Play interactive tour

Edit tour

Analysis Report Facturas Pagadas al Vencimiento 6.exe

Overview

General Information

Sample Name:	Facturas Pagadas al Vencimiento 6.exe
Analysis ID:	433003
MD5:	78c3e32a156e44865fcdf53b4783265b
SHA1:	02f175cb27dcf85b810f40d3c0adc66de1467ca0
SHA256:	4d1b07efb6e87b7c1379fc8f9eacef7443c54a57ab8e9d50c98053193316fd91
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Potential malicious icon found

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to read the PEB

Detected potential crypto function

Found large amount of non-executed APIs

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Facturas Pagadas al Vencimiento 6.exe (PID: 4628 cmdline: 'C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe' MD5: 78C3E32A156E44865FCDF53B4783265B)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1ZXsoOW_y-1MUyiIhdhOWNmzZqI-by8yY"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
Facturas Pagadas al Vencimiento 6.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: Facturas Pagadas al Vencimiento 6.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1ZXsoOW_y-1MUyiIhdhOWNmzZqI-by8yY"}

Multi AV Scanner detection for submitted file

Show sources

Source: Facturas Pagadas al Vencimiento 6.exe	Virustotal: Detection: 51%	Perma Link
Source: Facturas Pagadas al Vencimiento 6.exe	Metadefender: Detection: 40%	Perma Link
Source: Facturas Pagadas al Vencimiento 6.exe	ReversingLabs: Detection: 79%

Source: Facturas Pagadas al Vencimiento 6.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1ZXsoOW_y-1MUyiIhdhOWNmzZqI-by8yY

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_0219BE78	0_2_0219BE78
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_0219A480	0_2_0219A480
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_021946D0	0_2_021946D0
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_021A0B0B	0_2_021A0B0B
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_0219350B	0_2_0219350B
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_0219355C	0_2_0219355C
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_021935A9	0_2_021935A9
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_021973A2	0_2_021973A2

Source: Facturas Pagadas al Vencimiento 6.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Facturas Pagadas al Vencimiento 6.exe, 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAerogun6.exe vs Facturas Pagadas al Vencimiento 6.exe
Source: Facturas Pagadas al Vencimiento 6.exe	Binary or memory string: OriginalFilenameAerogun6.exe vs Facturas Pagadas al Vencimiento 6.exe

Source: Facturas Pagadas al Vencimiento 6.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal92.rans.troj.evad.winEXE@1/0@0/0

Source: Facturas Pagadas al Vencimiento 6.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Facturas Pagadas al Vencimiento 6.exe	Virustotal: Detection: 51%
Source: Facturas Pagadas al Vencimiento 6.exe	Metadefender: Detection: 40%
Source: Facturas Pagadas al Vencimiento 6.exe	ReversingLabs: Detection: 79%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: Facturas Pagadas al Vencimiento 6.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Facturas Pagadas al Vencimiento 6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Facturas Pagadas al Vencimiento 6.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_0040CA38 push ecx; ret	0_2_0040CAE8
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_00406AE6 push ecx; ret	0_2_00406AE7
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_004064F2 push esp; retf	0_2_004064F3
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_00409F62 push esp; iretd	0_2_00409F63
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_0040A938 push edi; ret	0_2_0040A940
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_0219404C push FFFFFFC2h; retn 0004h	0_2_021940B4

Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_02199C17	0_2_02199C17
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_0219BE78	0_2_0219BE78
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_021A0B0B	0_2_021A0B0B

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	RDTSC instruction interceptor: First address: 000000000219ACD5 second address: 000000000219ACD5 instructions:
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	RDTSC instruction interceptor: First address: 000000000219AEBC second address: 000000000219AEBC instructions:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	RDTSC instruction interceptor: First address: 000000000219A977 second address: 000000000219AA85 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp edx, ebx 0x00000005 pushad 0x00000006 cmp dword ptr [ebp+0000014Ch], 00000000h 0x0000000d jne 00007F7CCC4CF4FAh 0x00000013 test ch, ch 0x00000015 mov eax, 2FD9C07Bh 0x0000001a nop 0x0000001b xor eax, 7E315320h 0x00000020 jmp 00007F7CCC4CF19Eh 0x00000022 test cx, cx 0x00000025 test dx, ax 0x00000028 xor eax, 1C1E277Ah 0x0000002d sub eax, 4DF6AEE8h 0x00000032 mov dword ptr [ebp+00000280h], esi 0x00000038 cmp edx, edx 0x0000003a mov esi, DA7E1005h 0x0000003f cmp ah, ch 0x00000041 xor esi, 59F02A12h 0x00000047 test dl, al 0x00000049 cmp bl, al 0x0000004b sub esi, D3DBBFD6h 0x00000051 sub esi, AFB279D5h 0x00000057 jmp 00007F7CCC4CF1A2h 0x00000059 test cl, bl 0x0000005b push esi 0x0000005c test bx, ax 0x0000005f mov esi, dword ptr [ebp+00000280h] 0x00000065 push 85A6F362h 0x0000006a cmp al, bl 0x0000006c pushad 0x0000006d mov eax, 000000B6h 0x00000072 rdtsc
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	RDTSC instruction interceptor: First address: 000000000219ACD5 second address: 000000000219ACD5 instructions:
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	RDTSC instruction interceptor: First address: 000000000219AEBC second address: 000000000219AEBC instructions:
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	RDTSC instruction interceptor: First address: 000000000219F9E7 second address: 000000000219FA7C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp ecx, ecx 0x0000000d cmp ebx, eax 0x0000000f test ecx, ebx 0x00000011 test al, 39h 0x00000013 mov esi, 33B6F880h 0x00000018 cmp edi, 44CF2B59h 0x0000001e xor esi, 8B0C370Ch 0x00000024 cmp dh, ah 0x00000026 xor esi, 7DFB8F97h 0x0000002c cmp ch, dh 0x0000002e cmp bx, cx 0x00000031 xor esi, C541B01Bh 0x00000037 test esi, 0E27938Eh 0x0000003d jmp 00007F7CCC39BE0Eh 0x0000003f cmp dh, ch 0x00000041 cmp eax, ebx 0x00000043 cmp cl, dl 0x00000045 pushad 0x00000046 lfence 0x00000049 rdtsc
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	RDTSC instruction interceptor: First address: 000000000219FBC7 second address: 000000000219FCD9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [ebp+0000019Eh] 0x00000011 cmp ecx, ecx 0x00000013 push AE5BC5C3h 0x00000018 jmp 00007F7CCC4CF19Eh 0x0000001a cmp di, 6510h 0x0000001f add dword ptr [esp], FF06270Bh 0x00000026 xor dword ptr [esp], BF9532A6h 0x0000002d test bx, bx 0x00000030 test ebx, ecx 0x00000032 add dword ptr [esp], ED0B2198h 0x00000039 cmp bh, ch 0x0000003b mov dword ptr [ebp+000001A2h], ecx 0x00000041 mov ecx, esi 0x00000043 push ecx 0x00000044 cmp dh, ah 0x00000046 mov ecx, dword ptr [ebp+000001A2h] 0x0000004c cmp ch, dh 0x0000004e cmp bx, cx 0x00000051 test esi, 54BF3FE2h 0x00000057 mov dword ptr [ebp+000001F2h], edi 0x0000005d mov edi, 6ABD3267h 0x00000062 jmp 00007F7CCC4CF19Eh 0x00000064 cmp dh, ch 0x00000066 cmp eax, ebx 0x00000068 xor edi, 005A9092h 0x0000006e cmp cl, dl 0x00000070 xor edi, 0D36FEAFh 0x00000076 pushad 0x00000077 lfence 0x0000007a rdtsc
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	RDTSC instruction interceptor: First address: 000000000219FF21 second address: 000000000219FF5C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+00000172h], edx 0x00000009 mov edx, ecx 0x0000000b push edx 0x0000000c test bl, bl 0x0000000e mov edx, dword ptr [ebp+00000172h] 0x00000014 cmp ch, 00000072h 0x00000017 cmp ax, cx 0x0000001a mov dword ptr [ebp+000001E9h], ecx 0x00000020 mov ecx, esi 0x00000022 push ecx 0x00000023 test ecx, 875BEF8Bh 0x00000029 mov ecx, dword ptr [ebp+000001E9h] 0x0000002f cmp edi, 715ED056h 0x00000035 pushad 0x00000036 mov edx, 0000005Ch 0x0000003b rdtsc

Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe

Code function: 0_2_02199C17 rdtsc

0_2_02199C17

Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe

API coverage: 5.1 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe

Code function: 0_2_02199C17 rdtsc

0_2_02199C17

Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_0219F023 mov eax, dword ptr fs:[00000030h]	0_2_0219F023
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_0219F6FE mov eax, dword ptr fs:[00000030h]	0_2_0219F6FE
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_021A0B0B mov eax, dword ptr fs:[00000030h]	0_2_021A0B0B
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe	Code function: 0_2_02199B01 mov eax, dword ptr fs:[00000030h]	0_2_02199B01

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Facturas Pagadas al Vencimiento 6.exe, 00000000.00000002.721351172.0000000000CD0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Facturas Pagadas al Vencimiento 6.exe, 00000000.00000002.721351172.0000000000CD0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Facturas Pagadas al Vencimiento 6.exe, 00000000.00000002.721351172.0000000000CD0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Facturas Pagadas al Vencimiento 6.exe, 00000000.00000002.721351172.0000000000CD0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery41	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Facturas Pagadas al Vencimiento 6.exe	51%	Virustotal		Browse
Facturas Pagadas al Vencimiento 6.exe	43%	Metadefender		Browse
Facturas Pagadas al Vencimiento 6.exe	79%	ReversingLabs	Win32.Trojan.Graftor

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	433003
Start date:	11.06.2021
Start time:	04:49:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Facturas Pagadas al Vencimiento 6.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 6% (good quality ratio 0%) Quality average: 1.8% Quality standard deviation: 4.2%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.463177731670157
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Facturas Pagadas al Vencimiento 6.exe
File size:	135168
MD5:	78c3e32a156e44865fcdf53b4783265b
SHA1:	02f175cb27dcf85b810f40d3c0adc66de1467ca0
SHA256:	4d1b07efb6e87b7c1379fc8f9eacef7443c54a57ab8e9d50c98053193316fd91
SHA512:	18fa858551003d425d3dc71e80fee12c6eb77bef6bcb1961212457e0b85c335ce757c6ae13c07ad90b14d337d009b648c71254f5610953ca2897ed56d4e2bfe9
SSDEEP:	1536:v9J+koIy03uySeJTFsn9FQsZ57DuAPxElSnEtG8z:vP+ko3ytF2nQa5Nzs
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L..._Q.`.....................0....................@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x4014bc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x60BD515F [Sun Jun 6 22:51:11 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	54ea68151857c1f30c42224007018bf1

Entrypoint Preview

Instruction
push 00401800h
call 00007F7CCCE82955h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi+edx*2-1CDD0D78h], dh
add al, 46h
xchg dword ptr [edi+42BD2432h], edx
pushfd
rol byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [esi], al
push eax
add dword ptr [ecx], 73h
jo 00007F7CCCE829CBh
jc 00007F7CCCE829D1h
arpl word ptr [eax+65h], bp
je 00007F7CCCE829CBh
arpl word ptr [ecx+64h], bp
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
or dh, dl
dec ebp
xor ch, cl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e784	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x21000	0x9b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x14c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1dcf8	0x1e000	False	0.334098307292	data	4.72155519745	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1f000	0x1230	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x21000	0x9b8	0x1000	False	0.17822265625	data	2.11732977417	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x21888	0x130	data
RT_ICON	0x215a0	0x2e8	data
RT_ICON	0x21478	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x21448	0x30	data
RT_VERSION	0x21150	0x2f8	data	Sesotho (Sutu)	South Africa

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaAryConstruct2, __vbaObjVar, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaVarErrI4, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaUI1Str, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0430 0x04b0
LegalCopyright	Tera data
InternalName	Aerogun6
FileVersion	1.00
CompanyName	Tera data
LegalTrademarks	Tera data
Comments	Tera data
ProductName	Tera data
ProductVersion	1.00
FileDescription	Tera data
OriginalFilename	Aerogun6.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Sesotho (Sutu)	South Africa

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: Facturas Pagadas al Vencimiento 6.exe PID: 4628 Parent PID: 5696

General

Start time:	04:50:01
Start date:	11/06/2021
Path:	C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe'
Imagebase:	0x400000
File size:	135168 bytes
MD5 hash:	78C3E32A156E44865FCDF53B4783265B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Facturas Pagadas al Vencimiento 6.exe PID: 4628 Parent PID: 5696 Facturas Pagadas al Vencimiento 6.exeCOMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	58%
Signature Coverage:	30.9%
Total number of Nodes:	314
Total number of Limit Nodes:	2

Executed Functions

Function 0041C7B0, Relevance: 73.9, APIs: 28, Strings: 14, Instructions: 394
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaVarDup.MSVBVM60 ref: 0041C896
#557.MSVBVM60(?), ref: 0041C8A3
__vbaFreeVar.MSVBVM60 ref: 0041C8BD
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402604,0000071C), ref: 0041C8E7
__vbaStrCopy.MSVBVM60 ref: 0041C912
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402604,000006F8), ref: 0041C951
__vbaFreeStr.MSVBVM60 ref: 0041C959
__vbaStrCopy.MSVBVM60 ref: 0041C9AD
__vbaFreeStr.MSVBVM60 ref: 0041C9DB
__vbaStrCopy.MSVBVM60 ref: 0041C9F5
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402604,000006FC), ref: 0041CA37
__vbaFreeStr.MSVBVM60 ref: 0041CA3F
__vbaStrCopy.MSVBVM60 ref: 0041CA6F
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402604,00000700), ref: 0041CAB8
__vbaFreeStr.MSVBVM60 ref: 0041CAC0
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402604,00000704), ref: 0041CB0B
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402604,00000708), ref: 0041CB7A
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402604,0000070C), ref: 0041CBB0
__vbaStrCopy.MSVBVM60 ref: 0041CBBD
__vbaFreeStr.MSVBVM60 ref: 0041CBF7
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402604,00000710), ref: 0041CC5C
__vbaStrCopy.MSVBVM60 ref: 0041CCB0
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402604,00000714), ref: 0041CCE5
__vbaFreeStr.MSVBVM60 ref: 0041CCED
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,004025D4,000002B4), ref: 0041CD0E
__vbaVarAdd.MSVBVM60(?,00000008,?), ref: 0041CD42
__vbaVarMove.MSVBVM60 ref: 0041CD49
__vbaVarTstLt.MSVBVM60(00000002,?), ref: 0041CD6A

Strings

MAXILNGDES, xrefs: 0041CC67
Rabarbergrdens1, xrefs: 0041CA64
Mentation5, xrefs: 0041CBCF
Underlivssygdoms, xrefs: 0041CA81
vd, xrefs: 0041CB34
Forhindringslbene5, xrefs: 0041CA0A
inchamber, xrefs: 0041CBB2
n], xrefs: 0041CB3E
FAGBEVGELSER, xrefs: 0041C9C9
7-7-7, xrefs: 0041C882
ECHESSTRIKKEGARNERNE, xrefs: 0041C9B8, 0041CC87
Generablenessbitnivea, xrefs: 0041C9EA
stakkequantisesamphi, xrefs: 0041C91D, 0041C961
Abhorlagerstyringer8, xrefs: 0041C907, 0041C9A2, 0041CB20

Memory Dump Source

Source File: 00000000.00000002.720336578.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.720221025.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.720239305.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.720361748.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID: __vba$CheckHresult$Free$Copy$#557Move
String ID: 7-7-7$Abhorlagerstyringer8$ECHESSTRIKKEGARNERNE$FAGBEVGELSER$Forhindringslbene5$Generablenessbitnivea$MAXILNGDES$Mentation5$Rabarbergrdens1$Underlivssygdoms$inchamber$n]$stakkequantisesamphi$vd
API String ID: 1267258746-2487779393
Opcode ID: ddd08c0d7e97625125403577147d377ea54a4fd3a902d7807057bc946b4400c5
Instruction ID: 361fae68542eab6bcbe660f3c8bb3b0b7b427dd290654eaeea9a084850c098ed
Opcode Fuzzy Hash: ddd08c0d7e97625125403577147d377ea54a4fd3a902d7807057bc946b4400c5
Instruction Fuzzy Hash: 26F16FB0940619AFDB24DF54CD88FDAB7B8FF48305F1045EAE249A7180DBB46A85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004014BC, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(VB5!6&*), ref: 004014C1

Strings

VB5!6&*, xrefs: 004014BC

Memory Dump Source

Source File: 00000000.00000002.720239305.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.720221025.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.720336578.000000000041C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.720361748.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 16e453182858942501f48c80791f5e5c8615eff8f2bf65b9d668a6173b283620
Instruction ID: 6524a968a2050ee8b4c8b89f62b6cc3893f7cc034de3ca27ff62e46cb409f239
Opcode Fuzzy Hash: 16e453182858942501f48c80791f5e5c8615eff8f2bf65b9d668a6173b283620
Instruction Fuzzy Hash: C49120A284E7D19FC3078BB04D6A5A2BFB4AE1321171E46DBC4C2CE0F3D21C591AD766

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 021A0B0B, Relevance: 5.2, Strings: 3, Instructions: 1438COMMON

Download Yara Rule

Strings

H{SF, xrefs: 02198B44
]g'8, xrefs: 021A16EF
{F, xrefs: 02197C1B

Memory Dump Source

Source File: 00000000.00000002.721714240.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2190000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID:
String ID: H{SF$]g'8${F
API String ID: 0-302411050
Opcode ID: a8dcbd0fcd77e331a5998bc07df19939b1a5af05fa5b7e48b04040ee1187a3a2
Instruction ID: a1c02deda71f94e44d8ccc5b9bd2aa54d7427970264ea1a28ada55837f860402
Opcode Fuzzy Hash: a8dcbd0fcd77e331a5998bc07df19939b1a5af05fa5b7e48b04040ee1187a3a2
Instruction Fuzzy Hash: 1BB29D756443469FDF349E38CDA47EA7BA2AF12360F96826DCCDA8B195D3348481CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0219BE78, Relevance: 4.9, Strings: 3, Instructions: 1143COMMON

Download Yara Rule

Strings

H{SF, xrefs: 02198B44
#zq, xrefs: 0219BFD1
{F, xrefs: 02197C1B

Memory Dump Source

Source File: 00000000.00000002.721714240.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2190000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID:
String ID: H{SF${F$#zq
API String ID: 0-2452091416
Opcode ID: a5e2c7b5d430bce739f1032f9f706ad6409a6d6ceb2236e22ec2344fe0677237
Instruction ID: d5027cbdca36705c171dacdd783884ef890acc446cc8eec458cdabb5d8d26cfa
Opcode Fuzzy Hash: a5e2c7b5d430bce739f1032f9f706ad6409a6d6ceb2236e22ec2344fe0677237
Instruction Fuzzy Hash: BB9255B064434ADFDF389E78CD957EA77A3AF56350F96422DDC8A87240D3358982CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0219355C, Relevance: 2.7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

|40, xrefs: 021935DD
2Oe{, xrefs: 02193705

Memory Dump Source

Source File: 00000000.00000002.721714240.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2190000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID:
String ID: 2Oe{$|40
API String ID: 0-1795958494
Opcode ID: dcbcfcf3fef957b0f77ff53615139eff5e45ed97835a539090dcd06257554f34
Instruction ID: 2c8a2f0ea227ffdab731cc2d2f4969b9c535952c4a8954f375c28f3bbd765744
Opcode Fuzzy Hash: dcbcfcf3fef957b0f77ff53615139eff5e45ed97835a539090dcd06257554f34
Instruction Fuzzy Hash: FE7126786043869FDF349E68C9A5BEB3BB5AF597D0F05026DDC99AB240D7318A02CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0219350B, Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

|40, xrefs: 021935DD
2Oe{, xrefs: 02193705

Memory Dump Source

Source File: 00000000.00000002.721714240.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2190000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID:
String ID: 2Oe{$|40
API String ID: 0-1795958494
Opcode ID: 2305a10bfd5e0fbc097448a107eabe97146da32267a4378b9839a6d22128ed9b
Instruction ID: 68a373b2b9380cd850f170024901a6f552b5a7a065d2b13a9b2fbcc36e4b9955
Opcode Fuzzy Hash: 2305a10bfd5e0fbc097448a107eabe97146da32267a4378b9839a6d22128ed9b
Instruction Fuzzy Hash: 6F513379604386DFDF389E28C9A5BEB37B6BF497D0F45012D9C99A7280D7314A41CB41

Uniqueness

Uniqueness Score: -1.00%

Function 021935A9, Relevance: 2.7, Strings: 2, Instructions: 170COMMON

Download Yara Rule

Strings

|40, xrefs: 021935DD
2Oe{, xrefs: 02193705

Memory Dump Source

Source File: 00000000.00000002.721714240.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2190000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID:
String ID: 2Oe{$|40
API String ID: 0-1795958494
Opcode ID: d8ccd94ca3828c423a245147d53b1b743c8408af29718c1dab128183bb671c04
Instruction ID: e494df45c2ba6fa70f02a399d0b68855e8210762fc9534408461b85e82fcbc29
Opcode Fuzzy Hash: d8ccd94ca3828c423a245147d53b1b743c8408af29718c1dab128183bb671c04
Instruction Fuzzy Hash: DB5101786043868FDF349E28CDA5BEB37A6BF997D0F4502299C99AB280D7315A01CB41

Uniqueness

Uniqueness Score: -1.00%

Function 021946D0, Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

\G=<, xrefs: 02194839

Memory Dump Source

Source File: 00000000.00000002.721714240.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2190000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID:
String ID: \G=<
API String ID: 0-2429403258
Opcode ID: abed0965e3b10dad5386ddff4031c2ed5f2150b2aaa984055a7c2fee0b98b3e9
Instruction ID: 47a5424899e2ea1b618463553fb1f3050a709c1d246ea17f410e2de41bc3f4ed
Opcode Fuzzy Hash: abed0965e3b10dad5386ddff4031c2ed5f2150b2aaa984055a7c2fee0b98b3e9
Instruction Fuzzy Hash: 5B519D345893499FCF24AEA8D8E47FA37F3AF56744F46011ECC9A97215D7324982CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02199C17, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

4N, xrefs: 02199D16

Memory Dump Source

Source File: 00000000.00000002.721714240.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2190000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID:
String ID: 4N
API String ID: 0-1258314070
Opcode ID: 944a2a7b1eb43544a94ca81a9a05934432f6efffda835c5fc72981639e5bdfaa
Instruction ID: ffe9e99fd0c56d0a8c92c0fd4e4bc863ddd0617f12ff05d45bf20d484ec397fb
Opcode Fuzzy Hash: 944a2a7b1eb43544a94ca81a9a05934432f6efffda835c5fc72981639e5bdfaa
Instruction Fuzzy Hash: B8F02471B052184EEF7D45788D913ED20D79FC2260F61422E9D1ED2289EBBA85C0C101

Uniqueness

Uniqueness Score: -1.00%

Function 0219A480, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.721714240.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2190000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d757d3d1058c6ee8d3ece3b088a8dc3486b7293fd8928ed6b4c06dc4d4b4faa
Instruction ID: ddf065b5bcd5f128072a9508daa7ce3b3c7f2e6834f2f5624672656a50f1d6fe
Opcode Fuzzy Hash: 3d757d3d1058c6ee8d3ece3b088a8dc3486b7293fd8928ed6b4c06dc4d4b4faa
Instruction Fuzzy Hash: B93138B6A442159FDF3C9E648CA57FB76ABAF94340F8A802FDC4B97241C7301A85C742

Uniqueness

Uniqueness Score: -1.00%

Function 021973A2, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.721714240.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2190000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f327da821f270ed39799352a825fd1d9374280029e158b6b3643887bc9e6742f
Instruction ID: 59fc99de19c93509877eb0636399de59f027d8bfe5d4fae9cb558c38e7821a0e
Opcode Fuzzy Hash: f327da821f270ed39799352a825fd1d9374280029e158b6b3643887bc9e6742f
Instruction Fuzzy Hash: ED212375608301CFD7596E708AA67EBBAE6BF1A390F830A1DDEC643456E3314981CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0219F6FE, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.721714240.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2190000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a749f0cd0be0494bbe77c697ed0c91060c61093e0bb8f24794a972d11c74344
Instruction ID: a0ee58f5cb8e3476a502253259e81090ce3af87b29f54a373955a212ee619fbc
Opcode Fuzzy Hash: 8a749f0cd0be0494bbe77c697ed0c91060c61093e0bb8f24794a972d11c74344
Instruction Fuzzy Hash: 50F05E34354241EFCB2CCF08C5D4F9573A1AB59710FA2466AE956CB6A5C331D942CA15

Uniqueness

Uniqueness Score: -1.00%

Function 02199B01, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.721714240.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2190000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ef896633675a675381882a3a438dfe694da797c54b97afb027cd7354525cbc
Instruction ID: ff678b572f987065c8a44ede89a8eccc45d2f8a1d0a8b402c5e5dfc19e20d228
Opcode Fuzzy Hash: f5ef896633675a675381882a3a438dfe694da797c54b97afb027cd7354525cbc
Instruction Fuzzy Hash: 94B092BA2015808FEB02CE08C4C1B0073B6F706644B860490E406CBB51C328ED44CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0219F023, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.721714240.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2190000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf5e24749be8989b344407b7d12498d61ad51b9d6d071649696efc163827a71
Instruction ID: 364ab0da88f034ffd05401964857ec8f4bee43e921e2cb697bea9e09e9bbef47
Opcode Fuzzy Hash: fdf5e24749be8989b344407b7d12498d61ad51b9d6d071649696efc163827a71
Instruction Fuzzy Hash: 0EB09238256A40CFCA59CA08C480E4073B4B704A20FC606C0E4228BFA5C328E800CE00

Uniqueness

Uniqueness Score: -1.00%

Function 0041E080, Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaVarDup.MSVBVM60 ref: 0041E0DA
#591.MSVBVM60(?), ref: 0041E0E4
__vbaStrMove.MSVBVM60 ref: 0041E0F5
__vbaStrCmp.MSVBVM60(String,00000000), ref: 0041E0FD
__vbaFreeStr.MSVBVM60 ref: 0041E110
__vbaFreeVar.MSVBVM60 ref: 0041E119
__vbaNew2.MSVBVM60(00402CA0,0041F3C0), ref: 0041E136
__vbaHresultCheckObj.MSVBVM60(00000000,0218EDD4,00402C90,0000004C), ref: 0041E15B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D14,00000024), ref: 0041E189
__vbaStrMove.MSVBVM60 ref: 0041E198
__vbaFreeObj.MSVBVM60 ref: 0041E19D
__vbaFreeStr.MSVBVM60(0041E1D0), ref: 0041E1C9

Strings

String, xrefs: 0041E0F8
stakkequantisesamphi, xrefs: 0041E0CC, 0041E16F
AIRPORT, xrefs: 0041E16A

Memory Dump Source

Source File: 00000000.00000002.720336578.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.720221025.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.720239305.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.720361748.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID: __vba$Free$CheckHresultMove$#591New2
String ID: AIRPORT$String$stakkequantisesamphi
API String ID: 1960000165-2758877968
Opcode ID: 866bc89fc07bf0eab76444cc517bb9a2b53d3a3ba47905b8cb7dc5fdc612d555
Instruction ID: 96f17b4c81df45c5b20c5e5337a2515f7c5083fa0239f5e1099d30d77b6a98e0
Opcode Fuzzy Hash: 866bc89fc07bf0eab76444cc517bb9a2b53d3a3ba47905b8cb7dc5fdc612d555
Instruction Fuzzy Hash: DE316D74900219EFCB00DF95DE49AEEBBB8FF58704F10412AE901F32A0D7B85945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041D480, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCopy.MSVBVM60 ref: 0041D4E7
__vbaI4Str.MSVBVM60(00402CD4), ref: 0041D4F2
#608.MSVBVM60(?,00000000), ref: 0041D4FD
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041D519
__vbaFreeVar.MSVBVM60 ref: 0041D525
__vbaNew2.MSVBVM60(00402CA0,0041F3C0), ref: 0041D546
__vbaHresultCheckObj.MSVBVM60(00000000,0218EDD4,00402C90,00000044), ref: 0041D61C
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 0041D653
__vbaFreeVar.MSVBVM60 ref: 0041D65C
__vbaFreeObj.MSVBVM60(0041D6A0), ref: 0041D690
__vbaFreeStr.MSVBVM60 ref: 0041D699

Strings

,@, xrefs: 0041D5F8
Abhorlagerstyringer8, xrefs: 0041D5F1

Memory Dump Source

Source File: 00000000.00000002.720336578.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.720221025.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.720239305.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.720361748.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID: __vba$Free$#608CheckCopyHresultLateNew2
String ID: Abhorlagerstyringer8$,@
API String ID: 1142404513-3622403661
Opcode ID: 06e2efba301047cf41dd1a35494c64062a35d745ec3644171aee33b3b9125436
Instruction ID: 8d2764329bcd8962fe2a95772a7d671e8d4f8ff4e4d2b0119504e325c22d1906
Opcode Fuzzy Hash: 06e2efba301047cf41dd1a35494c64062a35d745ec3644171aee33b3b9125436
Instruction Fuzzy Hash: F761F5B0D012189FCB04DFA8DA89A9DBBB4FB48704F20C16AE509AB351D7759946CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0041DD80, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCopy.MSVBVM60 ref: 0041DDD8
__vbaVarDup.MSVBVM60 ref: 0041DE03
#629.MSVBVM60(?,?,00000001,?), ref: 0041DE13
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041DE38
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0041DE4E
__vbaVarDup.MSVBVM60 ref: 0041DE70
#600.MSVBVM60(?,00000002), ref: 0041DE78
__vbaFreeVar.MSVBVM60 ref: 0041DE83
__vbaFreeStr.MSVBVM60(0041DEB7), ref: 0041DEB0

Strings

Generablenessbitnivea, xrefs: 0041DE62
FGFG, xrefs: 0041DDF5

Memory Dump Source

Source File: 00000000.00000002.720336578.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.720221025.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.720239305.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.720361748.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID: __vba$Free$#600#629CopyList
String ID: FGFG$Generablenessbitnivea
API String ID: 3038482304-923814605
Opcode ID: 458b8fd6ed2de39e5597b796f810ef0f35d0bb08436a092b428149d6783c4567
Instruction ID: 0cffc96e5b2a4485457dd3674565ceec3cc0d978b9627a136334c6ada1e7872d
Opcode Fuzzy Hash: 458b8fd6ed2de39e5597b796f810ef0f35d0bb08436a092b428149d6783c4567
Instruction Fuzzy Hash: EA31D6B1C10228EFCB10DFA4DD89ADDBBB8FB58704F10815AE105A7291DBB45949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041D920, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D960
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D968
__vbaStrToAnsi.MSVBVM60(?,Indtrykker4,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D973
__vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D981
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D99A
__vbaFpI4.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D9B0
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025D4,000002C8,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D9E6
__vbaFreeStr.MSVBVM60(0041DA16), ref: 0041DA0E
__vbaFreeStr.MSVBVM60 ref: 0041DA13

Strings

Indtrykker4, xrefs: 0041D96A

Memory Dump Source

Source File: 00000000.00000002.720336578.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.720221025.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.720239305.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.720361748.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID: __vba$Free$Copy$AnsiCheckErrorHresultSystem
String ID: Indtrykker4
API String ID: 2456558797-126329048
Opcode ID: a3f2585b840f3a0bee6e0f65f0c0bdb7c59b9d78b4bc70530c3f234d4b2a7e00
Instruction ID: e11c87a1e707751d877b8a1d2ef517ccadc1ce563f47a5893495cf133e144a3b
Opcode Fuzzy Hash: a3f2585b840f3a0bee6e0f65f0c0bdb7c59b9d78b4bc70530c3f234d4b2a7e00
Instruction Fuzzy Hash: E921C2B1C00219ABCB14DF61DE49DEEBB78FF18780F114026FA41B72A0CB741945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041DA40, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#673.MSVBVM60(00000000,40280000,00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,?), ref: 0041DA9B
__vbaFpR8.MSVBVM60 ref: 0041DAA1
__vbaFreeVar.MSVBVM60 ref: 0041DACA
__vbaVarDup.MSVBVM60 ref: 0041DAE5
#667.MSVBVM60(00000002), ref: 0041DAEF
__vbaStrMove.MSVBVM60 ref: 0041DAFA
__vbaFreeVar.MSVBVM60 ref: 0041DB03
__vbaFreeStr.MSVBVM60(0041DB21), ref: 0041DB1A

Strings

Generablenessbitnivea, xrefs: 0041DAD7

Memory Dump Source

Source File: 00000000.00000002.720336578.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.720221025.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.720239305.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.720361748.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID: __vba$Free$#667#673Move
String ID: Generablenessbitnivea
API String ID: 1795453576-1714275343
Opcode ID: 5252931e87387409d73e9cd901064278deca583fb53fd56a0f3dbf4b885eb7bb
Instruction ID: 8f1f19a21395d2aed026689190fd1456c6156e1341eea7a4b899c816bb0b0776
Opcode Fuzzy Hash: 5252931e87387409d73e9cd901064278deca583fb53fd56a0f3dbf4b885eb7bb
Instruction Fuzzy Hash: 8E214F71800109ABCB04DFA4DE89BEEB7B8FB08745F204169E502B22A4D7746E45CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0041D7B0, Relevance: 15.1, APIs: 10, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#512.MSVBVM60(00402D04,00000002), ref: 0041D7F1
__vbaStrMove.MSVBVM60 ref: 0041D7FC
__vbaStrCmp.MSVBVM60(00402D10,00000000), ref: 0041D808
__vbaFreeStr.MSVBVM60 ref: 0041D81B
__vbaNew2.MSVBVM60(00402CA0,0041F3C0), ref: 0041D83C
__vbaHresultCheckObj.MSVBVM60(00000000,0218EDD4,00402C90,0000004C), ref: 0041D861
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D14,0000001C), ref: 0041D8A5
__vbaObjSet.MSVBVM60(?,?), ref: 0041D8BA
__vbaFreeObj.MSVBVM60 ref: 0041D8C3
__vbaFreeObj.MSVBVM60(0041D8FE), ref: 0041D8F7

Memory Dump Source

Source File: 00000000.00000002.720336578.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.720221025.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.720239305.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.720361748.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID: __vba$Free$CheckHresult$#512MoveNew2
String ID:
API String ID: 2567612295-0
Opcode ID: e475d5089c89bf89e10180dda254fb9a2a82a47a0363932fb2e67b4900636f27
Instruction ID: 63f5fdbbe8f8172190c1b4eabbdd1cd20ab07b311573aa695cb11e48f1dc7fea
Opcode Fuzzy Hash: e475d5089c89bf89e10180dda254fb9a2a82a47a0363932fb2e67b4900636f27
Instruction Fuzzy Hash: 313152B0900218EBDB04DF95DE49ADEBBB4FF48701F20412AE555F72A0D7785945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041DC80, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,004012D6), ref: 0041DCB9
#618.MSVBVM60(?,00000001,?,?,?,?,?,?,?,?,004012D6), ref: 0041DCC5
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,004012D6), ref: 0041DCD0
__vbaStrCmp.MSVBVM60(00402D64,00000000,?,?,?,?,?,?,?,?,004012D6), ref: 0041DCDC
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,004012D6), ref: 0041DCEF
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025D4,00000084,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DD2E
__vbaFreeStr.MSVBVM60(0041DD57), ref: 0041DD50

Strings

var, xrefs: 0041DCAB

Memory Dump Source

Source File: 00000000.00000002.720336578.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.720221025.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.720239305.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.720361748.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID: __vba$Free$#618CheckCopyHresultMove
String ID: var
API String ID: 592353017-1842382598
Opcode ID: 96bb6f7f7540ae65e84f3b67886794817f10582e8e5969ffa3a2ad276666cc9a
Instruction ID: 2fc48ceac819be181093cb6d18cb1d53f5cde3e7bff8b9bc1b60b8b53dafc0e0
Opcode Fuzzy Hash: 96bb6f7f7540ae65e84f3b67886794817f10582e8e5969ffa3a2ad276666cc9a
Instruction Fuzzy Hash: BD218174D40105EBCB149F54DE49AEEBB78FF18700F20456AE542F31E0CB780985CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041D6D0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D707
__vbaNew2.MSVBVM60(00402CA0,0041F3C0,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D71F
__vbaHresultCheckObj.MSVBVM60(00000000,0218EDD4,00402C90,00000014,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D744
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402CC0,00000138,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D771
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D77A
__vbaFreeStr.MSVBVM60(0041D79B,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D794

Strings

penetrancy, xrefs: 0041D751

Memory Dump Source

Source File: 00000000.00000002.720336578.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.720221025.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.720239305.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.720361748.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID: __vba$CheckFreeHresult$CopyNew2
String ID: penetrancy
API String ID: 3978771648-2862842630
Opcode ID: 91f2177cd724fd618b021bd029feaaef94bcad7767018ee055e40eb9c1157327
Instruction ID: e9f011272aa7636626b49981071435103528549038dc7e8383908f181407477f
Opcode Fuzzy Hash: 91f2177cd724fd618b021bd029feaaef94bcad7767018ee055e40eb9c1157327
Instruction Fuzzy Hash: F4112EB1940205ABCB04DF54CE8AEEEBBB8FB58741F204126F551B31E0D6785585CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041E290, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E2CA
__vbaVarDup.MSVBVM60 ref: 0041E2E4
#557.MSVBVM60(?), ref: 0041E2EE
__vbaFreeVar.MSVBVM60 ref: 0041E305
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402604,0000071C), ref: 0041E32C
__vbaFreeStr.MSVBVM60(0041E35C), ref: 0041E355

Strings

7-7-7, xrefs: 0041E2D6

Memory Dump Source

Source File: 00000000.00000002.720336578.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.720221025.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.720239305.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.720361748.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID: __vba$Free$#557CheckCopyHresult
String ID: 7-7-7
API String ID: 400132357-1053354141
Opcode ID: 4af4bfa6e6a6b99454207489abb534a2375d72450d4a45c6eb718ec6e85541e2
Instruction ID: 2628199000a06d9b8ad597a67ba0634a8e226d78e2026738a742a2c24d1c2978
Opcode Fuzzy Hash: 4af4bfa6e6a6b99454207489abb534a2375d72450d4a45c6eb718ec6e85541e2
Instruction Fuzzy Hash: 69118474C01209EBCB04DFA5DA89ADEBBB8FF14B04F50812AF811B76A0D7785945CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0041E470, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaLenBstrB.MSVBVM60(00402DAC), ref: 0041E4BB
__vbaVarDup.MSVBVM60 ref: 0041E4DA
#666.MSVBVM60(?,?), ref: 0041E4E8
__vbaVarMove.MSVBVM60 ref: 0041E4F4
__vbaFreeVar.MSVBVM60 ref: 0041E4FD
__vbaFreeVar.MSVBVM60(0041E52F), ref: 0041E528

Strings

Amagermadders3, xrefs: 0041E4CC

Memory Dump Source

Source File: 00000000.00000002.720336578.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.720221025.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.720239305.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.720361748.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID: __vba$Free$#666BstrMove
String ID: Amagermadders3
API String ID: 2589103371-518441997
Opcode ID: f5e19c21a24a376ce5c79ce7207f8de5f0ba40b5a9f9019d7316c3d09fac64b7
Instruction ID: 1d6fbd21122aba814c5bfb48c8e0eff7985b5a8ea55e4ba3878607cc2b213461
Opcode Fuzzy Hash: f5e19c21a24a376ce5c79ce7207f8de5f0ba40b5a9f9019d7316c3d09fac64b7
Instruction Fuzzy Hash: 2211C9B4C00249EBCB00DFD4DA89ACDBFB8FF48705F10805AF401B6665D7B81985CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041DB40, Relevance: 10.6, APIs: 7, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCopy.MSVBVM60 ref: 0041DB8F
__vbaVarDup.MSVBVM60 ref: 0041DBA9
#522.MSVBVM60(?,?), ref: 0041DBB7
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041DBD3
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041DBE6
__vbaHresultCheckObj.MSVBVM60(00000000,00401208,004025D4,00000084), ref: 0041DC25
__vbaFreeStr.MSVBVM60(0041DC55), ref: 0041DC4E

Memory Dump Source

Source File: 00000000.00000002.720336578.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.720221025.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.720239305.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.720361748.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID: __vba$Free$#522CheckCopyHresultList
String ID:
API String ID: 101959151-0
Opcode ID: cb4ae9d35b98a8c3c3e50fa2ce7e41e01c1c8fe4e686c3d8ef28dabb46ea15e9
Instruction ID: 8c4b9e8a4741fdf3913f1400c8626c9467c40b898100dff34e21c73aa9932243
Opcode Fuzzy Hash: cb4ae9d35b98a8c3c3e50fa2ce7e41e01c1c8fe4e686c3d8ef28dabb46ea15e9
Instruction Fuzzy Hash: 37312AB0C00249ABCB10DF94D989ADEFFB8FF58704F10451AE545B72A0D7B45589CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041E560, Relevance: 10.6, APIs: 7, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E59A
#516.MSVBVM60(00402CE0,?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E5A5
__vbaNew2.MSVBVM60(00402CA0,0041F3C0,?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E5C7
__vbaHresultCheckObj.MSVBVM60(00000000,0218EDD4,00402C90,0000004C), ref: 0041E5EC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D14,0000002C), ref: 0041E629
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E632
__vbaFreeStr.MSVBVM60(0041E653,?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E64C

Memory Dump Source

Source File: 00000000.00000002.720336578.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.720221025.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.720239305.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.720361748.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID: __vba$CheckFreeHresult$#516CopyNew2
String ID:
API String ID: 742114213-0
Opcode ID: f1a2462502e3e3d94a2cf35f44f0ccf952fd11926a18f986f41dd9e0d2b86583
Instruction ID: 8ab6d04181890b57d821e5cb24fab6d5dadfb6759c1115d2a5caea9a7e116bdf
Opcode Fuzzy Hash: f1a2462502e3e3d94a2cf35f44f0ccf952fd11926a18f986f41dd9e0d2b86583
Instruction Fuzzy Hash: 6B219174900205EBDB04DF95CA49ADEBBB4FF18700F60802BE905F72A0D7785885CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041E670, Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

__vbaVarErrI4.MSVBVM60(?,0000648E,?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E6B6
#559.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E6BD
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E6D4
__vbaNew2.MSVBVM60(00402CA0,0041F3C0,?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E6F1
__vbaHresultCheckObj.MSVBVM60(00000000,0218EDD4,00402C90,0000001C), ref: 0041E716
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402CB0,00000050), ref: 0041E736
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E73F

Memory Dump Source

Source File: 00000000.00000002.720336578.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.720221025.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.720239305.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.720361748.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID: __vba$CheckFreeHresult$#559New2
String ID:
API String ID: 3171936532-0
Opcode ID: a2ed2ef3ffd7313335aff2e5b68ff41c4eaa1f76ebbe0adeff4e43cebf24e18e
Instruction ID: 9b085fe7b54f27d1e8e62bf7916a8db80ac94c37797e5fd156b37036e07e7e0d
Opcode Fuzzy Hash: a2ed2ef3ffd7313335aff2e5b68ff41c4eaa1f76ebbe0adeff4e43cebf24e18e
Instruction Fuzzy Hash: A7219D78900244ABDB00AFA5CE49AEEBBB8FF48700F10402BF501F35E0D77854858B68

Uniqueness

Uniqueness Score: -1.00%

Function 0041E380, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402CA0,0041F3C0,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E3C4
__vbaHresultCheckObj.MSVBVM60(00000000,0218EDD4,00402C90,00000014,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E3E9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402CC0,00000118,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E413
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E41C
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E425

Strings

*:>K, xrefs: 0041E42C

Memory Dump Source

Source File: 00000000.00000002.720336578.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.720221025.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.720239305.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.720361748.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID: *:>K
API String ID: 4261391273-1744597861
Opcode ID: 3fcf6760a049a77f9feda5be28ee1cb1bad7d5c98f610de63fee2e1290e7a8be
Instruction ID: f35e56bf71a076cdf5fece3502bffefb051013c1f1ad50f2e8da73ee155c27b3
Opcode Fuzzy Hash: 3fcf6760a049a77f9feda5be28ee1cb1bad7d5c98f610de63fee2e1290e7a8be
Instruction Fuzzy Hash: E8116374940218ABCB04DF95CE49EEEBBB8FB18705F14402BF915F32A0D67864858BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041DFC0, Relevance: 10.5, APIs: 7, Instructions: 43COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DFFA
#539.MSVBVM60(?,00000001,00000001,00000001,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E00A
__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E014
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E01F
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E028
__vbaFreeStr.MSVBVM60(0041E057), ref: 0041E04F
__vbaFreeStr.MSVBVM60 ref: 0041E054

Memory Dump Source

Source File: 00000000.00000002.720336578.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.720221025.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.720239305.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.720361748.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID: __vba$Free$Move$#539Copy
String ID:
API String ID: 602717009-0
Opcode ID: de0d5a46068007d835a4a367c04c690c57c90dffcc10571f13e013657d0e1602
Instruction ID: afe9d5dc07b617d4a23c82e0b0c8fea390ada8d76d3343b65ac675ae7bea415e
Opcode Fuzzy Hash: de0d5a46068007d835a4a367c04c690c57c90dffcc10571f13e013657d0e1602
Instruction Fuzzy Hash: F1011E75D00249DFCB04DFA5DE49BDEBB74EB18701F10802AE512B71A0EB745945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041DEE0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402CA0,0041F3C0,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DF2C
__vbaHresultCheckObj.MSVBVM60(00000000,0218EDD4,00402C90,00000014,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DF51
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402CC0,00000138,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DF7E
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DF87

Strings

Generablenessbitnivea, xrefs: 0041DF5E

Memory Dump Source

Source File: 00000000.00000002.720336578.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.720221025.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.720239305.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.720361748.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID: Generablenessbitnivea
API String ID: 4261391273-1714275343
Opcode ID: 01be1006230f1bcedb8d334086fd289f4033e94c2d25fe41662ac842e4b38420
Instruction ID: bf7288f783e5c1d3d76b78825245bd60caefa85570576f342316b25351deee46
Opcode Fuzzy Hash: 01be1006230f1bcedb8d334086fd289f4033e94c2d25fe41662ac842e4b38420
Instruction Fuzzy Hash: A7113DB4940204BBCB009F95CE4AFDABBB8FB54704F20406BF545F72E0D6B85586CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041C700, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,00402B5C,00000011), ref: 0041C750
__vbaUI1Str.MSVBVM60(00402B34), ref: 0041C75B
__vbaFileOpen.MSVBVM60(00000020,000000FF,00000027,dikteringers), ref: 0041C770
__vbaAryDestruct.MSVBVM60(00000000,?,0041C791), ref: 0041C78A

Strings

dikteringers, xrefs: 0041C765

Memory Dump Source

Source File: 00000000.00000002.720336578.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.720221025.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.720239305.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.720361748.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID: __vba$Construct2DestructFileOpen
String ID: dikteringers
API String ID: 1429767298-700272923
Opcode ID: 0cdbb48806a598a0f51adcedbdb89c3d8cc30fe6809b3357790c7dc48a0d55c2
Instruction ID: 1698f67f0930dfa05ffb6cf0e559c6027ec64b37a55cff0092c05c039d5b6d43
Opcode Fuzzy Hash: 0cdbb48806a598a0f51adcedbdb89c3d8cc30fe6809b3357790c7dc48a0d55c2
Instruction Fuzzy Hash: CB012171980308ABCB14DFA8CE4AFCEBF74EB08B50F10816AF555BA2D4C3B85541CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041D380, Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402CA0,0041F3C0,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D3C4
__vbaHresultCheckObj.MSVBVM60(00000000,0218EDD4,00402C90,00000014), ref: 0041D3E9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402CC0,00000100), ref: 0041D413
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D42E
#568.MSVBVM60(000000B3,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D43E

Memory Dump Source

Source File: 00000000.00000002.720336578.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.720221025.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.720239305.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.720361748.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Facturas Pagadas al Vencimiento 6.jbxd

Similarity

API ID: __vba$CheckHresult$#568FreeNew2
String ID:
API String ID: 575755541-0
Opcode ID: 55eb4606ab71cda27587c7db220d89d18a88670e93d0404e541927e20ccd7809
Instruction ID: f626ac595c046e404a3ec50fab700b849e5e2c7445e6d2eba32f43aaea7aa71a
Opcode Fuzzy Hash: 55eb4606ab71cda27587c7db220d89d18a88670e93d0404e541927e20ccd7809
Instruction Fuzzy Hash: 7721C674D40214ABCB00DB55CD49FDEB7B8FF58701F248027F815F32A0D3B868818AA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Facturas Pagadas al Vencimiento 6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Initial Sample

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: Facturas Pagadas al Vencimiento 6.exe PID: 4628 Parent PID: 5696

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: Facturas Pagadas al Vencimiento 6.exe PID: 4628 Parent PID: 5696 Facturas Pagadas al Vencimiento 6.exeCOMMON

Execution Graph

Graph

Executed Functions

Function 0041C7B0, Relevance: 73.9, APIs: 28, Strings: 14, Instructions: 394COMMON

Function 0041C7B0, Relevance: 73.9, APIs: 28, Strings: 14, Instructions: 394
COMMON

Function 004014BC, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 250
COMMON

Function 0041E080, Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 97
COMMON

Function 0041D480, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 150
COMMON

Function 0041DD80, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 83
COMMON

Function 0041D920, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 71
COMMON

Function 0041DA40, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 63
COMMON

Function 0041D7B0, Relevance: 15.1, APIs: 10, Instructions: 95
COMMON

Function 0041DC80, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 66
COMMON

Function 0041D6D0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
COMMON

Function 0041E290, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 56
COMMON

Function 0041E470, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49
COMMON

Function 0041DB40, Relevance: 10.6, APIs: 7, Instructions: 81
COMMON

Function 0041E560, Relevance: 10.6, APIs: 7, Instructions: 73
COMMON