Analysis Report: Facturas Pagadas Al Vencimiento.exe

Overview

General Information

Detection

| Detection | Value |
|---|---|
| Score | 76 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1dBTGLOe-ZeMuRpNWg8qsJp7BOE8QNF9s5l"}
Yara Overview

Initial Sample

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security | |

Sigma Overview

No Sigma rule has matched

Signature Overview
AV Detection:

- Found malware configuration
- Source: Malware Configuration Extractor
- Multi AV Scanner detection for submitted file
- Source: Virustotal
- Source: Metadefender
- Source: ReversingLabs
- Source: Static PE information

Networking:

- C2 URLs / IPs found in malware configuration
- Source: URLs
- Source: Binary or memory string

System Summary:

- Potential malicious icon found
- Source: Icon embedded in PE file
- Source: Code function: 0_2_004014BC
- Source: Process created
- Source: Static PE information
- Source: Binary or memory string (3 entries)
- Source: Static PE information
- Source: Classification label
- Source: Mutant created
- Source: File created
- Source: Static PE information
- Source: Section loaded (5 entries)
- Source: Key opened
- Source: File read (4 entries)
- Source: Virustotal
- Source: Metadefender
- Source: ReversingLabs
- Source: Process created (3 entries)
- Source: Window detected

Data Obfuscation:

- Yara detected GuLoader
- Source: File source (7 entries)
- Source: Code function: 0_2_00406C4C
- Source: Code function: 0_2_0040A4F6
- Source: Code function: 0_2_0040B902
- Source: Code function: 0_2_004018AD
- Source: Code function: 0_2_0040CD42
- Source: Code function: 0_2_0040AD2E
- Source: Code function: 0_2_0040DE6D
- Source: Code function: 0_2_0040C2DE
- Source: Code function: 0_2_0040C2DE
- Source: Code function: 0_2_0040CAD2
- Source: Code function: 0_2_00405EC8
- Source: Code function: 0_2_0040D6F1
- Source: Code function: 0_2_0040BA92
- Source: Code function: 0_2_004082BD
- Source: Code function: 0_2_0040976D
- Source: Code function: 0_2_00409F92
- Source: Code function: 0_2_00409F92
- Source: Code function: 0_2_0040780E
- Source: Process information set (48 entries)
- Source: Process queried
- Source: Binary or memory string (4 entries)
Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection2 | Virtualization/Sandbox Evasion1 | Input Capture1 | Security Software Discovery1 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection2 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Behavior Graph

Screenshots
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 71% | Virustotal | | |
| | 49% | Metadefender | | |
| | 70% | ReversingLabs | Win32.Trojan.Midie | |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches
Domains and IPs

General Information

| Property | Value |
|---|---|
| Joe Sandbox Version | 32.0.0 Black Diamond |
| Analysis ID | 433561 |
| Start date | 12.06.2021 |
| Start time | 15:09:33 |
| Joe Sandbox Product | CloudBasic |
| Overall analysis duration | 0h 5m 26s |
| Hypervisor based Inspection enabled | false |
| Report type | full |
| Sample file name | Facturas Pagadas Al Vencimiento.exe |
| Cookbook file name | default.jbs |
| Analysis system description | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of new started processes analysed | 25 |
| Number of new started drivers analysed | 0 |
| Number of existing processes analysed | 0 |
| Number of existing drivers analysed | 0 |
| Number of injected processes analysed | 0 |
| Technologies | |
| Analysis Mode | default |
| Analysis stop reason | Timeout |
| Detection | MAL |
| Classification | mal76.rans.troj.winEXE@3/8@0/1 |
| EGA Information | |
| HDC Information | |
| HCA Information | Failed |
| Cookbook Comments | |
| Warnings | |
Simulations

Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 15:10:33 | API Interceptor | |

Joe Sandbox View / Context
Created / dropped Files

| Process | Category | Size (bytes) | Entropy (8bit) | Encrypted | SSDEEP | MD5 | SHA1 | SHA-256 | SHA-512 | Malicious | Reputation |
|---|---|---|---|---|---|---|---|---|---|---|---|
| C:\Windows\SysWOW64\WerFault.exe | dropped | 11524 | 3.776556767599868 | false | 96:UYX3IxwgNFA3gQzFD7DcSpXIQcQ5c6ScE4cw3M+HbHg/TVG4rmMoVazWbSmnFdOx:r4xwg/KC0HnWSZja0I/u7sXS274ItSBw | 9EA029D2DEC2DAC1871DA0DE53099B26 | EC7F053B9C4D11B27BA47633298867D30D4348AE | DA4F27E735FEA5ECF5F676004681DC59A448345BBB6EA095624B160C2BF7C63A | FD3C3369C289ED666F47C10EE187B42B089B25C9E49762FD003A5F944B3C8CE00897077152FCC3165F29115C55B02E0DE3B31D6247D5F24F25631B15DBDC9FBD | false | low |
| C:\Windows\SysWOW64\WerFault.exe | dropped | 11526 | 3.7729071083685213 | false | 192:4G7zwgC+0HDOgHTja0I/u7sXS274ItSBC:b7zwgCNDHHTjO/u7sXX4ItSw | A29547129D5A2CB01A0ACB99A9CDC563 | C9AFB5880D3BCA7B7F8D44895DAAECCA6FA30BA5 | 35C3B671447641B38440405ABA08AC6B6296BE017A0CE7F9A1D4E394B0C86DB7 | 2C3199487863F9191D8BAF336C42F5368241DB588D030449C51DC287E757519F231481CE60D0B5652DBC15CFA3CB07455A38F7D8EC64737FB85BA51635627963 | false | low |
| C:\Windows\SysWOW64\WerFault.exe | dropped | 45970 | 2.4100728525187844 | false | 192:yOh/DVldZ7UACdPlSlCyaLbHT1yn/X2iZs2wbGVfZNMdk3/bS5JdUwa0IkM:LdLLdCdPl1yIcej9/dqDStS0+ | 1631B17E646B5ABB302115F47F42516A | 6B9FA3B6E2E47306B33C4622A993A43446ACF02E | 635BAF95212741218C99B5A61B6E547E1DB55CC61C49A900BAE3751D9049964B | 8E83BFF4B35A75032CD9F5FE5273A51FFF4AA62A99D8623AF97D86D471935712CBCC40B2FCDF115B1DAFE52BDE5B1F44CE722B110394F45A717B06C7FDA27B49 | false | low |
| C:\Windows\SysWOW64\WerFault.exe | dropped | 8386 | 3.693798672862176 | false | 192:Rrl7r3GLNiZu6IDP6YSySUqFgmfo0vFSBiCprV89btMsfpvm:RrlsNiA6IDP6YXSUqFgmfo0NSOtffM | 6E948DEB4BF5FCA5846D52C14CEB2F19 | 98419967C462534BCBD83F4D5992DCFBFD2018B3 | E78B92EC4695D4C464298740C0A83F09392971B5A99D945FE41D2AC318F3841D | 04D3A57C5D51C87FDEBB41DC9D24A49D9369D199F704FE0985A6090D1367CBE6E755DA739EAD1E561E8F1A5AE523E58A4CBFD47B28071E067A09A8C7F44AD5C9 | false | low |
| C:\Windows\SysWOW64\WerFault.exe | dropped | 4741 | 4.490976525072211 | false | 48:cvIwSD8zsKJgtWI9NpWSC8Bws8fm8M4JXT7/SIFK0C+q8a7lIGCzX3XqPd:uITfYuYSNeJutEHSd | 5C690A8607E83CF1AC15D11729446481 | C1E5152E057B266A70454F0D541FE284F165CE74 | A712512A506D92FC2E5EA1BF56026954E8D67CF61AD60C1CDAA6AED6527858F2 | CA694FD5649DBAB675DCC0B6167867DB16867EDB91607C5B98E29FDC66B954F49D3780A33F9563EBCB2C2ED50F7C7445BB4E62CE5C6600AC460A6DEA67B0EB73 | false | low |
| C:\Windows\SysWOW64\WerFault.exe | dropped | 46862 | 2.140785403689248 | false | 192:sOhCRR2dm20T1yn/72Zhw8mz2EUlSAqzF8ZUU2JSY:BM2opcKZfu7GSDzMJY | 740B80A74D73165741D221C663BF2747 | F9CA62EE3CCA562211EC55E79D567EBB8FD44A22 | 4A265581BA51892FC94B803C6E776FF2B2E3FD5004B6E5E7E07FEA1A8F8B8AEC | 5462DC6E03F806A9D063BFA3B7C007C6BBAB750036E861DAF29A248C5D570F09F66C7B503998D015F69572747B0CE24EBDE4DC8443CB39298494C8F6A540D570 | false | low |
| C:\Windows\SysWOW64\WerFault.exe | dropped | 8394 | 3.6980242405197026 | false | 192:Rrl7r3GLNiZf6ID9o6YSfSU8Ajgmfo0jFSeCpDi89bBMsfsrm:RrlsNih6ID9o6Y6SU8Ajgmfo05SlBffN | F922260DAAF05B490EB120AEF46E81FE | 47DA4C10A2B4B214357A85DC16824168DB99251C | 839A6D242FE912CC16F82DF24F0D0214F1F0E20D7816B49B9FAEA715A575A93A | A619DF416750571E521ABA7F5621A7A8E94239FF26DD07B034C65C37F1B5B06E518D8483EAF160004188C0E670B15D1E59208E208863530EC5C9E227E96F6120 | false | low |
| C:\Windows\SysWOW64\WerFault.exe | dropped | 4741 | 4.493586948294421 | false | 48:cvIwSD8zsKJgtWI9NpWSC8BZ8fm8M4JXT7/SWFlL+q8a7l2GCzX3XqPd:uITfYuYSN4J3vEHSd | E02DDF099C74EDBE4B94FCE2858DFE5D | 050B6AA8F3393539E468BD039BA4C76DFF46D763 | 93E8E1A1BED1CE09C3229858CCE21C853F7F958E1B6A29063875123220844AA6 | 63BD92AAA8079571025B78252D1A3002482EDCB79EEEAA3E50FA7D0A104BB22E39F647C16904392FBD51247BBC3DA2669BCFC7EAD6494BE27B3773FA310487C2 | false | low |
Static File Info

General

| Property | Value |
|---|---|
| File type | |
| Entropy (8bit) | 4.463887810480926 |
| TrID | |
| File name | Facturas Pagadas Al Vencimiento.exe |
| File size | 135168 |
| MD5 | c8d357afda8635441bc5838244ca0029 |
| SHA1 | 026b3b6bafa462c763860afeb21b3cfe05aeb600 |
| SHA256 | 94bfbe95a21d987080ac95825abde8cf1aa7955fa711c8daeea32ba18590979d |
| SHA512 | 0630394ea500b46626aeb13033d6d6c213c79f1d7babc187e3bc62e4dc43272b57863fe1cdd33d83312866374801f47b4975f2631c44c96aa23f48150b8498bd |
| SSDEEP | 1536:8r2A295OAR92knLfapZm5sXu0dtyb/vxG8A:9A295OAR9ffUb+3m |
| File Content Preview | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...hO.`.....................0....................@................ |

File Icon

Icon Hash: 20047c7c70f0e004
Static PE Info

General

| Property | Value |
|---|---|
| Entrypoint | 0x4014bc |
| Entrypoint Section | .text |
| Digitally signed | false |
| Imagebase | 0x400000 |
| Subsystem | windows gui |
| Image File Characteristics | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
| DLL Characteristics | |
| Time Stamp | 0x60BD4F68 [Sun Jun 6 22:42:48 2021 UTC] |
| TLS Callbacks | |
| CLR (.Net) Version | |
| OS Version Major | 4 |
| OS Version Minor | 0 |
| File Version Major | 4 |
| File Version Minor | 0 |
| Subsystem Version Major | 4 |
| Subsystem Version Minor | 0 |
| Import Hash | 54ea68151857c1f30c42224007018bf1 |
Entrypoint Preview

Instruction listing (linear disassembly from the entrypoint, as reported):

```asm
push 00401764h
call 00007F53D0B73E05h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ch, ah
leave
cmp al, 4Fh
push esi
arpl word ptr [ebp-32207EBAh], bp
cmp dword ptr fs:[esi+0000B89Ah], esp
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [esi], al
push eax
add dword ptr [ecx], 61h
outsd
jo 00007F53D0B73E86h
imul esi, dword ptr [esi+66h], 646C726Fh
jc 00007F53D0B73E77h
outsb
jnc 00007F53D0B73E13h
add byte ptr [eax], al
pushad
jle 00007F53D0B73E2Eh
add eax, dword ptr [eax]
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
or ah, dl
xchg eax, ebp
sub bl, al
jne 00007F53D0B73DC5h
jnp 00007F53D0B73E59h
call far 4E1Ch : 67233F9Ch
out dx, eax
daa
sahf
stosb
jmp far AE85h : 4982311Ah
dec ebp
xchg eax, esp
pop esp
push cs
push es
or dword ptr [edx], edi
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xchg eax, ebp
add dword ptr [eax], eax
add byte ptr [edi+00h], cl
add byte ptr [eax], al
add byte ptr [ebx], cl
add byte ptr [edi+ecx*2+52h], dl
push ebx
dec ecx
dec edi
inc edi
push edx
inc ecx
push eax
dec eax
```
Data Directories
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e604 | 0x28 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21000 | 0x9b8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x14c | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Sections
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1db78 | 0x1e000 | False | 0.337109375 | data | 4.7219788122 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x1f000 | 0x1230 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x21000 | 0x9b8 | 0x1000 | False | 0.178466796875 | data | 2.11818351755 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x21888 | 0x130 | data | | |
RT_ICON | 0x215a0 | 0x2e8 | data | | |
RT_ICON | 0x21478 | 0x128 | GLS_BINARY_LSB_FIRST | | |
RT_GROUP_ICON | 0x21448 | 0x30 | data | | |
RT_VERSION | 0x21150 | 0x2f8 | data | Sesotho (Sutu) | South Africa |
Imports
DLL | Import |
---|---|
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaAryConstruct2, __vbaObjVar, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaVarErrI4, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaUI1Str, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj |
Version Infos
Description | Data |
---|---|
Translation | 0x0430 0x04b0 |
LegalCopyright | Tera data |
InternalName | GRFTNING |
FileVersion | 1.00 |
CompanyName | Tera data |
LegalTrademarks | Tera data |
Comments | Tera data |
ProductName | Tera data |
ProductVersion | 1.00 |
FileDescription | Tera data |
OriginalFilename | GRFTNING.exe |
Possible Origin
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Sesotho (Sutu) | South Africa | |
Network Behavior

Network Port Distribution

UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 12, 2021 15:10:12.102142096 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:12.160832882 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:12.318170071 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:12.369839907 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:12.452097893 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:12.512283087 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:13.467622995 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:13.520572901 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:14.403872013 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:14.454022884 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:15.351442099 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:15.406727076 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:16.326603889 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:16.382205009 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:17.639139891 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:17.692406893 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:18.781671047 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:18.831770897 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:20.404968977 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:20.457632065 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:22.030080080 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:22.080522060 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:22.960958004 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:23.013819933 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:25.462291002 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:25.513123035 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:26.380023956 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:26.430704117 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:27.581918955 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:27.633286953 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:28.657243013 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:28.716032982 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:29.591808081 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:29.650279045 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:30.867782116 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:30.920933008 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:31.782145977 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:31.815999985 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:31.832814932 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:31.868969917 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:32.765168905 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:32.816920042 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:42.059823990 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:42.110271931 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:46.943970919 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:47.005245924 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:10:51.072354078 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:10:51.147378922 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:11:05.160324097 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:11:05.229918957 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:11:08.037477970 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:11:08.096488953 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:11:17.419631004 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:11:17.483326912 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:11:47.839689970 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:11:47.909065008 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:11:48.306693077 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:11:48.376354933 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:12:12.693031073 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:12:12.753371954 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior
System Behavior

General

| Start time | Start date | Path | Wow64 process (32bit) | Commandline | Imagebase | File size | MD5 hash | Has elevated privileges | Has administrator privileges | Programmed in | Reputation |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 15:10:18 | 12/06/2021 | C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe | true | | 0x400000 | 135168 bytes | C8D357AFDA8635441BC5838244CA0029 | true | true | Visual Basic | low |
| 15:10:30 | 12/06/2021 | C:\Windows\SysWOW64\WerFault.exe | true | | 0x180000 | 434592 bytes | 9E2B8ACAD48ECCA55C0230D63623661B | true | true | Visual Basic | high |
| 15:10:41 | 12/06/2021 | C:\Windows\SysWOW64\WerFault.exe | true | | 0x180000 | 434592 bytes | 9E2B8ACAD48ECCA55C0230D63623661B | true | true | Visual Basic | high |
Disassembly

Code Analysis

Execution Graph

| Metric | Value |
|---|---|
| Execution Coverage | 6.9% |
| Dynamic/Decrypted Code Coverage | 3.5% |
| Signature Coverage | 0.9% |
| Total number of Nodes | 227 |
| Total number of Limit Nodes | 12 |
Executed Functions

| Function | Relevance | APIs | Strings | Instructions | Tag | Uniqueness Score |
|---|---|---|---|---|---|---|
| 0041C630 | 161.7 | 73 | 19 | 730 | COMMON | -1.00% |

Non-executed Functions

| Function | Relevance | APIs | Strings | Instructions | Tag | Uniqueness Score |
|---|---|---|---|---|---|---|
| 0041D630 | 15.1 | 10 | | 95 | COMMON | -1.00% |
| 0041D9C0 | 10.6 | 7 | | 81 | COMMON | -1.00% |
| 0041E4F0 | 10.6 | 7 | | 73 | COMMON | -1.00% |
| 0041E3E0 | 10.6 | 7 | | 73 | COMMON | -1.00% |
| 0041DE40 | 10.5 | 7 | | 43 | COMMON | -1.00% |
| 0040DF6C | 10.5 | 7 | | 27 | COMMON | -1.00% |
| 0041D200 | 7.6 | 5 | | 68 | COMMON | -1.00% |