Loading ...

Play interactive tourEdit tour

Analysis Report Facturas Pagadas al Vencimiento 6.exe

Overview

General Information

Sample Name:Facturas Pagadas al Vencimiento 6.exe
Analysis ID:433003
MD5:78c3e32a156e44865fcdf53b4783265b
SHA1:02f175cb27dcf85b810f40d3c0adc66de1467ca0
SHA256:4d1b07efb6e87b7c1379fc8f9eacef7443c54a57ab8e9d50c98053193316fd91
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1ZXsoOW_y-1MUyiIhdhOWNmzZqI-by8yY"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
Facturas Pagadas al Vencimiento 6.exeJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: Facturas Pagadas al Vencimiento 6.exeMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1ZXsoOW_y-1MUyiIhdhOWNmzZqI-by8yY"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: Facturas Pagadas al Vencimiento 6.exeVirustotal: Detection: 51%Perma Link
    Source: Facturas Pagadas al Vencimiento 6.exeMetadefender: Detection: 40%Perma Link
    Source: Facturas Pagadas al Vencimiento 6.exeReversingLabs: Detection: 79%
    Source: Facturas Pagadas al Vencimiento 6.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=1ZXsoOW_y-1MUyiIhdhOWNmzZqI-by8yY

    System Summary:

    barindex
    Potential malicious icon foundShow sources
    Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_0219BE78
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_0219A480
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_021946D0
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_021A0B0B
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_0219350B
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_0219355C
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_021935A9
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_021973A2
    Source: Facturas Pagadas al Vencimiento 6.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: Facturas Pagadas al Vencimiento 6.exe, 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAerogun6.exe vs Facturas Pagadas al Vencimiento 6.exe
    Source: Facturas Pagadas al Vencimiento 6.exeBinary or memory string: OriginalFilenameAerogun6.exe vs Facturas Pagadas al Vencimiento 6.exe
    Source: Facturas Pagadas al Vencimiento 6.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engineClassification label: mal92.rans.troj.evad.winEXE@1/0@0/0
    Source: Facturas Pagadas al Vencimiento 6.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: Facturas Pagadas al Vencimiento 6.exeVirustotal: Detection: 51%
    Source: Facturas Pagadas al Vencimiento 6.exeMetadefender: Detection: 40%
    Source: Facturas Pagadas al Vencimiento 6.exeReversingLabs: Detection: 79%

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: Facturas Pagadas al Vencimiento 6.exe, type: SAMPLE
    Source: Yara matchFile source: 0.2.Facturas Pagadas al Vencimiento 6.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.0.Facturas Pagadas al Vencimiento 6.exe.400000.0.unpack, type: UNPACKEDPE
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_0040CA38 push ecx; ret
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_00406AE6 push ecx; ret
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_004064F2 push esp; retf
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_00409F62 push esp; iretd
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_0040A938 push edi; ret
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_0219404C push FFFFFFC2h; retn 0004h
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    barindex
    Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_02199C17
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_0219BE78
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_021A0B0B
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeRDTSC instruction interceptor: First address: 000000000219ACD5 second address: 000000000219ACD5 instructions:
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeRDTSC instruction interceptor: First address: 000000000219AEBC second address: 000000000219AEBC instructions:
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeRDTSC instruction interceptor: First address: 000000000219A977 second address: 000000000219AA85 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp edx, ebx 0x00000005 pushad 0x00000006 cmp dword ptr [ebp+0000014Ch], 00000000h 0x0000000d jne 00007F7CCC4CF4FAh 0x00000013 test ch, ch 0x00000015 mov eax, 2FD9C07Bh 0x0000001a nop 0x0000001b xor eax, 7E315320h 0x00000020 jmp 00007F7CCC4CF19Eh 0x00000022 test cx, cx 0x00000025 test dx, ax 0x00000028 xor eax, 1C1E277Ah 0x0000002d sub eax, 4DF6AEE8h 0x00000032 mov dword ptr [ebp+00000280h], esi 0x00000038 cmp edx, edx 0x0000003a mov esi, DA7E1005h 0x0000003f cmp ah, ch 0x00000041 xor esi, 59F02A12h 0x00000047 test dl, al 0x00000049 cmp bl, al 0x0000004b sub esi, D3DBBFD6h 0x00000051 sub esi, AFB279D5h 0x00000057 jmp 00007F7CCC4CF1A2h 0x00000059 test cl, bl 0x0000005b push esi 0x0000005c test bx, ax 0x0000005f mov esi, dword ptr [ebp+00000280h] 0x00000065 push 85A6F362h 0x0000006a cmp al, bl 0x0000006c pushad 0x0000006d mov eax, 000000B6h 0x00000072 rdtsc
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeRDTSC instruction interceptor: First address: 000000000219ACD5 second address: 000000000219ACD5 instructions:
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeRDTSC instruction interceptor: First address: 000000000219AEBC second address: 000000000219AEBC instructions:
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeRDTSC instruction interceptor: First address: 000000000219F9E7 second address: 000000000219FA7C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp ecx, ecx 0x0000000d cmp ebx, eax 0x0000000f test ecx, ebx 0x00000011 test al, 39h 0x00000013 mov esi, 33B6F880h 0x00000018 cmp edi, 44CF2B59h 0x0000001e xor esi, 8B0C370Ch 0x00000024 cmp dh, ah 0x00000026 xor esi, 7DFB8F97h 0x0000002c cmp ch, dh 0x0000002e cmp bx, cx 0x00000031 xor esi, C541B01Bh 0x00000037 test esi, 0E27938Eh 0x0000003d jmp 00007F7CCC39BE0Eh 0x0000003f cmp dh, ch 0x00000041 cmp eax, ebx 0x00000043 cmp cl, dl 0x00000045 pushad 0x00000046 lfence 0x00000049 rdtsc
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeRDTSC instruction interceptor: First address: 000000000219FBC7 second address: 000000000219FCD9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [ebp+0000019Eh] 0x00000011 cmp ecx, ecx 0x00000013 push AE5BC5C3h 0x00000018 jmp 00007F7CCC4CF19Eh 0x0000001a cmp di, 6510h 0x0000001f add dword ptr [esp], FF06270Bh 0x00000026 xor dword ptr [esp], BF9532A6h 0x0000002d test bx, bx 0x00000030 test ebx, ecx 0x00000032 add dword ptr [esp], ED0B2198h 0x00000039 cmp bh, ch 0x0000003b mov dword ptr [ebp+000001A2h], ecx 0x00000041 mov ecx, esi 0x00000043 push ecx 0x00000044 cmp dh, ah 0x00000046 mov ecx, dword ptr [ebp+000001A2h] 0x0000004c cmp ch, dh 0x0000004e cmp bx, cx 0x00000051 test esi, 54BF3FE2h 0x00000057 mov dword ptr [ebp+000001F2h], edi 0x0000005d mov edi, 6ABD3267h 0x00000062 jmp 00007F7CCC4CF19Eh 0x00000064 cmp dh, ch 0x00000066 cmp eax, ebx 0x00000068 xor edi, 005A9092h 0x0000006e cmp cl, dl 0x00000070 xor edi, 0D36FEAFh 0x00000076 pushad 0x00000077 lfence 0x0000007a rdtsc
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeRDTSC instruction interceptor: First address: 000000000219FF21 second address: 000000000219FF5C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+00000172h], edx 0x00000009 mov edx, ecx 0x0000000b push edx 0x0000000c test bl, bl 0x0000000e mov edx, dword ptr [ebp+00000172h] 0x00000014 cmp ch, 00000072h 0x00000017 cmp ax, cx 0x0000001a mov dword ptr [ebp+000001E9h], ecx 0x00000020 mov ecx, esi 0x00000022 push ecx 0x00000023 test ecx, 875BEF8Bh 0x00000029 mov ecx, dword ptr [ebp+000001E9h] 0x0000002f cmp edi, 715ED056h 0x00000035 pushad 0x00000036 mov edx, 0000005Ch 0x0000003b rdtsc
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_02199C17 rdtsc
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeAPI coverage: 5.1 %
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_02199C17 rdtsc
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_0219F023 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_0219F6FE mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_021A0B0B mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exeCode function: 0_2_02199B01 mov eax, dword ptr fs:[00000030h]
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: Facturas Pagadas al Vencimiento 6.exe, 00000000.00000002.721351172.0000000000CD0000.00000002.00000001.sdmpBinary or memory string: Program Manager
    Source: Facturas Pagadas al Vencimiento 6.exe, 00000000.00000002.721351172.0000000000CD0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: Facturas Pagadas al Vencimiento 6.exe, 00000000.00000002.721351172.0000000000CD0000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: Facturas Pagadas al Vencimiento 6.exe, 00000000.00000002.721351172.0000000000CD0000.00000002.00000001.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery41Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery31Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    Facturas Pagadas al Vencimiento 6.exe51%VirustotalBrowse
    Facturas Pagadas al Vencimiento 6.exe43%MetadefenderBrowse
    Facturas Pagadas al Vencimiento 6.exe79%ReversingLabsWin32.Trojan.Graftor

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:32.0.0 Black Diamond
    Analysis ID:433003
    Start date:11.06.2021
    Start time:04:49:17
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 7m 6s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:Facturas Pagadas al Vencimiento 6.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:31
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal92.rans.troj.evad.winEXE@1/0@0/0
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 6% (good quality ratio 0%)
    • Quality average: 1.8%
    • Quality standard deviation: 4.2%
    HCA Information:Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Not all processes where analyzed, report is missing behavior information

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):4.463177731670157
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:Facturas Pagadas al Vencimiento 6.exe
    File size:135168
    MD5:78c3e32a156e44865fcdf53b4783265b
    SHA1:02f175cb27dcf85b810f40d3c0adc66de1467ca0
    SHA256:4d1b07efb6e87b7c1379fc8f9eacef7443c54a57ab8e9d50c98053193316fd91
    SHA512:18fa858551003d425d3dc71e80fee12c6eb77bef6bcb1961212457e0b85c335ce757c6ae13c07ad90b14d337d009b648c71254f5610953ca2897ed56d4e2bfe9
    SSDEEP:1536:v9J+koIy03uySeJTFsn9FQsZ57DuAPxElSnEtG8z:vP+ko3ytF2nQa5Nzs
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L..._Q.`.....................0....................@................

    File Icon

    Icon Hash:20047c7c70f0e004

    Static PE Info

    General

    Entrypoint:0x4014bc
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x60BD515F [Sun Jun 6 22:51:11 2021 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:54ea68151857c1f30c42224007018bf1

    Entrypoint Preview

    Instruction
    push 00401800h
    call 00007F7CCCE82955h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    inc eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [edi+edx*2-1CDD0D78h], dh
    add al, 46h
    xchg dword ptr [edi+42BD2432h], edx
    pushfd
    rol byte ptr [eax], 00000000h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add dword ptr [eax], eax
    add byte ptr [eax], al
    inc edx
    add byte ptr [esi], al
    push eax
    add dword ptr [ecx], 73h
    jo 00007F7CCCE829CBh
    jc 00007F7CCCE829D1h
    arpl word ptr [eax+65h], bp
    je 00007F7CCCE829CBh
    arpl word ptr [ecx+64h], bp
    add byte ptr [ebx], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    dec esp
    xor dword ptr [eax], eax
    or dh, dl
    dec ebp
    xor ch, cl

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x1e7840x28.text
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x210000x9b8.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
    IMAGE_DIRECTORY_ENTRY_IAT0x10000x14c.text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x1dcf80x1e000False0.334098307292data4.72155519745IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data0x1f0000x12300x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc0x210000x9b80x1000False0.17822265625data2.11732977417IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountry
    RT_ICON0x218880x130data
    RT_ICON0x215a00x2e8data
    RT_ICON0x214780x128GLS_BINARY_LSB_FIRST
    RT_GROUP_ICON0x214480x30data
    RT_VERSION0x211500x2f8dataSesotho (Sutu)South Africa

    Imports

    DLLImport
    MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaAryConstruct2, __vbaObjVar, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaVarErrI4, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaUI1Str, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

    Version Infos

    DescriptionData
    Translation0x0430 0x04b0
    LegalCopyrightTera data
    InternalNameAerogun6
    FileVersion1.00
    CompanyNameTera data
    LegalTrademarksTera data
    CommentsTera data
    ProductNameTera data
    ProductVersion1.00
    FileDescriptionTera data
    OriginalFilenameAerogun6.exe

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    Sesotho (Sutu)South Africa

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    System Behavior

    General

    Start time:04:50:01
    Start date:11/06/2021
    Path:C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe
    Wow64 process (32bit):true
    Commandline:'C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe'
    Imagebase:0x400000
    File size:135168 bytes
    MD5 hash:78C3E32A156E44865FCDF53B4783265B
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Reputation:low

    Disassembly

    Code Analysis

    Reset < >