Play interactive tour

Edit tour

Windows Analysis Report fN2QHk2XYG.exe

Overview

General Information

Sample Name:	fN2QHk2XYG.exe
Analysis ID:	434546
MD5:	3d900d56e0e8284f5fea7752051fe727
SHA1:	bf0e7023d260fb580b0ad196d6135d4e5f34968c
SHA256:	686b8fac1748af72f6e0a35af456c7f473de446ba5df5430411c9ffd4c8943a0
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Potential malicious icon found

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

fN2QHk2XYG.exe (PID: 6652 cmdline: 'C:\Users\user\Desktop\fN2QHk2XYG.exe' MD5: 3D900D56E0E8284F5FEA7752051FE727)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://theater.expodium.net/wp-content/plugins/m/agent_RgbAiUJQ186.bin, https://meatflesh.com/b/agent_RgbAiUJQ186.bin"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.696727696.0000000002180000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: fN2QHk2XYG.exe

Avira: detected

Found malware configuration

Show sources

Source: 00000000.00000002.696727696.0000000002180000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://theater.expodium.net/wp-content/plugins/m/agent_RgbAiUJQ186.bin, https://meatflesh.com/b/agent_RgbAiUJQ186.bin"}

Multi AV Scanner detection for submitted file

Show sources

Source: fN2QHk2XYG.exe	Virustotal: Detection: 35%			Perma Link
Source: fN2QHk2XYG.exe	ReversingLabs: Detection: 23%

Source: fN2QHk2XYG.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://theater.expodium.net/wp-content/plugins/m/agent_RgbAiUJQ186.bin, https://meatflesh.com/b/agent_RgbAiUJQ186.bin

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\fN2QHk2XYG.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Code function: 0_2_004018A4		0_2_004018A4
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Code function: 0_2_0040572D		0_2_0040572D

Source: fN2QHk2XYG.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: fN2QHk2XYG.exe, 00000000.00000002.700011437.0000000002A40000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameBidragssatsen.exeFE2X, vs fN2QHk2XYG.exe
Source: fN2QHk2XYG.exe, 00000000.00000002.700011437.0000000002A40000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameBidragssatsen.exeFE2X vs fN2QHk2XYG.exe
Source: fN2QHk2XYG.exe, 00000000.00000002.700011437.0000000002A40000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameBidragssatsen.exeFE2Xt> vs fN2QHk2XYG.exe
Source: fN2QHk2XYG.exe, 00000000.00000002.700011437.0000000002A40000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameBidragssatsen.exeFE2Xq< vs fN2QHk2XYG.exe
Source: fN2QHk2XYG.exe, 00000000.00000002.700011437.0000000002A40000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameBidragssatsen.exeFE2Xz: vs fN2QHk2XYG.exe
Source: fN2QHk2XYG.exe, 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBidragssatsen.exe vs fN2QHk2XYG.exe
Source: fN2QHk2XYG.exe	Binary or memory string: OriginalFilenameBidragssatsen.exe vs fN2QHk2XYG.exe

Source: fN2QHk2XYG.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal92.rans.troj.evad.winEXE@1/0@0/0

Source: fN2QHk2XYG.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\fN2QHk2XYG.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\fN2QHk2XYG.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: fN2QHk2XYG.exe	Virustotal: Detection: 35%
Source: fN2QHk2XYG.exe	ReversingLabs: Detection: 23%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.696727696.0000000002180000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Code function: 0_2_004018A4 push es; retf 1207h	0_2_00401B43
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Code function: 0_2_0040B067 push esp; ret	0_2_0040B066
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Code function: 0_2_0040B011 push esp; ret	0_2_0040B066
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Code function: 0_2_0040C488 pushad ; ret	0_2_0040C490
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Code function: 0_2_0040D16E push esi; retf	0_2_0040D183
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Code function: 0_2_004099CC pushad ; iretd	0_2_004099D0
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Code function: 0_2_0040DECC push ds; iretd	0_2_0040DF0F
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Code function: 0_2_00409EB8 push esp; ret	0_2_00409F1A
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Code function: 0_2_00402F13 push dword ptr [ebp-1Ch]; ret	0_2_0041B584
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Code function: 0_2_0040B31C push esp; ret	0_2_0040B37A

Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\fN2QHk2XYG.exe

RDTSC instruction interceptor: First address: 0000000002182C1D second address: 0000000002182C1D instructions: 0x00000000 rdtsc 0x00000002 mov eax, A66414CFh 0x00000007 xor eax, 581F58E6h 0x0000000c sub eax, 229E4046h 0x00000011 sub eax, DBDD0BE2h 0x00000016 cpuid 0x00000018 popad 0x00000019 jmp 00007F8734D7F3D2h 0x0000001b test ebx, DCDA3E5Bh 0x00000021 call 00007F8734D7F39Ah 0x00000026 lfence 0x00000029 mov edx, 484CC6CEh 0x0000002e add edx, 19EAE7DAh 0x00000034 xor edx, 3A01ADFCh 0x0000003a xor edx, 27C80340h 0x00000040 mov edx, dword ptr [edx] 0x00000042 lfence 0x00000045 ret 0x00000046 sub edx, esi 0x00000048 ret 0x00000049 cmp edx, ecx 0x0000004b pop ecx 0x0000004c cmp bh, dh 0x0000004e add edi, edx 0x00000050 dec ecx 0x00000051 cmp ecx, 00000000h 0x00000054 jne 00007F8734D7F33Fh 0x00000056 test ecx, eax 0x00000058 mov dword ptr [ebp+00000237h], edx 0x0000005e mov edx, ecx 0x00000060 push edx 0x00000061 mov edx, dword ptr [ebp+00000237h] 0x00000067 jmp 00007F8734D7F3BEh 0x00000069 cmp al, cl 0x0000006b call 00007F8734D7F3BBh 0x00000070 call 00007F8734D7F403h 0x00000075 lfence 0x00000078 mov edx, 484CC6CEh 0x0000007d add edx, 19EAE7DAh 0x00000083 xor edx, 3A01ADFCh 0x00000089 xor edx, 27C80340h 0x0000008f mov edx, dword ptr [edx] 0x00000091 lfence 0x00000094 ret 0x00000095 mov esi, edx 0x00000097 pushad 0x00000098 rdtsc

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\fN2QHk2XYG.exe

Process Stats: CPU usage > 90% for more than 60s

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: fN2QHk2XYG.exe, 00000000.00000002.696430132.0000000000CA0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: fN2QHk2XYG.exe, 00000000.00000002.696430132.0000000000CA0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: fN2QHk2XYG.exe, 00000000.00000002.696430132.0000000000CA0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: fN2QHk2XYG.exe, 00000000.00000002.696430132.0000000000CA0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery11	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
fN2QHk2XYG.exe	36%	Virustotal		Browse
fN2QHk2XYG.exe	24%	ReversingLabs	Win32.Trojan.Graftor
fN2QHk2XYG.exe	100%	Avira	HEUR/AGEN.1134908

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.fN2QHk2XYG.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1134908		Download File
0.0.fN2QHk2XYG.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1134908		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	434546
Start date:	15.06.2021
Start time:	08:36:46
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	fN2QHk2XYG.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 34.2% (good quality ratio 15.7%) Quality average: 19.8% Quality standard deviation: 23.2%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Max analysis timeout: 220s exceeded, the analysis took too long Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.8068117659035945
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	fN2QHk2XYG.exe
File size:	147456
MD5:	3d900d56e0e8284f5fea7752051fe727
SHA1:	bf0e7023d260fb580b0ad196d6135d4e5f34968c
SHA256:	686b8fac1748af72f6e0a35af456c7f473de446ba5df5430411c9ffd4c8943a0
SHA512:	2e41dd45b4ca614fea7e4129b99365d795546931b24a11681bdf123547a7923c7baf3fc95dad4a362ab3a748651aa019f1ce934bbee908796e5300b2592c05ef
SSDEEP:	1536:odUkRSto0lSTokgoofDDTTMpK31whjEVsZCmsRfJeyftNB6zy:0GoFgX//31whqsZafJR9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....G.W.....................0............... ....@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x4018a4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x57AB47F9 [Wed Aug 10 15:27:53 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2c08d8f9644132654eb702b279083d5c

Entrypoint Preview

Instruction
push 00401CDCh
call 00007F8734B4CCD5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], cl
cdq
jecxz 00007F8734B4CC94h
test al, FFh
stosb
inc edi
mov al, A0h
mul dword ptr [00234A8Ch+ecx*8]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, al
insb
inc byte ptr [edx]
jne 00007F8734B4CD50h
outsb
je 00007F8734B4CD4Bh
je 00007F8734B4CD4Eh
outsb
jnc 00007F8734B4CD56h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
setb byte ptr [edi+4Ah]
sbb eax, 450F6C20h
lea ecx, dword ptr [ebx-43949032h]
aad 67h
jne 00007F8734B4CD5Ch
in eax, AAh
call far 8A1Bh : BC4B29D2h
jmp far ebx
xor ebx, dword ptr [ecx+36h]
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
scasb
add al, byte ptr [eax]
add byte ptr [ecx+00h], dl
add byte ptr [eax], al
add byte ptr [ecx], dl
add byte ptr [eax+65h], dl
outsb
jnc 00007F8734B4CD4Bh
outsd
outsb
jnc 00007F8734B4CD56h
imul ebp, dword ptr [esp+ebp*2+67h], 73746567h
add byte ptr [00000001h], cl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x21624	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x948	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1dc	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x20cfc	0x21000	False	0.381495620265	data	6.06044220649	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x22000	0x1278	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x948	0x1000	False	0.172607421875	data	2.02366150258	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x24818	0x130	data
RT_ICON	0x24530	0x2e8	data
RT_ICON	0x24408	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x243d8	0x30	data
RT_VERSION	0x24150	0x288	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaHresultCheck, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaBoolStr, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaR4Str, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, __vbaVarCopy, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Bidragssatsen
FileVersion	1.00
CompanyName	Workday
Comments	Workday
ProductName	Workday
ProductVersion	1.00
FileDescription	Workday
OriginalFilename	Bidragssatsen.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: fN2QHk2XYG.exe PID: 6652 Parent PID: 5984

General

Start time:	08:37:36
Start date:	15/06/2021
Path:	C:\Users\user\Desktop\fN2QHk2XYG.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\fN2QHk2XYG.exe'
Imagebase:	0x400000
File size:	147456 bytes
MD5 hash:	3D900D56E0E8284F5FEA7752051FE727
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.696727696.0000000002180000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: fN2QHk2XYG.exe PID: 6652 Parent PID: 5984 fN2QHk2XYG.exeCOMMON

Executed Functions

Function 004018A4, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 472COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 004018A9

Strings

VB5!6&*, xrefs: 00401CDC, 004018A4

Memory Dump Source

Source File: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: d6ca0f73f2671064917578a86edcff4f909173dba54becaf24b66c13f322fd96
Instruction ID: 0274abe5d779fb5cc7b62b5fe18af55f88075164d31aae32160a53008f98cd6c
Opcode Fuzzy Hash: d6ca0f73f2671064917578a86edcff4f909173dba54becaf24b66c13f322fd96
Instruction Fuzzy Hash: 3BE1576144E3C29FD7078B709DA65A27FB0AE1321031E41EBC4C1DE5B3E22C5A5AD776

Uniqueness

Uniqueness Score: -1.00%

Function 0041AAD0, Relevance: 47.5, APIs: 23, Strings: 4, Instructions: 237COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041AB34
#679.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,?,?), ref: 0041AB6A
__vbaFpR8.MSVBVM60 ref: 0041AB70
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041ABA3
__vbaVarDup.MSVBVM60 ref: 0041AC00
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 0041AC25
__vbaStrMove.MSVBVM60 ref: 0041AC30
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 0041AC57
__vbaNew2.MSVBVM60(00402540,hoT), ref: 0041AC6F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041AC88
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403A4C,000001E8), ref: 0041ACB5
__vbaFreeObj.MSVBVM60 ref: 0041ACBE
__vbaVarDup.MSVBVM60 ref: 0041ACE1
#553.MSVBVM60(?,?), ref: 0041ACEF
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041AD14
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041AD2A
__vbaVarDup.MSVBVM60 ref: 0041AD84
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 0041ADA9
__vbaStrMove.MSVBVM60 ref: 0041ADB4
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 0041ADDB
__vbaFreeStr.MSVBVM60(0041AE32), ref: 0041AE25
__vbaFreeStr.MSVBVM60 ref: 0041AE2A
__vbaFreeStr.MSVBVM60 ref: 0041AE2F

Strings

hoT, xrefs: 0041AC5C, 0041AC65, 0041AC75
Maumeenondesignateunlimited, xrefs: 0041ABEC
Skrivelrer1, xrefs: 0041AD70
01/01/01, xrefs: 0041ACCD

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$List$#596Move$#553#679CheckCopyHresultNew2
String ID: 01/01/01$Maumeenondesignateunlimited$Skrivelrer1$hoT
API String ID: 207475868-1041230145
Opcode ID: 154105e4c2b4a77e446daf8eee2fa76d0d6915522a205f37f3b545adc447ad99
Instruction ID: a817381a26c0285c8374b066ec04e3ac3c706ba6ed97bbee9f1e24f2fa052296
Opcode Fuzzy Hash: 154105e4c2b4a77e446daf8eee2fa76d0d6915522a205f37f3b545adc447ad99
Instruction Fuzzy Hash: C9A1C2B1C0022DAFCB14CF94DD84AEEBBB8FB58704F14416EE509A7250DBB46A49CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040572D, Relevance: 7.7, Strings: 6, Instructions: 169COMMON

Download Yara Rule

Strings

7, xrefs: 0040577F
t, xrefs: 004057E5
<, xrefs: 00405744
a, xrefs: 004057B1
m, xrefs: 00405767
{, xrefs: 004057EE

Memory Dump Source

Source File: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 7$<$a$m$t${
API String ID: 0-59773385
Opcode ID: 08880593c43748a4fea6f44c1d46a64769c83aa956b2acd32aedb31e9d55a43e
Instruction ID: b9581e2947a5f8544e7d802b286255fac921bf26d851157e1aed0e06c43e1391
Opcode Fuzzy Hash: 08880593c43748a4fea6f44c1d46a64769c83aa956b2acd32aedb31e9d55a43e
Instruction Fuzzy Hash: 9741B1916A63568AFF381470C6F173E1106DF5A300F31A93BD603EAEDAD92EC5C14623

Uniqueness

Uniqueness Score: -1.00%

Function 00420E50, Relevance: 54.5, APIs: 30, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

#517.MSVBVM60(00403A10), ref: 00420EAA
__vbaStrMove.MSVBVM60 ref: 00420EB5
__vbaStrCmp.MSVBVM60(0040399C,00000000), ref: 00420EC1
__vbaFreeStr.MSVBVM60 ref: 00420ED4
__vbaNew2.MSVBVM60(004038F0,00422390), ref: 00420EF1
__vbaLateMemCallLd.MSVBVM60(?,?,uQzYfoIri7ddvc3x8FN7bmsdWeJ3OQrppbhD233,00000000), ref: 00420F0D
__vbaObjVar.MSVBVM60(00000000), ref: 00420F17
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00420F22
__vbaHresultCheckObj.MSVBVM60(00000000,0215EF84,004038E0,0000000C), ref: 00420F3C
__vbaFreeObj.MSVBVM60 ref: 00420F45
__vbaFreeVar.MSVBVM60 ref: 00420F4E
__vbaVarDup.MSVBVM60 ref: 00420F70
#562.MSVBVM60(?), ref: 00420F7A
__vbaFreeVar.MSVBVM60 ref: 00420F91
_adj_fdiv_m64.MSVBVM60 ref: 00420FC3
__vbaFpI4.MSVBVM60(42820000,?,434A0000), ref: 00420FF4
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033B8,000002C0,?,434A0000), ref: 00421028
#610.MSVBVM60(?), ref: 00421038
#610.MSVBVM60(?), ref: 0042103E
__vbaVarAdd.MSVBVM60(?,00000009,?,00000001,00000001), ref: 00421066
#662.MSVBVM60(?,004038CC,?,00000000), ref: 0042107A
__vbaVarTstNe.MSVBVM60(?,?), ref: 0042109B
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004210B6
__vbaNew2.MSVBVM60(004038F0,00422390), ref: 004210D6
__vbaObjVar.MSVBVM60(?), ref: 004210E8
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004210F3
__vbaHresultCheckObj.MSVBVM60(00000000,0215EF84,004038E0,00000010), ref: 0042110D
__vbaFreeObj.MSVBVM60 ref: 00421116
__vbaFreeObj.MSVBVM60(00421169), ref: 00421159
__vbaFreeVar.MSVBVM60 ref: 00421162

Strings

uQzYfoIri7ddvc3x8FN7bmsdWeJ3OQrppbhD233, xrefs: 00420F01

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#610AddrefNew2$#517#562#662CallLateListMove_adj_fdiv_m64
String ID: uQzYfoIri7ddvc3x8FN7bmsdWeJ3OQrppbhD233
API String ID: 3516706468-3714022841
Opcode ID: 901be518d022c91c0bae81d1561f123e7ac5f7a5181c9fb792b36a63731b75f6
Instruction ID: 04d7808399d99da652200b5a89178a55035369bca18ed9908350f50999617e9b
Opcode Fuzzy Hash: 901be518d022c91c0bae81d1561f123e7ac5f7a5181c9fb792b36a63731b75f6
Instruction Fuzzy Hash: 37815071D00219EFDB149FA0EE48AEDBB78FB08701F50816AF645B61A0CB745945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0041AE50, Relevance: 49.2, APIs: 25, Strings: 3, Instructions: 250COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402540,hoT), ref: 0041AECA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041AEE3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A4C,0000020C), ref: 0041AF06
__vbaFreeObj.MSVBVM60 ref: 0041AF0F
__vbaVarDup.MSVBVM60 ref: 0041AF38
#553.MSVBVM60(?,?), ref: 0041AF42
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041AF67
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041AF80
__vbaVarDup.MSVBVM60 ref: 0041AFE2
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 0041B006
__vbaStrMove.MSVBVM60 ref: 0041B011
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 0041B03B
__vbaLenBstr.MSVBVM60(00403EF0), ref: 0041B045
__vbaNew2.MSVBVM60(004038F0,00422390), ref: 0041B067
__vbaHresultCheckObj.MSVBVM60(00000000,0215EF84,004038E0,0000001C), ref: 0041B08C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E50,00000054,?,?,?,?), ref: 0041B0E2
__vbaLateIdSt.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?), ref: 0041B119
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0041B122
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0041B12B
__vbaNew2.MSVBVM60(00402540,hoT), ref: 0041B144
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041B15D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403938,00000060), ref: 0041B181
__vbaFreeObj.MSVBVM60 ref: 0041B193
__vbaFreeObj.MSVBVM60(0041B1F1), ref: 0041B1E1
__vbaFreeStr.MSVBVM60 ref: 0041B1EA

Strings

hoT, xrefs: 0041AE7C, 0041AEC0, 0041AED0, 0041B131, 0041B13A, 0041B14A
Catecholamines, xrefs: 0041AFCE
01/01/01, xrefs: 0041AF24

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$List$#553#596BstrLateMove
String ID: 01/01/01$Catecholamines$hoT
API String ID: 2020296758-1437828182
Opcode ID: 74dfcb160fe1702257fb4eb262d2077c7cb9beb819fa710f626fec00cab1d758
Instruction ID: 867c41be9a8a9729b71415552b9d03d2b0924fb67b93db76240bdbd269a18dcd
Opcode Fuzzy Hash: 74dfcb160fe1702257fb4eb262d2077c7cb9beb819fa710f626fec00cab1d758
Instruction Fuzzy Hash: 41B159B5A00219AFCB14DFA5DA48BDEBBB8FF48700F10816AE509B72A0D7745A45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00420970, Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 250COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402540,hoT), ref: 004209DB
__vbaObjSet.MSVBVM60(?,00000000), ref: 004209FA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403938,000001FC), ref: 00420A39
__vbaFreeObj.MSVBVM60 ref: 00420A48
#674.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,?,?), ref: 00420A84
__vbaFpR8.MSVBVM60 ref: 00420A8A
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00420AB0
__vbaNew2.MSVBVM60(004038F0,00422390), ref: 00420AD7
__vbaHresultCheckObj.MSVBVM60(00000000,0215EF84,004038E0,0000004C), ref: 00420AFC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403F94,0000001C,?,?,?,?), ref: 00420B40
__vbaObjSet.MSVBVM60(?,?,?,?,?,?), ref: 00420B5B
__vbaFreeObj.MSVBVM60(?,?,?,?), ref: 00420B66
#519.MSVBVM60( rr), ref: 00420B6D
__vbaStrMove.MSVBVM60 ref: 00420B78
__vbaStrCmp.MSVBVM60(00404044,00000000), ref: 00420B84
__vbaFreeStr.MSVBVM60 ref: 00420B97
__vbaNew2.MSVBVM60(00402540,hoT), ref: 00420BB9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420BD2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403938,000001C0), ref: 00420BF5
__vbaLateMemCall.MSVBVM60(?,O6LxHL51aTnkYsQDbH68,00000002), ref: 00420C51
__vbaFreeObj.MSVBVM60 ref: 00420C5D
__vbaFreeVar.MSVBVM60 ref: 00420C62
__vbaFreeObj.MSVBVM60(00420CBC), ref: 00420CB4
__vbaFreeObj.MSVBVM60 ref: 00420CB9

Strings

hoT, xrefs: 004209AA, 004209D1, 004209E1, 00420BA6, 00420BAF, 00420BBF
rr, xrefs: 00420B68
O6LxHL51aTnkYsQDbH68, xrefs: 00420C2D

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$#519#674CallLateListMove
String ID: rr$O6LxHL51aTnkYsQDbH68$hoT
API String ID: 13828861-3731289759
Opcode ID: 35d548673bebf2d803e6fd8a73d9be864e1124ecf37826f8f80ab4478ef9e182
Instruction ID: 2b9ae6831b6a3d275555e46f8e8657dab89cea1fcd4107d5915c2ee419c21c47
Opcode Fuzzy Hash: 35d548673bebf2d803e6fd8a73d9be864e1124ecf37826f8f80ab4478ef9e182
Instruction Fuzzy Hash: FAA12DB1A00214AFDB14DFA8DD85B9EBBF8FF49700F10816AF905B72A5D7749805CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041BBF0, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,00403A34,00000008), ref: 0041BC4D
__vbaVarDup.MSVBVM60 ref: 0041BC67
#544.MSVBVM60(?,?), ref: 0041BC75
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041BC9A
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041BCAD
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033B8,000002B0), ref: 0041BD2A
__vbaStrCopy.MSVBVM60 ref: 0041BD3E
__vbaStrCopy.MSVBVM60 ref: 0041BD4B
__vbaVarDup.MSVBVM60 ref: 0041BD66
#710.MSVBVM60(00000008,?), ref: 0041BD8D
__vbaStrMove.MSVBVM60 ref: 0041BD98
__vbaStrCmp.MSVBVM60(00403A18,00000000), ref: 0041BDA4
__vbaFreeStr.MSVBVM60 ref: 0041BDB7
__vbaFreeVar.MSVBVM60 ref: 0041BDC0
__vbaNew2.MSVBVM60(004038F0,00422390), ref: 0041BDE1
__vbaHresultCheckObj.MSVBVM60(00000000,0215EF84,004038E0,0000001C), ref: 0041BE06
__vbaCastObj.MSVBVM60(?,0040396C), ref: 0041BE3B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041BE46
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E50,00000058), ref: 0041BE60
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041BE70

Strings

20:20:20, xrefs: 0041BC59

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$CopyList$#544#710CastConstruct2MoveNew2
String ID: 20:20:20
API String ID: 1246080522-1725373740
Opcode ID: 5babbeaac18f84d2f42fc9fcfce928b6c64bbce8f9cbe9b69a0f3d975d58de94
Instruction ID: 0d298197829300c9664aecc06a22bc9ef62f73711b67bcd5e47a51e03f8be6fd
Opcode Fuzzy Hash: 5babbeaac18f84d2f42fc9fcfce928b6c64bbce8f9cbe9b69a0f3d975d58de94
Instruction Fuzzy Hash: 238158B0D00208EFCB14DFA8D989ADEBBB8FF48700F10816AE509B72A1D7745945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041FB00, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,?,004033B8,000000A8), ref: 0041FB68
__vbaStrCmp.MSVBVM60(00000000,?), ref: 0041FB73
__vbaFreeStr.MSVBVM60 ref: 0041FB85
__vbaNew2.MSVBVM60(00402540,hoT), ref: 0041FBAD
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FBD0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A20,00000198), ref: 0041FBF3
__vbaNew2.MSVBVM60(00402540,hoT), ref: 0041FC0C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FC21
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A5C,00000048), ref: 0041FC3E
__vbaNew2.MSVBVM60(004038F0,00422390), ref: 0041FC57
__vbaHresultCheckObj.MSVBVM60(00000000,0215EF84,004038E0,0000004C), ref: 0041FC78
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403F94,00000024), ref: 0041FCA4
__vbaStrMove.MSVBVM60 ref: 0041FCB7
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041FCC7
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041FCDB
__vbaOnError.MSVBVM60(00000000), ref: 0041FCF4
__vbaNew2.MSVBVM60(00402540,hoT), ref: 0041FD0D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FD22
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004039A0,000001A8), ref: 0041FD41
__vbaFreeObj.MSVBVM60 ref: 0041FD4A
__vbaFreeStr.MSVBVM60(0041FD8D), ref: 0041FD86

Strings

hoT, xrefs: 0041FB94, 0041FB9D, 0041FBAF, 0041FBF9, 0041FC02, 0041FC0E, 0041FCFA, 0041FD03, 0041FD0F

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$List$ErrorMove
String ID: hoT
API String ID: 2931715464-937861391
Opcode ID: 80610ff0dbbe2d1806183f3641644afbba62f0b25dafcb93ab474572a37b2868
Instruction ID: 753472b0d8917996cd3dfdfe66c1b54af9aa2d89552b6f224bfb06ec32e9df74
Opcode Fuzzy Hash: 80610ff0dbbe2d1806183f3641644afbba62f0b25dafcb93ab474572a37b2868
Instruction Fuzzy Hash: E7716F71A00214AFDB14DFA5DD48EDAB7B8BF49700F10442AF945F72A0D7B4A945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041FE70, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041FEE9
__vbaStrCopy.MSVBVM60 ref: 0041FEF1
__vbaNew2.MSVBVM60(004038F0,00422390), ref: 0041FF05
__vbaHresultCheckObj.MSVBVM60(00000000,0215EF84,004038E0,00000014), ref: 0041FF30
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403900,000000F0), ref: 0041FF5E
__vbaStrMove.MSVBVM60 ref: 0041FF69
__vbaFreeObj.MSVBVM60 ref: 0041FF72
#693.MSVBVM60(0040399C), ref: 0041FF7D
#532.MSVBVM60(DEDD), ref: 0041FF8C
#660.MSVBVM60(?,?,?,00000001,00000001), ref: 0041FFBF
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041FFE0
__vbaFreeVarList.MSVBVM60(00000003,00000002,0000000A,?), ref: 0041FFF7
__vbaNew2.MSVBVM60(004038F0,00422390), ref: 0042001B
__vbaHresultCheckObj.MSVBVM60(00000000,0215EF84,004038E0,0000004C), ref: 00420040
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403F94,0000001C,?,?,?,?), ref: 0042008D
__vbaObjSet.MSVBVM60(?,?,?,?,?,?), ref: 0042009E
__vbaFreeObj.MSVBVM60(?,?,?,?), ref: 004200A7
__vbaFreeStr.MSVBVM60(00420117), ref: 00420101
__vbaFreeObj.MSVBVM60 ref: 00420106
__vbaFreeStr.MSVBVM60 ref: 0042010F
__vbaFreeStr.MSVBVM60 ref: 00420114

Strings

DEDD, xrefs: 0041FF87

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$CopyNew2$#532#660#693ListMove
String ID: DEDD
API String ID: 303901731-2798080213
Opcode ID: 6e8864915b79544f2f18aa806f60393cf25131e5f3a08b974d5ea74876d96f12
Instruction ID: eb927650430f1b16570073f3607061ac4d10ef1ece85a520f8ff8b7c5ff31957
Opcode Fuzzy Hash: 6e8864915b79544f2f18aa806f60393cf25131e5f3a08b974d5ea74876d96f12
Instruction Fuzzy Hash: 15713BB5D00219AFDB10DF94D985ADEBBB9FF48B00F20806AF505B72A1C7B45946CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041C500, Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

#616.MSVBVM60(00403A18,00000001), ref: 0041C547
__vbaStrMove.MSVBVM60 ref: 0041C558
__vbaStrCmp.MSVBVM60(00403A10,00000000), ref: 0041C560
__vbaFreeStr.MSVBVM60 ref: 0041C573
#571.MSVBVM60(0000002B), ref: 0041C580
__vbaI4Str.MSVBVM60(00403990), ref: 0041C58B
#697.MSVBVM60(00000000), ref: 0041C592
__vbaStrMove.MSVBVM60 ref: 0041C59D
__vbaStrCmp.MSVBVM60(0040399C,00000000), ref: 0041C5A5
__vbaFreeStr.MSVBVM60 ref: 0041C5B8
#570.MSVBVM60(000000AD), ref: 0041C5C8
__vbaStrCopy.MSVBVM60 ref: 0041C5D6
#524.MSVBVM60(?,?), ref: 0041C5F1
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041C60D
__vbaFreeVar.MSVBVM60 ref: 0041C619
__vbaNew2.MSVBVM60(004038F0,00422390), ref: 0041C63A
__vbaHresultCheckObj.MSVBVM60(00000000,0215EF84,004038E0,0000001C), ref: 0041C65F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E50,00000060), ref: 0041C6AE
__vbaFreeObj.MSVBVM60 ref: 0041C6B7
__vbaFreeStr.MSVBVM60(0041C6F4), ref: 0041C6ED

Strings

Parisiskes8, xrefs: 0041C687

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#524#570#571#616#697CopyNew2
String ID: Parisiskes8
API String ID: 4051536704-4275025436
Opcode ID: cedd6b93179b6a576b5f7e17979304da25c729a4ddeb952c363ad6f4d131891c
Instruction ID: 2a664aedcc907ac3d378ba46b1547653e51d7a8f8f83f83adf46ba831f4d4860
Opcode Fuzzy Hash: cedd6b93179b6a576b5f7e17979304da25c729a4ddeb952c363ad6f4d131891c
Instruction Fuzzy Hash: 0A515F70A40218EFCB14DFA4DE49ADEBBB8FB58701F204126E506B72A0D7785D45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004148A0, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402540,hoT), ref: 004148FF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041491E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A4C,000000D0), ref: 00414941
#592.MSVBVM60(?), ref: 0041495A
__vbaFreeObj.MSVBVM60 ref: 0041496F
__vbaFreeVar.MSVBVM60 ref: 0041497E
__vbaNew2.MSVBVM60(00402540,hoT), ref: 0041499C
__vbaObjSet.MSVBVM60(?,00000000), ref: 004149B5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004039A0,00000050), ref: 004149D2
#716.MSVBVM60(00000002,?,00000000), ref: 004149E2
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00414A0A
__vbaFreeStr.MSVBVM60 ref: 00414A13
__vbaFreeObj.MSVBVM60 ref: 00414A1C
__vbaFreeVar.MSVBVM60 ref: 00414A25
__vbaNew2.MSVBVM60(00402540,hoT), ref: 00414A3A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414A53
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A5C,00000068), ref: 00414A70
__vbaFreeObj.MSVBVM60 ref: 00414A7F
__vbaFreeObj.MSVBVM60(00414AB3), ref: 00414AAC

Strings

hoT, xrefs: 004148D7, 004148F5, 00414905, 00414989, 00414992, 004149A2, 00414A27, 00414A30, 00414A40

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultNew2$#592#716Late
String ID: hoT
API String ID: 3616571326-937861391
Opcode ID: da4548367a3aeeda1b0ef4b82dc4de64a7009ee9ddafd6f337713c866f8b5193
Instruction ID: c8b62566602b71fdca7ef5b8e3d88c2113eece09edc5fcc242aa9b22582ae368
Opcode Fuzzy Hash: da4548367a3aeeda1b0ef4b82dc4de64a7009ee9ddafd6f337713c866f8b5193
Instruction Fuzzy Hash: 44512A74A00205ABCB14DFA4DA89EDEBBB8BF48701F10852AE505F72A0D7749945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041B710, Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 156COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041B76E
__vbaStrCopy.MSVBVM60 ref: 0041B776
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000003,00000000), ref: 0041B789
__vbaVarMove.MSVBVM60 ref: 0041B7B9
__vbaVarCopy.MSVBVM60 ref: 0041B7E5
__vbaVarMove.MSVBVM60 ref: 0041B809
__vbaVarCopy.MSVBVM60 ref: 0041B831
#668.MSVBVM60(?,?), ref: 0041B83B
__vbaErase.MSVBVM60(00000000,?), ref: 0041B846
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041B86B
__vbaFreeVar.MSVBVM60 ref: 0041B877
__vbaEnd.MSVBVM60 ref: 0041B882
__vbaNew2.MSVBVM60(00402540,hoT), ref: 0041B89B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041B8B4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403938,000001EC), ref: 0041B902
__vbaFreeObj.MSVBVM60 ref: 0041B90B
__vbaFreeStr.MSVBVM60(0041B952), ref: 0041B94A
__vbaFreeStr.MSVBVM60 ref: 0041B94F

Strings

hoT, xrefs: 0041B888, 0041B891, 0041B8A1
plums, xrefs: 0041B8DB

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CopyFree$Move$#668CheckEraseHresultNew2Redim
String ID: hoT$plums
API String ID: 975322020-2157525026
Opcode ID: 431c5227cc8a671c550fdc9c851f80ad8efb6a87f3891e2885bf87aa502a5d8a
Instruction ID: 879b2afd34caad5bb0d7ab4d9d2d7a11f3cb5be20d9132309a9e348a00e7ab8d
Opcode Fuzzy Hash: 431c5227cc8a671c550fdc9c851f80ad8efb6a87f3891e2885bf87aa502a5d8a
Instruction Fuzzy Hash: 8A6150B0D00259DFDB14DFA8DD88AADBBB9FF48704F10812AE505BB2A0D7745946CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00420520, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00420575
__vbaNew2.MSVBVM60(004038F0,00422390), ref: 0042058D
__vbaHresultCheckObj.MSVBVM60(00000000,0215EF84,004038E0,00000014), ref: 004205B8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403900,000000C0), ref: 004205E6
__vbaFreeObj.MSVBVM60 ref: 004205F1
__vbaNew2.MSVBVM60(00402540,hoT), ref: 00420606
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042061F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040397C,00000180), ref: 00420642
__vbaFreeObj.MSVBVM60 ref: 00420647
__vbaI4Str.MSVBVM60(00403990), ref: 0042064E
#608.MSVBVM60(?,00000000), ref: 00420659
__vbaVarTstNe.MSVBVM60(?,?), ref: 00420675
__vbaFreeVar.MSVBVM60 ref: 00420681
__vbaNew2.MSVBVM60(004038F0,00422390), ref: 0042069F
__vbaHresultCheckObj.MSVBVM60(00000000,0215EF84,004038E0,00000048), ref: 004206C6
__vbaStrMove.MSVBVM60 ref: 004206D5
__vbaFreeStr.MSVBVM60(00420719), ref: 00420711
__vbaFreeStr.MSVBVM60 ref: 00420716

Strings

hoT, xrefs: 004205F3, 004205FC, 0042060C

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$#608CopyMove
String ID: hoT
API String ID: 4240346833-937861391
Opcode ID: c2dd02b1b3c2c1da4c6d8dad4bb3222640f489f64b9bea6691acc8d5a7311da8
Instruction ID: 40ef9631feb91487c38d1a04e1f8fb439bbf3defffa667910dea1ba0ac8c7808
Opcode Fuzzy Hash: c2dd02b1b3c2c1da4c6d8dad4bb3222640f489f64b9bea6691acc8d5a7311da8
Instruction Fuzzy Hash: 69515C70A00219AFCB10DFA5DD89E9EBBF8FF58705F104026F505B72A0C7B8A945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00421260, Relevance: 31.6, APIs: 21, Instructions: 150COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004212C4
__vbaStrCopy.MSVBVM60 ref: 004212CC
__vbaStrCopy.MSVBVM60 ref: 004212D4
__vbaStrCopy.MSVBVM60 ref: 004212DC
#676.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,?,?), ref: 0042130E
__vbaFpR8.MSVBVM60 ref: 00421314
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00421340
__vbaEnd.MSVBVM60 ref: 0042134C
__vbaVarDup.MSVBVM60 ref: 00421366
#564.MSVBVM60(?,?), ref: 00421374
__vbaHresultCheck.MSVBVM60(00000000), ref: 0042137F
__vbaVarTstNe.MSVBVM60(?,?), ref: 0042139B
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004213AE
__vbaNew2.MSVBVM60(004038F0,00422390), ref: 004213CA
__vbaHresultCheckObj.MSVBVM60(00000000,0215EF84,004038E0,00000048), ref: 004213F4
__vbaStrMove.MSVBVM60 ref: 00421403
__vbaFreeStr.MSVBVM60(00421452), ref: 0042143B
__vbaFreeStr.MSVBVM60 ref: 00421440
__vbaFreeStr.MSVBVM60 ref: 00421445
__vbaFreeStr.MSVBVM60 ref: 0042144A
__vbaFreeStr.MSVBVM60 ref: 0042144F

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Copy$CheckHresultList$#564#676MoveNew2
String ID:
API String ID: 2576684927-0
Opcode ID: e1ac9b8c6d018b50e8b12c3bf2def9cb07e4053154931eda3be747a2515678f2
Instruction ID: cfd635a05b949fbef8d24674332301abab94cfad742acbf48d7540415066b92a
Opcode Fuzzy Hash: e1ac9b8c6d018b50e8b12c3bf2def9cb07e4053154931eda3be747a2515678f2
Instruction Fuzzy Hash: D95148B1D0021AAFCB14DF94D945AEEBBB8FF58700F10811AF815B7260DB746906CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00420CF0, Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420D2D
#706.MSVBVM60(00000001,00000000,00000000), ref: 00420D37
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420D48
__vbaI4Str.MSVBVM60(00403990,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420D4F
#537.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420D56
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420D61
__vbaStrCmp.MSVBVM60(0040399C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420D69
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420D7C
__vbaEnd.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420D87
__vbaNew2.MSVBVM60(00402540,hoT,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420DA0
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420DB9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403938,000001EC), ref: 00420E01
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420E0A
__vbaFreeStr.MSVBVM60(00420E3B,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420E33
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420E38

Strings

hoT, xrefs: 00420D8D, 00420D96, 00420DA6
tippernes, xrefs: 00420DD0

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#537#706CheckCopyHresultNew2
String ID: hoT$tippernes
API String ID: 999016634-152669187
Opcode ID: 76d96497a3d9412ce33b7822c9406b5ae9a67f9d2a155deeb12c7f38d8244eea
Instruction ID: cee251d586444a96583cc138008e0f34bbcc49578cd63589c8ada31dc9e685bd
Opcode Fuzzy Hash: 76d96497a3d9412ce33b7822c9406b5ae9a67f9d2a155deeb12c7f38d8244eea
Instruction Fuzzy Hash: 18315275A00214AFCB14DFA4DD49AAEBFB8FF58701F104126F906B72A0DB745941CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00420150, Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402540,hoT), ref: 004201AC
__vbaObjSet.MSVBVM60(?,00000000), ref: 004201CB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004039A0,00000098), ref: 004201EE
__vbaNew2.MSVBVM60(00402540,hoT), ref: 00420207
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420220
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403D3C,00000130), ref: 004202AD
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004202BD
__vbaNew2.MSVBVM60(00402540,hoT), ref: 004202D9
__vbaObjSet.MSVBVM60(?,00000000), ref: 004202F8
__vbaNew2.MSVBVM60(00402540,hoT), ref: 00420314
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042032D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403938,000000A8), ref: 00420350
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A4C,000001EC), ref: 00420390
__vbaFreeStr.MSVBVM60 ref: 00420399
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004203A9

Strings

hoT, xrefs: 00420187, 004201A2, 004201B2, 004201F4, 004201FD, 0042020D, 004202C3, 004202CF, 004202DF, 004202FC, 0042030A, 0042031A

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresultNew2$Free$List
String ID: hoT
API String ID: 191279167-937861391
Opcode ID: 2d6ede49a6ace5844f0173107b98205109cc9c5e03a0f05929ae5240c0953537
Instruction ID: 354b715435ac8ae4b39ac1f9632b7aa5c35b73a0e5fc0f8a3544c1fb5f21acff
Opcode Fuzzy Hash: 2d6ede49a6ace5844f0173107b98205109cc9c5e03a0f05929ae5240c0953537
Instruction Fuzzy Hash: 01815274A00204AFC710DFA8D989F9ABBF9FF49700F60806AE905F7291D7759906CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00420740, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004207A1
__vbaStrCopy.MSVBVM60 ref: 004207AB
#524.MSVBVM60(?,?), ref: 004207C2
__vbaVarTstNe.MSVBVM60(?,?), ref: 004207DE
__vbaFreeVar.MSVBVM60 ref: 004207EA
__vbaNew2.MSVBVM60(004038F0,00422390), ref: 0042080B
__vbaHresultCheckObj.MSVBVM60(00000000,0215EF84,004038E0,0000001C), ref: 00420830
__vbaNew2.MSVBVM60(00402540,hoT), ref: 0042085A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420873
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403938,000000A8), ref: 0042089A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E50,00000060), ref: 004208D5
__vbaFreeStr.MSVBVM60 ref: 004208DE
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004208EE
__vbaFreeStr.MSVBVM60(00420943), ref: 0042093B
__vbaFreeStr.MSVBVM60 ref: 00420940

Strings

hoT, xrefs: 00420836, 00420850, 00420860

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$CopyNew2$#524List
String ID: hoT
API String ID: 592294731-937861391
Opcode ID: afd279799b12bcbb342d1e902a17c9dcf695869fb738961bc3c7d02bb59c11f8
Instruction ID: ce729e0b33dc88027de3eb47e83256515dc996167130ab936b4a035f00c34e78
Opcode Fuzzy Hash: afd279799b12bcbb342d1e902a17c9dcf695869fb738961bc3c7d02bb59c11f8
Instruction Fuzzy Hash: EA511DB4E00219AFCB04DF95D949ADEFBB9FF58701F10802AE505B72A1C7B45945CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00414260, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

__vbaI4Str.MSVBVM60(00403990), ref: 004142B1
#608.MSVBVM60(?,00000000), ref: 004142BC
__vbaVarTstNe.MSVBVM60(?,?), ref: 004142D8
__vbaFreeVar.MSVBVM60 ref: 004142E4
__vbaNew2.MSVBVM60(00402540,hoT), ref: 00414306
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414325
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004039A0,00000120), ref: 00414348
__vbaNew2.MSVBVM60(00402540,hoT), ref: 00414361
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041437A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004039B0,00000148), ref: 0041439D
__vbaInStrVar.MSVBVM60(?,00000000,00008008,?,?), ref: 004143D4
__vbaI4Var.MSVBVM60(00000000), ref: 004143DB
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004143EB
__vbaFreeVarList.MSVBVM60(00000002,00000009,?), ref: 004143FB

Strings

hoT, xrefs: 004142F3, 004142FC, 0041430C, 0041434E, 00414357, 00414367
passulate, xrefs: 004143C6

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultListNew2$#608
String ID: hoT$passulate
API String ID: 821347214-1276889307
Opcode ID: 903991b4c489633e0884f4ff0d3be28894bef23d653c0fae810491526be668dc
Instruction ID: dac49699d1c4c82f7e7813b7d5cbf41167575862f79eabce4aa76ea0017d51d4
Opcode Fuzzy Hash: 903991b4c489633e0884f4ff0d3be28894bef23d653c0fae810491526be668dc
Instruction Fuzzy Hash: 3F5130B4901208AFCB00DF94DE88EEEBBB9FB48704F60452AF545F72A0D7745905CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00414AE0, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 108COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402540,hoT,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00414B33
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00414B52
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403938,000001EC), ref: 00414B96
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00414BA5
__vbaNew2.MSVBVM60(00402540,hoT), ref: 00414BBA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414BD3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004039B0,000001C0), ref: 00414BF2
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00414BFB
#587.MSVBVM60(00000000,3FF00000), ref: 00414C04
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00414C0A
#580.MSVBVM60(Styringscomputeren,00000001), ref: 00414C24

Strings

hoT, xrefs: 00414B17, 00414B29, 00414B39, 00414BA7, 00414BB0, 00414BC0
Styringscomputeren, xrefs: 00414C1F
KANTSTENENS, xrefs: 00414B65

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2$#580#587
String ID: KANTSTENENS$Styringscomputeren$hoT
API String ID: 1664163399-2674501553
Opcode ID: 7ca7f79fbd5e7e6d2c10710b17f0f0992eca17480e6c1997d678d591dbec909a
Instruction ID: 086304ba4a6bc16e133a29a4e4503ab2b6eba0a2384d87e393ce40811bc9062b
Opcode Fuzzy Hash: 7ca7f79fbd5e7e6d2c10710b17f0f0992eca17480e6c1997d678d591dbec909a
Instruction Fuzzy Hash: FA416574A00214AFCB109F64CE49F9A7BB8FB49701F104066F945F72A1D7789941CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00414090, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402540,hoT), ref: 004140DA
__vbaObjSet.MSVBVM60(?,00000000), ref: 004140F9
__vbaNew2.MSVBVM60(00402540,hoT), ref: 00414110
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414129
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403938,00000218), ref: 0041414C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403938,000001EC), ref: 00414191
__vbaFreeStr.MSVBVM60 ref: 0041419A
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004141AA
__vbaNew2.MSVBVM60(00402540,hoT), ref: 004141C6
__vbaObjSet.MSVBVM60(?,00000000), ref: 004141DF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040397C,00000088), ref: 00414202
__vbaFreeObj.MSVBVM60 ref: 00414211

Strings

hoT, xrefs: 004140B9, 004140D0, 004140E0, 004140FD, 00414106, 00414116, 004141B0, 004141BC, 004141CC

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2$List
String ID: hoT
API String ID: 2509323985-937861391
Opcode ID: c0ace793c7c21d3d4e0b01f4df89e9ab6317647b85458282b10cc4cfcd9b2dcd
Instruction ID: 949c94ead35c932dd60d6b90075866319507dc32e4ad68558f37bfa00d5c1594
Opcode Fuzzy Hash: c0ace793c7c21d3d4e0b01f4df89e9ab6317647b85458282b10cc4cfcd9b2dcd
Instruction Fuzzy Hash: 41417374A40205BFC710DFA4CD89FAE7BB8FB58B01F108529F945F72A1D6749942CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00413BF0, Relevance: 21.1, APIs: 14, Instructions: 132COMMON

Download Yara Rule

APIs

#610.MSVBVM60(?), ref: 00413C49
#661.MSVBVM60(?,004038CC,00000000,3FF00000,?), ref: 00413C5E
#610.MSVBVM60(?), ref: 00413C68
__vbaVarAdd.MSVBVM60(?,?,?,?), ref: 00413C88
__vbaVarTstNe.MSVBVM60(00000000), ref: 00413C8F
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00413CAA
__vbaNew2.MSVBVM60(004038F0,00422390), ref: 00413CCA
__vbaHresultCheckObj.MSVBVM60(00000000,0215EF84,004038E0,00000048), ref: 00413CF4
__vbaStrMove.MSVBVM60 ref: 00413D03
__vbaNew2.MSVBVM60(004038F0,00422390), ref: 00413D1B
__vbaHresultCheckObj.MSVBVM60(00000000,0215EF84,004038E0,00000014), ref: 00413D40
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403900,000000B8), ref: 00413D6D
__vbaFreeObj.MSVBVM60 ref: 00413D76
__vbaFreeStr.MSVBVM60(00413DC0), ref: 00413DB9

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$#610New2$#661ListMove
String ID:
API String ID: 4150538313-0
Opcode ID: c202d7c8394d46e3cd7fe96c04343b18671ecffc43b43f907a345bf0d26e897c
Instruction ID: 9623937efe0d1ed414f79a126cf0d711382a1a83107a1edafba65cb8e6a225fd
Opcode Fuzzy Hash: c202d7c8394d46e3cd7fe96c04343b18671ecffc43b43f907a345bf0d26e897c
Instruction Fuzzy Hash: 14413CB5900219AFCB10DF94DD49EEEBBB8FF58701F10412AF505B71A0D7B85945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00413F10, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00413F50
#676.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,?,?), ref: 00413F86
__vbaFpR8.MSVBVM60 ref: 00413F8C
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00413FB7
__vbaNew2.MSVBVM60(004038F0,00422390), ref: 00413FD7
__vbaCastObj.MSVBVM60(?,0040396C,ekspeditricerne), ref: 00413FF3
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413FFE
__vbaHresultCheckObj.MSVBVM60(00000000,0215EF84,004038E0,00000040), ref: 00414018
__vbaFreeObj.MSVBVM60 ref: 00414021
__vbaFreeObj.MSVBVM60(0041406D), ref: 0041405D
__vbaFreeStr.MSVBVM60 ref: 00414066

Strings

ekspeditricerne, xrefs: 00413FE6

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#676CastCheckCopyHresultListNew2
String ID: ekspeditricerne
API String ID: 2764453826-1880822252
Opcode ID: 270faa976acba25d61da3f72fe536a5c14f796e9f44e741d9b4a713dc6723cba
Instruction ID: 1e0a7106793c2204903507bdb6b200a599e73e1e5d631327d157670df13f2e85
Opcode Fuzzy Hash: 270faa976acba25d61da3f72fe536a5c14f796e9f44e741d9b4a713dc6723cba
Instruction Fuzzy Hash: 92311E70900209AFCB14DF95DE49BEEBBB8FB49701F20412AF545B62A0D7785A41CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 00414460, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004144CD
__vbaR4Str.MSVBVM60(004039DC), ref: 004144D8
__vbaVarDup.MSVBVM60 ref: 00414543
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 0041456B
__vbaStrMove.MSVBVM60 ref: 00414576
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 004145A0
__vbaFreeStr.MSVBVM60(004145FE), ref: 004145F6
__vbaFreeStr.MSVBVM60 ref: 004145FB

Strings

Bibeskftigelsernes, xrefs: 0041452F

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#596CopyListMove
String ID: Bibeskftigelsernes
API String ID: 2863382718-3164189337
Opcode ID: a1f9a121b6e5b7bbb84d49cfd74169af31f47251b57d6176b54a76e05a9dca08
Instruction ID: 65c156ed9ef55b261266cc7b07bbd678f61cf9e2ed0625ec5a053040fcdfdf7c
Opcode Fuzzy Hash: a1f9a121b6e5b7bbb84d49cfd74169af31f47251b57d6176b54a76e05a9dca08
Instruction Fuzzy Hash: 9741D6B1D11219EFCB14CF99DA44ADEBBB8FB48700F20816BE20AB7250D7741A49CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00420420, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

#705.MSVBVM60(?,00000000), ref: 00420464
__vbaStrMove.MSVBVM60 ref: 0042046F
__vbaFreeVar.MSVBVM60 ref: 00420478
__vbaNew2.MSVBVM60(00402540,hoT), ref: 00420491
__vbaObjSet.MSVBVM60(?,00000000), ref: 004204AA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A4C,00000208), ref: 004204CD
__vbaFreeObj.MSVBVM60 ref: 004204D6
__vbaFreeStr.MSVBVM60(00420500), ref: 004204F9

Strings

hoT, xrefs: 0042047E, 00420487, 00420497

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#705CheckHresultMoveNew2
String ID: hoT
API String ID: 1968677507-937861391
Opcode ID: f0921c8da66dea128e5506e918e3e6e90fe460b212d9fc0e68350cb9fa78dca1
Instruction ID: a8085bcb6ed78adecccc87b2fd6a4dc88f93d387430ddf46f5c06462f007102d
Opcode Fuzzy Hash: f0921c8da66dea128e5506e918e3e6e90fe460b212d9fc0e68350cb9fa78dca1
Instruction Fuzzy Hash: 69214D74A00205ABCB10DF94DE4DEAEBBB9FB58705F104026F642F71B1D7745945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00421480, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402540,hoT), ref: 004214C7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004214E6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A20,000000F8), ref: 00421509
__vbaNew2.MSVBVM60(00402540,hoT), ref: 00421522
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042153B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A5C,00000130), ref: 004215CA
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004215DA

Strings

hoT, xrefs: 004214A9, 004214BD, 004214CD, 0042150F, 00421518, 00421528

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresultNew2$FreeList
String ID: hoT
API String ID: 1549294082-937861391
Opcode ID: 3bd51ce2d5eea663e37b0b4ec75a01cafae224317a36c14cf19c309e46b81bcf
Instruction ID: c899c08ce4e9756651fb77ff30fc8f5e82143324f2ea500c97f1bcb82dd1429c
Opcode Fuzzy Hash: 3bd51ce2d5eea663e37b0b4ec75a01cafae224317a36c14cf19c309e46b81bcf
Instruction Fuzzy Hash: C74130B4A00204AFCB14DF98D989A9EBBF9FF48700F50806AE905F73A1D7749945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041C1A0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041C1E6
#516.MSVBVM60(0040399C), ref: 0041C1F1
__vbaVarDup.MSVBVM60 ref: 0041C22D
#595.MSVBVM60(?,00000000,?,?,?), ref: 0041C244
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041C25C
__vbaFreeStr.MSVBVM60(0041C292), ref: 0041C28B

Strings

Udmarvnings8, xrefs: 0041C21F

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#516#595CopyList
String ID: Udmarvnings8
API String ID: 515552688-761385786
Opcode ID: 13dc94da40231d9b72d7f91a4e8b1c46743409b51c080b72b1260ac5551131b5
Instruction ID: e466ce92e85676bc5a6d7c928ed610b1900d17459876c1e74bc6b8a91cf78086
Opcode Fuzzy Hash: 13dc94da40231d9b72d7f91a4e8b1c46743409b51c080b72b1260ac5551131b5
Instruction Fuzzy Hash: 8E21D8B1C41249AFCB04DFD8DA45ADEBBB8EB08701F20812AF506B7254D7746A09CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041FDB0, Relevance: 12.0, APIs: 8, Instructions: 46COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FDF3
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FDFB
#536.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FE0C
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FE17
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FE20
__vbaFreeStr.MSVBVM60(0041FE4D,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FE40
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FE45
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FE4A

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Copy$#536Move
String ID:
API String ID: 754517999-0
Opcode ID: ad02998d60dd76802e1479f348e015364292d0049cc2ed8f446472805dc71e99
Instruction ID: ae37cb24f6c1e9938e939b742b14975ada79c8cb3c578f16343ebac0e352bccf
Opcode Fuzzy Hash: ad02998d60dd76802e1479f348e015364292d0049cc2ed8f446472805dc71e99
Instruction Fuzzy Hash: 4711AC71D002199FCB04DFA4DA45AEEBBB4FB58700F10812AE516F72A4EB346A46CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0041C9D0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402540,hoT), ref: 0041CA13
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041CA2C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004039B0,000001C4), ref: 0041CA4F
__vbaFreeObj.MSVBVM60 ref: 0041CA58

Strings

hoT, xrefs: 0041C9F9, 0041CA09, 0041CA19

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: hoT
API String ID: 1645334062-937861391
Opcode ID: 2dad93ff4f2ce014e16fbeea2d2bea608c55a0c74987db4e93623eaaa8a86149
Instruction ID: 25a241702b6b0e9bc543e50fcc0eb42a061b3873cca23a165d4e16e31c354c9c
Opcode Fuzzy Hash: 2dad93ff4f2ce014e16fbeea2d2bea608c55a0c74987db4e93623eaaa8a86149
Instruction Fuzzy Hash: 77018C74680204BBD710DF64CE89FAA7BBCFB04B45F104466F941F72A0D3B85904CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00421190, Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(004038F0,00422390,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 004211D4
__vbaHresultCheckObj.MSVBVM60(00000000,0215EF84,004038E0,00000014,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 004211F9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403900,000000B8,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00421223
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0042122C

Memory Dump Source

Source File: 00000000.00000002.693610148.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.692929139.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.692936797.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.695124866.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID:
API String ID: 4261391273-0
Opcode ID: a9426e20b29d037f9dcb2bfd998f04e9212961f1a6dd2923f1275b06199ab5a9
Instruction ID: bbc45858572b71ca155e9a1e42e392250a5d1bd90455c45a724876a803e97c0a
Opcode Fuzzy Hash: a9426e20b29d037f9dcb2bfd998f04e9212961f1a6dd2923f1275b06199ab5a9
Instruction Fuzzy Hash: 30119D74A00215ABCB10DF55DD4AFAABBBCEB29701F504026F505F32B0C6B868418BA8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report fN2QHk2XYG.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: fN2QHk2XYG.exe PID: 6652 Parent PID: 5984

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: fN2QHk2XYG.exe PID: 6652 Parent PID: 5984 fN2QHk2XYG.exeCOMMON

Executed Functions

Function 004018A4, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 472COMMON

Function 0041AAD0, Relevance: 47.5, APIs: 23, Strings: 4, Instructions: 237COMMON

Non-executed Functions