000006FC), ref: 00412B5D
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 00412B8F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412BC9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412180,00000138), ref: 00412C1A
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 00412C45
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412C7F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412170,00000170), ref: 00412CCD
__vbaVarDup.MSVBVM60 ref: 00412D0E
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00412DD0
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,004011E6), ref: 00412DE6
__vbaVarAdd.MSVBVM60(?,00000002,?), ref: 00412E19
__vbaVarMove.MSVBVM60 ref: 00412E24
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 00412E44
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412E7E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412170,00000060), ref: 00412EC9
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 00412EF4
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412F2E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412170,00000050), ref: 00412F76
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 00412FA1
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412FDB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412180,00000130), ref: 00413029
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 00413054
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041308E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412170,00000088), ref: 004130DF
__vbaStrMove.MSVBVM60 ref: 0041317B
__vbaChkstk.MSVBVM60(0A951920,0000493A,00000003,?,?), ref: 004131B9
__vbaChkstk.MSVBVM60(004B3E59,0A951920,0000493A,00000003,?,?), ref: 004131ED
__vbaFreeStr.MSVBVM60 ref: 00413245
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0041325D
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0041327A
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 0041329D
__vbaObjSet.MSVBVM60(?,00000000), ref: 004132D7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412170,000000F8), ref: 00413325
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00413349
__vbaI4Var.MSVBVM60(?,?), ref: 00413371
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004133A6
__vbaFreeVar.MSVBVM60 ref: 004133B2
__vbaVarTstLt.MSVBVM60(00008003,?), ref: 004133DE
__vbaOnError.MSVBVM60(000000FF), ref: 004133F9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411F84,00000288), ref: 0041343F
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00413463
__vbaI4Var.MSVBVM60(00000000), ref: 0041346D
__vbaFreeObj.MSVBVM60 ref: 00413479
__vbaFreeVar.MSVBVM60 ref: 00413482
__vbaFreeStr.MSVBVM60 ref: 004134B5
__vbaFreeStr.MSVBVM60(0041352D), ref: 0041351D
__vbaFreeVar.MSVBVM60 ref: 00413526

Strings

COGNITIONS, xrefs: 00413218
Nerveroot, xrefs: 00412CEE
:I, xrefs: 0041310B
54, xrefs: 004130F7
alkoxy, xrefs: 00412D6C
foldevg, xrefs: 00413128
,nA, xrefs: 0041288E

Memory Dump Source

Source File: 00000000.00000002.1182011050.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1182006048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1182022808.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1182028704.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$List$Chkstk$Move$CallLate$Error
String ID: ,nA$54$:I$COGNITIONS$Nerveroot$alkoxy$foldevg
API String ID: 2141833910-582225477
Opcode ID: ab9bf036155a59b6f3a3c945e4a1e6e14117b3168dba7aaa2332b248af3cea2a
Instruction ID: e5a5c78ccf9f907a67cdf22b9ad7840c59ce6a1b820a519598aecb4f9734c0e5
Opcode Fuzzy Hash: ab9bf036155a59b6f3a3c945e4a1e6e14117b3168dba7aaa2332b248af3cea2a
Instruction Fuzzy Hash: 12821A74940219DFDB24DF90CD88BDEBBB4BB48300F1081EAE64AAB250D7B45AC5DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00413C50, Relevance: 105.4, APIs: 50, Strings: 10, Instructions: 434COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00413CBD
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 00413CD6
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413CEF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412170,00000050), ref: 00413D10
#645.MSVBVM60(?,00000000), ref: 00413D2C
__vbaStrMove.MSVBVM60 ref: 00413D37
__vbaFreeObj.MSVBVM60 ref: 00413D46
__vbaFreeVar.MSVBVM60 ref: 00413D4B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411F84,00000218), ref: 00413D85
__vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 00413DD8
__vbaObjVar.MSVBVM60(00000000), ref: 00413DDE
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00413DE9
__vbaFreeObj.MSVBVM60 ref: 00413DF2
__vbaFreeVar.MSVBVM60 ref: 00413DF7
__vbaLateMemSt.MSVBVM60(?,Caption), ref: 00413E32
__vbaLateMemSt.MSVBVM60(?,Left), ref: 00413E63
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 00413E78
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413E91
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412170,000000A0), ref: 00413EC5
__vbaLateMemSt.MSVBVM60(?,Top), ref: 00413F00
__vbaFreeObj.MSVBVM60 ref: 00413F05
__vbaLateMemSt.MSVBVM60(?,Visible), ref: 00413F34
__vbaLateMemCallLd.MSVBVM60(?,?,Caption,00000000), ref: 00413F53
__vbaVarTstEq.MSVBVM60(00008008,00000000), ref: 00413F5D
__vbaFreeVar.MSVBVM60 ref: 00413F69
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 00413F87
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413FA6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412170,00000108), ref: 00413FC9
#580.MSVBVM60(?,00000001), ref: 00413FD5
__vbaFreeStr.MSVBVM60 ref: 00413FDE
__vbaFreeObj.MSVBVM60 ref: 00413FE7
__vbaVarDup.MSVBVM60 ref: 00414005
#528.MSVBVM60(?,?), ref: 00414013
__vbaVarTstNe.MSVBVM60(?,?), ref: 00414035
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00414048
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 0041406D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414086
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412180,00000138), ref: 004140B2
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 004140CF
__vbaObjSet.MSVBVM60(?,00000000), ref: 004140E8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412170,00000178), ref: 0041410B
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00414119
__vbaFpI4.MSVBVM60 ref: 0041412D
__vbaI4Var.MSVBVM60(?,00000000), ref: 00414138
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411F84,000002C8), ref: 0041418F
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041419F
__vbaFreeVar.MSVBVM60 ref: 004141AB
__vbaFreeStr.MSVBVM60(00414208), ref: 004141F7
__vbaFreeObj.MSVBVM60 ref: 004141FC
__vbaFreeStr.MSVBVM60 ref: 00414205

Strings

Top, xrefs: 00413EF7
Bigwiggedness1, xrefs: 00413E1B
Caption, xrefs: 00413E29, 00413F3B
JENHJDERNE, xrefs: 00413D65
laboratorieplanlgning, xrefs: 00413F45
Add, xrefs: 00413DCE
Visible, xrefs: 00413F2B
Left, xrefs: 00413E5A
VB.CheckBox, xrefs: 00413D5B
T"A, xrefs: 00413D98, 00413EE8

Memory Dump Source

Source File: 00000000.00000002.1182011050.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1182006048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1182022808.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1182028704.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultLate$New2$Call$List$#528#580#645AddrefCopyMove
String ID: Add$Bigwiggedness1$Caption$JENHJDERNE$Left$T"A$Top$VB.CheckBox$Visible$laboratorieplanlgning
API String ID: 2919225322-260705044
Opcode ID: cf8a4207124545c36ee401ef6f54eacf304de589e54d5eef5cade6d1b3a287e6
Instruction ID: 9591ddd7d1cc26b0ed38cbc542c0c463ffa8219c09c2a23ffdc4d09c50e48b07
Opcode Fuzzy Hash: cf8a4207124545c36ee401ef6f54eacf304de589e54d5eef5cade6d1b3a287e6
Instruction Fuzzy Hash: E1022C75E002099FCB14DFA8DD88ADEBBB8FF48700F10856AE549E7250D774A985CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00413A10, Relevance: 43.9, APIs: 23, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

#541.MSVBVM60(?,2:2:2), ref: 00413A74
__vbaStrVarMove.MSVBVM60(?), ref: 00413A7E
__vbaStrMove.MSVBVM60 ref: 00413A89
__vbaFreeVar.MSVBVM60 ref: 00413A98
__vbaI4Str.MSVBVM60(00412230), ref: 00413A9F
#698.MSVBVM60(?,00000000), ref: 00413AAA
__vbaVarTstNe.MSVBVM60(?,?), ref: 00413AC6
__vbaFreeVar.MSVBVM60 ref: 00413AD2
__vbaNew2.MSVBVM60(00412150,00416E2C), ref: 00413AEB
__vbaHresultCheckObj.MSVBVM60(00000000,02A6ECFC,00412140,00000048), ref: 00413B12
__vbaStrMove.MSVBVM60 ref: 00413B21
__vbaVarDup.MSVBVM60 ref: 00413B3C
#545.MSVBVM60(?,?), ref: 00413B4A
__vbaVarTstNe.MSVBVM60(?,?), ref: 00413B68
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00413B7B
__vbaNew2.MSVBVM60(00412150,00416E2C), ref: 00413B9B
__vbaObjVar.MSVBVM60(?), ref: 00413BAD
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00413BB8
__vbaHresultCheckObj.MSVBVM60(00000000,02A6ECFC,00412140,00000010), ref: 00413BD2
__vbaFreeObj.MSVBVM60 ref: 00413BDB
__vbaFreeVar.MSVBVM60(00413C2C), ref: 00413C15
__vbaFreeStr.MSVBVM60 ref: 00413C24
__vbaFreeStr.MSVBVM60 ref: 00413C29

Strings

8/8/8, xrefs: 00413B32
2:2:2, xrefs: 00413A4A

Memory Dump Source

Source File: 00000000.00000002.1182011050.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1182006048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1182022808.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1182028704.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresultNew2$#541#545#698AddrefList
String ID: 2:2:2$8/8/8
API String ID: 889502001-2856156558
Opcode ID: ea9570732f295788e6aaa49f5e8457233373ad13c9dc9ed022015f3015c69056
Instruction ID: b62faa40fa9d3a690fd4e8403dd569eeab9934ecbcd318a21ab600243bc6e2ac
Opcode Fuzzy Hash: ea9570732f295788e6aaa49f5e8457233373ad13c9dc9ed022015f3015c69056
Instruction Fuzzy Hash: 73513D75C00259ABCB10DFE4DA489DDBBB8FB48B01F20812AF545B7264D7746A85CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401378, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 0040137D

Strings

VB5!6&*, xrefs: 00401378

Memory Dump Source

Source File: 00000000.00000002.1182011050.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1182006048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1182022808.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1182028704.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 533ef5a511267f1ba343798a281b5dc367c888deacb77fcf839b3322af79d02c
Instruction ID: fcde01241581f7c4cb4bb69fcc60de0eff556b1ed5a5b66cf05f50c409722617
Opcode Fuzzy Hash: 533ef5a511267f1ba343798a281b5dc367c888deacb77fcf839b3322af79d02c
Instruction Fuzzy Hash: 72D0B14154E3C09ED353537548254413F704D53A5432F00EB84D2DE4F3D05E085AC33B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00409834, Relevance: 2.6, Strings: 2, Instructions: 116
COMMONCrypto

Download Yara Rule

C-Code - Quality: 17%

			E00409834() {
				intOrPtr* _t33;
				signed int _t44;
				signed char _t45;
				void* _t58;
				signed int _t62;
				void* _t63;
				signed int _t69;
				void* _t70;
				signed int _t71;
				signed int _t73;
				signed int _t81;

				if(_t62 <  *_t33) {
					_t62 = 0x1357eba5;
					asm("clc");
					asm("pushfd");
					asm("pushfd");
					asm("sbb bl, bl");
					_push(_t63);
					asm("cli");
					 *0x110AE9BE =  *0x110AE9BE ^ _t73 ^  *0x3A38AE4A3;
					_t81 = _t81 ^ _t69;
					asm("sbb esi, edi");
					 *0xfb =  *0xfb ^ _t69;
					asm("cli");
					asm("cli");
					asm("cld");
					_t33 = 0x3fc12dc7;
					asm("cld");
				}
				asm("cld");
				asm("cld");
				asm("cld");
				asm("cld");
				asm("cld");
				asm("cld");
				asm("cld");
				asm("cld");
				asm("cld");
				asm("cld");
				_t44 = _t33 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62;
				asm("cld");
				 *((intOrPtr*)(_t62 + 0x30 + _t62 * 8)) =  *((intOrPtr*)(_t62 + 0x30 + _t62 * 8)) + _t62;
				_t45 = _t44 /  *(_t81 + 0x52);
				_t66 = 0x3d5e3a31;
				if(_t44 %  *(_t81 + 0x52) > 0) {
					asm("cli");
					 *0x3d5e3a31 =  *0x3d5e3a31 ^ _t69;
					asm("cdq");
					_t81 = 0xfa5e3a25;
					 *(_t69 + 1 + _t62 * 8) =  *(_t69 + 1 + _t62 * 8) ^ _t62;
					asm("adc eax, 0x3ddd6d11");
					asm("adc [ebp+0x34], ebp");
					asm("sti");
					_t25 = _t45 %  *0x962C2FD7;
					_t45 = _t45 /  *0x962C2FD7;
					_t66 = _t25;
					asm("cli");
					 *_t66 =  *_t66 ^ 0x5bfa3485;
					asm("xlatb");
					asm("adc dh, [esi+esi]");
				}
				_pop(_t70);
				asm("cli");
				 *(_t66 - 0x5f) =  *(_t66 - 0x5f) ^ _t81;
				_t71 = _t70 - 1;
				asm("int 0x3a");
				asm("cli");
				asm("fincstp");
				asm("sbb edi, edx");
				 *(_t63 - 0x40c1055a) =  *(_t63 - 0x40c1055a) ^ _t71;
				asm("adc al, 0xf9");
				 *_t66 =  *_t66 ^ _t71;
				asm("cld");
				asm("cld");
				asm("cld");
				asm("cld");
				asm("cld");
				asm("cld");
				asm("cld");
				asm("cld");
				asm("cld");
				asm("cld");
				asm("cld");
				asm("cld");
				asm("cld");
				_t58 = (_t45 ^ 0x00000036) + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62;
				asm("cld");
				L5:
				_t58 = _t58 + _t62;
				_push(_t71);
				_t62 = 0xc51ac6a4;
				goto L5;
			}

0x00409836
0x00409838
0x0040983d
0x0040983e
0x00409842
0x00409848
0x0040984d
0x0040984e
0x0040984f
0x0040985b
0x0040985d
0x0040985f
0x00409862
0x0040986a
0x00409872
0x00409873
0x00409875
0x00409875
0x00409878
0x0040987b
0x0040987e
0x00409881
0x00409884
0x00409887
0x0040988a
0x0040988d
0x00409890
0x00409893
0x00409894
0x00409896
0x00409897
0x0040989b
0x0040989e
0x004098a3
0x004098a6
0x004098a7
0x004098a9
0x004098aa
0x004098af
0x004098ba
0x004098bf
0x004098c2
0x004098c3
0x004098c3
0x004098c3
0x004098ca
0x004098cb
0x004098cd
0x004098ce
0x004098ce
0x004098d1
0x004098d2
0x004098d3
0x004098d6
0x004098d7
0x004098da
0x004098db
0x004098dd
0x004098df
0x004098e5
0x004098e7
0x004098eb
0x004098ec
0x004098ef
0x004098f2
0x004098f5
0x004098f8
0x004098fb
0x004098fe
0x00409901
0x00409904
0x00409907
0x0040990a
0x0040990d
0x0040990e
0x00409910
0x00409911
0x00409911
0x00409913
0x00409914
0x00000000

Strings

1:^=, xrefs: 0040989E
u\qt, xrefs: 00409843

Memory Dump Source

Source File: 00000000.00000002.1182011050.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1182006048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1182022808.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1182028704.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 1:^=$u\qt
API String ID: 0-1812658751
Opcode ID: bf3e2c46094e0e5549ad8f2be43cf4d32eac12633889112bfc0416b4f142fb31
Instruction ID: f2685ab350d42d31417caaf7ad594c622c4e734114138ba64d44fa94a8d58940
Opcode Fuzzy Hash: bf3e2c46094e0e5549ad8f2be43cf4d32eac12633889112bfc0416b4f142fb31
Instruction Fuzzy Hash: E3219DA2507257FFC3069E39D46B2D6BBD16E81230707D096FCC05FE5293244D5F8680

Uniqueness

Uniqueness Score: -1.00%

Function 00402BFE, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1182011050.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1182006048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1182022808.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1182028704.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e78ede042b23a5743f1f10722ce3047ffaa05f1e393ee9576e982fc8c890039
Instruction ID: 16ed1cff12d85a54a5ffd84d0bf7ec3e9b630774f3fb68f3a8e13fb1603cba79
Opcode Fuzzy Hash: 3e78ede042b23a5743f1f10722ce3047ffaa05f1e393ee9576e982fc8c890039
Instruction Fuzzy Hash: B00142315181F08FCF52CB78C8D46027BB1AF1F30030658D5C8406F059C2607810EB53

Uniqueness

Uniqueness Score: -1.00%

Function 00413550, Relevance: 36.8, APIs: 19, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041359C
__vbaVarDup.MSVBVM60 ref: 004135AE
__vbaVarDup.MSVBVM60 ref: 004135B6
#671.MSVBVM60(00000000,00000000,00000000,40000000,00000000,40000000), ref: 004135C6
__vbaFpR8.MSVBVM60 ref: 004135CC
__vbaVarDup.MSVBVM60 ref: 004135F3
#667.MSVBVM60(?), ref: 004135F9
__vbaStrMove.MSVBVM60 ref: 00413604
__vbaFreeVar.MSVBVM60 ref: 0041360D
#541.MSVBVM60(?,2:2:2), ref: 0041361C
__vbaStrVarMove.MSVBVM60(?), ref: 00413626
__vbaStrMove.MSVBVM60 ref: 00413631
__vbaFreeVar.MSVBVM60 ref: 0041363A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411F84,00000254), ref: 0041365F
__vbaFreeStr.MSVBVM60(0041369D), ref: 00413680
__vbaFreeStr.MSVBVM60 ref: 00413685
__vbaFreeVar.MSVBVM60 ref: 00413690
__vbaFreeStr.MSVBVM60 ref: 00413695
__vbaFreeVar.MSVBVM60 ref: 0041369A

Strings

2:2:2, xrefs: 00413613
Velbaaren, xrefs: 004135E5

Memory Dump Source

Source File: 00000000.00000002.1182011050.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1182006048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1182022808.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1182028704.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#541#667#671CheckCopyHresult
String ID: 2:2:2$Velbaaren
API String ID: 504220352-936174853
Opcode ID: 6f6dfabc2518fb4b76bfbe6dd279b4b5dceb793066b6e53c6686ec99b7dee6e6
Instruction ID: 6604557a708cbdfe49dbb17726cd4f42e7ba14c6643d8f0a82cc895b06023f00
Opcode Fuzzy Hash: 6f6dfabc2518fb4b76bfbe6dd279b4b5dceb793066b6e53c6686ec99b7dee6e6
Instruction Fuzzy Hash: 1D411C71C00249DBCB10DF95DE49ADEBBB8FF94305F10812AE542B7264DB742A89CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00413810, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,004011A8,00411F84,00000190), ref: 0041388D
__vbaLateIdCallLd.MSVBVM60(?,?,00000005,00000000), ref: 004138A2
__vbaI4Var.MSVBVM60(00000000), ref: 004138AC
__vbaFreeObj.MSVBVM60 ref: 004138B5
__vbaFreeVar.MSVBVM60 ref: 004138BE
__vbaVarDup.MSVBVM60 ref: 004138E3
#629.MSVBVM60(?,?,00000001,?), ref: 004138F7
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041391C
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00413933
#570.MSVBVM60(000000C8), ref: 00413946
__vbaNew2.MSVBVM60(00412150,00416E2C), ref: 0041395E
__vbaHresultCheckObj.MSVBVM60(00000000,02A6ECFC,00412140,00000014), ref: 00413983
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412160,000000B8), ref: 004139AC
__vbaFreeObj.MSVBVM60 ref: 004139B1

Strings

FGFG, xrefs: 004138D5

Memory Dump Source

Source File: 00000000.00000002.1182011050.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1182006048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1182022808.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1182028704.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#570#629CallLateListNew2
String ID: FGFG
API String ID: 3758171355-2759163656
Opcode ID: 196251d75ffe8d6d69df1cdfc32c18771a9eeb80765e2bc28cf4c8ca966c87e0
Instruction ID: a889d5b355e56ff613a1875f3157fe5dcfc9c819d17c8d507ba56f5b4eeb0460
Opcode Fuzzy Hash: 196251d75ffe8d6d69df1cdfc32c18771a9eeb80765e2bc28cf4c8ca966c87e0
Instruction Fuzzy Hash: 31515A71901208AFDB10DFA5CA49EDEBBB8FF88705F20855AF109B7260D7B45A45CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004136C0, Relevance: 12.1, APIs: 8, Instructions: 94COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,?,00411F84,00000048), ref: 00413719
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0041372C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411F84,0000015C), ref: 0041374F
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 00413764
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041377D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412170,000001C8), ref: 004137C0
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 004137C5
__vbaFreeStr.MSVBVM60(004137EF), ref: 004137E8

Memory Dump Source

Source File: 00000000.00000002.1182011050.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1182006048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1182022808.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1182028704.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$MoveNew2
String ID:
API String ID: 3514808224-0
Opcode ID: 2a80fb76ade63f3f3a09a83b5b21e9a992c0b54fe9a71e364d1c0795cae4e405
Instruction ID: 8e0ce9615ce0411690e5497a29ba34786a48857a4e590129cc7366fef34231ce
Opcode Fuzzy Hash: 2a80fb76ade63f3f3a09a83b5b21e9a992c0b54fe9a71e364d1c0795cae4e405
Instruction Fuzzy Hash: 193163B0A40204DBCB00EF94CDC5EDABBB8FF48701F10842AE655A7290D7789985CB94

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Variant.Razy.845229.20225.25607

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: SecuriteInfo.com.Variant.Razy.845229.20225.exe PID: 7120 Parent PID: 5800

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: SecuriteInfo.com.Variant.Razy.845229.20225.exe PID: 7120 Parent PID: 5800 SecuriteInfo.com.Variant.Razy.845229.20225.exeCOMMON

Executed Functions

Function 004127B0, Relevance: 118.0, APIs: 60, Strings: 7, Instructions: 780COMMON

Function 00413C50, Relevance: 105.4, APIs: 50, Strings: 10, Instructions: 434COMMON

Function 00413A10, Relevance: 43.9, APIs: 23, Strings: 2, Instructions: 149COMMON

Function 00409834, Relevance: 2.6, Strings: 2, Instructions: 116
COMMONCrypto