Analysis Report Facturas Pagadas Al Vencimiento.exe
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Process Tree |
---|
Processes recorded for this run (details under System Behavior): |
Facturas Pagadas Al Vencimiento.exe (start 15:16:32, Wow64) |
C:\Windows\SysWOW64\WerFault.exe (start 15:16:43) |
C:\Windows\SysWOW64\WerFault.exe (start 15:16:56) |
Malware Configuration |
---|
Threatname: GuLoader |
---|
{"Payload URL": "https://drive.google.com/uc?export=download&id=1dBTGLOe-ZeMuRpNWg8qsJp7BOE8QNF9s5l"}
The extracted configuration holds a single field: the URL of the second-stage payload, served as a Google Drive direct-download link (`uc?export=download&id=...`). Only the file ID identifies the payload; the host is shared with legitimate traffic, so block or hunt on the full URL or the ID, not on drive.google.com.
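As an added example (not part of the Joe Sandbox report), the following Python turns this configuration into hunting indicators and runs them over a few constructed proxy log lines. The only value taken from the report is the payload URL; the log layout, the sample lines, the docs.google.com host and the non-browser User-Agent heuristic are assumptions made for the example.

```python
"""Added example, not part of the Joe Sandbox report: turn the extracted GuLoader
configuration into hunting indicators and run them over proxy logs. The only indicator
taken from the report is the payload URL; log format and log lines are constructed."""
import json
from urllib.parse import parse_qs, unquote, urlsplit

# Exactly the JSON the report's Malware Configuration section shows.
REPORT_CONFIG = ('{"Payload URL": "https://drive.google.com/uc?export=download'
                 '&id=1dBTGLOe-ZeMuRpNWg8qsJp7BOE8QNF9s5l"}')

# Hosts serving Drive direct downloads (docs.google.com is an assumption, not from the report).
DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}
BROWSER_UA_PREFIXES = ("Mozilla/",)   # assumption: anything else is a non-browser client


def drive_direct_download_id(url: str):
    """File ID if `url` is a Drive direct-download (uc?export=download) request, else None.
    The query string is parsed, so parameter re-ordering or percent-encoding does not evade it."""
    p = urlsplit(url)
    if p.hostname not in DRIVE_HOSTS or p.path != "/uc":
        return None
    q = parse_qs(p.query)
    if q.get("export") != ["download"] or "id" not in q:
        return None
    return q["id"][0]


def indicators_from_config(config_json: str) -> dict:
    """Derive host, full URL and the stable Drive file ID from the extracted config."""
    url = json.loads(config_json)["Payload URL"]
    return {"url": url, "host": urlsplit(url).hostname, "file_id": drive_direct_download_id(url)}


def hunt(log_lines, ind: dict) -> list:
    """Return (line_no, rule) for lines worth triage.
    Constructed log layout: <timestamp> <client> <method> <url> <status> <user-agent>."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        try:
            _ts, _client, _method, url, _status, ua = line.split(maxsplit=5)
        except ValueError:
            continue  # malformed line, skip
        if ind["file_id"] and ind["file_id"] in unquote(url):
            hits.append((n, "payload-file-id"))  # high confidence: the configured file itself
        elif drive_direct_download_id(url) and not ua.startswith(BROWSER_UA_PREFIXES):
            hits.append((n, "drive-direct-download-nonbrowser"))  # heuristic: loader-style fetch
    return hits


# Constructed proxy lines: benign browsing, a parameter-reordered fetch of the payload, an
# unrelated browser download, the payload's /file/d/ preview URL, and a non-browser fetch.
SAMPLE_LOG = [
    "2021-06-12T13:16:50Z 192.168.2.3 GET https://www.microsoft.com/en-us/ 200 Mozilla/5.0 (Windows NT 10.0)",
    "2021-06-12T13:16:51Z 192.168.2.3 GET https://drive.google.com/uc?id=1dBTGLOe-ZeMuRpNWg8qsJp7BOE8QNF9s5l&export=download 302 -",
    "2021-06-12T13:16:52Z 192.168.2.3 GET https://drive.google.com/uc?export=download&id=0ZzUnrelatedFile 200 Mozilla/5.0 (Windows NT 10.0)",
    "2021-06-12T13:16:53Z 192.168.2.3 GET https://drive.google.com/file/d/1dBTGLOe-ZeMuRpNWg8qsJp7BOE8QNF9s5l/view 200 Mozilla/5.0 (Windows NT 10.0)",
    "2021-06-12T13:16:54Z 192.168.2.4 GET https://drive.google.com/uc?export=download&id=0ZzAnotherFile 200 -",
]

if __name__ == "__main__":
    ind = indicators_from_config(REPORT_CONFIG)
    print("indicators:", ind)
    for line_no, rule in hunt(SAMPLE_LOG, ind):
        print(f"line {line_no}: {rule}")
```

Matching on the file ID rather than the literal URL is what catches the second and fourth lines, where the query order differs or the ID appears in a preview URL; the User-Agent rule is deliberately lower confidence and is there to surface direct downloads by non-browser clients, which is how a loader fetches its stage.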
Yara Overview |
---|
Initial Sample |
---|
Rule | Description | Author |
---|---|---|
JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Found malware configuration | Source: Malware Configuration Extractor |
Multi AV Scanner detection for submitted file | Sources: Virustotal (perma link), Metadefender (perma link), ReversingLabs; Static PE information |
Networking: |
---|
C2 URLs / IPs found in malware configuration | Source: URLs in the extracted configuration |
System Summary: |
---|
Potential malicious icon found | Source: Icon embedded in PE file |
Other evidence cited in this section: code function 0_2_004014BC (the entrypoint); process created (x4); static PE information (x3); binary or memory string (x3); classification label; mutant created; file created; section loaded (x5); registry key opened; file read (x4); Virustotal, Metadefender and ReversingLabs lookups |
Data Obfuscation: |
---|
Yara detected GuLoader | Source: File source (7 unpacked / memory sources) |
Code functions cited in this section: 0_2_00406C4C, 0_2_0040A4F6, 0_2_0040B902, 0_2_004018AD, 0_2_0040CD42, 0_2_0040AD2E, 0_2_0040DE6D, 0_2_0040C2DE (x2), 0_2_0040CAD2, 0_2_00405EC8, 0_2_0040D6F1, 0_2_0040BA92, 0_2_004082BD, 0_2_0040976D, 0_2_00409F92 (x2), 0_2_0040780E |
Other evidence cited: process information set (x48); process queried (x1); binary or memory string (x4) |
Mitre Att&ck Matrix |
---|
The matrix in the report lists the full technique catalogue; a trailing digit marks a technique matched in this run and gives the number of matching signatures. Matched techniques: |
Tactic | Technique | Matching signatures |
---|---|---|
Privilege Escalation / Defense Evasion | Process Injection | 2 |
Defense Evasion | Virtualization/Sandbox Evasion | 1 |
Defense Evasion | Obfuscated Files or Information | 1 |
Discovery | Security Software Discovery | 1 |
Discovery | Virtualization/Sandbox Evasion | 1 |
Discovery | Process Discovery | 1 |
Discovery | System Information Discovery | 1 |
Discovery | Remote System Discovery | 1 |
Collection | Archive Collected Data | 1 |
Command and Control | Encrypted Channel | 1 |
Command and Control | Application Layer Protocol | 1 |
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Detection | Scanner | Label |
---|---|---|
71% | Virustotal | |
49% | Metadefender | |
70% | ReversingLabs | Win32.Trojan.Midie |
Dropped Files, Unpacked PE Files, Domains, URLs |
---|
No Antivirus matches |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 433561 |
Start date: | 12.06.2021 |
Start time: | 15:15:46 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 19s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | Facturas Pagadas Al Vencimiento.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Run with higher sleep bypass |
Number of analysed new started processes analysed: | 32 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal76.rans.troj.winEXE@3/8@0/1 |
HCA Information: | Failed |
Simulations |
---|
Behavior and APIs: | No simulations |
Created / dropped Files |
---|
All eight files below were written by C:\Windows\SysWOW64\WerFault.exe, i.e. they are Windows Error Reporting output from the two crash-handler instances recorded under System Behavior, not files dropped by the sample; none is flagged malicious. |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 11522 |
Entropy (8bit): | 3.7779875477893152 |
Encrypted: | false |
SSDEEP: | 96:E0WeR7FA3gQzFD7DcSpXIQcQ5c6ScE4cw3M+HbHg/TVG4rmMoVazWbSmnFdOyPnn:V/RZKC0HnWSZja0I/u7sBS274ItSBH |
MD5: | 4B4AAAB6AA87EE3404CD940DAFFD5E10 |
SHA1: | 9D8F2B8D18BB78CE8FA09F90FFB6CF1AA7B0633B |
SHA-256: | 60A9774D4EAE77F5E8FEA37CDC7A02F19AD6D43A828CDEB930846AE9ED8F5639 |
SHA-512: | CE4A08AAC1F739181241AE00918C2E98871697520D655A187CC5AAF3CB2F3044E3CBEE17BDE38D347A593F146889A9F70A2F15F2187234FD771DB48B7412F8DF |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 11522 |
Entropy (8bit): | 3.7742938090874323 |
Encrypted: | false |
SSDEEP: | 96:t6GRK3gQzFD7fcSpXIQcQNc6LmgcEdcw3++HbHg/TVG4rmMoVazWbSmnFdOyPnri:sGRs+0HDOgHTja0I/u7sBS274ItSBu |
MD5: | 8260AD2649897CE3374067EF099A5818 |
SHA1: | 4F6FD36E5C60F25339EC5B4875FACF7FA5657B9D |
SHA-256: | 41C4BD73CDC2CAB31F0D1CE35988A27921BEADE4B3C247A184F70E1F97E1D605 |
SHA-512: | B78DA89F6631DFEDF6D4468A22519810FACA74DF1AEC319DEBF84FCA179744636A6B5D13DF7FABEE05C81787EA16CA712BB5A3D86F7348F9ED79B47EB6600B43 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 51454 |
Entropy (8bit): | 2.2977818654342994 |
Encrypted: | false |
SSDEEP: | 192:CIht6jjRywPqC8vPl/SM4Lek2kIZm2Gi8mzF9Vm2gOf73qTf5ByX:RD6AqV8vPlKM22TZ6uY2U5I |
MD5: | 40BA2704DA382E2ED63FDA445C8C5137 |
SHA1: | FE7AA8F39E0CD12428DFF528EF7B98C703F56187 |
SHA-256: | 9E1F43BC1230C158B5E0AC5B5C1D40F66331BD39DD442F4865515EA77A6F1F63 |
SHA-512: | A701B0AAA880183C72FBC1F1CC453A8DCD4B53AD12E14946A4142139F68A57D3F7FD5CC71506BBEC2F5527E2E7998DCA406AAE55B3467695F1C3376A282A3758 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 8388 |
Entropy (8bit): | 3.697296467124024 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNipiD6IDNLMecp6YSISUuUn95ksgmfo0vFSBWCpr+89bILsfw4m:RrlsNip+6IDa6Y9SUPnjgmfo0NSvIQfW |
MD5: | A5F48B31EED215788A3E197603FB151A |
SHA1: | E5DE19D278B807DF7BB2CCF62B5BD36A9EA1D014 |
SHA-256: | 308D44600633D8C49F628B22BB7FB449651E45201EDE94024F48391CB5BA4E57 |
SHA-512: | 687D5ABC5F672398B06A05851BF4FD205F03D0CF5EE8D9E9FFE7C4017C9FE5AB82E60555BE04CAD5B59DEA930EB198EED8CFE7286ECC29A0D5F1ABE0AAB07E3F |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 4741 |
Entropy (8bit): | 4.500617379796648 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zskJgtWI9tpWSC8B28fm8M4JXT7/SIFAo+q8a7lIclCzX3XH8Pd:uITfiqYSNFJHNlEHHgd |
MD5: | 82480489627A469CB8B64F9F25FBA641 |
SHA1: | AF29C719D34F13F8177C9801C1B02782035AF5B5 |
SHA-256: | DB82AA4A5A7E71C2110B36F53DEC4A46B11A12F9279757444E5D15CB4FA982C6 |
SHA-512: | 7853DFE8AD7648CBBFC4F180D9995173884D689F6591218C37C9F0E99F72CE4C46215C5A4D524725D777A3D3BC14E306B1BAA098BDAFF5CAF1A433E6C874D725 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 46842 |
Entropy (8bit): | 2.142337644740741 |
Encrypted: | false |
SSDEEP: | 192:TIh/7xjYsPSk2kIZi270hF8mzF3hp8yDOQOSObI5ehZrL2:s97vPp2TlQwudOI5GG |
MD5: | 4C981AA79224125A1E780F9D1015A72B |
SHA1: | 85C83302C1E9528E18916BD10692C77DA2E53EF4 |
SHA-256: | 34B661D83ACF83D81780724FCC6CE328D8E21BEFF02EF9F37A693B3F93C8E5D5 |
SHA-512: | 5D823E8792151DED4C21678212301893B9C633508BCE07FD1CAFB30515A3AA6D8810CA4788C78BD0461FAB06475DA533D6AB2B1BE5A6BCFECBC06EF76787F019 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 8394 |
Entropy (8bit): | 3.7033486108502083 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNipiH6IDChcp6YS9SUTnCZgmfo0jFSKCpDW89bbLsfVpm:RrlsNipa6IDD6YYSUTncgmfo05SlbQfC |
MD5: | F5C74121B5DC9EE9131757F8F2AFE6A4 |
SHA1: | 4FF4B4382606315D7340C280370D0243AF67A8CD |
SHA-256: | 25F595AB58251EDA060DD93BFCFE1C0070E007F5AEF3F5B1F08AD57D3A09A1B7 |
SHA-512: | CF911D20F34F8F87D18CFE32B1D431E35AFFC0ABA46C4DBD00B185E2A06620F2234E4B7051AD24BA5DAA104E8EC1D2CC0AA75ACFB1A288FA74713AC5945A8AA1 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 4741 |
Entropy (8bit): | 4.499433919214349 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zskJgtWI9tpWSC8BNs8fm8M4JXT7/SWFGm+q8a7l2clCzX3XH8Pd:uITfiqYSN3RJrTlEHHgd |
MD5: | 247823C0DFE1056D126DCFEFF884585A |
SHA1: | E5795350EAAE9A34C6E9D540BC0BFDF6345CBA37 |
SHA-256: | 31458DB04F33FEB4CC874E0F39C370A98C637DA7FE1A95D00CB04AFA209ADFEA |
SHA-512: | F35626524A9F16C3B863B3CE2EA6C66584994FE1CE9699EB15985EE807469C7E1B477C7BFCB84ED33B5AE6C77539D5043DE4CFB58659D8D98AF4881F399CC115 |
Malicious: | false |
Reputation: | low |
Static File Info |
---|
General | |
---|---|
Entropy (8bit): | 4.463887810480926 |
File name: | Facturas Pagadas Al Vencimiento.exe |
File size: | 135168 |
MD5: | c8d357afda8635441bc5838244ca0029 |
SHA1: | 026b3b6bafa462c763860afeb21b3cfe05aeb600 |
SHA256: | 94bfbe95a21d987080ac95825abde8cf1aa7955fa711c8daeea32ba18590979d |
SHA512: | 0630394ea500b46626aeb13033d6d6c213c79f1d7babc187e3bc62e4dc43272b57863fe1cdd33d83312866374801f47b4975f2631c44c96aa23f48150b8498bd |
SSDEEP: | 1536:8r2A295OAR92knLfapZm5sXu0dtyb/vxG8A:9A295OAR9ffUb+3m |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...hO.`.....................0....................@................ |
File Icon |
---|
Icon Hash: | 20047c7c70f0e004 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x4014bc |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | none set (no DYNAMIC_BASE, so the image does not opt into ASLR; no NX_COMPAT, so it does not opt into DEP) |
TLS Callbacks: | none |
CLR (.Net) Version: | none (native Visual Basic 6 binary; see the MSVBVM60.DLL import) |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 54ea68151857c1f30c42224007018bf1 |
Entrypoint Preview |
---|
The first two instructions are the standard Visual Basic 6 entry stub: push the address of the VB project header (00401764h), then call into the runtime's ThunRTMain, which VB6 imports from MSVBVM60.DLL by ordinal and which therefore does not appear by name in the Imports table. The call target as printed is not an address inside this 32-bit image (imagebase 0x400000); everything after the call is header data decoded as instructions, not code that executes. |
Instruction |
---|
push 00401764h |
call 00007FCBE49FFB95h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
xor byte ptr [eax], al |
add byte ptr [eax], al |
dec eax |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add ch, ah |
leave |
cmp al, 4Fh |
push esi |
arpl word ptr [ebp-32207EBAh], bp |
cmp dword ptr fs:[esi+0000B89Ah], esp |
add byte ptr [eax], al |
add byte ptr [eax], al |
add dword ptr [eax], eax |
add byte ptr [eax], al |
inc edx |
add byte ptr [esi], al |
push eax |
add dword ptr [ecx], 61h |
outsd |
jo 00007FCBE49FFC16h |
imul esi, dword ptr [esi+66h], 646C726Fh |
jc 00007FCBE49FFC07h |
outsb |
jnc 00007FCBE49FFBA3h |
add byte ptr [eax], al |
pushad |
jle 00007FCBE49FFBBEh |
add eax, dword ptr [eax] |
add byte ptr [eax], al |
add bh, bh |
int3 |
xor dword ptr [eax], eax |
or ah, dl |
xchg eax, ebp |
sub bl, al |
jne 00007FCBE49FFB55h |
jnp 00007FCBE49FFBE9h |
call far 4E1Ch : 67233F9Ch |
out dx, eax |
daa |
sahf |
stosb |
jmp far AE85h : 4982311Ah |
dec ebp |
xchg eax, esp |
pop esp |
push cs |
push es |
or dword ptr [edx], edi |
dec edi |
lodsd |
xor ebx, dword ptr [ecx-48EE309Ah] |
or al, 00h |
stosb |
add byte ptr [eax-2Dh], ah |
xchg eax, ebx |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
xchg eax, ebp |
add dword ptr [eax], eax |
add byte ptr [edi+00h], cl |
add byte ptr [eax], al |
add byte ptr [ebx], cl |
add byte ptr [edi+ecx*2+52h], dl |
push ebx |
dec ecx |
dec edi |
inc edi |
push edx |
inc ecx |
push eax |
dec eax |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e604 | 0x28 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21000 | 0x9b8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x14c | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1db78 | 0x1e000 | False | 0.337109375 | data | 4.7219788122 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x1f000 | 0x1230 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x21000 | 0x9b8 | 0x1000 | False | 0.178466796875 | data | 2.11818351755 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
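An added example, not code from the report or from Joe Sandbox: a dependency-free PE32 header parser that recovers the fields the Static PE Info and Sections tables above are built from (compile timestamp, file characteristics, DllCharacteristics, entrypoint, per-section entropy) and applies the triage checks a reviewer would run on them. Because the real file is not on the page, the bytes it parses are a constructed PE32 carrying the header values the report lists (timestamp 0x60BD4F68, characteristics 0x010F, entrypoint 0x14BC at imagebase 0x400000, three sections with the report's raw sizes and an all-zero .data); the section contents are placeholders, so their entropies do not match the report's.

```python
"""Added example, not code from the report: parse the PE32 headers the Static PE Info
and Sections tables summarise, then run header-level triage. The sample is CONSTRUCTED
below with the report's header values; it is not the real file."""
import math
import struct
from datetime import datetime, timezone

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # IMAGE_FILE_HEADER.Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # IMAGE_OPTIONAL_HEADER.DllCharacteristics (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # (DEP)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the 'Entropy (8bit)' measure used in the report's tables."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(buf: bytes) -> dict:
    """Read the COFF header, the PE32 optional header and the section table (no imports)."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", buf, opt + 16)[0]
    image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", buf, opt + 70)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va, "vsize": vsize,
                         "raw_size": raw_size,
                         "entropy": round(shannon_entropy(buf[raw_ptr:raw_ptr + raw_size]), 3)})
    return {"machine": machine, "timestamp": stamp,
            "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "characteristics": chars, "dll_characteristics": dll_chars,
            "entrypoint": image_base + entry_rva, "sections": sections}


def triage(pe: dict) -> list:
    """Header facts worth noting before the sample ever runs."""
    findings = []
    if pe["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED:
        findings.append("RELOCS_STRIPPED: image must load at its preferred base")
    if not pe["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        findings.append("no DYNAMIC_BASE: ASLR not requested")
    if not pe["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
        findings.append("no NX_COMPAT: DEP not requested")
    for s in pe["sections"]:
        if s["raw_size"] and s["entropy"] == 0.0:
            findings.append(f"{s['name']}: on-disk bytes are uniform (entropy 0), populated at run time")
        if s["vsize"] > s["raw_size"]:
            findings.append(f"{s['name']}: virtual size exceeds raw size (zero-filled in memory)")
    return findings


def build_sample_pe() -> bytes:
    """CONSTRUCTED PE32: header values from the report, placeholder section bytes."""
    text = bytes((i * 37) % 256 for i in range(0x1E000))   # stand-in for code (entropy 8.0)
    data = bytes(0x1000)                                    # all zeros, like the report's .data
    rsrc = bytes(0x800) + b"\x01\x02\x03\x04" * 0x200       # low-entropy stand-in (entropy 2.0)
    secs = [(b".text", 0x1000, 0x1DB78, text, 0x60000020),
            (b".data", 0x1F000, 0x1230, data, 0xC0000040),
            (b".rsrc", 0x21000, 0x9B8, rsrc, 0x40000040)]
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0x60BD4F68, 0, 0, 0xE0, 0x010F)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH",
                      0x10B, 6, 0,                                         # PE32 magic, linker 6.0
                      0x1E000, 0x2000, 0, 0x14BC, 0x1000, 0x1F000,         # sizes, entry, code/data base
                      0x400000, 0x1000, 0x200,                             # imagebase, alignments
                      4, 0, 4, 0, 4, 0,                                    # OS/image/subsystem 4.0
                      0, 0x22000, 0x200, 0,                                # SizeOfImage, SizeOfHeaders
                      2, 0).ljust(0xE0, b"\0")                             # GUI, DllCharacteristics=0
    hdrs, body, raw_ptr = b"", b"", 0x200
    for name, va, vsize, content, flags in secs:
        hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(content), raw_ptr, 0, 0, 0, 0, flags)
        body += content
        raw_ptr += len(content)
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(0x200, b"\0") + body


def analyze_sample():
    pe = parse_pe32(build_sample_pe())
    return pe, triage(pe)


if __name__ == "__main__":
    pe, findings = analyze_sample()
    print(f"compiled {pe['timestamp_utc']} UTC, entrypoint {pe['entrypoint']:#x}")
    for s in pe["sections"]:
        print(f"  {s['name']:<6} va={s['va']:#x} raw={s['raw_size']:#x} entropy={s['entropy']}")
    for f in findings:
        print("  !", f)
```

Run against a real file, `parse_pe32(open(path, "rb").read())` reproduces the timestamp, entrypoint and section entropies the report prints; on this sample the triage would flag the stripped relocations, the absent ASLR/DEP opt-ins, and the .data section whose 0x1000 on-disk bytes have entropy 0.0 while its virtual size is 0x1230, i.e. the section only gets content at run time.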
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x21888 | 0x130 | data | ||
RT_ICON | 0x215a0 | 0x2e8 | data | ||
RT_ICON | 0x21478 | 0x128 | GLS_BINARY_LSB_FIRST | ||
RT_GROUP_ICON | 0x21448 | 0x30 | data | ||
RT_VERSION | 0x21150 | 0x2f8 | data | Sesotho (Sutu) | South Africa |
Imports |
---|
DLL | Import |
---|---|
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaAryConstruct2, __vbaObjVar, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaVarErrI4, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaUI1Str, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0430 0x04b0 |
LegalCopyright | Tera data |
InternalName | GRFTNING |
FileVersion | 1.00 |
CompanyName | Tera data |
LegalTrademarks | Tera data |
Comments | Tera data |
ProductName | Tera data |
ProductVersion | 1.00 |
FileDescription | Tera data |
OriginalFilename | GRFTNING.exe |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Sesotho (Sutu) | South Africa |
Network Behavior |
---|
Only UDP/53 traffic between the analysis host (192.168.2.3) and 8.8.8.8 was captured, i.e. DNS queries and their responses; the queried names are not preserved in this listing. No TCP session to drive.google.com appears in the report, so there is no evidence that the configured payload was fetched during this run, which ended by timeout after the sample crashed into WerFault.exe twice. |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 12, 2021 15:16:26.804151058 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:16:26.856765985 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:16:28.003192902 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:16:28.053436995 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:16:28.896166086 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:16:28.948915005 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:16:30.230477095 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:16:30.296926975 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:16:31.388452053 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:16:31.441940069 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:16:32.537820101 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:16:32.599221945 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:16:33.900259972 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:16:33.962090969 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:16:35.027460098 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:16:35.077635050 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:16:36.140914917 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:16:36.193645000 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:16:37.293864965 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:16:37.353868961 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:16:38.251410007 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:16:38.302751064 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:16:39.179737091 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:16:39.240017891 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:16:40.652875900 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:16:40.704669952 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:16:41.557509899 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:16:41.607686043 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:16:44.318110943 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:16:44.370758057 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:16:45.829204082 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:16:45.879513979 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:16:46.316755056 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:16:46.370966911 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:16:47.035818100 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:16:47.096365929 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:16:58.042124033 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:16:58.105380058 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:17:01.257519960 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:17:01.319787979 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:17:04.113409996 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:17:04.204963923 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:17:19.246231079 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:17:19.313440084 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:17:21.740040064 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:17:21.800991058 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:17:22.149930000 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:17:22.211107969 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:17:31.109142065 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:17:31.170680046 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:18:09.008579016 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:18:09.067521095 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:18:10.114607096 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:18:10.173486948 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:19:21.747770071 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:19:21.894028902 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:19:22.618247986 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:19:22.746741056 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:19:23.453610897 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:19:23.512445927 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:19:23.957577944 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:19:24.019500971 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:19:24.609534979 CEST | 52123 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:19:24.671161890 CEST | 53 | 52123 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:19:25.215337038 CEST | 56130 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:19:25.274247885 CEST | 53 | 56130 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:19:25.794810057 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:19:25.853364944 CEST | 53 | 56338 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:19:26.720243931 CEST | 59420 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:19:26.780031919 CEST | 53 | 59420 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:19:27.780113935 CEST | 58784 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:19:27.838810921 CEST | 53 | 58784 | 8.8.8.8 | 192.168.2.3 |
Jun 12, 2021 15:19:28.327281952 CEST | 63978 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 12, 2021 15:19:28.389535904 CEST | 53 | 63978 | 8.8.8.8 | 192.168.2.3 |
System Behavior |
---|
General |
---|
Start time: | 15:16:32 |
Start date: | 12/06/2021 |
Path: | C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 135168 bytes |
MD5 hash: | C8D357AFDA8635441BC5838244CA0029 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Visual Basic |
Reputation: | low |
General |
---|
Start time: | 15:16:43 |
Start date: | 12/06/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xbb0000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Visual Basic |
Reputation: | high |
General |
---|
Start time: | 15:16:56 |
Start date: | 12/06/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xbb0000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Visual Basic |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|
Execution Graph |
---|
Execution Coverage: | 6.9% |
Dynamic/Decrypted Code Coverage: | 3.5% |
Signature Coverage: | 0.9% |
Total number of Nodes: | 227 |
Total number of Limit Nodes: | 12 |
Executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Similarity |
---|---|---|---|---|---|
0041C630 | 161.7 | 73 | 19 | 730 | COMMON |
Non-executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Similarity |
---|---|---|---|---|---|
0041D630 | 15.1 | 10 | | 95 | COMMON |
0041D9C0 | 10.6 | 7 | | 81 | COMMON |
0041E4F0 | 10.6 | 7 | | 73 | COMMON |
0041E3E0 | 10.6 | 7 | | 73 | COMMON |
0041DE40 | 10.5 | 7 | | 43 | COMMON |
0040DF6C | 10.5 | 7 | | 27 | COMMON |
0041D200 | 7.6 | 5 | | 68 | COMMON |