Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Variant.Jaik.46242.3594.22390

Overview

General Information

Sample Name:	SecuriteInfo.com.Variant.Jaik.46242.3594.22390 (renamed file extension from 22390 to exe)
Analysis ID:	431830
MD5:	99bbf83abe9d6e4ecc91493e32230833
SHA1:	b0bd6ba2dc10eb5552edc7a3460c80ee0eb1b11e
SHA256:	2b2a00650dc91d1a7ccfa4a62e3462762c62d8a092bddb75943f87074f1d56a5
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Potential malicious icon found

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Variant.Jaik.46242.3594.exe (PID: 3920 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe' MD5: 99BBF83ABE9D6E4ECC91493E32230833)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://www.pos.nblwarehouse.my.id/bin_GgrWeMMq137.bin, http://benvenuti.rs/wp-co"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
SecuriteInfo.com.Variant.Jaik.46242.3594.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000000.00000000.197018556.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Variant.Jaik.46242.3594.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
0.0.SecuriteInfo.com.Variant.Jaik.46242.3594.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "https://www.pos.nblwarehouse.my.id/bin_GgrWeMMq137.bin, http://benvenuti.rs/wp-co"}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe

Virustotal: Detection: 26%

Perma Link

Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://www.pos.nblwarehouse.my.id/bin_GgrWeMMq137.bin, http://benvenuti.rs/wp-co

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02286A2E NtAllocateVirtualMemory,	0_2_02286A2E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02286C20 NtAllocateVirtualMemory,	0_2_02286C20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02286A78 NtAllocateVirtualMemory,	0_2_02286A78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02286AF8 NtAllocateVirtualMemory,	0_2_02286AF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02286B94 NtAllocateVirtualMemory,	0_2_02286B94

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_00401C10	0_2_00401C10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_004055F3	0_2_004055F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02286A2E	0_2_02286A2E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02286629	0_2_02286629
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02283238	0_2_02283238
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02283A30	0_2_02283A30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02283834	0_2_02283834
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_0228B409	0_2_0228B409
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_0228341C	0_2_0228341C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_0228666C	0_2_0228666C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02286A78	0_2_02286A78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02284440	0_2_02284440
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_0228185A	0_2_0228185A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_022832A0	0_2_022832A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02283AA0	0_2_02283AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_022866B8	0_2_022866B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02284490	0_2_02284490
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02286AF8	0_2_02286AF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_022834C0	0_2_022834C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_022836DE	0_2_022836DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02283925	0_2_02283925
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_0228173C	0_2_0228173C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02283B30	0_2_02283B30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_0228350C	0_2_0228350C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_0228450C	0_2_0228450C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_0228331C	0_2_0228331C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02283714	0_2_02283714
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_022833A4	0_2_022833A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_022817B8	0_2_022817B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02283788	0_2_02283788
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02284993	0_2_02284993
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_022847ED	0_2_022847ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_022843FB	0_2_022843FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_022831D8	0_2_022831D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_022839DC	0_2_022839DC

Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000002.721975031.00000000020B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Variant.Jaik.46242.3594.exe
Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000000.197037296.0000000000424000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameTWINEMAKER.exe vs SecuriteInfo.com.Variant.Jaik.46242.3594.exe
Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Binary or memory string: OriginalFilenameTWINEMAKER.exe vs SecuriteInfo.com.Variant.Jaik.46242.3594.exe

Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal96.rans.troj.evad.winEXE@1/0@0/0

Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe

Virustotal: Detection: 26%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, type: MEMORY

Yara detected GuLoader

Show sources

Source: Yara match	File source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.197018556.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Jaik.46242.3594.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SecuriteInfo.com.Variant.Jaik.46242.3594.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_00409C54 push es; iretd	0_2_00409C5E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_0040605F push 00000059h; retf	0_2_00406061
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_00406E64 push eax; retf	0_2_00406E65
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_0040A065 pushad ; retf	0_2_0040A0B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_00409E0D push edx; iretd	0_2_00409E12
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_00409EF8 push ss; iretd	0_2_00409EFE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_00406AFE push es; iretd	0_2_00406B02
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_004079CA push cs; iretd	0_2_004079CE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_00409387 push ss; iretd	0_2_004093A6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_00408D90 push cs; iretd	0_2_00408D9E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_00403191 push dword ptr [ebp-44h]; ret	0_2_0041ECA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02285356 push edi; iretd	0_2_02285357

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	RDTSC instruction interceptor: First address: 0000000002289F94 second address: 000000000228A040 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a sub esp, 00000100h 0x00000010 mov edi, esp 0x00000012 test cx, dx 0x00000015 add esp, 00000100h 0x0000001b test eax, eax 0x0000001d mov dword ptr [edi+28h], eax 0x00000020 test bx, dx 0x00000023 mov esi, BEC25DA1h 0x00000028 add esi, 4F1D403Dh 0x0000002e xor esi, E8F819C0h 0x00000034 add esi, 1AD96BE2h 0x0000003a jmp 00007F7DFCC1F3BEh 0x0000003c pushad 0x0000003d mov eax, 0000003Fh 0x00000042 cpuid 0x00000044 popad 0x00000045 add esi, 00001000h 0x0000004b cmp esi, 0000F000h 0x00000051 je 00007F7DFCC1F8D0h 0x00000057 cmp esi, 7FFFF000h 0x0000005d je 00007F7DFCC1F8C4h 0x00000063 push 0AF1A7F6h 0x00000068 xor dword ptr [esp], 7FA34B79h 0x0000006f pushad 0x00000070 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	RDTSC instruction interceptor: First address: 000000000228A040 second address: 000000000228A040 instructions:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	RDTSC instruction interceptor: First address: 0000000002289F94 second address: 000000000228A040 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a sub esp, 00000100h 0x00000010 mov edi, esp 0x00000012 test cx, dx 0x00000015 add esp, 00000100h 0x0000001b test eax, eax 0x0000001d mov dword ptr [edi+28h], eax 0x00000020 test bx, dx 0x00000023 mov esi, BEC25DA1h 0x00000028 add esi, 4F1D403Dh 0x0000002e xor esi, E8F819C0h 0x00000034 add esi, 1AD96BE2h 0x0000003a jmp 00007F7DFCC1F3BEh 0x0000003c pushad 0x0000003d mov eax, 0000003Fh 0x00000042 cpuid 0x00000044 popad 0x00000045 add esi, 00001000h 0x0000004b cmp esi, 0000F000h 0x00000051 je 00007F7DFCC1F8D0h 0x00000057 cmp esi, 7FFFF000h 0x0000005d je 00007F7DFCC1F8C4h 0x00000063 push 0AF1A7F6h 0x00000068 xor dword ptr [esp], 7FA34B79h 0x0000006f pushad 0x00000070 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	RDTSC instruction interceptor: First address: 000000000228A040 second address: 000000000228A040 instructions:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe

Code function: 0_2_02284E28 rdtsc

0_2_02284E28

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe

Code function: 0_2_02284E28 rdtsc

0_2_02284E28

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_02284440 mov eax, dword ptr fs:[00000030h]	0_2_02284440
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_022864F9 mov eax, dword ptr fs:[00000030h]	0_2_022864F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_022890F5 mov eax, dword ptr fs:[00000030h]	0_2_022890F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_022836DE mov eax, dword ptr fs:[00000030h]	0_2_022836DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_0228993D mov eax, dword ptr fs:[00000030h]	0_2_0228993D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe	Code function: 0_2_022843FB mov eax, dword ptr fs:[00000030h]	0_2_022843FB

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000002.721862094.0000000000C30000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000002.721862094.0000000000C30000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000002.721862094.0000000000C30000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000002.721862094.0000000000C30000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery31	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery21	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Jaik.46242.3594.exe	26%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://www.pos.nblwarehouse.my.id/bin_GgrWeMMq137.bin, http://benvenuti.rs/wp-co	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.pos.nblwarehouse.my.id/bin_GgrWeMMq137.bin, http://benvenuti.rs/wp-co	true	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	431830
Start date:	09.06.2021
Start time:	11:46:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Variant.Jaik.46242.3594.22390 (renamed file extension from 22390 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.607689655560483
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Variant.Jaik.46242.3594.exe
File size:	147456
MD5:	99bbf83abe9d6e4ecc91493e32230833
SHA1:	b0bd6ba2dc10eb5552edc7a3460c80ee0eb1b11e
SHA256:	2b2a00650dc91d1a7ccfa4a62e3462762c62d8a092bddb75943f87074f1d56a5
SHA512:	0f6b9f9a843f491b925aab0af5d4f08024a2d430c41022c23afb46ce3abdf7881e8d87ac6d93f5adfc2f11aee0f0bb0ac28fa2500ec118bc1ed496281d3afec6
SSDEEP:	1536:Fttu3FssKUmvr9DJ1FJS1bQNZ6bp/+Dtr5m3XSt4lYS0eXJWUTFboob:ztu3alxx3fSQmbs55r4l6eXJWUB0ob
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......G.....................0............... ....@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x401c10
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x47BBB203 [Wed Feb 20 04:52:19 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9b8686288ab82fdbf8ede30bc55c83b7

Entrypoint Preview

Instruction
push 0040205Ch
call 00007F7DFCCE22D5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx-0Dh], bh
out dx, al
mov byte ptr [44508D06h], al
xchg eax, edx
popad
sbb al, C1h
int1
or eax, 0000BF8Ah
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
push 4203026Dh
jc 00007F7DFCCE2351h
outsb
imul ebp, dword ptr [edi+73h], 6Bh
outsd
jo 00007F7DFCCE2347h
jc 00007F7DFCCE234Bh
outsb
jc 00007F7DFCCE2352h
jnc 00007F7DFCCE22E3h
insd
add al, byte ptr [ebx]
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
cmovnle edi, dword ptr [ecx]
outsd
mov ecx, esp
call 00007F7DC353660Bh
pop edx
test byte ptr [edi+10h], bl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x20f24	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x950	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1c4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x205e8	0x21000	False	0.356082800663	data	5.85827510304	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x22000	0x1250	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x950	0x1000	False	0.171875	data	2.03163651737	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x24820	0x130	data
RT_ICON	0x24538	0x2e8	data
RT_ICON	0x24410	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x243e0	0x30	data
RT_VERSION	0x24150	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaRecDestruct, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaCyStr, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaObjVar, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, __vbaLateMemCallLd, __vbaRecDestructAnsi, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	TWINEMAKER
FileVersion	1.00
CompanyName	Mortagage
Comments	Mortagage
ProductName	Mortagage
ProductVersion	1.00
FileDescription	Mortagage
OriginalFilename	TWINEMAKER.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Variant.Jaik.46242.3594.exe PID: 3920 Parent PID: 5824

General

Start time:	11:47:01
Start date:	09/06/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe'
Imagebase:	0x400000
File size:	147456 bytes
MD5 hash:	99BBF83ABE9D6E4ECC91493E32230833
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000000.197018556.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.Variant.Jaik.46242.3594.exe PID: 3920 Parent PID: 5824 SecuriteInfo.com.Variant.Jaik.46242.3594.exeCOMMON

Executed Functions

Function 004055F3, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 224memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00011000,66628F99,-2E424193), ref: 004058BB

Strings

C, xrefs: 00405703
q, xrefs: 0040567D
h, xrefs: 00405771
_, xrefs: 00405648
@, xrefs: 00405706

Memory Dump Source

Source File: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.721529384.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.721596246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.721606835.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocVirtual
String ID: @$C$_$h$q
API String ID: 4275171209-2839808294
Opcode ID: 19fe624886c6294c4c58a26b7dafc2999a74420af71b7e185235912bd1e8c7be
Instruction ID: a3173b0ce8ff531f604c310f99f4cbebd2c40a7e7461c0cd1247eb664b9aa9e4
Opcode Fuzzy Hash: 19fe624886c6294c4c58a26b7dafc2999a74420af71b7e185235912bd1e8c7be
Instruction Fuzzy Hash: 8351D4606663424AFFB81434C6E173E1596DB56304F70EE3BCA53EAECAC92EC5C15613

Uniqueness

Uniqueness Score: -1.00%

Function 00401C10, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 411COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401C15

Strings

VB5!6&*, xrefs: 00401C10

Memory Dump Source

Source File: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.721529384.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.721596246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.721606835.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 11329e3dcc9c63cd2251095cd26cf4cf7e3b32087ece2b2a0dc12fe29e45f2d2
Instruction ID: bc2b0363ddcc9f0738999dd3536d0f3544ba8b5e55dfad2faa39adb5ed85be73
Opcode Fuzzy Hash: 11329e3dcc9c63cd2251095cd26cf4cf7e3b32087ece2b2a0dc12fe29e45f2d2
Instruction Fuzzy Hash: 2EE1676144E7C28FD7079B708DA15A17FB0AE1331431E46EBC4C1DE1B3E22C6A5AD76A

Uniqueness

Uniqueness Score: -1.00%

Function 02286A2E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 119memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(280BB30F,0000013C), ref: 02286C76

Strings

c8W, xrefs: 02286A91

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: c8W
API String ID: 2167126740-2350576336
Opcode ID: 08b0511700217d172f8524e6a31c03d651040b6ee3d50a26974c3e368761ad59
Instruction ID: de4139a0ba560149d71ff7ba4aa137997467f71a76a6d53655e05e82806a30d0
Opcode Fuzzy Hash: 08b0511700217d172f8524e6a31c03d651040b6ee3d50a26974c3e368761ad59
Instruction Fuzzy Hash: 6F4123715253859FDB60EF64DC11BEE7BF2AF89310F45852EDD8A9B264D3348A41CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02286A78, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 113memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(280BB30F,0000013C), ref: 02286C76

Strings

c8W, xrefs: 02286A91

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: c8W
API String ID: 2167126740-2350576336
Opcode ID: e2d8ce444e0a82bd0f0001ae1f826050d0c2fc27cd1432129250eaa3c52e142f
Instruction ID: 8662707cae1735c5b25ad8759eff0492f656660c6bb8459c1c761f8491d73738
Opcode Fuzzy Hash: e2d8ce444e0a82bd0f0001ae1f826050d0c2fc27cd1432129250eaa3c52e142f
Instruction Fuzzy Hash: 014132705153859FDB20EFA8DD41BEE7BF2AF89314F44452EDD8A9B264D3388A41CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02286AF8, Relevance: 1.6, APIs: 1, Instructions: 99memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(280BB30F,0000013C), ref: 02286C76

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 98598c18812f95cf476d4415301629cda8ba8cb7a2760976b3ad1630b9182190
Instruction ID: e6c8ea3d8b97106f65ac155cb57604cbbff5f46373e6b2b491d2482e1639771f
Opcode Fuzzy Hash: 98598c18812f95cf476d4415301629cda8ba8cb7a2760976b3ad1630b9182190
Instruction Fuzzy Hash: A9411F705253848FDB20EF64DC51BEE7BF6AF59314F44442EDC499B264D3388A80CB06

Uniqueness

Uniqueness Score: -1.00%

Function 02286B94, Relevance: 1.6, APIs: 1, Instructions: 78memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(280BB30F,0000013C), ref: 02286C76

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c9ad9ac8078c91af546ade16f134f5c27aa2e25339ac38ea018dc7d534ab9ce5
Instruction ID: b87c72e8e8ee4c4a3ea03dfce504b8e4ea834833fce327d7e241d826ec3e85ad
Opcode Fuzzy Hash: c9ad9ac8078c91af546ade16f134f5c27aa2e25339ac38ea018dc7d534ab9ce5
Instruction Fuzzy Hash: 3B31DA705113888FDB709FA4DD94BEEBBF2AF4A324F08052EDD499B2A0D3348A40CB05

Uniqueness

Uniqueness Score: -1.00%

Function 02286C20, Relevance: 1.6, APIs: 1, Instructions: 59memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(280BB30F,0000013C), ref: 02286C76

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 5156325a313f4d6f149bd6f4c7a95b710afaf04223730bf6abc23e83068f246b
Instruction ID: ef0cdd29fb1a6cc1c87699a17c0504b30b90295ff0c34eb241fe1f94cd558dd1
Opcode Fuzzy Hash: 5156325a313f4d6f149bd6f4c7a95b710afaf04223730bf6abc23e83068f246b
Instruction Fuzzy Hash: 8F21BB715153899FDB709FA4ED50BEE77B2AF19324F48012ADC089B2A0D7348A40CB01

Uniqueness

Uniqueness Score: -1.00%

Function 004030FE, Relevance: 491.2, APIs: 250, Strings: 29, Instructions: 3000COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401976), ref: 0041322E
__vbaAryConstruct2.MSVBVM60(?,00403CF0,00000011,?,?,?,?,00401976), ref: 0041327A
__vbaAryConstruct2.MSVBVM60(?,00403D0C,00000002,?,?,?,?,00401976), ref: 0041328E
__vbaVarDup.MSVBVM60 ref: 004132BB
#591.MSVBVM60(?), ref: 004132C8
__vbaStrMove.MSVBVM60 ref: 004132D6
__vbaStrCat.MSVBVM60(00403AEC,Strin,00000000), ref: 004132E7
__vbaStrMove.MSVBVM60 ref: 004132F5
__vbaStrCmp.MSVBVM60(00000000), ref: 004132FC
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00413321
__vbaFreeVar.MSVBVM60(?,?,00401976), ref: 00413330
__vbaNew2.MSVBVM60(00403B10,004223CC,?,?,Function_00001976), ref: 0041335F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B00,00000014), ref: 004133C8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B20,000000E8), ref: 00413431
__vbaStrMove.MSVBVM60 ref: 0041346B
__vbaFreeObj.MSVBVM60 ref: 00413477
#702.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 004134A7
__vbaStrMove.MSVBVM60 ref: 004134B5
__vbaFreeVar.MSVBVM60 ref: 004134C1
__vbaNew2.MSVBVM60(004028C0,00422010), ref: 004134E8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413525
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B30,000000F8), ref: 00413576
__vbaNew2.MSVBVM60(004028C0,00422010), ref: 004135A1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004135DE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B40,000000F0), ref: 0041362F
__vbaNew2.MSVBVM60(004028C0,00422010), ref: 0041365A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413697
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B50,00000100), ref: 004136E8
__vbaNew2.MSVBVM60(00403B10,004223CC), ref: 00413713
__vbaChkstk.MSVBVM60(?), ref: 004137C9
__vbaChkstk.MSVBVM60(?), ref: 004137F8
__vbaChkstk.MSVBVM60(?), ref: 00413827
__vbaChkstk.MSVBVM60(?), ref: 00413856
__vbaChkstk.MSVBVM60(?), ref: 00413885
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B00,00000044), ref: 004138E7
__vbaChkstk.MSVBVM60 ref: 00413930
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00413963
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00413980
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,Function_00001976), ref: 00413999
#585.MSVBVM60(00000000,00000000,?,?,00401976), ref: 004139AD
__vbaFpR8.MSVBVM60(?,?,00401976), ref: 004139B3
__vbaNew2.MSVBVM60(00403B10,004223CC,?,?,?,?,?,?,?,?,?,Function_00001976), ref: 004139E4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B00,00000014), ref: 00413A4D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B20,000000E0), ref: 00413AB6
__vbaStrMove.MSVBVM60 ref: 00413AF0
__vbaFreeObj.MSVBVM60 ref: 00413AFC
#611.MSVBVM60 ref: 00413B09
__vbaStrMove.MSVBVM60 ref: 00413B14
#569.MSVBVM60(0000004E), ref: 00413B2A
#534.MSVBVM60(?,?,00401976), ref: 00413B3D
__vbaSetSystemError.MSVBVM60(00000000,?,?,00401976), ref: 00413B57
#536.MSVBVM60(00000002), ref: 00413B8F
__vbaStrMove.MSVBVM60 ref: 00413B9A
__vbaFreeVar.MSVBVM60 ref: 00413BA6
__vbaNew2.MSVBVM60(00403B10,004223CC), ref: 00413BC6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B00,00000014), ref: 00413C2F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B20,000000F8), ref: 00413C98
__vbaStrMove.MSVBVM60 ref: 00413CCF
__vbaFreeObj.MSVBVM60 ref: 00413CDB
__vbaNew2.MSVBVM60(00403B10,004223CC), ref: 00413D02
__vbaLateMemCallLd.MSVBVM60(00000002,?,vF5LV3hoE187,00000000), ref: 00413D3E
__vbaObjVar.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_00001976), ref: 00413D48
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_00001976), ref: 00413D56
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B00,0000000C), ref: 00413D95
__vbaFreeObj.MSVBVM60 ref: 00413DB3
__vbaFreeVar.MSVBVM60 ref: 00413DBF
__vbaStrCopy.MSVBVM60 ref: 00413DD7
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 00413DE5
__vbaSetSystemError.MSVBVM60(00711E46,000773CF,?), ref: 00413E07
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00413E35
#554.MSVBVM60 ref: 00413E54
__vbaNew2.MSVBVM60(00403B10,004223CC), ref: 00413E74
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B00,00000014), ref: 00413EDD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B20,00000078), ref: 00413F40
__vbaFreeObj.MSVBVM60 ref: 00413F6C
__vbaNew2.MSVBVM60(004028C0,00422010), ref: 00413F8C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413FC9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B74,00000130), ref: 0041401A
#532.MSVBVM60(?), ref: 00414039
__vbaFreeStr.MSVBVM60 ref: 00414045
__vbaFreeObj.MSVBVM60 ref: 00414051
__vbaRecUniToAnsi.MSVBVM60(00403610,?,?,00000000,00000000,?,?,?,?,?,00401976), ref: 00414075
__vbaRecUniToAnsi.MSVBVM60(004035F8,?,?,00000000,?,?,?,?,?,00401976), ref: 0041408F
__vbaStrToAnsi.MSVBVM60(?,00403B88,00000000,00000000,?,?,?,?,?,00401976), ref: 004140A4
__vbaSetSystemError.MSVBVM60(00000000,00000000,00000000,?,?,?,?,?,00401976), ref: 004140BB
__vbaRecAnsiToUni.MSVBVM60(00403610,?,?,?,?,?,?,?,00401976), ref: 004140D4
__vbaRecAnsiToUni.MSVBVM60(004035F8,?,?,?,?,?,?,?,00401976), ref: 004140ED
__vbaFreeStr.MSVBVM60 ref: 00414110
__vbaNew2.MSVBVM60(00403B10,004223CC), ref: 0041413F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B00,0000004C), ref: 004141A8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B8C,00000028), ref: 00414204
__vbaFreeObj.MSVBVM60 ref: 00414222
__vbaOnError.MSVBVM60(00000000), ref: 00414231
__vbaFpI4.MSVBVM60 ref: 00414244
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033A8,00000064), ref: 0041427A
__vbaSetSystemError.MSVBVM60(00000000), ref: 004142A6
__vbaNew2.MSVBVM60(00403B10,004223CC), ref: 004142D6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B00,00000014), ref: 0041433F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B20,000000D8), ref: 004143A8
__vbaStrMove.MSVBVM60 ref: 004143E2
__vbaFreeObj.MSVBVM60 ref: 004143EE
#611.MSVBVM60 ref: 004143FB
__vbaStrMove.MSVBVM60 ref: 00414406
__vbaFpI4.MSVBVM60 ref: 00414419
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033A8,000002C8), ref: 0041446B
__vbaNew2.MSVBVM60(004028C0,00422010), ref: 0041449D
__vbaObjSet.MSVBVM60(?,00000000), ref: 004144DA

Strings

", xrefs: 0041440C
}&h, xrefs: 00415608
C, xrefs: 00416732
}#j`h0;@, xrefs: 00416643
OMKRSLENS, xrefs: 0041565D
>]CK, xrefs: 004153CF, 004153D5
flyvske, xrefs: 00413DCC
}#jph(<@, xrefs: 00415D99
SHAMANERE, xrefs: 0041329B
vF5LV3hoE187, xrefs: 00413D2E
motorboatman, xrefs: 004160EE
}&h, xrefs: 0041465E
}&h, xrefs: 00414BAF
}#jpht;@, xrefs: 0041575C
k, xrefs: 00403184
}#jPh8<@, xrefs: 00415F05
}#h, xrefs: 004146D2
Strin, xrefs: 004132DD
}&h, xrefs: 004148B0
}#h, xrefs: 0041596C
}&h, xrefs: 004147F7
}#j`h(<@, xrefs: 00415ADF
}#h, xrefs: 004153F2
h:@, xrefs: 004132E2
Convulsibility, xrefs: 004148E2
QV, xrefs: 00416430
}#jXh, xrefs: 00416401
}#jph0;@, xrefs: 0041500B
}#h, xrefs: 004158ED

Memory Dump Source

Source File: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.721529384.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.721596246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.721606835.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$New2$Move$Chkstk$Ansi$Error$ListSystem$#611Construct2Late$#532#534#536#554#569#585#591#702AddrefCallCopy
String ID: "$>]CK$C$Convulsibility$OMKRSLENS$QV$SHAMANERE$Strin$flyvske$h:@$k$motorboatman$vF5LV3hoE187$}#h$}#h$}#h$}#h$}#jPh8<@$}#jXh$}#j`h(<@$}#j`h0;@$}#jph(<@$}#jph0;@$}#jpht;@$}&h$}&h$}&h$}&h$}&h
API String ID: 4048454160-2467377694
Opcode ID: 47e5a2b595849f4ee6bd017f6c19d9fcd144019be069c30672343e5280d4dd11
Instruction ID: 4d9fdfd051ab3ab139ead9ba8565c7c523504c3a2200f025a9675c587ad5023a
Opcode Fuzzy Hash: 47e5a2b595849f4ee6bd017f6c19d9fcd144019be069c30672343e5280d4dd11
Instruction Fuzzy Hash: C263F9B4A00218DFDB24DF50CD88FDAB7B9BB88305F1045E9E60AA7291DB745AC5CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00420740, Relevance: 61.4, APIs: 30, Strings: 5, Instructions: 193COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0042079E
__vbaNew2.MSVBVM60(004028C0,00422010), ref: 004207B7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004207D0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B30,0000016C), ref: 004207F3
__vbaFreeObj.MSVBVM60 ref: 004207FC
#692.MSVBVM60(?,Columellae,Arriage), ref: 00420810
__vbaVarTstNe.MSVBVM60(?,?), ref: 00420828
__vbaFreeVar.MSVBVM60 ref: 0042083B
#535.MSVBVM60 ref: 00420843
#705.MSVBVM60(?,00000000), ref: 0042085E
__vbaStrMove.MSVBVM60 ref: 0042086F
__vbaFreeVar.MSVBVM60 ref: 00420874
#716.MSVBVM60(00000002,Legemsdelenes8,00000000), ref: 00420881
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 004208A9
__vbaFreeVar.MSVBVM60 ref: 004208B2
__vbaCyStr.MSVBVM60(00403E84), ref: 004208C1
__vbaFpCmpCy.MSVBVM60(00000000), ref: 004208CF
#535.MSVBVM60 ref: 004208DD
__vbaStrCat.MSVBVM60(:22,22:22), ref: 004208EF
__vbaStrMove.MSVBVM60 ref: 004208FA
#541.MSVBVM60(?,00000000), ref: 00420901
__vbaStrVarMove.MSVBVM60(?), ref: 0042090B
__vbaStrMove.MSVBVM60 ref: 00420916
__vbaFreeStr.MSVBVM60 ref: 0042091B
__vbaFreeVar.MSVBVM60 ref: 00420924
__vbaHresultCheckObj.MSVBVM60(00000000,004018F8,004033A8,000002B0), ref: 00420982
__vbaFreeStr.MSVBVM60(004209DC), ref: 004209C6
__vbaFreeObj.MSVBVM60 ref: 004209CB
__vbaFreeStr.MSVBVM60 ref: 004209D4
__vbaFreeStr.MSVBVM60 ref: 004209D9

Strings

22:22, xrefs: 004208E3
Legemsdelenes8, xrefs: 0042087B
Columellae, xrefs: 0042080A
:22, xrefs: 004208E8
Arriage, xrefs: 00420802

Memory Dump Source

Source File: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.721529384.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.721596246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.721606835.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$Move$#535CheckHresult$#541#692#705#716CopyLateNew2
String ID: 22:22$:22$Arriage$Columellae$Legemsdelenes8
API String ID: 2203292901-4205766236
Opcode ID: 05807b0a17efc79295688dfbcdb00120506db890ef3aa94b228aed7fd84655ad
Instruction ID: 32ffba582070551e1e089978bdab66ee184d3ba65ddc1e1e07a782761440481a
Opcode Fuzzy Hash: 05807b0a17efc79295688dfbcdb00120506db890ef3aa94b228aed7fd84655ad
Instruction Fuzzy Hash: BF811B74E002199FDB04DFA4D988A9EBFB8FF48701F10812AE506B72A1DB745945CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041EF60, Relevance: 45.3, APIs: 30, Instructions: 254COMMON

Download Yara Rule

APIs

#615.MSVBVM60 ref: 0041EFCA
#660.MSVBVM60(?,?,?,00000001,00000001), ref: 0041EFFD
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041F01E
__vbaFreeVarList.MSVBVM60(00000003,00000002,0000000A,?), ref: 0041F035
__vbaNew2.MSVBVM60(00403B10,004223CC), ref: 0041F059
__vbaHresultCheckObj.MSVBVM60(00000000,0209EF84,00403B00,00000014), ref: 0041F07E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B20,00000110), ref: 0041F0A8
__vbaStrMove.MSVBVM60 ref: 0041F0BD
__vbaFreeObj.MSVBVM60 ref: 0041F0C2
#611.MSVBVM60 ref: 0041F0C8
__vbaStrMove.MSVBVM60 ref: 0041F0D3
__vbaNew2.MSVBVM60(004028C0,00422010), ref: 0041F0E8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F107
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403C28,00000188), ref: 0041F12A
__vbaNew2.MSVBVM60(004028C0,00422010), ref: 0041F143
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F15C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403C28,00000178), ref: 0041F17F
__vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 0041F18F
__vbaNew2.MSVBVM60(00403B10,004223CC), ref: 0041F1AB
__vbaHresultCheckObj.MSVBVM60(00000000,0209EF84,00403B00,0000004C), ref: 0041F1D0
__vbaStrVarMove.MSVBVM60(00000002,?), ref: 0041F1E3
__vbaStrMove.MSVBVM60 ref: 0041F1EE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B8C,00000024), ref: 0041F20C
__vbaStrMove.MSVBVM60 ref: 0041F21B
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041F22B
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0041F243
__vbaFreeVar.MSVBVM60 ref: 0041F24F
__vbaFreeStr.MSVBVM60(0041F2BA), ref: 0041F2AD
__vbaFreeStr.MSVBVM60 ref: 0041F2B2
__vbaFreeStr.MSVBVM60 ref: 0041F2B7

Memory Dump Source

Source File: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.721529384.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.721596246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.721606835.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$List$#611#615#660CallLate
String ID:
API String ID: 2982621179-0
Opcode ID: 6c188f0495d5d986989f1be6eec546790dd231c163e8a294426bb6b33695fd23
Instruction ID: 212263c585e0191d889badcfce94124c906a7027722b94b8e25875198e7ad192
Opcode Fuzzy Hash: 6c188f0495d5d986989f1be6eec546790dd231c163e8a294426bb6b33695fd23
Instruction Fuzzy Hash: 3DA13C71900219AFDB10DF94DD88EEEBBB9FB48B01F10452AF501B72A1DBB45946CFA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 022836DE, Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

@Vnl, xrefs: 02283B66
IJG), xrefs: 022838D8

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @Vnl$IJG)
API String ID: 0-1572324026
Opcode ID: 50025a803021fe731bf84a49aaf37915eb7816d8b48712da628ee745624df99e
Instruction ID: 077a5095b8e45feac98c01ba59f69e68c4539ac57a2efdc4ee7dca076225884d
Opcode Fuzzy Hash: 50025a803021fe731bf84a49aaf37915eb7816d8b48712da628ee745624df99e
Instruction Fuzzy Hash: D622AE7161574A9FDB28EF68CC94BEAB7A1FF88300F45422ADC4D87384D770AA51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02283714, Relevance: 2.8, Strings: 2, Instructions: 334COMMON

Download Yara Rule

Strings

@Vnl, xrefs: 02283B66
IJG), xrefs: 022838D8

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @Vnl$IJG)
API String ID: 0-1572324026
Opcode ID: 25a9fc9654d8e725c3faf54c120f67788fdbc7ce0e18663fc6199029db1731b9
Instruction ID: a07f04779e83201703691dfc702de2cffb193b9410152983b24c1c61366f3ba4
Opcode Fuzzy Hash: 25a9fc9654d8e725c3faf54c120f67788fdbc7ce0e18663fc6199029db1731b9
Instruction Fuzzy Hash: 5CD1CD7161574A9FDB28DF68CC94BEAB7E6BF88700F45822ADC5D87380C770A951CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02283788, Relevance: 2.8, Strings: 2, Instructions: 321COMMON

Download Yara Rule

Strings

@Vnl, xrefs: 02283B66
IJG), xrefs: 022838D8

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @Vnl$IJG)
API String ID: 0-1572324026
Opcode ID: 0ac6e90d9ea36f29fb45385d274a3dea4bda734c118a7964cbc8136b3c9ebfcb
Instruction ID: b4fd00c47e4318f4b994a06db512b214023fe2eb2679adbd7b1b967a60a64f33
Opcode Fuzzy Hash: 0ac6e90d9ea36f29fb45385d274a3dea4bda734c118a7964cbc8136b3c9ebfcb
Instruction Fuzzy Hash: F2D1CD7161574A9FDB28DF69CC80BEAB7A6BF88700F45822ADC5D87384C770A951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02283834, Relevance: 2.8, Strings: 2, Instructions: 291COMMON

Download Yara Rule

Strings

@Vnl, xrefs: 02283B66
IJG), xrefs: 022838D8

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @Vnl$IJG)
API String ID: 0-1572324026
Opcode ID: d374fa6ccb235cda87c54ff7dde5082233cabc69b530dce986c16183c67a33ec
Instruction ID: 89c59db1b2724b28a4237dfc9c49a5a2f0b684caff00d93b77bde48a48a7e1df
Opcode Fuzzy Hash: d374fa6ccb235cda87c54ff7dde5082233cabc69b530dce986c16183c67a33ec
Instruction Fuzzy Hash: E0C1BC71615746DFDB28EF69C884BEAB7A2BF88300F45822ADC5D87784C770A951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02283925, Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

@Vnl, xrefs: 02283B66

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @Vnl
API String ID: 0-1830534777
Opcode ID: df0c8999193b4fc9c6d726d0f4d8883ab2dda63a9ae39eb58a3bbc26d601ce1a
Instruction ID: 5619951da20c1dd0241c99ded007b7ae55fe41b19f8dec34fd0eced694c9e3c3
Opcode Fuzzy Hash: df0c8999193b4fc9c6d726d0f4d8883ab2dda63a9ae39eb58a3bbc26d601ce1a
Instruction Fuzzy Hash: 9FB1CE7161564A9FDB38EF68CC847EAB7A2BF88300F45822ADC5D87385D7709951CB81

Uniqueness

Uniqueness Score: -1.00%

Function 022839DC, Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

@Vnl, xrefs: 02283B66

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @Vnl
API String ID: 0-1830534777
Opcode ID: cc40e5166888b8e9a3968d5da5e29c120918126e08fb4a6aee2c2d4e4a894a93
Instruction ID: b372bbc10976513944b11210511423c300acc4aba542b0345684f4f39e7d7620
Opcode Fuzzy Hash: cc40e5166888b8e9a3968d5da5e29c120918126e08fb4a6aee2c2d4e4a894a93
Instruction Fuzzy Hash: 4091EF716193469FDB38EF68CC807EAB3A6BF98300F45422ADC4D87395C7709951CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02283A30, Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

@Vnl, xrefs: 02283B66

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @Vnl
API String ID: 0-1830534777
Opcode ID: a8bed1147dc4a8cebfa97c1f71c5be8df215eead3802646a5d3d8f831b6ae82e
Instruction ID: 568f66bdc27bab6c52cf8906bc0ae14b1bb1113a04a95aff4e1348d770dc1740
Opcode Fuzzy Hash: a8bed1147dc4a8cebfa97c1f71c5be8df215eead3802646a5d3d8f831b6ae82e
Instruction Fuzzy Hash: 5591F072615346DFDB38EF68CC847EAB3A6BF98700F45422ADC4987391C7709991CB91

Uniqueness

Uniqueness Score: -1.00%

Function 022843FB, Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

,Eel, xrefs: 02284462

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ,Eel
API String ID: 0-3783209504
Opcode ID: 4a00fa40d35df473488bed343f7d9f99d85e9821c91039950fbed8d67b3b53a0
Instruction ID: 5e0c91a64db50bffd3871b961ada3ed929376d19d02e67c3b47ab177b3ec9e63
Opcode Fuzzy Hash: 4a00fa40d35df473488bed343f7d9f99d85e9821c91039950fbed8d67b3b53a0
Instruction Fuzzy Hash: AB815771926341DFDB24AF78C848BEA77E1AF15310F45414EEC8A9B1EAC774DA80CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02283AA0, Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

@Vnl, xrefs: 02283B66

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @Vnl
API String ID: 0-1830534777
Opcode ID: 82021e18d5b98ab916e2812742d8aa97792a6daa391efa80f1c27a97c0652476
Instruction ID: 7cb35cefe356c16f22a58eca681bc50c4813673862bc64a9983081fd2da72373
Opcode Fuzzy Hash: 82021e18d5b98ab916e2812742d8aa97792a6daa391efa80f1c27a97c0652476
Instruction Fuzzy Hash: 5A81DE71619346DFDB28EF68CC84BEAB3A2BF58300F45422AEC59C7395C770A950CB91

Uniqueness

Uniqueness Score: -1.00%

Function 022831D8, Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

isZ, xrefs: 0228324A

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: isZ
API String ID: 0-864423535
Opcode ID: 59f31692e0b09c2fd687c5f874ace07b6c6da7af4364db8a031ffd17f6eca891
Instruction ID: e9acc641bb2273b66a7adf75e0cd2eb19ba647dd318b0104c502a7162369f492
Opcode Fuzzy Hash: 59f31692e0b09c2fd687c5f874ace07b6c6da7af4364db8a031ffd17f6eca891
Instruction Fuzzy Hash: EB615572A193989FDB309F698C883DBB7EABF98710F46401EDC4997354E3B09E45CA41

Uniqueness

Uniqueness Score: -1.00%

Function 02283B30, Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

@Vnl, xrefs: 02283B66

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @Vnl
API String ID: 0-1830534777
Opcode ID: f7b587cf52ed5e9a6dbb9a1d6b92f6eb52b007dbc69b0490ebc8a700c66cf7fd
Instruction ID: 3e02e59fc2346ce6eecc4e135eaae4ef3b7456d4033b425452677b4173d83952
Opcode Fuzzy Hash: f7b587cf52ed5e9a6dbb9a1d6b92f6eb52b007dbc69b0490ebc8a700c66cf7fd
Instruction Fuzzy Hash: E6710F726157469FDB28EF68CC84BEAB3A2BF48700F05422AEC59C7395C770E950CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02283238, Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

isZ, xrefs: 0228324A

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: isZ
API String ID: 0-864423535
Opcode ID: f9ee9eb5a3f69260857839e14b731bb51e95be8e34134880c9e76bba8af4eec5
Instruction ID: d337632670954bda1d728754319d973fe160b28ba7fab0323d8b66a47eba543e
Opcode Fuzzy Hash: f9ee9eb5a3f69260857839e14b731bb51e95be8e34134880c9e76bba8af4eec5
Instruction Fuzzy Hash: B7614672A193989FDB309F698C883EBB7EAFF98710F45401EDC4997394D7B08A45CA41

Uniqueness

Uniqueness Score: -1.00%

Function 02284440, Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

,Eel, xrefs: 02284462

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ,Eel
API String ID: 0-3783209504
Opcode ID: fcb5f50251dfe4eed9c709b422ee8bd73b77a42e6d7b01c977df5a206b5b1f1d
Instruction ID: c1b2915c38e93923b52e4e99607b224f259d6b35e6a4d9127ad259ad19a73908
Opcode Fuzzy Hash: fcb5f50251dfe4eed9c709b422ee8bd73b77a42e6d7b01c977df5a206b5b1f1d
Instruction Fuzzy Hash: 11515771965305CFCB24AF74C998BEA77E5AF19310F06015EEC4A9B1AAD770CA40CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02284993, Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

=e, xrefs: 02284B9F

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: =e
API String ID: 0-1858160283
Opcode ID: b8160d2a9d445ed04fdfbebe0df67bd8fe6d60e4939b39f960482f67cbd34f8e
Instruction ID: e5de60fda74baa630202839a0356698f5a071550c0c7bcd633848f8b5da7f82f
Opcode Fuzzy Hash: b8160d2a9d445ed04fdfbebe0df67bd8fe6d60e4939b39f960482f67cbd34f8e
Instruction Fuzzy Hash: 895115B05223419FD764AFA8C884BEA77A0FF08314F11826DDC59CB2A9DB74DA41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 022847ED, Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

N]]c, xrefs: 0228487A

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: N]]c
API String ID: 0-3846528522
Opcode ID: 9f52ca7ba62dda8ce2516429098ad24f065d7342d3f45c1625515fb9d690d4ba
Instruction ID: 203cfdea82ce4a7a1158b975c0656da8cc3f1d5f54e99c9ba132d550f2415b85
Opcode Fuzzy Hash: 9f52ca7ba62dda8ce2516429098ad24f065d7342d3f45c1625515fb9d690d4ba
Instruction Fuzzy Hash: F8214B32AA5344DFF730EEA98C40AEA73E2FF95310F01841ADC86DB258C3308942CB52

Uniqueness

Uniqueness Score: -1.00%

Function 022832A0, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ca02b5bbd99aca333a63d4e9e23ccee03d89b8e3c96948fad4507efd99e8bd
Instruction ID: c9120b1f30a4bc57f9d650006b25c9331477f96d06339b0fc3ed6cd9c605af48
Opcode Fuzzy Hash: f6ca02b5bbd99aca333a63d4e9e23ccee03d89b8e3c96948fad4507efd99e8bd
Instruction Fuzzy Hash: 9A5133726193989FDB309F698C883EEB7AAFF88310F45401EEC4997354E7B09E45CA41

Uniqueness

Uniqueness Score: -1.00%

Function 02284490, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb8f0fd581daa0706dc46e17efd8b259e0045fa6f43694b6503399cd6ad6d04
Instruction ID: fc4ecd736f8c558d7fb1506844db82a63d3332be0a870fccb8ba99fb9789ffbf
Opcode Fuzzy Hash: 5fb8f0fd581daa0706dc46e17efd8b259e0045fa6f43694b6503399cd6ad6d04
Instruction Fuzzy Hash: 06517A71965305CFCB38AE74C988BEA77E5AF19310F05015EEC499B1A6D770CA40CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0228331C, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ce3cdc725539b67ef3f1d14630a496d1a8829c705d351ea8280d1e0c5b82f1
Instruction ID: 293b231e9a719a8677d8268673bde01b777ef2fc500b27df51fb91ddbeeab42b
Opcode Fuzzy Hash: 89ce3cdc725539b67ef3f1d14630a496d1a8829c705d351ea8280d1e0c5b82f1
Instruction Fuzzy Hash: 80510E72A193949FDB309FA98C883EEB7AAFF88310F45401EEC4997254D3B08A45CA41

Uniqueness

Uniqueness Score: -1.00%

Function 0228B409, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 429c93c9ec36d744488bb57ceedf9e37d58cf322fe309f28675a9618fe7898a5
Instruction ID: e7730f5eb8d783c765271c96ede630a646e6c37ab5a966cd70fbf98a1beed92b
Opcode Fuzzy Hash: 429c93c9ec36d744488bb57ceedf9e37d58cf322fe309f28675a9618fe7898a5
Instruction Fuzzy Hash: 55411231536706CEDF35AEB8C4643AA36A2AF45328F69812EC843C75D8C7B4D585CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0228450C, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 553ebce58c56197a0904ca99e464cc616e962ec477bcdab5dcee523955cc698d
Instruction ID: d147fb611a6d6abd04152d9204b81cac9a82e8eb589b6a970ef13137fb208ef6
Opcode Fuzzy Hash: 553ebce58c56197a0904ca99e464cc616e962ec477bcdab5dcee523955cc698d
Instruction Fuzzy Hash: 545165B1925355DBDB347E7889987EE37E5AF59310F01011EEC4AAB1EAD7708A40CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022833A4, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0138e182bb28480f7493defa3b2832b11a3f0ab396729c955e35aa3cfa1fc415
Instruction ID: 19eef43aeee62190ea92c6cc9d61b8350c56695a19f71aa07a61787f729a30c0
Opcode Fuzzy Hash: 0138e182bb28480f7493defa3b2832b11a3f0ab396729c955e35aa3cfa1fc415
Instruction Fuzzy Hash: 6C41E272A153949FDB309FA98C883EEB7AABF88710F45412AEC09D7250D7B05E458A51

Uniqueness

Uniqueness Score: -1.00%

Function 0228341C, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c2a1f518e088fbcaf8eacf38503ad66f9b4bf970989de6f608e7efd1847d230
Instruction ID: d9e338b536864b3866c73a8887c3dc9b16f78063061a9e9a083627c2fc7d6268
Opcode Fuzzy Hash: 6c2a1f518e088fbcaf8eacf38503ad66f9b4bf970989de6f608e7efd1847d230
Instruction Fuzzy Hash: 2641EE726153989FDB309FA98C883EEB7EABF98710F45401AEC0DDB250D3B09A458A51

Uniqueness

Uniqueness Score: -1.00%

Function 0228173C, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c801af1d2e250d7527638c888270b1d81684145bb56631a4b416afd71f84c94a
Instruction ID: 2cd40ac58fb2c8931f0dd24ebe4c772f31ea23f130fcc5fabeb43230bb3fce8e
Opcode Fuzzy Hash: c801af1d2e250d7527638c888270b1d81684145bb56631a4b416afd71f84c94a
Instruction Fuzzy Hash: D4310C304197C65AE722DBB8C8497DEBFA1AF42344F44C28EC849475CAC7B59159CB92

Uniqueness

Uniqueness Score: -1.00%

Function 022817B8, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a44ba4f166f35322544baee8d92d58747d79c3439fce76bda3aa93562e316699
Instruction ID: bb6bc995381ab736f6061ce145be3e26142619854d92fbfd6d4694eb204cc2e0
Opcode Fuzzy Hash: a44ba4f166f35322544baee8d92d58747d79c3439fce76bda3aa93562e316699
Instruction Fuzzy Hash: 0F213A314087C55AF762DB78C4097EEFFA1AF46354F84C2CEC8894648AC3B65159C792

Uniqueness

Uniqueness Score: -1.00%

Function 022834C0, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0acf13aa71927383a9ef9f4362214d189c48187ad16dfa240a83eccead345e
Instruction ID: 5f25c7a04ab48d0d7ba5b0672603b8f9d0f491cde7c0c0859a1b60a7f0e521e5
Opcode Fuzzy Hash: 4d0acf13aa71927383a9ef9f4362214d189c48187ad16dfa240a83eccead345e
Instruction Fuzzy Hash: F321267262A3598BDF309FB98DC43DBB3E6BB5C714F45401EEC49D7240E3B48A448A41

Uniqueness

Uniqueness Score: -1.00%

Function 0228350C, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 725a3c6f657457857139bea965f3816cbf8eaee6d7e2afa19dc761299f8ee9e8
Instruction ID: 04b854828bfd020c8e526b5fe203ffb677606474f2b975c37a128b9d0017a881
Opcode Fuzzy Hash: 725a3c6f657457857139bea965f3816cbf8eaee6d7e2afa19dc761299f8ee9e8
Instruction Fuzzy Hash: B02136726263588BDF705FB98DC47EFB3A6AB5C700F45402EED4DD7240E77049488640

Uniqueness

Uniqueness Score: -1.00%

Function 02286629, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22aa8e86cb12f5d7a4ac713c5dd02952a374365dd2ffe857b9029bbbd85341aa
Instruction ID: fe461dd0461e67be04ff6a891c3a6ce66b07ece8e8fe41a86a018f5cc527adaa
Opcode Fuzzy Hash: 22aa8e86cb12f5d7a4ac713c5dd02952a374365dd2ffe857b9029bbbd85341aa
Instruction Fuzzy Hash: B82138778122A4CFEF70CE658C107DBB6A6AFE5710F42811B9C4927318C3708D468B91

Uniqueness

Uniqueness Score: -1.00%

Function 0228666C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f26192db30540d340bab0c3354c8b4285e412feda3a26d0ca98d67eb50de43c
Instruction ID: e9a47233fbddbc761667c70777a0d11bcd52c94ffa70c5d60d103a390ba408c6
Opcode Fuzzy Hash: 7f26192db30540d340bab0c3354c8b4285e412feda3a26d0ca98d67eb50de43c
Instruction Fuzzy Hash: 6E2127778112A4CBEF70CE658C547DBB6AAAFA9610F82851BDC4937314C3708D45CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 022866B8, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e9aadebf066f4b1b9f6bca57a5dbffea95d17b2e4288f4bf7a6ed361e26f47f
Instruction ID: 455a40676e97d024665edcd6eee9ec24dcf4dcca3fbc1e1873cf7ecf41e345f2
Opcode Fuzzy Hash: 8e9aadebf066f4b1b9f6bca57a5dbffea95d17b2e4288f4bf7a6ed361e26f47f
Instruction Fuzzy Hash: 021136779121A4CBEF74CEB58C406DBB6AAAFA4600F42852BDC8937314C3708D49CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0228185A, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6fc41ce22f17f858530d718ad3f9b8703b356f2aa1406ca0c725e294cb95f53
Instruction ID: 7d52fb28b9b37465ae606c8d9b61c84e74421cf7854f891b03f38ce05850bdf9
Opcode Fuzzy Hash: d6fc41ce22f17f858530d718ad3f9b8703b356f2aa1406ca0c725e294cb95f53
Instruction Fuzzy Hash: 6A11D620008BC665F363CB7DC5097AFFEA26F42354F84C3CD88854689AD7B66259C392

Uniqueness

Uniqueness Score: -1.00%

Function 0228993D, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89059449d702ab570167fe92af2a2c813564f41d7c79d7b8040bbda494485742
Instruction ID: 1e8a11690465ed1e5a91657a37441354c5c2533b1b411cf0aba06ad4c394e085
Opcode Fuzzy Hash: 89059449d702ab570167fe92af2a2c813564f41d7c79d7b8040bbda494485742
Instruction Fuzzy Hash: 36F01C312265018FC734EF44C6C4FBAB3AAAB95710F554059E8458B7A9C370EC81CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02284E28, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d2ec8b290bd62f0dca89d752eaaa853c955f5c8f8e4c0cd1028c8f3a0363c0
Instruction ID: 4e21ec58812a969647d5a2d5bc55d352f3e244cb5601e4b05cd1fdc70d568e6a
Opcode Fuzzy Hash: 07d2ec8b290bd62f0dca89d752eaaa853c955f5c8f8e4c0cd1028c8f3a0363c0
Instruction Fuzzy Hash: 46C02B26A0131B87B7805AF18BC425C3E47B4DD1011C0D29C77254140CD3F8010486F8

Uniqueness

Uniqueness Score: -1.00%

Function 022890F5, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618d655a74973492dec4daa1209dc1b54dd6df729a7c612f1c7d579f1f7540a6
Instruction ID: e7431ff8aac6a8e09c2790a53de2cfd95d3b4d693f8b9b4a87011c5a74caf12d
Opcode Fuzzy Hash: 618d655a74973492dec4daa1209dc1b54dd6df729a7c612f1c7d579f1f7540a6
Instruction Fuzzy Hash: DBC09B74276541CFCE95DA59C194F7073F0BF05B40F011495E802CBB65C355D840C640

Uniqueness

Uniqueness Score: -1.00%

Function 022864F9, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8a15db9c6f8bd85a8d045e592066712a603a4c9c6e4f11067f08a430b7207a
Instruction ID: fad3fc80867583e5e00d83bfccf1461c82e8c1aa063124ea056e7600a9962161
Opcode Fuzzy Hash: 2a8a15db9c6f8bd85a8d045e592066712a603a4c9c6e4f11067f08a430b7207a
Instruction Fuzzy Hash: D8B092F62026818FFB41DF08C492B0073B0FB11A88B080490E402CB712C224E910CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00420A10, Relevance: 82.5, APIs: 39, Strings: 8, Instructions: 264COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(004028C0,00422010), ref: 00420A63
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420A82
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B50,00000134), ref: 00420AC7
__vbaFreeObj.MSVBVM60 ref: 00420AD4
__vbaLenBstrB.MSVBVM60(00403EA8), ref: 00420ADF
__vbaNew2.MSVBVM60(00403B10,004223CC), ref: 00420B01
__vbaHresultCheckObj.MSVBVM60(00000000,0209EF84,00403B00,00000014), ref: 00420B26
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B20,00000138), ref: 00420B4F
__vbaFreeObj.MSVBVM60 ref: 00420B54
#690.MSVBVM60(Godset,Fourpounder,Nittenaarigt4,FILMDOM), ref: 00420B6E
__vbaNew2.MSVBVM60(004028C0,00422010), ref: 00420B87
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420BA0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403BAC,00000120), ref: 00420BC3
__vbaNew2.MSVBVM60(004028C0,00422010), ref: 00420BD8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420BF1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B74,00000130), ref: 00420C14
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00420C22
__vbaI4Var.MSVBVM60(00000000), ref: 00420C2C
__vbaInStr.MSVBVM60(00000000,?,PETHER,00000000), ref: 00420C40
__vbaFreeStr.MSVBVM60 ref: 00420C4F
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00420C5F
__vbaFreeVar.MSVBVM60 ref: 00420C6B
__vbaStrCat.MSVBVM60(00403F64,00403F58,00000002), ref: 00420C85
__vbaStrMove.MSVBVM60 ref: 00420C96
__vbaInStr.MSVBVM60(00000000,00403F64,00000000), ref: 00420CA0
__vbaFreeStr.MSVBVM60 ref: 00420CB3
#703.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00420CD4
__vbaStrMove.MSVBVM60 ref: 00420CDF
__vbaFreeVar.MSVBVM60 ref: 00420CEA
__vbaStrCat.MSVBVM60(00403F80,15:15:), ref: 00420CF6
__vbaStrMove.MSVBVM60 ref: 00420D01
#541.MSVBVM60(00000002,00000000), ref: 00420D08
__vbaStrVarMove.MSVBVM60(00000002), ref: 00420D12
__vbaStrMove.MSVBVM60 ref: 00420D1D
__vbaFreeStr.MSVBVM60 ref: 00420D22
__vbaFreeVar.MSVBVM60 ref: 00420D27
#580.MSVBVM60(Diaphysial,00000001), ref: 00420D30
__vbaFreeStr.MSVBVM60(00420D78), ref: 00420D70
__vbaFreeStr.MSVBVM60 ref: 00420D75

Strings

FILMDOM, xrefs: 00420B5A
Godset, xrefs: 00420B69
Fourpounder, xrefs: 00420B64
15:15:, xrefs: 00420CEC
PETHER, xrefs: 00420C38
Diaphysial, xrefs: 00420D2B
Nittenaarigt4, xrefs: 00420B5F
Afgiftsperioderne3, xrefs: 00420B2D

Memory Dump Source

Source File: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.721529384.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.721596246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.721606835.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultMove$New2$#541#580#690#703BstrCallLateList
String ID: 15:15:$Afgiftsperioderne3$Diaphysial$FILMDOM$Fourpounder$Godset$Nittenaarigt4$PETHER
API String ID: 132566401-2679451372
Opcode ID: 9694ee7de29fbcb86fd65a011085db46a56452407ec42bdaefa9ba35b054fe6c
Instruction ID: 0406fbe539f3ea0ab513257deae6569ff52f6ac3ae3b50e256214ff09ae4ec71
Opcode Fuzzy Hash: 9694ee7de29fbcb86fd65a011085db46a56452407ec42bdaefa9ba35b054fe6c
Instruction Fuzzy Hash: 5E917171A00215AFDB14EFA4DE89FDE7BB8EF48705F10412AF501B72E1DA74A905CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041FB60, Relevance: 75.6, APIs: 42, Strings: 1, Instructions: 337COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041FBC1
__vbaHresultCheckObj.MSVBVM60(00000000,004018A8,004033A8,00000114), ref: 0041FBEA
__vbaHresultCheckObj.MSVBVM60(00000000,004018A8,004033A8,00000110), ref: 0041FC13
__vbaNew2.MSVBVM60(00403B10,004223CC), ref: 0041FC31
__vbaHresultCheckObj.MSVBVM60(00000000,0209EF84,00403B00,00000014), ref: 0041FC56
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B20,00000110), ref: 0041FC7C
__vbaStrMove.MSVBVM60 ref: 0041FC8B
__vbaFreeObj.MSVBVM60 ref: 0041FC94
__vbaNew2.MSVBVM60(00403B10,004223CC), ref: 0041FCAD
__vbaHresultCheckObj.MSVBVM60(00000000,0209EF84,00403B00,00000014), ref: 0041FCD2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B20,00000130), ref: 0041FCF8
__vbaStrMove.MSVBVM60 ref: 0041FD07
__vbaFreeObj.MSVBVM60 ref: 0041FD10
__vbaNew2.MSVBVM60(004028C0,00422010), ref: 0041FD29
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FD42
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B30,00000128), ref: 0041FD69
_adj_fdiv_m64.MSVBVM60 ref: 0041FD8E
__vbaFpI4.MSVBVM60(43540000,?,42500000), ref: 0041FDBF
__vbaHresultCheckObj.MSVBVM60(00000000,004018A8,004033A8,000002C0,?,42500000), ref: 0041FDFE
__vbaFreeObj.MSVBVM60(?,42500000), ref: 0041FE03
#538.MSVBVM60(?,000007DB,0000000B,0000000B), ref: 0041FE16
#557.MSVBVM60(?), ref: 0041FE20
__vbaFreeVar.MSVBVM60(?,42500000), ref: 0041FE3D
__vbaNew2.MSVBVM60(00403B10,004223CC), ref: 0041FE5B
__vbaHresultCheckObj.MSVBVM60(00000000,0209EF84,00403B00,00000014), ref: 0041FE80
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B20,000000D8), ref: 0041FEA6
__vbaStrMove.MSVBVM60 ref: 0041FEBB
__vbaFreeObj.MSVBVM60 ref: 0041FEC0
#535.MSVBVM60 ref: 0041FEC6
__vbaVarDup.MSVBVM60 ref: 0041FEE2
#667.MSVBVM60(?), ref: 0041FEEC
__vbaStrMove.MSVBVM60 ref: 0041FEF7
__vbaFreeVar.MSVBVM60 ref: 0041FEFC
__vbaNew2.MSVBVM60(004028C0,00422010), ref: 0041FF11
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FF2A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403BE0,00000078), ref: 0041FF4B
__vbaFreeObj.MSVBVM60 ref: 0041FF56
__vbaFreeStr.MSVBVM60(0041FFA0), ref: 0041FF89
__vbaFreeStr.MSVBVM60 ref: 0041FF8E
__vbaFreeStr.MSVBVM60 ref: 0041FF93
__vbaFreeStr.MSVBVM60 ref: 0041FF98
__vbaFreeStr.MSVBVM60 ref: 0041FF9D

Strings

Udstyringer4, xrefs: 0041FED4

Memory Dump Source

Source File: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.721529384.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.721596246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.721606835.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$New2$Move$#535#538#557#667Copy_adj_fdiv_m64
String ID: Udstyringer4
API String ID: 551562340-2591053628
Opcode ID: 008e25373a1c27b3dea89cfc20576aa38596cfb5da770e3f86f1d13a2c440969
Instruction ID: e40667c81948b9b4ddf1d1c10265d91da5e10a0c2963173d3821267610a6c809
Opcode Fuzzy Hash: 008e25373a1c27b3dea89cfc20576aa38596cfb5da770e3f86f1d13a2c440969
Instruction Fuzzy Hash: 76C18470A00219ABCB14DFA4DD88EDE7BB8FF48705F108526F505B71B1DB74A946CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041F2E0, Relevance: 63.2, APIs: 35, Strings: 1, Instructions: 229COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(00403D48,00403D40), ref: 0041F348
__vbaStrMove.MSVBVM60 ref: 0041F355
__vbaStrCat.MSVBVM60(00403D50,00000000), ref: 0041F35D
__vbaStrMove.MSVBVM60 ref: 0041F364
__vbaFreeStr.MSVBVM60 ref: 0041F36F
#514.MSVBVM60(?,00000002), ref: 0041F377
__vbaStrMove.MSVBVM60 ref: 0041F382
__vbaStrCmp.MSVBVM60(00403D50,00000000), ref: 0041F38A
__vbaFreeStr.MSVBVM60 ref: 0041F39D
__vbaNew2.MSVBVM60(00403B10,004223CC), ref: 0041F3BA
__vbaHresultCheckObj.MSVBVM60(00000000,0209EF84,00403B00,00000014), ref: 0041F3E5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B20,000000E8), ref: 0041F413
__vbaStrMove.MSVBVM60 ref: 0041F424
__vbaFreeObj.MSVBVM60 ref: 0041F429
#536.MSVBVM60(?), ref: 0041F43E
__vbaStrMove.MSVBVM60 ref: 0041F449
__vbaFreeVar.MSVBVM60 ref: 0041F44E
#570.MSVBVM60(00000010), ref: 0041F456
__vbaStrCat.MSVBVM60(00403D60,00403D58), ref: 0041F47C
#632.MSVBVM60(?,?,00000002,00000002), ref: 0041F49A
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041F4BF
__vbaFreeVarList.MSVBVM60(00000003,00000008,00000002,?), ref: 0041F4D6
__vbaNew2.MSVBVM60(00403B10,004223CC), ref: 0041F4FA
__vbaHresultCheckObj.MSVBVM60(00000000,0209EF84,00403B00,00000014), ref: 0041F51F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B20,000000C8), ref: 0041F548
__vbaFreeObj.MSVBVM60 ref: 0041F54D
#613.MSVBVM60(00000002,00000008), ref: 0041F566
__vbaStrVarMove.MSVBVM60(00000002), ref: 0041F570
__vbaStrMove.MSVBVM60 ref: 0041F57B
__vbaFreeVarList.MSVBVM60(00000002,00000008,00000002), ref: 0041F58A
__vbaFileOpen.MSVBVM60(00000020,000000FF,000000B4,kombinationsuddannelse), ref: 0041F5A1

Strings

kombinationsuddannelse, xrefs: 0041F593

Memory Dump Source

Source File: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.721529384.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.721596246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.721606835.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$FreeMove$CheckHresult$ListNew2$#514#536#570#613#632FileOpen
String ID: kombinationsuddannelse
API String ID: 2582689820-1354069041
Opcode ID: bf847d65b6020f4a12a00229036e1d7ea2253aba349e20fa4d110f64e801ae0b
Instruction ID: 5a34a86923ac96ebe0f2e1e2ed926c6dcf3d643503e6705b2e8f722a2fbb10a5
Opcode Fuzzy Hash: bf847d65b6020f4a12a00229036e1d7ea2253aba349e20fa4d110f64e801ae0b
Instruction Fuzzy Hash: AA916E71D00218ABCB10DFA4DD89EEEBBB8FF58701F10412AE505B72A1DB745949CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041F610, Relevance: 47.5, APIs: 25, Strings: 2, Instructions: 243COMMON

Download Yara Rule

APIs

#610.MSVBVM60(?), ref: 0041F68A
#610.MSVBVM60(?), ref: 0041F690
__vbaVarAdd.MSVBVM60(?,?,?,00000001,00000001), ref: 0041F6B5
#662.MSVBVM60(?,00403D9C,?,00000000), ref: 0041F6C9
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041F6EA
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041F705
#536.MSVBVM60(?), ref: 0041F726
__vbaStrMove.MSVBVM60 ref: 0041F731
__vbaFreeVar.MSVBVM60 ref: 0041F73A
__vbaNew2.MSVBVM60(00403B10,004223CC), ref: 0041F752
__vbaHresultCheckObj.MSVBVM60(00000000,0209EF84,00403B00,00000014), ref: 0041F777
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B20,00000118), ref: 0041F7A4
__vbaI2I4.MSVBVM60 ref: 0041F7B0
__vbaFreeObj.MSVBVM60 ref: 0041F7B9
__vbaNew2.MSVBVM60(004028C0,00422010), ref: 0041F7E4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F7FD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403C38,00000180), ref: 0041F827
__vbaLateMemCall.MSVBVM60(?,cvJmrvNfRhBzOP3gU202,00000003), ref: 0041F89F
__vbaFreeObj.MSVBVM60 ref: 0041F8AB
__vbaNew2.MSVBVM60(004028C0,00422010), ref: 0041F8C4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F8DD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B50,00000134), ref: 0041F926
__vbaFreeObj.MSVBVM60 ref: 0041F92F
__vbaFreeStr.MSVBVM60(0041F978), ref: 0041F968
__vbaFreeObj.MSVBVM60 ref: 0041F971

Strings

cvJmrvNfRhBzOP3gU202, xrefs: 0041F87F
Subfreshman, xrefs: 0041F7D3

Memory Dump Source

Source File: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.721529384.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.721596246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.721606835.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$New2$#610$#536#662CallLateListMove
String ID: Subfreshman$cvJmrvNfRhBzOP3gU202
API String ID: 214454802-1209823192
Opcode ID: 1cb7da89f4094e33f83857f0a027f2ef5a93b4a29be5c70d278844971156d477
Instruction ID: 63939e5bab10449c1c6f03a4c5bfd91aa6348c14f3b55b0390778504d953dfc8
Opcode Fuzzy Hash: 1cb7da89f4094e33f83857f0a027f2ef5a93b4a29be5c70d278844971156d477
Instruction Fuzzy Hash: EFA13DB1900218AFCB14DFA5DA49ADEFBB8FF48300F10816AE549B72A1D7746A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00420160, Relevance: 31.7, APIs: 21, Instructions: 171COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(00403E28,00403E28), ref: 004201BC
#513.MSVBVM60(?,?,00000002), ref: 004201D6
__vbaVarTstNe.MSVBVM60(?,?), ref: 004201F2
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00420205
#610.MSVBVM60(00000008), ref: 0042021B
#552.MSVBVM60(?,00000008,00000001), ref: 0042022B
__vbaVarMove.MSVBVM60 ref: 00420237
__vbaFreeVar.MSVBVM60 ref: 00420246
#703.MSVBVM60(00000008,000000FF,000000FE,000000FE,000000FE), ref: 00420262
__vbaStrMove.MSVBVM60 ref: 0042026D
__vbaFreeVar.MSVBVM60 ref: 00420276
__vbaNew2.MSVBVM60(00403B10,004223CC), ref: 0042028A
__vbaHresultCheckObj.MSVBVM60(00000000,0209EF84,00403B00,0000004C), ref: 004202AF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B8C,0000002C), ref: 004202F9
__vbaFreeObj.MSVBVM60 ref: 00420302
__vbaNew2.MSVBVM60(004028C0,00422010), ref: 0042031B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420334
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B50,00000090), ref: 0042035B
__vbaFreeObj.MSVBVM60 ref: 0042036A
__vbaFreeStr.MSVBVM60(004203AB), ref: 0042039B
__vbaFreeVar.MSVBVM60 ref: 004203A4

Memory Dump Source

Source File: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.721529384.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.721596246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.721606835.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#513#552#610#703List
String ID:
API String ID: 1404482011-0
Opcode ID: 5e4214437e4516cc83f32d667ce99974f238617823f200f0d97f482ab1097732
Instruction ID: 446a0602c1153549ed71e5be28ddf62d232014d1b1f22edcbf499bd21c1f7e2d
Opcode Fuzzy Hash: 5e4214437e4516cc83f32d667ce99974f238617823f200f0d97f482ab1097732
Instruction Fuzzy Hash: 70611670900218EFCB14DFA4DD89EAEBBB8FF48701F20862AE505B72A1DBB45945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00420550, Relevance: 30.1, APIs: 20, Instructions: 137COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00420593
#538.MSVBVM60(?,000007DB,0000000B,0000000B), ref: 004205A6
#557.MSVBVM60(?), ref: 004205B0
__vbaFreeVar.MSVBVM60 ref: 004205C7
__vbaNew2.MSVBVM60(00403B10,004223CC), ref: 004205E8
__vbaHresultCheckObj.MSVBVM60(00000000,0209EF84,00403B00,00000014), ref: 0042060D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B20,000000D8), ref: 00420637
__vbaStrMove.MSVBVM60 ref: 0042064C
__vbaFreeObj.MSVBVM60 ref: 00420651
#535.MSVBVM60 ref: 00420657
__vbaNew2.MSVBVM60(004028C0,00422010), ref: 00420672
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042068B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B9C,00000050), ref: 004206AC
#667.MSVBVM60(?), ref: 004206C6
__vbaStrMove.MSVBVM60 ref: 004206D1
__vbaFreeObj.MSVBVM60 ref: 004206D6
__vbaFreeVar.MSVBVM60 ref: 004206DF
__vbaFreeStr.MSVBVM60(0042071F), ref: 00420712
__vbaFreeStr.MSVBVM60 ref: 00420717
__vbaFreeStr.MSVBVM60 ref: 0042071C

Memory Dump Source

Source File: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.721529384.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.721596246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.721606835.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#535#538#557#667Copy
String ID:
API String ID: 1266673281-0
Opcode ID: 0b8b4310f9604500780425a5961d308dd937a191053ea82a90073aa7ace5a4b9
Instruction ID: c94b97940b0d3b648a1696bb6648465a5dad4fb9d6ea2eaef17d4b7ddec19c54
Opcode Fuzzy Hash: 0b8b4310f9604500780425a5961d308dd937a191053ea82a90073aa7ace5a4b9
Instruction Fuzzy Hash: BF515175A00209ABCB14DFA4DD88EDEBBF8FF58701F504526E502B72A0D7746945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00420D90, Relevance: 13.6, APIs: 9, Instructions: 83COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401976), ref: 00420DAE
__vbaOnError.MSVBVM60(00000000,?,?,?,?,00401976), ref: 00420DEA
#677.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,40100000,0000000A,0000000A), ref: 00420E30
__vbaFpR8.MSVBVM60 ref: 00420E36
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A), ref: 00420E75
__vbaOnError.MSVBVM60(000000FF,?,?,00401976), ref: 00420E8F
#593.MSVBVM60(0000000A), ref: 00420EAE
__vbaFreeVar.MSVBVM60 ref: 00420EBA
#570.MSVBVM60(000000B2), ref: 00420ED3

Memory Dump Source

Source File: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.721529384.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.721596246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.721606835.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$ErrorFree$#570#593#677ChkstkList
String ID:
API String ID: 520763419-0
Opcode ID: 4cb578577c89bdd3bd5576cc86bd2ab8ada6993498ce39718b94a1699ad81100
Instruction ID: c17dc67dd5b7b213cf664ae01157fa0224927c6ad502b6a4593bc83a41ee4210
Opcode Fuzzy Hash: 4cb578577c89bdd3bd5576cc86bd2ab8ada6993498ce39718b94a1699ad81100
Instruction Fuzzy Hash: 9F3117B0900308EBEB10DF90DA49BDEBBB4FF04744F208159F645BA2A1D7B95A84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041FFD0, Relevance: 12.1, APIs: 8, Instructions: 106COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(004028C0,00422010), ref: 00420029
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420048
__vbaNew2.MSVBVM60(004028C0,00422010), ref: 00420064
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042007D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B50,00000048), ref: 0042009A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403C28,000001EC), ref: 004200DA
__vbaFreeStr.MSVBVM60 ref: 004200E3
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004200F3

Memory Dump Source

Source File: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.721529384.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.721596246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.721606835.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2$List
String ID:
API String ID: 2509323985-0
Opcode ID: 481b8f7c039636d5e0dd0cadf8d3b55b9f7df5cfab4e7503d59f8f0b4130fcf3
Instruction ID: 38f1cf1ab6a561c988aa25ddb9308e814fdb55969018c80ac9b931cb81f2a658
Opcode Fuzzy Hash: 481b8f7c039636d5e0dd0cadf8d3b55b9f7df5cfab4e7503d59f8f0b4130fcf3
Instruction Fuzzy Hash: E4413B70A00214AFDB10DFA8D949F9EBBF8FB08B00F10856AF545F7261D7799945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004203E0, Relevance: 12.1, APIs: 8, Instructions: 101COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(004028C0,00422010), ref: 00420433
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420452
__vbaNew2.MSVBVM60(004028C0,00422010), ref: 0042046E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420487
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B30,00000148), ref: 004204AA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403C28,000001EC), ref: 004204EA
__vbaFreeStr.MSVBVM60 ref: 004204F3
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00420503

Memory Dump Source

Source File: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.721529384.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.721596246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.721606835.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2$List
String ID:
API String ID: 2509323985-0
Opcode ID: 5c79c81d945f297cfae2348c1f5557278eee59ae5d87e594c935664c692ae270
Instruction ID: 097bd1e6c8dbd51a305641ed9249ee7b03592d727f3c312a8fc954c18729ce93
Opcode Fuzzy Hash: 5c79c81d945f297cfae2348c1f5557278eee59ae5d87e594c935664c692ae270
Instruction Fuzzy Hash: 25314F70A00214AFC710EF68D949F9EBBF8FB08B00F50816AF545F72A1D6789946CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041F9A0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(004028C0,00422010), ref: 0041F9E3
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041F9FC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403C28,000001EC), ref: 0041FA44
__vbaFreeObj.MSVBVM60 ref: 0041FA4D

Strings

Protozoers3, xrefs: 0041FA13

Memory Dump Source

Source File: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.721529384.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.721596246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.721606835.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: Protozoers3
API String ID: 1645334062-1714416233
Opcode ID: 3041969da444d25454f22b742f2c8909f70692160ed90cca69e686b698522fdf
Instruction ID: e1f3f7b08d435c252fdb1a5a3817d3278de6dd04fa164589960e2948f5064e67
Opcode Fuzzy Hash: 3041969da444d25454f22b742f2c8909f70692160ed90cca69e686b698522fdf
Instruction Fuzzy Hash: 8F115EB0A40305ABD710EF68CE49F9ABBB8FB08701F108539F545F7690D7789905CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041FA80, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(004028C0,00422010), ref: 0041FAC3
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041FADC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B74,000001D0), ref: 0041FB1F
__vbaFreeObj.MSVBVM60 ref: 0041FB28

Memory Dump Source

Source File: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.721529384.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.721596246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.721606835.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 488a9930500eb70c876f90bf563eb5497f453fb6a0344b1974956ecacd96d938
Instruction ID: 85e6d034e2dbb839688450bf1fd3147e6fb3231b18e889acf1ef36d6dbcf42d9
Opcode Fuzzy Hash: 488a9930500eb70c876f90bf563eb5497f453fb6a0344b1974956ecacd96d938
Instruction Fuzzy Hash: 261191B4A00305AFD714DF68CA49F9ABBB8FB08700F10853AF945F3690D7786945CBA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Variant.Jaik.46242.3594.22390

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: SecuriteInfo.com.Variant.Jaik.46242.3594.exe PID: 3920 Parent PID: 5824

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: SecuriteInfo.com.Variant.Jaik.46242.3594.exe PID: 3920 Parent PID: 5824 SecuriteInfo.com.Variant.Jaik.46242.3594.exeCOMMON

Executed Functions