Play interactive tour

Edit tour

Analysis Report RFQ 35465756.exe

Overview

General Information

Sample Name:	RFQ 35465756.exe
Analysis ID:	412180
MD5:	a00e24b88a7ffa3e82d9fca15e0c46f1
SHA1:	acb2d22c4a94ffa77422868a24118fe943f7526e
SHA256:	0089a67b8891a809e2c7699b1d97e0d1286756c801aecc20a200a13b049ecb94
Tags:	GuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

RFQ 35465756.exe (PID: 5636 cmdline: 'C:\Users\user\Desktop\RFQ 35465756.exe' MD5: A00E24B88A7FFA3E82D9FCA15E0C46F1)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1tugb1Cx6PcCD1YoZNcA5MNpIX8ZFbd_s"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
RFQ 35465756.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.761118187.00000000022A0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000000.00000000.235938120.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.RFQ 35465756.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
0.2.RFQ 35465756.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: RFQ 35465756.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1tugb1Cx6PcCD1YoZNcA5MNpIX8ZFbd_s"}

Multi AV Scanner detection for submitted file

Show sources

Source: RFQ 35465756.exe	Virustotal: Detection: 34%			Perma Link
Source: RFQ 35465756.exe	ReversingLabs: Detection: 71%

Source: RFQ 35465756.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1tugb1Cx6PcCD1YoZNcA5MNpIX8ZFbd_s

Source: C:\Users\user\Desktop\RFQ 35465756.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_022A33F8 NtProtectVirtualMemory,		0_2_022A33F8
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_022A1BF3 NtAllocateVirtualMemory,		0_2_022A1BF3

Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_00407159	0_2_00407159
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_00407175	0_2_00407175
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_00401579	0_2_00401579
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_004071B4	0_2_004071B4
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_00407262	0_2_00407262
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_0040720E	0_2_0040720E
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_004072B3	0_2_004072B3
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_0040734A	0_2_0040734A
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_00401768	0_2_00401768
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_00407368	0_2_00407368
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_00407304	0_2_00407304
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_004073E8	0_2_004073E8
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_00407391	0_2_00407391
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_004017B5	0_2_004017B5
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_022A3B0E	0_2_022A3B0E
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_022A3080	0_2_022A3080

Source: RFQ 35465756.exe, 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSilure2.exe vs RFQ 35465756.exe
Source: RFQ 35465756.exe, 00000000.00000002.760663714.0000000002260000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs RFQ 35465756.exe
Source: RFQ 35465756.exe, 00000000.00000002.761291141.00000000022F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSilure2.exeFE2X vs RFQ 35465756.exe
Source: RFQ 35465756.exe	Binary or memory string: OriginalFilenameSilure2.exe vs RFQ 35465756.exe

Source: RFQ 35465756.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal92.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\RFQ 35465756.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DF0971D5C732263ABC.TMP

Jump to behavior

Source: RFQ 35465756.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RFQ 35465756.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\RFQ 35465756.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ 35465756.exe	Virustotal: Detection: 34%
Source: RFQ 35465756.exe	ReversingLabs: Detection: 71%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.761118187.00000000022A0000.00000040.00000001.sdmp, type: MEMORY

Yara detected GuLoader

Show sources

Source: Yara match	File source: RFQ 35465756.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.235938120.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.0.RFQ 35465756.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ 35465756.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_00405C23 pushad ; retf	0_2_00405C2B
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_0040532B push eax; retf	0_2_0040534F
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_022A17A8 push 233953B7h; iretd	0_2_022A23A3
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_022A238A push 233953B7h; iretd	0_2_022A23A3

Source: C:\Users\user\Desktop\RFQ 35465756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\RFQ 35465756.exe

Code function: 0_2_022A0CE1

0_2_022A0CE1

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\RFQ 35465756.exe

RDTSC instruction interceptor: First address: 00000000022A1A08 second address: 00000000022A1A08 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6A8036D058h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e test ecx, ecx 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp ecx, 00000000h 0x00000026 jne 00007F6A8036D039h 0x00000028 push ecx 0x00000029 cmp dh, ah 0x0000002b cmp ebx, A3F7AFB9h 0x00000031 call 00007F6A8036D076h 0x00000036 call 00007F6A8036D068h 0x0000003b lfence 0x0000003e mov edx, dword ptr [7FFE0014h] 0x00000044 lfence 0x00000047 ret 0x00000048 mov esi, edx 0x0000004a pushad 0x0000004b rdtsc

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\RFQ 35465756.exe	RDTSC instruction interceptor: First address: 00000000022A1A08 second address: 00000000022A1A08 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6A8036D058h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e test ecx, ecx 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp ecx, 00000000h 0x00000026 jne 00007F6A8036D039h 0x00000028 push ecx 0x00000029 cmp dh, ah 0x0000002b cmp ebx, A3F7AFB9h 0x00000031 call 00007F6A8036D076h 0x00000036 call 00007F6A8036D068h 0x0000003b lfence 0x0000003e mov edx, dword ptr [7FFE0014h] 0x00000044 lfence 0x00000047 ret 0x00000048 mov esi, edx 0x0000004a pushad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\RFQ 35465756.exe	RDTSC instruction interceptor: First address: 00000000022A1ADD second address: 00000000022A1ADD instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F6A804AF6A9h 0x0000001d popad 0x0000001e call 00007F6A804AE244h 0x00000023 lfence 0x00000026 rdtsc

Source: C:\Users\user\Desktop\RFQ 35465756.exe

Code function: 0_2_022A1ADA rdtsc

0_2_022A1ADA

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\RFQ 35465756.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\RFQ 35465756.exe

Code function: 0_2_022A1ADA rdtsc

0_2_022A1ADA

Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_022A2AB7 mov eax, dword ptr fs:[00000030h]	0_2_022A2AB7
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_022A0CE1 mov eax, dword ptr fs:[00000030h]	0_2_022A0CE1
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_022A2CCE mov eax, dword ptr fs:[00000030h]	0_2_022A2CCE
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_022A196F mov eax, dword ptr fs:[00000030h]	0_2_022A196F
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_022A116F mov eax, dword ptr fs:[00000030h]	0_2_022A116F
Source: C:\Users\user\Desktop\RFQ 35465756.exe	Code function: 0_2_022A3147 mov eax, dword ptr fs:[00000030h]	0_2_022A3147

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: RFQ 35465756.exe, 00000000.00000002.760072526.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: RFQ 35465756.exe, 00000000.00000002.760072526.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RFQ 35465756.exe, 00000000.00000002.760072526.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RFQ 35465756.exe, 00000000.00000002.760072526.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\RFQ 35465756.exe

Code function: 0_2_022A295F cpuid

0_2_022A295F

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery41	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery311	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
RFQ 35465756.exe	34%	Virustotal		Browse
RFQ 35465756.exe	71%	ReversingLabs	Win32.Trojan.Vebzenpak

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	412180
Start date:	12.05.2021
Start time:	13:20:06
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	RFQ 35465756.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 53% Number of executed functions: 24 Number of non-executed functions: 19
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.699599734903516
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RFQ 35465756.exe
File size:	81920
MD5:	a00e24b88a7ffa3e82d9fca15e0c46f1
SHA1:	acb2d22c4a94ffa77422868a24118fe943f7526e
SHA256:	0089a67b8891a809e2c7699b1d97e0d1286756c801aecc20a200a13b049ecb94
SHA512:	ba1d74f77c12a96914f47ad7d309c624d4bc3cda436242b5af2384b7926748b3c4fece81e234edc5bcf5ee31af35e79d5dc46fc41984c61b494f16b5e2edc814
SSDEEP:	768:+ED42sgavsrBktS2lW8NXfOz9TnnQD7DJYyVTDckBYYqDirMiYngfD:5D43gahhNXfOzO/1YyVTD5qDirMinfD
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......`.....................0............... ....@................

File Icon


Icon Hash:	b09298b8cc8a19c6

Static PE Info

General
Entrypoint:	0x4013f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x6099A205 [Mon May 10 21:13:41 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ec8e962978786706cf0189109090c85e

Entrypoint Preview

Instruction
push 00401F14h
call 00007F6A808A5673h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [D6A068AFh], cl
add eax, 75BF4B14h
leave
jo 00007F6A808A56D4h
or bl, FFFFFFCBh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push eax
imul ebp, dword ptr [esi+6Bh], 6F747265h
outsb
imul esi, dword ptr [ebx+6Dh], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
push es
or esp, ebp
stosd
sar byte ptr [ebx-33h], cl
inc ebx
mov dl, 20h
mov ebx, A7C8268Bh
loopne 00007F6A808A56DAh
jmp 00007F6A58A34396h
sbb eax, dword ptr [ebx-66h]
pslld mm1, mm0
mov dl, B9h
pop esp
imul edi, dword ptr [edx], 9933AD4Fh
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
sbb cl, byte ptr [edx]
add byte ptr [eax], al
adc al, 09h
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [ecx+ebp*2+64h], ah
jc 00007F6A808A56EDh
outsb
add byte ptr [di], cl
add dword ptr [ecx], ecx
add byte ptr [ebp+6Eh], dl
jnc 00007F6A808A56E7h
arpl word ptr [ebp+00h], si

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11044	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0xc04	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x158	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x10644	0x11000	False	0.422076056985	data	6.18336201538	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x12000	0x11f4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0xc04	0x1000	False	0.2880859375	data	3.00528047699	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1435c	0x8a8	data
RT_GROUP_ICON	0x14348	0x14	data
RT_VERSION	0x140f0	0x258	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, __vbaVarForInit, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, __vbaVarCopy, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0404 0x04b0
InternalName	Silure2
FileVersion	1.00
CompanyName	Asso Filler
ProductName	Asso Filler
ProductVersion	1.00
FileDescription	Asso Filler
OriginalFilename	Silure2.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: RFQ 35465756.exe PID: 5636 Parent PID: 5708

General

Start time:	13:20:59
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\RFQ 35465756.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\RFQ 35465756.exe'
Imagebase:	0x400000
File size:	81920 bytes
MD5 hash:	A00E24B88A7FFA3E82D9FCA15E0C46F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.761118187.00000000022A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000000.235938120.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: RFQ 35465756.exe PID: 5636 Parent PID: 5708 RFQ 35465756.exeCOMMON

Executed Functions

Function 022A1BF3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 110memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 022A1CB4

Strings

0, xrefs: 022A1D90

Memory Dump Source

Source File: 00000000.00000002.761118187.00000000022A0000.00000040.00000001.sdmp, Offset: 022A0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: 0
API String ID: 2167126740-4108050209
Opcode ID: 87ffc53549a925fb0d5294df34ae831305159ba9eca66dda57b2056da2a98bd3
Instruction ID: b00b5f2d270a1b018dd6639a863be6e9dcd88f13fcc28e90c05505b41b51d8e2
Opcode Fuzzy Hash: 87ffc53549a925fb0d5294df34ae831305159ba9eca66dda57b2056da2a98bd3
Instruction Fuzzy Hash: E13112306153499FEB359E79DCA07DE37E6EF0A324F44022DEC4ECA290D77589408B02

Uniqueness

Uniqueness Score: -1.00%

Function 00407175, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

V8, xrefs: 004071DD

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: V8
API String ID: 0-2235191475
Opcode ID: ca94ace91b6ab9ce733a4d96efc9a9fed406aeacd317f8752de9f41a56992258
Instruction ID: 87abd8453e96f0ddb805382faa4378637dc485a4356d9b6b66785a25d3954f28
Opcode Fuzzy Hash: ca94ace91b6ab9ce733a4d96efc9a9fed406aeacd317f8752de9f41a56992258
Instruction Fuzzy Hash: 2A818762F0DB1549FF362068CAD05AD6503DB82340F32863BCE9B63DC5973E18C6568B

Uniqueness

Uniqueness Score: -1.00%

Function 00407159, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

V8, xrefs: 004071DD

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: V8
API String ID: 0-2235191475
Opcode ID: c38ab130128e7a720e1aed81d5a5da3afd1f7a98004827c669e74990ff61d73e
Instruction ID: ece0381a93e6a2e397e4488b902d3991679f3512c3abb37da79ab8cd815aeaaa
Opcode Fuzzy Hash: c38ab130128e7a720e1aed81d5a5da3afd1f7a98004827c669e74990ff61d73e
Instruction Fuzzy Hash: EE818962F0DB1495FF362064C9E05AD6503DB82340F32863BCE9B63DC5973E59C6568B

Uniqueness

Uniqueness Score: -1.00%

Function 004071B4, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 242memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-FFF5B501,00008000,-00000001FFE54E4F,00044F96), ref: 004076B7

Strings

V8, xrefs: 004071DD

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocVirtual
String ID: V8
API String ID: 4275171209-2235191475
Opcode ID: ab224a1ae6acecef7783e44f8bce45db29c2a215588a482d784e27d6f24b2164
Instruction ID: 1dc8fb59b7ec9ce3c35e57d922bae46b98b5df86b8e65855c58604ca060cc04e
Opcode Fuzzy Hash: ab224a1ae6acecef7783e44f8bce45db29c2a215588a482d784e27d6f24b2164
Instruction Fuzzy Hash: BD814462F0DB1595FF362064CAE05AE6503DB82340F32863BCE9B63DC55B3E19C6568B

Uniqueness

Uniqueness Score: -1.00%

Function 022A33F8, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,022A31BB,00000040,022A01CE,00000000,00000000,00000000,00000000,?,00000000,00000000,022A2320), ref: 022A3411

Memory Dump Source

Source File: 00000000.00000002.761118187.00000000022A0000.00000040.00000001.sdmp, Offset: 022A0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 0040720E, Relevance: 1.5, APIs: 1, Instructions: 235memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-FFF5B501,00008000,-00000001FFE54E4F,00044F96), ref: 004076B7

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 09bbe21ed0acf8999cdf619ebc16b00f781e650100061bb4be3dd5ba01e8bd49
Instruction ID: 2eeefc7d8a426e6e2b9ba2550fcb24659ab9795db6aa5e6637e25a5ca48267c8
Opcode Fuzzy Hash: 09bbe21ed0acf8999cdf619ebc16b00f781e650100061bb4be3dd5ba01e8bd49
Instruction Fuzzy Hash: 51714562F0DB1485FF352468CAE05AD6503DB82340F32863BCE9B63DC55B3E19C6668B

Uniqueness

Uniqueness Score: -1.00%

Function 00407262, Relevance: 1.5, APIs: 1, Instructions: 221memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-FFF5B501,00008000,-00000001FFE54E4F,00044F96), ref: 004076B7

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: baef00d021a4c751ca99d409514a3a8c49f8d1cc6f307d60dfc770862455002d
Instruction ID: 01976f18fe906a011853473cbfc2ac2921771e82bc2564c6f5120eb84fead12f
Opcode Fuzzy Hash: baef00d021a4c751ca99d409514a3a8c49f8d1cc6f307d60dfc770862455002d
Instruction Fuzzy Hash: 5B614562F0DB1485FF362064C9E05AE6403DB82341F32863BCE9B63DC55B3E19C6668B

Uniqueness

Uniqueness Score: -1.00%

Function 00407304, Relevance: 1.5, APIs: 1, Instructions: 208memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-FFF5B501,00008000,-00000001FFE54E4F,00044F96), ref: 004076B7

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6b2e9b048622cc1f1c268f40dcf8a82b31df68069077d55445f3a2d269a8794b
Instruction ID: 1749182bdfcd7f4842910dd314a84a06e85108a42bf4806543aab636b9ac8426
Opcode Fuzzy Hash: 6b2e9b048622cc1f1c268f40dcf8a82b31df68069077d55445f3a2d269a8794b
Instruction Fuzzy Hash: AC5125A2F09A1495FF752064CAE05BD6403DB82341F32863BCE9B63DD55B3E18C6668B

Uniqueness

Uniqueness Score: -1.00%

Function 0040734A, Relevance: 1.5, APIs: 1, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b51ffcb183ce98b39a576f2bf17b99c4f0cefa41c02494dd0d5d8d203fb3f1
Instruction ID: dbb08f97ebe123a245daef835640500f6475cfa813992b6f96c272b5d82cc7b5
Opcode Fuzzy Hash: 71b51ffcb183ce98b39a576f2bf17b99c4f0cefa41c02494dd0d5d8d203fb3f1
Instruction Fuzzy Hash: 5E617B62F09B1449FF752564CAE056E7443DB82340F32853BCE9B63DC5973E18C6668B

Uniqueness

Uniqueness Score: -1.00%

Function 004072B3, Relevance: 1.4, APIs: 1, Instructions: 200memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-FFF5B501,00008000,-00000001FFE54E4F,00044F96), ref: 004076B7

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6de4adfc456c18407143523b5f1e127034eee2ed18e7ef3badb967e257369da0
Instruction ID: 8fa8fb16fc9f0d3aaaa31a6f7ddb65812a1b2aa046431a4d6e0dc8a8b48045c9
Opcode Fuzzy Hash: 6de4adfc456c18407143523b5f1e127034eee2ed18e7ef3badb967e257369da0
Instruction Fuzzy Hash: 58616B63F09B1546FF752064C9E45AD6003DB82350F32863BCE9B23DD55B3E18C25A8B

Uniqueness

Uniqueness Score: -1.00%

Function 00407391, Relevance: 1.4, APIs: 1, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2694fd4d84b56d6f4a282924cb5310b528f4b4866bb5842e3c4d25fe6c3b3c7a
Instruction ID: 5a21442d61bdf12444374b7a0b66b8e669d76037bd1f2efa9a25bd6a97af9bf3
Opcode Fuzzy Hash: 2694fd4d84b56d6f4a282924cb5310b528f4b4866bb5842e3c4d25fe6c3b3c7a
Instruction Fuzzy Hash: 37512663F09A0496FF752464C9E05AD6013DB81341F32863BCE5B23DC55B3E18C66A8B

Uniqueness

Uniqueness Score: -1.00%

Function 00407368, Relevance: 1.4, APIs: 1, Instructions: 177memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-FFF5B501,00008000,-00000001FFE54E4F,00044F96), ref: 004076B7

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e70039733a1610863d775de7402c6ecd7d4b84b962a75710ef7a72f5ebd10c00
Instruction ID: 460b2036c886305c9dfc7817579f3490924e47f9689feb0cb986311690fb62ca
Opcode Fuzzy Hash: e70039733a1610863d775de7402c6ecd7d4b84b962a75710ef7a72f5ebd10c00
Instruction Fuzzy Hash: 2B5146A2F09A0495FF752064CAE05BD6013DB82341F32863BCE9B63DD55B3E18C6668B

Uniqueness

Uniqueness Score: -1.00%

Function 004073E8, Relevance: 1.4, APIs: 1, Instructions: 160memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-FFF5B501,00008000,-00000001FFE54E4F,00044F96), ref: 004076B7

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0fbc1d2a9bbf9ab1eea159501a3606fa34e23269e6c49ad4d4a53562193ce6fb
Instruction ID: 3eb49cf2378a2da020b6e7e0cde11cd7f1b2121bcfa9667238459b160f6c6ce7
Opcode Fuzzy Hash: 0fbc1d2a9bbf9ab1eea159501a3606fa34e23269e6c49ad4d4a53562193ce6fb
Instruction Fuzzy Hash: 64514763F59A0455FF7620A4CAE05AD1413EB82350F36863BCE9B63DC49B3E14C6568B

Uniqueness

Uniqueness Score: -1.00%

Function 004082B4, Relevance: 198.8, APIs: 104, Strings: 9, Instructions: 1073COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 004082D2
__vbaAryConstruct2.MSVBVM60(?,004031D8,00000003,?,?,?,?,004011F6), ref: 0040830C
__vbaStrCat.MSVBVM60(00402FC4,00402FC4,?,004031D8,00000003,?,?,?,?,004011F6), ref: 0040831B
#617.MSVBVM60(?,00000008,00000001), ref: 00408340
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,00000008,00000001), ref: 00408367
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,00008008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408383
#536.MSVBVM60(00000002), ref: 004083B5
__vbaStrMove.MSVBVM60(00000002), ref: 004083C2
__vbaFreeVar.MSVBVM60(00000002), ref: 004083CD
#703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,00000002), ref: 004083F5
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,00000002), ref: 004083FF
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,00000002), ref: 0040840A
__vbaFpI4.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,00000002), ref: 00408415
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402AC4,00000064), ref: 00408447
#536.MSVBVM60(00000002), ref: 00408476
__vbaStrMove.MSVBVM60(00000002), ref: 00408483
__vbaFreeVar.MSVBVM60(00000002), ref: 0040848E
__vbaSetSystemError.MSVBVM60(?,00000002), ref: 004084A5
__vbaNew2.MSVBVM60(00402FE8,004123C0), ref: 004084CA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FD8,00000014), ref: 0040852F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF8,000000C0), ref: 00408591
__vbaFreeObj.MSVBVM60(00000000,?,00402FF8,000000C0), ref: 004085B9
__vbaNew2.MSVBVM60(00402FE8,004123C0), ref: 004085D1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FD8,00000014), ref: 00408636
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF8,000000F8), ref: 00408698
__vbaStrMove.MSVBVM60(00000000,?,00402FF8,000000F8), ref: 004086CB
__vbaFreeObj.MSVBVM60(00000000,?,00402FF8,000000F8), ref: 004086D6
__vbaNew2.MSVBVM60(00402FE8,004123C0), ref: 004086EE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FD8,0000001C), ref: 00408753
__vbaChkstk.MSVBVM60(?), ref: 00408791
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403008,00000054), ref: 004087D7
__vbaChkstk.MSVBVM60(00000000,?,00403008,00000054), ref: 00408817
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00408830
__vbaFreeObj.MSVBVM60(?,00000000), ref: 0040883B
__vbaFreeVar.MSVBVM60(?,00000000), ref: 00408846
__vbaSetSystemError.MSVBVM60(008966DA), ref: 0040885B
__vbaNew2.MSVBVM60(00402FE8,004123C0,008966DA), ref: 00408883
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FD8,00000014), ref: 004088E8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF8,00000110), ref: 0040894A
__vbaStrMove.MSVBVM60(00000000,?,00402FF8,00000110), ref: 0040897D
__vbaFreeObj.MSVBVM60(00000000,?,00402FF8,00000110), ref: 00408988
#535.MSVBVM60(00000000,?,00402FF8,00000110), ref: 0040898D
__vbaNew2.MSVBVM60(00402FE8,004123C0), ref: 004089A8
__vbaObjSetAddref.MSVBVM60(?,00401180), ref: 004089DB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FD8,00000010), ref: 00408A16
__vbaFreeObj.MSVBVM60(00000000,?,00402FD8,00000010), ref: 00408A30
__vbaSetSystemError.MSVBVM60(004C5969,008966DA), ref: 00408A45
__vbaNew2.MSVBVM60(00402FE8,004123C0,004C5969,008966DA), ref: 00408A6D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FD8,00000014), ref: 00408AD2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF8,00000108), ref: 00408B34
__vbaFreeObj.MSVBVM60(00000000,?,00402FF8,00000108), ref: 00408B59
__vbaNew2.MSVBVM60(00402FE8,004123C0), ref: 00408B71
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FD8,00000014), ref: 00408BD6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF8,000000C8), ref: 00408C38
__vbaFreeObj.MSVBVM60(00000000,?,00402FF8,000000C8), ref: 00408C60
__vbaNew2.MSVBVM60(00402FE8,004123C0), ref: 00408C78
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FD8,0000001C), ref: 00408CDD
__vbaChkstk.MSVBVM60(00000000,?,00402FD8,0000001C), ref: 00408D14
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403008,00000060), ref: 00408D5F
__vbaFreeObj.MSVBVM60(00000000,?,00403008,00000060), ref: 00408D79
__vbaHresultCheckObj.MSVBVM60(?,00401180,00402AF4,000006FC,?,?,?,004C5969,008966DA), ref: 00408E5C
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402AF4,000006F8), ref: 00408EC8
__vbaStrCopy.MSVBVM60(00000000,00401180,00402AF4,000006F8), ref: 00408EF0
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402AF4,00000700), ref: 00408F38
__vbaFreeStr.MSVBVM60(00000000,00401180,00402AF4,00000700), ref: 00408F5E
__vbaStrCopy.MSVBVM60(00000000,00401180,00402AF4,00000700), ref: 00408F6E
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402AF4,00000700), ref: 00408FB6
__vbaFreeStr.MSVBVM60(00000000,00401180,00402AF4,00000700), ref: 00408FDC
__vbaNew2.MSVBVM60(00402448,00412010), ref: 00408FF4
__vbaObjSet.MSVBVM60(?,00000000), ref: 00409030
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004030C0,000001B8), ref: 0040907D
__vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 004090A2
__vbaStrVarMove.MSVBVM60(?,?,5F6BF5A0,?), ref: 004090F0
__vbaStrMove.MSVBVM60(?,?,5F6BF5A0,?), ref: 004090FD
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402AF4,000006FC), ref: 0040913A
__vbaFreeStr.MSVBVM60(00000000,00401180,00402AF4,000006FC), ref: 0040915D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00409172
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,004011F6), ref: 00409180
__vbaNew2.MSVBVM60(00402448,00412010,?,?,?,?,?,?,?,?,?,004011F6), ref: 00409198
__vbaObjSet.MSVBVM60(?,00000000), ref: 004091D4
__vbaHresultCheckObj.MSVBVM60(00000000,?,004030D0,00000100), ref: 00409221
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00409246
__vbaI4Var.MSVBVM60(?), ref: 00409275
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402AF4,000006FC), ref: 004092D1
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004092FE
__vbaFreeVar.MSVBVM60(?,?,?,?,?,00402448,00412010,?,?,?,?,?,?,?,?,0000002C), ref: 0040930C
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402AC4,000002B4), ref: 00409343
__vbaNew2.MSVBVM60(00402448,00412010,00008003,?,?,00000002,?), ref: 0040936A
__vbaObjSet.MSVBVM60(?,00000000), ref: 004093A6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004030C0,00000150), ref: 004093F3
__vbaStrMove.MSVBVM60(00000000,00000000,004030C0,00000150), ref: 00409426
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402AF4,00000700), ref: 0040946E
__vbaFreeStr.MSVBVM60(00000000,00401180,00402AF4,00000700), ref: 00409494
__vbaFreeObj.MSVBVM60(00000000,00401180,00402AF4,00000700), ref: 0040949F
__vbaNew2.MSVBVM60(00402448,00412010,00000000,00401180,00402AF4,00000700), ref: 004094B7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004094F3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004030C0,00000150), ref: 00409540
__vbaStrMove.MSVBVM60(00000000,00000000,004030C0,00000150), ref: 00409573
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402AF4,00000700), ref: 004095BB
__vbaFreeStr.MSVBVM60(00000000,00401180,00402AF4,00000700), ref: 004095DE
__vbaFreeObj.MSVBVM60(00000000,00401180,00402AF4,00000700), ref: 004095E9
__vbaVarAdd.MSVBVM60(?,00000002,?), ref: 00409617
__vbaVarMove.MSVBVM60(?,00000002,?), ref: 00409624
__vbaVarTstLt.MSVBVM60(00008003,?,?,00000002,?), ref: 0040964B

Strings

X, xrefs: 004084AA
LYDIA, xrefs: 00408F63
JUVENILT, xrefs: 00408EE5
Holmberry5, xrefs: 00408E20
Receptionsassistenter4, xrefs: 00408D25
V8, xrefs: 00409663
SLAVESJLENE, xrefs: 00409295
Enervous, xrefs: 00408DC0
disuniter, xrefs: 00408E93

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$New2$Move$Chkstk$ErrorLateListSystem$#536CallCopy$#535#617#703AddrefConstruct2
String ID: Enervous$Holmberry5$JUVENILT$LYDIA$Receptionsassistenter4$SLAVESJLENE$V8$X$disuniter
API String ID: 2543599168-4126512791
Opcode ID: f78f1d64f05c960da359ccdc6af5f98ffcda7547d1cfde42a242938a81fc03a7
Instruction ID: 73954f9566aabec5e71b8f3a21f27a45803158063abfa2d2ce8ac16320aea95e
Opcode Fuzzy Hash: f78f1d64f05c960da359ccdc6af5f98ffcda7547d1cfde42a242938a81fc03a7
Instruction Fuzzy Hash: B9B21670901628AFEB62DF50CD45BDEB7B8BB08705F0050EAE509B62A1DBB85BD4DF14

Uniqueness

Uniqueness Score: -1.00%

Function 00410408, Relevance: 9.0, APIs: 6, Instructions: 23COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 00410415
#645.MSVBVM60(?,00000000), ref: 00410420
__vbaStrMove.MSVBVM60(?,00000000), ref: 0041042A
__vbaFreeVar.MSVBVM60(?,00000000), ref: 00410432
__vbaFreeStr.MSVBVM60(00410462,?,00000000), ref: 00410454
__vbaFreeStr.MSVBVM60(00410462,?,00000000), ref: 0041045C

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$#645Move
String ID:
API String ID: 3481341938-0
Opcode ID: 3ff4c75a7c437e163b72ba843037186a1adb7887433192929a0398aa866b400e
Instruction ID: e3b5a862b8245815e8a6d9c9b2354eed75f4dec8e966478efe2947333a0da979
Opcode Fuzzy Hash: 3ff4c75a7c437e163b72ba843037186a1adb7887433192929a0398aa866b400e
Instruction Fuzzy Hash: D4E0A531D101199ADF04EBA1D892EEDB735BF10704F80452EE602724E1EF78594ACB49

Uniqueness

Uniqueness Score: -1.00%

Function 004013F0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 004013F5

Strings

VB5!6&*, xrefs: 004013F0

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: e74f8bf93053678216154bc09b27a7b8b7a6c111ba37ae0698c3fb085c42404a
Instruction ID: aa61cf28d83c3c92772438136adfa3cd7c747b49c6325ee8f227517fe2612b9e
Opcode Fuzzy Hash: e74f8bf93053678216154bc09b27a7b8b7a6c111ba37ae0698c3fb085c42404a
Instruction Fuzzy Hash: C611CD6244E7C04FD70347309D662827FB0AB57228B4A02EBC4A1DE5F3E62C580AD36A

Uniqueness

Uniqueness Score: -1.00%

Function 0040748C, Relevance: 1.4, APIs: 1, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-FFF5B501,00008000,-00000001FFE54E4F,00044F96), ref: 004076B7

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: be899b8b6380c832275ef70450407f0074baeddd7eb8d22e83855195ee5a8f72
Instruction ID: 5af05512c5776e99ce2c96e481909318320cf4c033c4d31acaac927893b16433
Opcode Fuzzy Hash: be899b8b6380c832275ef70450407f0074baeddd7eb8d22e83855195ee5a8f72
Instruction Fuzzy Hash: 56417AA2F0D6044AFF322164CAE45AD2523DB81340F32827BCA4B26CCA563F14C7568B

Uniqueness

Uniqueness Score: -1.00%

Function 00407476, Relevance: 1.4, APIs: 1, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-FFF5B501,00008000,-00000001FFE54E4F,00044F96), ref: 004076B7

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f5d1ba480c7b07e8426610ebf639ec70d1fb5ef7154dc112997c585d7cc98c21
Instruction ID: 7cf3d10ad5d99c3ed28fe221ab24b3efe90c1f210a82408364104c18922e3146
Opcode Fuzzy Hash: f5d1ba480c7b07e8426610ebf639ec70d1fb5ef7154dc112997c585d7cc98c21
Instruction Fuzzy Hash: 334134A2F0DA0455FF7620A4CAE45AD1417DB82341F32C63BCE5B23DC95B3E14C6669B

Uniqueness

Uniqueness Score: -1.00%

Function 004074E3, Relevance: 1.4, APIs: 1, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-FFF5B501,00008000,-00000001FFE54E4F,00044F96), ref: 004076B7

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5f3b175950dc759e4129c61d69b44d09c54e7978ed98d841c3f54091010a2811
Instruction ID: f4b3bbdcda08f5c05b04509282060763641920d1115131cb07472cbbd48e72d7
Opcode Fuzzy Hash: 5f3b175950dc759e4129c61d69b44d09c54e7978ed98d841c3f54091010a2811
Instruction Fuzzy Hash: 71414562F09A0485FF363164CAE05BD2117DB82341F32823BCA4B23DD95B3E15C26A9B

Uniqueness

Uniqueness Score: -1.00%

Function 00407585, Relevance: 1.4, APIs: 1, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-FFF5B501,00008000,-00000001FFE54E4F,00044F96), ref: 004076B7

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 05f9e73d28bac2982f216f05c6d639c59e26f36017bd212c826fc296dbd4cfd6
Instruction ID: 91e61c1064d113136bf711f953ff9f7f1772989300c97b3df2a744bb5409a578
Opcode Fuzzy Hash: 05f9e73d28bac2982f216f05c6d639c59e26f36017bd212c826fc296dbd4cfd6
Instruction Fuzzy Hash: 164158A2E0DF0046FF322569C5E447C1646CB92374F368A3FCA67329D15A3F24C6529B

Uniqueness

Uniqueness Score: -1.00%

Function 00407533, Relevance: 1.4, APIs: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-FFF5B501,00008000,-00000001FFE54E4F,00044F96), ref: 004076B7

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 636e8219a9ad4474e1a2c96522b6a4ac2fa565ff6ce7f4e0e52085ce00ce50e9
Instruction ID: 8a2427a186e44c28f6ea6d36315f857707767b88855a022fdf87544271000e2e
Opcode Fuzzy Hash: 636e8219a9ad4474e1a2c96522b6a4ac2fa565ff6ce7f4e0e52085ce00ce50e9
Instruction Fuzzy Hash: 743104A3F49A0446FF7520A4CAE45BD1007DB82351F32863BCE4B22DD85B3F15C2669B

Uniqueness

Uniqueness Score: -1.00%

Function 004075D5, Relevance: 1.4, APIs: 1, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-FFF5B501,00008000,-00000001FFE54E4F,00044F96), ref: 004076B7

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d8c99c091d671c993a19fe69330ee8e9113da8be387270a5e7e48ee99b74f98b
Instruction ID: 9485d65f68fa2af9b6a90b3e1e367a8d21502e0c81be8148d8714851185a4ba0
Opcode Fuzzy Hash: d8c99c091d671c993a19fe69330ee8e9113da8be387270a5e7e48ee99b74f98b
Instruction Fuzzy Hash: FD2136A2F49A0449FF7531A4C6E49BD5006CB81351F32C63BCB4B22DD41A3F55C65697

Uniqueness

Uniqueness Score: -1.00%

Function 00407628, Relevance: 1.3, APIs: 1, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-FFF5B501,00008000,-00000001FFE54E4F,00044F96), ref: 004076B7

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 63e81dd4c0a9a3f6886ce9d97dba11d45346607468991d77214fcddc5b3bdaf9
Instruction ID: 4a612093b220bf9dc32a892ea6f902912c7a9b2e6ac9cac45b19c272cde89cc1
Opcode Fuzzy Hash: 63e81dd4c0a9a3f6886ce9d97dba11d45346607468991d77214fcddc5b3bdaf9
Instruction Fuzzy Hash: A72136A2F09B0149FF3536B8C5E44BD6102CB82370F32873BCA67228E45A3E19C591A3

Uniqueness

Uniqueness Score: -1.00%

Function 0040767F, Relevance: 1.3, APIs: 1, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-FFF5B501,00008000,-00000001FFE54E4F,00044F96), ref: 004076B7

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1012ecd26116a74efbcc2e295530c1a053291ece4dc9c18742c50dbaf5755e7b
Instruction ID: 30e185a3ece79224e947632bf38e928b3c36d845f34ac063f8f2a87cae0281ad
Opcode Fuzzy Hash: 1012ecd26116a74efbcc2e295530c1a053291ece4dc9c18742c50dbaf5755e7b
Instruction Fuzzy Hash: D3112362F0D6048AFF3535A0C6E457D6006CB41791F32C13FCA8762DD55A3E69C1A687

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 022A116F, Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

w0[B, xrefs: 022A11C8

Memory Dump Source

Source File: 00000000.00000002.761118187.00000000022A0000.00000040.00000001.sdmp, Offset: 022A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: w0[B
API String ID: 0-844760714
Opcode ID: b2b86eafa3d677bdf950591e7038c43b61db3b75598557afb2a9be227257a13b
Instruction ID: 7c4259c32af19e784f546bd4f2062cd9c282b9f6ad482c7bd8bb4bf763fbdbe7
Opcode Fuzzy Hash: b2b86eafa3d677bdf950591e7038c43b61db3b75598557afb2a9be227257a13b
Instruction Fuzzy Hash: A0112230304301AFFB369BA4CDE9B98BAD2BF05720F248065F806DB6D5D7B5E8848A45

Uniqueness

Uniqueness Score: -1.00%

Function 022A0CE1, Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761118187.00000000022A0000.00000040.00000001.sdmp, Offset: 022A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a644ccac31bf632c6844b62b41e4e48386d11ee8c7ee0af5e3438ab804787e
Instruction ID: 8461948f28cf25a49d0299c255156569ac02a7787e0e835565d9317b1a9256b5
Opcode Fuzzy Hash: c7a644ccac31bf632c6844b62b41e4e48386d11ee8c7ee0af5e3438ab804787e
Instruction Fuzzy Hash: B0D1F171710712AFE724EFA8CCA0BD5B7A6FF08320F554229EC9993A44D775A894CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 022A3080, Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761118187.00000000022A0000.00000040.00000001.sdmp, Offset: 022A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3edcd653830f84773ff48fe2c5f5025a2bd60876a692a0e6cfc087500458fa60
Instruction ID: 82ba15135d4d82511a7826c1a27b0904706c9cd0d6f18ea39c24430169a0c287
Opcode Fuzzy Hash: 3edcd653830f84773ff48fe2c5f5025a2bd60876a692a0e6cfc087500458fa60
Instruction Fuzzy Hash: A581CE369AD7968FD727DEB88C552C9BBB2ED522943484AAEC490CB997D3128109C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 022A3147, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761118187.00000000022A0000.00000040.00000001.sdmp, Offset: 022A0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 938831e8608b6adba28ab6d87d68a439255d5c4a157f70cf6c74a3529ffc4324
Instruction ID: c251eb41162524c1ae8b278d2478c61280b43d10ee518d8be3cf00b6af8ff950
Opcode Fuzzy Hash: 938831e8608b6adba28ab6d87d68a439255d5c4a157f70cf6c74a3529ffc4324
Instruction Fuzzy Hash: 5A81B5349187838FDB25DF6884A4756BBA1EF92360F08C2D9CDA58F6DAD770C442C762

Uniqueness

Uniqueness Score: -1.00%

Function 00401579, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
Instruction ID: d394a65342a6a254380257ba0734a19f866dc21ad068f5b1ddaac111a7468d93
Opcode Fuzzy Hash: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
Instruction Fuzzy Hash: F641279025E2D4EFC71B47B64CBA2813FE1AE07108B1A88EFD6D54B8A3E555241FC727

Uniqueness

Uniqueness Score: -1.00%

Function 022A3B0E, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761118187.00000000022A0000.00000040.00000001.sdmp, Offset: 022A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597c1a26944c567855a5419c14629f82b17e6f6f0d10500aadb6bff1b30113d8
Instruction ID: fe252dd394feb4575ed639507217fbfdd9b4ee36100fda16bbc528ee3309a0fb
Opcode Fuzzy Hash: 597c1a26944c567855a5419c14629f82b17e6f6f0d10500aadb6bff1b30113d8
Instruction Fuzzy Hash: D3414D715ED2A75FC727DDB85CA52DABBB2985562438C44BEC480CBD87D306814EC7C0

Uniqueness

Uniqueness Score: -1.00%

Function 022A2CCE, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761118187.00000000022A0000.00000040.00000001.sdmp, Offset: 022A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8a19f450940fb75b0cda15ec1f24ba31a034fa32c1dbb6c87cb58ecfbf024
Instruction ID: a1fd52830b1fe3589dda4605cb6c61fc1cb0677c2528360eae83a2beaeb45c40
Opcode Fuzzy Hash: c1e8a19f450940fb75b0cda15ec1f24ba31a034fa32c1dbb6c87cb58ecfbf024
Instruction Fuzzy Hash: 1111B234721702DBDB18AEB499A0BAE32A79F457A0F518A25FC41C7959D725CC84CA21

Uniqueness

Uniqueness Score: -1.00%

Function 004017B5, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
Instruction ID: 0ef76ab4ed2bcdf07a831812e9108315abc5032b0251afc9fc56c28be75d868b
Opcode Fuzzy Hash: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
Instruction Fuzzy Hash: 5E11DAB150E3E59FCB174B748CB52527FB0AF1B20070A44EBD4819F8A7E268281ED727

Uniqueness

Uniqueness Score: -1.00%

Function 022A295F, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761118187.00000000022A0000.00000040.00000001.sdmp, Offset: 022A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2761a8a2f92a444a9fa0b65a9a639dfed795fc7ea14e4a2830cc29fe1fd4b688
Instruction ID: 2c75853d3295b5d8c194f88085400138e11a2872d7fe53336eb9b95ac3767d38
Opcode Fuzzy Hash: 2761a8a2f92a444a9fa0b65a9a639dfed795fc7ea14e4a2830cc29fe1fd4b688
Instruction Fuzzy Hash: FBF0F4B2610301DFE739AB94C995B6BB396FF11710FA48A6CF44687B2AD728DC40A711

Uniqueness

Uniqueness Score: -1.00%

Function 00401768, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction ID: 3a4f40afd7daac755765d0dbc513794409bb1d663c47dbf88c845af7c1cdfe86
Opcode Fuzzy Hash: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction Fuzzy Hash: CBF07A70124154EFCB06CF74D8A5A063BE1AF5B3407451CDAD9108F475D736B865EB12

Uniqueness

Uniqueness Score: -1.00%

Function 022A196F, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761118187.00000000022A0000.00000040.00000001.sdmp, Offset: 022A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16611b997776d8b77af30103510b6b17d9e045ef071f2e5de659a298b94fdf0b
Instruction ID: 82e8f4bfb593e926cba551cfedd24ca781abebb90b41d5392114119a04cb274c
Opcode Fuzzy Hash: 16611b997776d8b77af30103510b6b17d9e045ef071f2e5de659a298b94fdf0b
Instruction Fuzzy Hash: 1CC048BA6019818FEB01DA0CC982B4073A1BB51658BC80A90E0238BBA6D228E904CA00

Uniqueness

Uniqueness Score: -1.00%

Function 022A1ADA, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761118187.00000000022A0000.00000040.00000001.sdmp, Offset: 022A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction ID: f1647c15dfe5582e2114d8b48c9dc7a79c4e1b76aa7bcc19d5d00c5bce2ac4c7
Opcode Fuzzy Hash: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 022A2AB7, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761118187.00000000022A0000.00000040.00000001.sdmp, Offset: 022A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeea0b7bebd9ee769a5d1e92140d4594e1574e343b84102d3b90182d1db966cf
Instruction ID: a8f171f42157a45bca8c3c1b812379a4a158a20138df594f8dd99fad1fca0306
Opcode Fuzzy Hash: eeea0b7bebd9ee769a5d1e92140d4594e1574e343b84102d3b90182d1db966cf
Instruction Fuzzy Hash: 0FB00235651540DFDA55CA59D194E4073A5B754650B855491E4118BA51D264E940CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00410489, Relevance: 57.4, APIs: 38, Instructions: 368COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 004104A7
__vbaStrCopy.MSVBVM60(?,?,?,?,004011F6), ref: 004104D1
__vbaStrCat.MSVBVM60(00402FC4,00402FC4,00000001,?,?,?,?,004011F6), ref: 004104E2
__vbaStrMove.MSVBVM60(00402FC4,00402FC4,00000001,?,?,?,?,004011F6), ref: 004104EC
#616.MSVBVM60(00000000,00402FC4,00402FC4,00000001,?,?,?,?,004011F6), ref: 004104F2
__vbaStrMove.MSVBVM60(00000000,00402FC4,00402FC4,00000001,?,?,?,?,004011F6), ref: 004104FC
__vbaStrCmp.MSVBVM60(00402FC4,00000000,00000000,00402FC4,00402FC4,00000001,?,?,?,?,004011F6), ref: 00410507
__vbaFreeStrList.MSVBVM60(00000002,00402FC4,00402FC4,00402FC4,00000000,00000000,00402FC4,00402FC4,00000001,?,?,?,?,004011F6), ref: 00410525
__vbaNew2.MSVBVM60(00402FE8,004123C0,?,?,004011F6), ref: 0041054F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FD8,00000014), ref: 004105B1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF8,000000E0), ref: 0041060D
__vbaStrMove.MSVBVM60(00000000,?,00402FF8,000000E0), ref: 00410637
__vbaFreeObj.MSVBVM60(00000000,?,00402FF8,000000E0), ref: 0041063F
__vbaNew2.MSVBVM60(00402448,00412010), ref: 00410657
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410690
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040314C,00000048), ref: 004106D4
__vbaNew2.MSVBVM60(00402FE8,004123C0), ref: 004106FB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FD8,00000014), ref: 0041075D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF8,00000138), ref: 004107BA
__vbaFreeStr.MSVBVM60(00000000,?,00402FF8,00000138), ref: 004107D1
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004107E0
__vbaNew2.MSVBVM60(00402448,00412010,?,?,?,?,?,004011F6), ref: 004107FB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410834
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040314C,00000050), ref: 00410878
__vbaNew2.MSVBVM60(00402FE8,004123C0), ref: 0041089F
__vbaChkstk.MSVBVM60(?), ref: 0041092D
__vbaChkstk.MSVBVM60(?), ref: 00410941
__vbaChkstk.MSVBVM60(?), ref: 00410955
__vbaChkstk.MSVBVM60(?), ref: 00410966
__vbaChkstk.MSVBVM60(?), ref: 00410977
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FD8,00000044), ref: 004109BA
__vbaChkstk.MSVBVM60(00000000,?,00402FD8,00000044), ref: 004109EE
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00410A01
__vbaFreeObj.MSVBVM60(?,00000000), ref: 00410A09
__vbaFreeVarList.MSVBVM60(00000002,00000008,00000009,?,00000000), ref: 00410A18
__vbaFreeStr.MSVBVM60(00410A7E), ref: 00410A68
__vbaFreeStr.MSVBVM60(00410A7E), ref: 00410A70
__vbaFreeObj.MSVBVM60(00410A7E), ref: 00410A78

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckChkstkHresult$New2$ListMove$#616CopyLate
String ID:
API String ID: 709077215-0
Opcode ID: 80fabb119bd9da23b3136088aeee59b848afff5af0a9780aca4b239fd7bab1e5
Instruction ID: 0199ccd42ab3efed521bf4ffe2e3a11089f99b464f013ed8fa0d4ed6a25a90f8
Opcode Fuzzy Hash: 80fabb119bd9da23b3136088aeee59b848afff5af0a9780aca4b239fd7bab1e5
Instruction Fuzzy Hash: 8FF12670900318EFDB20DFA0C945BDDB7B6BF09304F1040AAE909BB2A1D7B95AD59F59

Uniqueness

Uniqueness Score: -1.00%

Function 00401B86, Relevance: 43.8, APIs: 29, Instructions: 301COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FD8,00000014), ref: 004105B1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF8,000000E0), ref: 0041060D
__vbaStrMove.MSVBVM60(00000000,?,00402FF8,000000E0), ref: 00410637
__vbaFreeObj.MSVBVM60(00000000,?,00402FF8,000000E0), ref: 0041063F
__vbaNew2.MSVBVM60(00402448,00412010), ref: 00410657
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410690
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040314C,00000048), ref: 004106D4
__vbaNew2.MSVBVM60(00402FE8,004123C0), ref: 004106FB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FD8,00000014), ref: 0041075D

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckHresult$New2$FreeMove
String ID:
API String ID: 1941556934-0
Opcode ID: 82d378020f5f831093e7d97634776e8c6412df37dcb96e6703995cfd9303ba23
Instruction ID: 7558c58b83f681e1b2b3f1d776d264a60028c2b46f0fa693e9a6811bb8e0428a
Opcode Fuzzy Hash: 82d378020f5f831093e7d97634776e8c6412df37dcb96e6703995cfd9303ba23
Instruction Fuzzy Hash: 0FD10530900318EFDB20EF91C945BDDB7B2BF09304F1044AAE909BB2A1D7B95AD59F19

Uniqueness

Uniqueness Score: -1.00%

Function 00410D2C, Relevance: 42.2, APIs: 28, Instructions: 178COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 00410D4A
__vbaVarCopy.MSVBVM60(?,?,?,?,004011F6), ref: 00410D77
__vbaVarTstEq.MSVBVM60(?,?,?,?,?,?,004011F6), ref: 00410D87
__vbaVarCopy.MSVBVM60(?,?,?,?,?,?,004011F6), ref: 00410D99
__vbaVarTstEq.MSVBVM60(?,?,?,?,?,?,?,?,004011F6), ref: 00410DAE
__vbaLenVar.MSVBVM60(?,?,00000002,00000002), ref: 00410DFC
__vbaVarForInit.MSVBVM60(?,?,?,00000000,?,?,00000002,00000002), ref: 00410E14
__vbaVarAdd.MSVBVM60(?,?,00000008,0000000A,00000001,00000001), ref: 00410F4E
#650.MSVBVM60(00000000,?,?,00000008,0000000A,00000001,00000001), ref: 00410F54
__vbaVarMove.MSVBVM60(00000000,?,?,00000008,0000000A,00000001,00000001), ref: 00410F72
__vbaFreeVarList.MSVBVM60(00000002,?,0000000A,00000000,?,?,00000008,0000000A,00000001,00000001), ref: 00410F87
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,0041101C,?,?,?,?,?,?,?,?,004011F6), ref: 00410FE3
__vbaFreeVar.MSVBVM60(?,?,?,004011F6), ref: 00410FEE
__vbaFreeVar.MSVBVM60(?,?,?,004011F6), ref: 00410FF6
__vbaFreeVar.MSVBVM60(?,?,?,004011F6), ref: 00410FFE
__vbaFreeVar.MSVBVM60(?,?,?,004011F6), ref: 00411006
__vbaFreeVar.MSVBVM60(?,?,?,004011F6), ref: 0041100E
__vbaFreeVar.MSVBVM60(?,?,?,004011F6), ref: 00411016

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CopyList$#650ChkstkInitMove
String ID:
API String ID: 4075068740-0
Opcode ID: 163c143edfe89ad75afab0fd8e0ab8e4ea954f5eade16feae4daeadbcb4dfa68
Instruction ID: 3edb8630e1fdb9f4548d0092668da7cd0b699e9c56c201b43530bfbd138ad131
Opcode Fuzzy Hash: 163c143edfe89ad75afab0fd8e0ab8e4ea954f5eade16feae4daeadbcb4dfa68
Instruction Fuzzy Hash: 1B71C0B180021C9ADB61DB91CD86FDEB7BCAF04304F5041EBA549F6191EF78AB898F54

Uniqueness

Uniqueness Score: -1.00%

Function 00410AA5, Relevance: 19.6, APIs: 13, Instructions: 125COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 00410AC0
__vbaStrCopy.MSVBVM60(?,?,?,?,004011F6), ref: 00410AD8
__vbaNew2.MSVBVM60(00402FE8,004123C0,?,?,?,?,004011F6), ref: 00410AF0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FD8,00000014), ref: 00410B34
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF8,000000E8), ref: 00410B75
__vbaStrMove.MSVBVM60 ref: 00410B93
__vbaFreeObj.MSVBVM60 ref: 00410B9B
__vbaNew2.MSVBVM60(00402448,00412010), ref: 00410BB3
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410BE0
__vbaHresultCheckObj.MSVBVM60(00000000,?,004030D0,000000F8), ref: 00410C15
__vbaFreeObj.MSVBVM60 ref: 00410C2E
__vbaFreeStr.MSVBVM60(00410C5C), ref: 00410C4E
__vbaFreeStr.MSVBVM60(00410C5C), ref: 00410C56

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$New2$ChkstkCopyMove
String ID:
API String ID: 4110455518-0
Opcode ID: d4fc7a5dd1d631e30b6bf2a8c669d66d172ff2bdd6ed12793395f179829a47c6
Instruction ID: 8d055706842a2e1e8be1d845050facc447bdf87ef2d560dda49ce33818c9fdac
Opcode Fuzzy Hash: d4fc7a5dd1d631e30b6bf2a8c669d66d172ff2bdd6ed12793395f179829a47c6
Instruction Fuzzy Hash: 0B51F370900209EFDB00DFE4C985BDDBBB5BF08708F20852AF511B76A0D7B86995DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00401B5E, Relevance: 13.6, APIs: 9, Instructions: 84COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?), ref: 00410977
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FD8,00000044), ref: 004109BA
__vbaChkstk.MSVBVM60(00000000,?,00402FD8,00000044), ref: 004109EE
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00410A01
__vbaFreeObj.MSVBVM60(?,00000000), ref: 00410A09
__vbaFreeVarList.MSVBVM60(00000002,00000008,00000009,?,00000000), ref: 00410A18
__vbaFreeStr.MSVBVM60(00410A7E), ref: 00410A68
__vbaFreeStr.MSVBVM60(00410A7E), ref: 00410A70
__vbaFreeObj.MSVBVM60(00410A7E), ref: 00410A78

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$Chkstk$CheckHresultLateList
String ID:
API String ID: 625434179-0
Opcode ID: 3091641e7400f291daf2530c7eddfa26bf55b651c64b210ec9acdff9690caa97
Instruction ID: cc6e1ff3ffd6343073f2698c46cefc86655e839b42706594059c818c7a1570e1
Opcode Fuzzy Hash: 3091641e7400f291daf2530c7eddfa26bf55b651c64b210ec9acdff9690caa97
Instruction Fuzzy Hash: 4D217F71C003189FDB12DFA1CD52BDD77B2AF09314F1001AAF905BB1E2D7B91A858B15

Uniqueness

Uniqueness Score: -1.00%

Function 00410C79, Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 00410C95
#536.MSVBVM60(00000002), ref: 00410CCB
__vbaStrMove.MSVBVM60(00000002), ref: 00410CD5
__vbaFreeVar.MSVBVM60(00000002), ref: 00410CDD
__vbaFreeStr.MSVBVM60(00410D05,00000002), ref: 00410CFF

Memory Dump Source

Source File: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.759078422.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.759123881.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$#536ChkstkMove
String ID:
API String ID: 2104488870-0
Opcode ID: 8014fd92afab6d6d8cae0a8ffa75d0b783d68dd5662338ee14d20d444ed8f9d7
Instruction ID: 25fef30f2d95bbae38ed568582fe090ab1f2e4df649ff4e816741cebec6afa85
Opcode Fuzzy Hash: 8014fd92afab6d6d8cae0a8ffa75d0b783d68dd5662338ee14d20d444ed8f9d7
Instruction Fuzzy Hash: F5014F71910208ABDB04EF95DD86FDEBBB4BF08704F40842AF901BB1A1DB7C5544CB59

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report RFQ 35465756.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: GuLoader

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: RFQ 35465756.exe PID: 5636 Parent PID: 5708

General

Chronological Activities

Disassembly

Code Analysis