Play interactive tour

Edit tour

Windows Analysis Report lpSbvoEkD6.exe

Overview

General Information

Sample Name:	lpSbvoEkD6.exe
Analysis ID:	434685
MD5:	ab19307ba349239ed32f7ec471c882e6
SHA1:	451cb1fc62f9fcd4d6f5e8b187404d278f21c65e
SHA256:	5445447afbc7e74f9a827b122e1b38c4cb9715ec3dfc5bbfbf4805759bfc6eac
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Potential malicious icon found

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

lpSbvoEkD6.exe (PID: 6092 cmdline: 'C:\Users\user\Desktop\lpSbvoEkD6.exe' MD5: AB19307BA349239ED32F7EC471C882E6)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://theater.expodium.net/wp-content/plugins/m/Host_AvQmpG228.bin, https://meatflesh.com/b/Host_AvQmpG228.bin"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
lpSbvoEkD6.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.216224466.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.lpSbvoEkD6.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
0.0.lpSbvoEkD6.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: lpSbvoEkD6.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "http://theater.expodium.net/wp-content/plugins/m/Host_AvQmpG228.bin, https://meatflesh.com/b/Host_AvQmpG228.bin"}

Multi AV Scanner detection for submitted file

Show sources

Source: lpSbvoEkD6.exe

Virustotal: Detection: 29%

Perma Link

Source: lpSbvoEkD6.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://theater.expodium.net/wp-content/plugins/m/Host_AvQmpG228.bin, https://meatflesh.com/b/Host_AvQmpG228.bin

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\lpSbvoEkD6.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\lpSbvoEkD6.exe

Code function: 0_2_00405720

0_2_00405720

Source: lpSbvoEkD6.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: lpSbvoEkD6.exe, 00000000.00000002.576799654.0000000002300000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs lpSbvoEkD6.exe
Source: lpSbvoEkD6.exe, 00000000.00000002.576781617.00000000021E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCHELEM.exeFE2X0 vs lpSbvoEkD6.exe
Source: lpSbvoEkD6.exe, 00000000.00000002.576781617.00000000021E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCHELEM.exeFE2X vs lpSbvoEkD6.exe
Source: lpSbvoEkD6.exe, 00000000.00000002.576781617.00000000021E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCHELEM.exeFE2X^ vs lpSbvoEkD6.exe
Source: lpSbvoEkD6.exe, 00000000.00000002.576781617.00000000021E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCHELEM.exeFE2X3 vs lpSbvoEkD6.exe
Source: lpSbvoEkD6.exe, 00000000.00000002.576781617.00000000021E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCHELEM.exeFE2Xu vs lpSbvoEkD6.exe
Source: lpSbvoEkD6.exe, 00000000.00000002.576781617.00000000021E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCHELEM.exeFE2XV vs lpSbvoEkD6.exe
Source: lpSbvoEkD6.exe, 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCHELEM.exe vs lpSbvoEkD6.exe
Source: lpSbvoEkD6.exe	Binary or memory string: OriginalFilenameCHELEM.exe vs lpSbvoEkD6.exe

Source: lpSbvoEkD6.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal84.rans.troj.evad.winEXE@1/0@0/0

Source: lpSbvoEkD6.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\lpSbvoEkD6.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\lpSbvoEkD6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: lpSbvoEkD6.exe

Virustotal: Detection: 29%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: lpSbvoEkD6.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.216224466.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.lpSbvoEkD6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.lpSbvoEkD6.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\lpSbvoEkD6.exe	Code function: 0_2_00409AF3 push ss; retf	0_2_00409AFB
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe	Code function: 0_2_00406141 push 5A7B4F15h; ret	0_2_0040614C
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe	Code function: 0_2_00406D6B push eax; ret	0_2_00406D6D
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe	Code function: 0_2_00402F03 push dword ptr [ebp-1Ch]; ret	0_2_0041B0E4
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe	Code function: 0_2_00406BCA pushfd ; ret	0_2_00406BD1
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe	Code function: 0_2_00407D85 pushad ; iretd	0_2_00407DA1

Source: C:\Users\user\Desktop\lpSbvoEkD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\lpSbvoEkD6.exe

RDTSC instruction interceptor: First address: 0000000002C32B24 second address: 0000000002C32B24 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 9E07C293h 0x00000007 add eax, 10CAA39Fh 0x0000000c xor eax, 3308A0D8h 0x00000011 sub eax, 9DDAC6E9h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F99AC4F37A1h 0x0000001e lfence 0x00000021 mov edx, 25CCE66Fh 0x00000026 xor edx, BC263FA9h 0x0000002c xor edx, 19DA13DCh 0x00000032 xor edx, FFCECA0Eh 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e jmp 00007F99AC4F3796h 0x00000040 test dx, dx 0x00000043 sub edx, esi 0x00000045 ret 0x00000046 pop ecx 0x00000047 add edi, edx 0x00000049 dec ecx 0x0000004a cmp ecx, 00000000h 0x0000004d jne 00007F99AC4F3743h 0x0000004f mov dword ptr [ebp+0000021Bh], edx 0x00000055 mov edx, ecx 0x00000057 test edx, ecx 0x00000059 push edx 0x0000005a mov edx, dword ptr [ebp+0000021Bh] 0x00000060 call 00007F99AC4F377Bh 0x00000065 call 00007F99AC4F37C2h 0x0000006a lfence 0x0000006d mov edx, 25CCE66Fh 0x00000072 xor edx, BC263FA9h 0x00000078 xor edx, 19DA13DCh 0x0000007e xor edx, FFCECA0Eh 0x00000084 mov edx, dword ptr [edx] 0x00000086 lfence 0x00000089 ret 0x0000008a mov esi, edx 0x0000008c pushad 0x0000008d rdtsc

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\lpSbvoEkD6.exe

Process Stats: CPU usage > 90% for more than 60s

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: lpSbvoEkD6.exe, 00000000.00000002.576734773.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: lpSbvoEkD6.exe, 00000000.00000002.576734773.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: lpSbvoEkD6.exe, 00000000.00000002.576734773.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: lpSbvoEkD6.exe, 00000000.00000002.576734773.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery11	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
lpSbvoEkD6.exe	29%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	434685
Start date:	15.06.2021
Start time:	11:55:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	lpSbvoEkD6.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 34% (good quality ratio 8.5%) Quality average: 14.6% Quality standard deviation: 26%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Max analysis timeout: 220s exceeded, the analysis took too long Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.743654430674186
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	lpSbvoEkD6.exe
File size:	147456
MD5:	ab19307ba349239ed32f7ec471c882e6
SHA1:	451cb1fc62f9fcd4d6f5e8b187404d278f21c65e
SHA256:	5445447afbc7e74f9a827b122e1b38c4cb9715ec3dfc5bbfbf4805759bfc6eac
SHA512:	a18c355e4516741dc02f8bf1572b852db6a7d217b42da3be1b8b4f35e1225e404858e3abf199b97024a2c7e412f6391a35edfc0e9a2397f4bf24334d4072764c
SSDEEP:	1536:+zg1+OOZDPJGMpTzmqEDAoZH0J4oJCEw3dceV1h7nSH2:AOOZrJGM5q1DAoZi4oY3dccY2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....!.W.....................0............... ....@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x4018a4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x57CF2100 [Tue Sep 6 20:03:12 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2c08d8f9644132654eb702b279083d5c

Entrypoint Preview

Instruction
push 00401C44h
call 00007F99ACDD83D5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi-66C1898Dh], cl
fstp dword ptr [edi+4Dh]
movsb
retf
inc esi
dec edx
call far 0000h : 005D95F5h
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax-80h], cl
clc
add al, byte ptr [edx+edx*2+41h]
inc esi
push esp
dec ecx
dec esp
pop ecx
add byte ptr [eax], cl
inc ecx
add byte ptr [eax], ah
or byte ptr [ecx+00h], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
bswap eax
aaa
dec ecx
sub al, 80h
arpl word ptr [eax], dx
inc edx
mov dl, 00h
xchg eax, ecx
add eax, 4E27BF1Eh
jmp 00007F99ACDD83E9h
and ah, byte ptr [edx+480EF2CCh]
scasd
mov ebx, 90940BEBh
sub byte ptr [eax+3Ah], ch
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov bh, 02h
add byte ptr [eax], al
dec esp
add byte ptr [eax], al
add byte ptr [eax], al
or al, byte ptr [eax]
dec ebx
inc ecx
push ebx
push ebx
inc ebp
inc esp
inc ecx
dec ebp
inc ebp
dec esi
add byte ptr [53000A01h], cl
arpl word ptr [eax+6Eh], bp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x21184	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x930	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1dc	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2085c	0x21000	False	0.378432765152	data	5.99976435722	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x22000	0x1278	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x930	0x1000	False	0.170166015625	data	1.97470101836	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x24800	0x130	data
RT_ICON	0x24518	0x2e8	data
RT_ICON	0x243f0	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x243c0	0x30	data
RT_VERSION	0x24150	0x270	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaHresultCheck, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaBoolStr, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaR4Str, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, __vbaVarCopy, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	CHELEM
FileVersion	1.00
CompanyName	Workday
Comments	Workday
ProductName	Workday
ProductVersion	1.00
FileDescription	Workday
OriginalFilename	CHELEM.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: lpSbvoEkD6.exe PID: 6092 Parent PID: 5672

General

Start time:	11:56:18
Start date:	15/06/2021
Path:	C:\Users\user\Desktop\lpSbvoEkD6.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\lpSbvoEkD6.exe'
Imagebase:	0x400000
File size:	147456 bytes
MD5 hash:	AB19307BA349239ED32F7EC471C882E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000000.216224466.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: lpSbvoEkD6.exe PID: 6092 Parent PID: 5672 lpSbvoEkD6.exeCOMMON

Executed Functions

Function 0041A630, Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 237COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041A694
#679.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,?,?), ref: 0041A6CA
__vbaFpR8.MSVBVM60 ref: 0041A6D0
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041A703
__vbaVarDup.MSVBVM60 ref: 0041A760
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 0041A785
__vbaStrMove.MSVBVM60 ref: 0041A790
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 0041A7B7
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041A7CF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041A7E8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403A30,000001E8), ref: 0041A815
__vbaFreeObj.MSVBVM60 ref: 0041A81E
__vbaVarDup.MSVBVM60 ref: 0041A841
#553.MSVBVM60(?,?), ref: 0041A84F
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041A874
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041A88A
__vbaVarDup.MSVBVM60 ref: 0041A8E4
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 0041A909
__vbaStrMove.MSVBVM60 ref: 0041A914
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 0041A93B
__vbaFreeStr.MSVBVM60(0041A992), ref: 0041A985
__vbaFreeStr.MSVBVM60 ref: 0041A98A
__vbaFreeStr.MSVBVM60 ref: 0041A98F

Strings

01/01/01, xrefs: 0041A82D
Skrivelrer1, xrefs: 0041A8D0
Maumeenondesignateunlimited, xrefs: 0041A74C

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$List$#596Move$#553#679CheckCopyHresultNew2
String ID: 01/01/01$Maumeenondesignateunlimited$Skrivelrer1
API String ID: 207475868-2032125864
Opcode ID: c0d345858cb9ac814c280455e0b3455587fcc7ac199767fc3e1ab06649b8d97a
Instruction ID: de63aeeefd0aa36bf92fecdc25a1f6e0f7f899b857cb9c315a429eaf41de3210
Opcode Fuzzy Hash: c0d345858cb9ac814c280455e0b3455587fcc7ac199767fc3e1ab06649b8d97a
Instruction Fuzzy Hash: 24A1C2B1C1022DAFCB14CF94DD84AEEBBB8FB58704F14416EE509A7250DBB45A89CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004018A4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 004018A9

Strings

VB5!6&*, xrefs: 004018A4

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: b98f28458dea1be379413a59dfecd6726e1b557afe988bd5d5a5d73dc4b78615
Instruction ID: b2dd387356a7c12f26958fff5fcd805b5af38766e3fef0f1ddf5ef501be660bb
Opcode Fuzzy Hash: b98f28458dea1be379413a59dfecd6726e1b557afe988bd5d5a5d73dc4b78615
Instruction Fuzzy Hash: 70D0AE1164F7D25FD307A7715861551BF305D2361131E44E78081DB4F3D26C9929D377

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405720, Relevance: 1.4, Strings: 1, Instructions: 174
COMMONCrypto

Download Yara Rule

C-Code - Quality: 66%

			E00405720() {
				intOrPtr* _t6;
				intOrPtr* _t13;
				void* _t37;

				 *_t6 =  *_t6 + 1;
				asm("stc");
				asm("cmpsd");
				_t13 =  *((intOrPtr*)(0x40100c));
				do {
					_t13 = _t13 + 0xffffffff;
					asm("pushfd");
					asm("popfd");
				} while ( *_t13 != 0xda6f1ff7);
				 *((intOrPtr*)( *((intOrPtr*)(_t13 + 0x10cc))))(0, 0x11000, 0x1000, 0x40);
				_t37 = 0xc224;
				do {
					 *(0 + _t37) = 0 ^  *(0x4059dd + _t37);
					 *(0 + _t37) =  *(0 + _t37) ^ 0xc024fe40;
					_t37 = _t37 - 0x242 + 0x23e;
				} while (_t37 >= 0);
				goto 0x00000000;
			}

0x00405722
0x00405724
0x00405725
0x00405792
0x004057f7
0x00405800
0x0040580c
0x0040580d
0x0040580d
0x00405958
0x0040596e
0x00405981
0x0040599e
0x004059a7
0x004059cb
0x004059cb
0x004059d5

Strings

&, xrefs: 004057E6

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: 427bdd50d29f6178d1547da25750606f3abd21a4a00b72de131a708b7ecc007e
Instruction ID: dc91fcf8d730334a3e25dad07810e3c1915da797e441d4767ce00cfaeab7f217
Opcode Fuzzy Hash: 427bdd50d29f6178d1547da25750606f3abd21a4a00b72de131a708b7ecc007e
Instruction Fuzzy Hash: 0151C7916553428AFF780578CAE072E2156EF96700F709E3BDA43EADC9DA7DC0C18613

Uniqueness

Uniqueness Score: -1.00%

Function 004209B0, Relevance: 54.5, APIs: 30, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

#517.MSVBVM60(004039F4), ref: 00420A0A
__vbaStrMove.MSVBVM60 ref: 00420A15
__vbaStrCmp.MSVBVM60(00403980,00000000), ref: 00420A21
__vbaFreeStr.MSVBVM60 ref: 00420A34
__vbaNew2.MSVBVM60(004038D4,00422390), ref: 00420A51
__vbaLateMemCallLd.MSVBVM60(?,?,uQzYfoIri7ddvc3x8FN7bmsdWeJ3OQrppbhD233,00000000), ref: 00420A6D
__vbaObjVar.MSVBVM60(00000000), ref: 00420A77
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00420A82
__vbaHresultCheckObj.MSVBVM60(00000000,0233EF84,004038C4,0000000C), ref: 00420A9C
__vbaFreeObj.MSVBVM60 ref: 00420AA5
__vbaFreeVar.MSVBVM60 ref: 00420AAE
__vbaVarDup.MSVBVM60 ref: 00420AD0
#562.MSVBVM60(?), ref: 00420ADA
__vbaFreeVar.MSVBVM60 ref: 00420AF1
_adj_fdiv_m64.MSVBVM60 ref: 00420B23
__vbaFpI4.MSVBVM60(42820000,?,434A0000), ref: 00420B54
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033A4,000002C0,?,434A0000), ref: 00420B88
#610.MSVBVM60(?), ref: 00420B98
#610.MSVBVM60(?), ref: 00420B9E
__vbaVarAdd.MSVBVM60(?,00000009,?,00000001,00000001), ref: 00420BC6
#662.MSVBVM60(?,004038B0,?,00000000), ref: 00420BDA
__vbaVarTstNe.MSVBVM60(?,?), ref: 00420BFB
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00420C16
__vbaNew2.MSVBVM60(004038D4,00422390), ref: 00420C36
__vbaObjVar.MSVBVM60(?), ref: 00420C48
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00420C53
__vbaHresultCheckObj.MSVBVM60(00000000,0233EF84,004038C4,00000010), ref: 00420C6D
__vbaFreeObj.MSVBVM60 ref: 00420C76
__vbaFreeObj.MSVBVM60(00420CC9), ref: 00420CB9
__vbaFreeVar.MSVBVM60 ref: 00420CC2

Strings

uQzYfoIri7ddvc3x8FN7bmsdWeJ3OQrppbhD233, xrefs: 00420A61

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$#610AddrefNew2$#517#562#662CallLateListMove_adj_fdiv_m64
String ID: uQzYfoIri7ddvc3x8FN7bmsdWeJ3OQrppbhD233
API String ID: 3516706468-3714022841
Opcode ID: 1cf7cc3a9cf6cba25eeb05f07bb12564c2b5a8ecbb7bc671ca8745069e8e0ce1
Instruction ID: 29927ca898ef378e3c2e7082c7eefeb9313062ad1db3fdc2d1aee4296595ffaf
Opcode Fuzzy Hash: 1cf7cc3a9cf6cba25eeb05f07bb12564c2b5a8ecbb7bc671ca8745069e8e0ce1
Instruction Fuzzy Hash: 57815DB1D00219EFDB149FA1EE48AEDBBB8FB08705F50816AF546B31A0CB745945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0041B4D0, Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041B51C
#670.MSVBVM60(?), ref: 0041B526
__vbaVarTstEq.MSVBVM60(?,?), ref: 0041B542
__vbaFreeVar.MSVBVM60 ref: 0041B54E
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041B570
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041B589
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A04,000001B8), ref: 0041B5B0
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000,00000000), ref: 0041B5C1
__vbaStrVarMove.MSVBVM60(00000000), ref: 0041B5CB
__vbaStrMove.MSVBVM60 ref: 0041B5D6
#716.MSVBVM60(?,00000000), ref: 0041B5E1
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 0041B608
__vbaFreeStr.MSVBVM60 ref: 0041B611
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041B621
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041B631
__vbaI4Str.MSVBVM60(00403974), ref: 0041B63F
#697.MSVBVM60(00000000), ref: 0041B646
__vbaStrMove.MSVBVM60 ref: 0041B651
__vbaStrCmp.MSVBVM60(00403980,00000000), ref: 0041B65D
__vbaFreeStr.MSVBVM60 ref: 0041B670
#570.MSVBVM60(000000B9), ref: 0041B680
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041B699
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041B6B2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403D20,00000068), ref: 0041B6D3
__vbaFreeObj.MSVBVM60 ref: 0041B6E2
__vbaFreeStr.MSVBVM60(0041B730), ref: 0041B720
__vbaFreeObj.MSVBVM60 ref: 0041B729

Strings

Spheniscomorphae1, xrefs: 0041B534

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$Move$CheckHresultLateListNew2$#570#670#697#716CallCopy
String ID: Spheniscomorphae1
API String ID: 1019445086-1645407306
Opcode ID: 7ad97b7b4ce57bc549b40d6af137249d7292e09debc0790f87b47db7f8312912
Instruction ID: 8531cda1502aeca50646a13d3f7e27844f144692b8f3ad728876816a68c038b6
Opcode Fuzzy Hash: 7ad97b7b4ce57bc549b40d6af137249d7292e09debc0790f87b47db7f8312912
Instruction Fuzzy Hash: 37612C74900209AFCB04DFA4DE499EEBBB9FF58701F10852AF542B72A0DB745945CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041A9B0, Relevance: 47.5, APIs: 25, Strings: 2, Instructions: 250COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041AA2A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041AA43
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A30,0000020C), ref: 0041AA66
__vbaFreeObj.MSVBVM60 ref: 0041AA6F
__vbaVarDup.MSVBVM60 ref: 0041AA98
#553.MSVBVM60(?,?), ref: 0041AAA2
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041AAC7
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041AAE0
__vbaVarDup.MSVBVM60 ref: 0041AB42
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 0041AB66
__vbaStrMove.MSVBVM60 ref: 0041AB71
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 0041AB9B
__vbaLenBstr.MSVBVM60(00403ED4), ref: 0041ABA5
__vbaNew2.MSVBVM60(004038D4,00422390), ref: 0041ABC7
__vbaHresultCheckObj.MSVBVM60(00000000,0233EF84,004038C4,0000001C), ref: 0041ABEC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E34,00000054,?,?,?,?), ref: 0041AC42
__vbaLateIdSt.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?), ref: 0041AC79
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0041AC82
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0041AC8B
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041ACA4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041ACBD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040391C,00000060), ref: 0041ACE1
__vbaFreeObj.MSVBVM60 ref: 0041ACF3
__vbaFreeObj.MSVBVM60(0041AD51), ref: 0041AD41
__vbaFreeStr.MSVBVM60 ref: 0041AD4A

Strings

01/01/01, xrefs: 0041AA84
Catecholamines, xrefs: 0041AB2E

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$New2$List$#553#596BstrLateMove
String ID: 01/01/01$Catecholamines
API String ID: 2020296758-1285120401
Opcode ID: dc88d78ffdd8f2a965b9ee346c40bb2ff415955b53947a266d58b8b92c747dae
Instruction ID: 038fce09a5b7e193ede636a72176ee158643cb90a358bd313a4c6dad8c53431f
Opcode Fuzzy Hash: dc88d78ffdd8f2a965b9ee346c40bb2ff415955b53947a266d58b8b92c747dae
Instruction Fuzzy Hash: 92B16AB4D01209AFCB14DFA5DA48BDEBBB8FF48300F10816AE509B72A0D7745A45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004204D0, Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 250COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402530,00422010), ref: 0042053B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042055A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040391C,000001FC), ref: 00420599
__vbaFreeObj.MSVBVM60 ref: 004205A8
#674.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,?,?), ref: 004205E4
__vbaFpR8.MSVBVM60 ref: 004205EA
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00420610
__vbaNew2.MSVBVM60(004038D4,00422390), ref: 00420637
__vbaHresultCheckObj.MSVBVM60(00000000,0233EF84,004038C4,0000004C), ref: 0042065C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403F78,0000001C,?,?,?,?), ref: 004206A0
__vbaObjSet.MSVBVM60(?,?,?,?,?,?), ref: 004206BB
__vbaFreeObj.MSVBVM60(?,?,?,?), ref: 004206C6
#519.MSVBVM60( rr), ref: 004206CD
__vbaStrMove.MSVBVM60 ref: 004206D8
__vbaStrCmp.MSVBVM60(00404028,00000000), ref: 004206E4
__vbaFreeStr.MSVBVM60 ref: 004206F7
__vbaNew2.MSVBVM60(00402530,00422010), ref: 00420719
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420732
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040391C,000001C0), ref: 00420755
__vbaLateMemCall.MSVBVM60(?,O6LxHL51aTnkYsQDbH68,00000002), ref: 004207B1
__vbaFreeObj.MSVBVM60 ref: 004207BD
__vbaFreeVar.MSVBVM60 ref: 004207C2
__vbaFreeObj.MSVBVM60(0042081C), ref: 00420814
__vbaFreeObj.MSVBVM60 ref: 00420819

Strings

O6LxHL51aTnkYsQDbH68, xrefs: 0042078D
rr, xrefs: 004206C8

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$New2$#519#674CallLateListMove
String ID: rr$O6LxHL51aTnkYsQDbH68
API String ID: 13828861-3451368691
Opcode ID: 33ee8f7fb26348347149fc38f1daf8925e68f2425b3faf480a1681b41dcc62de
Instruction ID: 92979d7f850def72369671ae3f43dbef6a98f8b829324f66ecf314907952db71
Opcode Fuzzy Hash: 33ee8f7fb26348347149fc38f1daf8925e68f2425b3faf480a1681b41dcc62de
Instruction Fuzzy Hash: 4BA12E71A00214ABDB14DFA8DD85B9EBBF8FF48700F10812AF905B72A5D7749905CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041B750, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,00403A18,00000008), ref: 0041B7AD
__vbaVarDup.MSVBVM60 ref: 0041B7C7
#544.MSVBVM60(?,?), ref: 0041B7D5
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041B7FA
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041B80D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033A4,000002B0), ref: 0041B88A
__vbaStrCopy.MSVBVM60 ref: 0041B89E
__vbaStrCopy.MSVBVM60 ref: 0041B8AB
__vbaVarDup.MSVBVM60 ref: 0041B8C6
#710.MSVBVM60(00000008,?), ref: 0041B8ED
__vbaStrMove.MSVBVM60 ref: 0041B8F8
__vbaStrCmp.MSVBVM60(004039FC,00000000), ref: 0041B904
__vbaFreeStr.MSVBVM60 ref: 0041B917
__vbaFreeVar.MSVBVM60 ref: 0041B920
__vbaNew2.MSVBVM60(004038D4,00422390), ref: 0041B941
__vbaHresultCheckObj.MSVBVM60(00000000,0233EF84,004038C4,0000001C), ref: 0041B966
__vbaCastObj.MSVBVM60(?,00403950), ref: 0041B99B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041B9A6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E34,00000058), ref: 0041B9C0
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041B9D0

Strings

20:20:20, xrefs: 0041B7B9

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$CopyList$#544#710CastConstruct2MoveNew2
String ID: 20:20:20
API String ID: 1246080522-1725373740
Opcode ID: 226fb0acad0085b5c33e49da72993bd874bb4ce901e77525e8b53fc29688cd9f
Instruction ID: 593c8df52cc8efca93008a30f48238d8c5669c121d3002fa27027292bef10d78
Opcode Fuzzy Hash: 226fb0acad0085b5c33e49da72993bd874bb4ce901e77525e8b53fc29688cd9f
Instruction Fuzzy Hash: 7D8146B0D00209EFDB14DFA9D989A9EFBB8FF48700F10816AE509B72A1D7745945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041F9D0, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041FA49
__vbaStrCopy.MSVBVM60 ref: 0041FA51
__vbaNew2.MSVBVM60(004038D4,00422390), ref: 0041FA65
__vbaHresultCheckObj.MSVBVM60(00000000,0233EF84,004038C4,00000014), ref: 0041FA90
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038E4,000000F0), ref: 0041FABE
__vbaStrMove.MSVBVM60 ref: 0041FAC9
__vbaFreeObj.MSVBVM60 ref: 0041FAD2
#693.MSVBVM60(00403980), ref: 0041FADD
#532.MSVBVM60(DEDD), ref: 0041FAEC
#660.MSVBVM60(?,?,?,00000001,00000001), ref: 0041FB1F
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041FB40
__vbaFreeVarList.MSVBVM60(00000003,00000002,0000000A,?), ref: 0041FB57
__vbaNew2.MSVBVM60(004038D4,00422390), ref: 0041FB7B
__vbaHresultCheckObj.MSVBVM60(00000000,0233EF84,004038C4,0000004C), ref: 0041FBA0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403F78,0000001C,?,?,?,?), ref: 0041FBED
__vbaObjSet.MSVBVM60(?,?,?,?,?,?), ref: 0041FBFE
__vbaFreeObj.MSVBVM60(?,?,?,?), ref: 0041FC07
__vbaFreeStr.MSVBVM60(0041FC77), ref: 0041FC61
__vbaFreeObj.MSVBVM60 ref: 0041FC66
__vbaFreeStr.MSVBVM60 ref: 0041FC6F
__vbaFreeStr.MSVBVM60 ref: 0041FC74

Strings

DEDD, xrefs: 0041FAE7

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$CopyNew2$#532#660#693ListMove
String ID: DEDD
API String ID: 303901731-2798080213
Opcode ID: a5643ad605b01cc4d0b31fe421bd6725947c3cb9e77d1becd86ae90694b8374f
Instruction ID: 87437e1294f42cf86917f274387fe09affa7d396bab2c1f3ec2cad3b04b50051
Opcode Fuzzy Hash: a5643ad605b01cc4d0b31fe421bd6725947c3cb9e77d1becd86ae90694b8374f
Instruction Fuzzy Hash: C4710AB1900219EFDB10DF94D985ADEBBB9FF48B00F20816AF505B72A0D7745986CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041C060, Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

#616.MSVBVM60(004039FC,00000001), ref: 0041C0A7
__vbaStrMove.MSVBVM60 ref: 0041C0B8
__vbaStrCmp.MSVBVM60(004039F4,00000000), ref: 0041C0C0
__vbaFreeStr.MSVBVM60 ref: 0041C0D3
#571.MSVBVM60(0000002B), ref: 0041C0E0
__vbaI4Str.MSVBVM60(00403974), ref: 0041C0EB
#697.MSVBVM60(00000000), ref: 0041C0F2
__vbaStrMove.MSVBVM60 ref: 0041C0FD
__vbaStrCmp.MSVBVM60(00403980,00000000), ref: 0041C105
__vbaFreeStr.MSVBVM60 ref: 0041C118
#570.MSVBVM60(000000AD), ref: 0041C128
__vbaStrCopy.MSVBVM60 ref: 0041C136
#524.MSVBVM60(?,?), ref: 0041C151
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041C16D
__vbaFreeVar.MSVBVM60 ref: 0041C179
__vbaNew2.MSVBVM60(004038D4,00422390), ref: 0041C19A
__vbaHresultCheckObj.MSVBVM60(00000000,0233EF84,004038C4,0000001C), ref: 0041C1BF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E34,00000060), ref: 0041C20E
__vbaFreeObj.MSVBVM60 ref: 0041C217
__vbaFreeStr.MSVBVM60(0041C254), ref: 0041C24D

Strings

Parisiskes8, xrefs: 0041C1E7

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultMove$#524#570#571#616#697CopyNew2
String ID: Parisiskes8
API String ID: 4051536704-4275025436
Opcode ID: bbcd99ca50b1c72d0010ef3cc13af7d25d2d59db30356a49ab59d1c4e0588da3
Instruction ID: 0bc6b343b2c356189e278427b9fea5a39ecfbb7616f463f28432c25aafe55c9d
Opcode Fuzzy Hash: bbcd99ca50b1c72d0010ef3cc13af7d25d2d59db30356a49ab59d1c4e0588da3
Instruction Fuzzy Hash: 83514D70A40258EFCB14DFA5DE49ADEBBB8FB48701F20412AE506B72A0D7785D45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00414190, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,00403A18,00000008), ref: 004141E1
__vbaStrCopy.MSVBVM60 ref: 004141F5
__vbaStrCopy.MSVBVM60 ref: 00414202
__vbaVarDup.MSVBVM60 ref: 00414214
#710.MSVBVM60(?,?), ref: 00414235
__vbaStrMove.MSVBVM60 ref: 00414240
__vbaStrCmp.MSVBVM60(004039FC,00000000), ref: 0041424C
__vbaFreeStr.MSVBVM60 ref: 0041425F
__vbaFreeVar.MSVBVM60 ref: 00414268
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041428A
__vbaObjSet.MSVBVM60(?,00000000), ref: 004142A9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A04,00000170), ref: 004142CC
__vbaNew2.MSVBVM60(00402530,00422010), ref: 004142E5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004142FE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403984,00000120), ref: 00414321
__vbaFpI4.MSVBVM60 ref: 00414332
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033A4,000002C8), ref: 0041437E
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041438E
__vbaAryDestruct.MSVBVM60(00000000,?,004143DF), ref: 004143D8

Strings

R(, xrefs: 00414397

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$CopyNew2$#710Construct2DestructListMove
String ID: R(
API String ID: 799147137-4242638291
Opcode ID: fdd9b1e2c37884435c507fc96894ce3fd19933b10e85382d008f90d9b1c07791
Instruction ID: 11ab3a5c790d2c888ddd6b78d8345ef50b084bc71e3d1bf0f0bd50e0a626fcb2
Opcode Fuzzy Hash: fdd9b1e2c37884435c507fc96894ce3fd19933b10e85382d008f90d9b1c07791
Instruction Fuzzy Hash: 0C513E70900218AFDB10DFA5DD89ADEBBB9FF88701F10412AF545B72A0DB745945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0041B270, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041B2CE
__vbaStrCopy.MSVBVM60 ref: 0041B2D6
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000003,00000000), ref: 0041B2E9
__vbaVarMove.MSVBVM60 ref: 0041B319
__vbaVarCopy.MSVBVM60 ref: 0041B345
__vbaVarMove.MSVBVM60 ref: 0041B369
__vbaVarCopy.MSVBVM60 ref: 0041B391
#668.MSVBVM60(?,?), ref: 0041B39B
__vbaErase.MSVBVM60(00000000,?), ref: 0041B3A6
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041B3CB
__vbaFreeVar.MSVBVM60 ref: 0041B3D7
__vbaEnd.MSVBVM60 ref: 0041B3E2
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041B3FB
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041B414
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040391C,000001EC), ref: 0041B462
__vbaFreeObj.MSVBVM60 ref: 0041B46B
__vbaFreeStr.MSVBVM60(0041B4B2), ref: 0041B4AA
__vbaFreeStr.MSVBVM60 ref: 0041B4AF

Strings

plums, xrefs: 0041B43B

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CopyFree$Move$#668CheckEraseHresultNew2Redim
String ID: plums
API String ID: 975322020-90554558
Opcode ID: 63f4d13e95e779737bfc0870c78ddcdda6e08e33c92f7cd579a0a194cb8ff66d
Instruction ID: 2996cf5ef493d0c63c9224db278211b62cd5cb8b4e936f1fd7098e2ee8aab7a9
Opcode Fuzzy Hash: 63f4d13e95e779737bfc0870c78ddcdda6e08e33c92f7cd579a0a194cb8ff66d
Instruction Fuzzy Hash: 836140B0D00259DFDB14DFA8DD88AADBBB9FF48700F10812AE505BB2A1D7B49945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0041F660, Relevance: 31.7, APIs: 21, Instructions: 206COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,?,004033A4,000000A8), ref: 0041F6C8
__vbaStrCmp.MSVBVM60(00000000,?), ref: 0041F6D3
__vbaFreeStr.MSVBVM60 ref: 0041F6E5
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041F70D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F730
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A04,00000198), ref: 0041F753
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041F76C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F781
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A40,00000048), ref: 0041F79E
__vbaNew2.MSVBVM60(004038D4,00422390), ref: 0041F7B7
__vbaHresultCheckObj.MSVBVM60(00000000,0233EF84,004038C4,0000004C), ref: 0041F7D8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403F78,00000024), ref: 0041F804
__vbaStrMove.MSVBVM60 ref: 0041F817
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041F827
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041F83B
__vbaOnError.MSVBVM60(00000000), ref: 0041F854
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041F86D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F882
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403984,000001A8), ref: 0041F8A1
__vbaFreeObj.MSVBVM60 ref: 0041F8AA
__vbaFreeStr.MSVBVM60(0041F8ED), ref: 0041F8E6

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$New2$List$ErrorMove
String ID:
API String ID: 2931715464-0
Opcode ID: aad296fa7404e0e7ea6af368b7b530af8f8ba4cc2435455506070bc63331b8f1
Instruction ID: e61a596e793fa95bd1345ce91ff238f782e5f182b3097cb571d0b88106543367
Opcode Fuzzy Hash: aad296fa7404e0e7ea6af368b7b530af8f8ba4cc2435455506070bc63331b8f1
Instruction Fuzzy Hash: 3D716D71A00214ABDB10DFA5DD88EDABBB8BF58700F10452AF545F72A0D7B8A945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA50, Relevance: 31.7, APIs: 21, Instructions: 176COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041BAB1
__vbaVarDup.MSVBVM60 ref: 0041BACB
#564.MSVBVM60(?,?), ref: 0041BAD9
__vbaHresultCheck.MSVBVM60(00000000), ref: 0041BAE4
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041BB00
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041BB13
__vbaNew2.MSVBVM60(004038D4,00422390), ref: 0041BB33
__vbaHresultCheckObj.MSVBVM60(00000000,0233EF84,004038C4,00000048), ref: 0041BB5A
__vbaStrMove.MSVBVM60 ref: 0041BB69
#554.MSVBVM60 ref: 0041BB6F
__vbaR4Str.MSVBVM60(004039C0), ref: 0041BB7A
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041BBA4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041BBBD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040391C,00000130), ref: 0041BBE4
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041BBF6
__vbaI4Var.MSVBVM60(00000000), ref: 0041BC00
__vbaHresultCheckObj.MSVBVM60(00000000,00401460,004033A4,00000084), ref: 0041BC57
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041BC67
__vbaFreeVar.MSVBVM60 ref: 0041BC73
__vbaFreeStr.MSVBVM60(0041BCCA), ref: 0041BCC2
__vbaFreeStr.MSVBVM60 ref: 0041BCC7

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$ListNew2$#554#564CallCopyLateMove
String ID:
API String ID: 668867254-0
Opcode ID: 0f3dbc144dc1e4b5dde1ad97e29efd629ee4c10d28310c726e9c3789bd8e12b5
Instruction ID: 65076be5ff6e3b86ab3c8602f21709e2b1766954e164ae0fe2046201d9937c38
Opcode Fuzzy Hash: 0f3dbc144dc1e4b5dde1ad97e29efd629ee4c10d28310c726e9c3789bd8e12b5
Instruction Fuzzy Hash: 3C612A70D00209AFCB10DFA5DA89AEEBBB8FF58701F10815AE545B72A0DB745945CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00420DC0, Relevance: 31.6, APIs: 21, Instructions: 150COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00420E24
__vbaStrCopy.MSVBVM60 ref: 00420E2C
__vbaStrCopy.MSVBVM60 ref: 00420E34
__vbaStrCopy.MSVBVM60 ref: 00420E3C
#676.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,?,?), ref: 00420E6E
__vbaFpR8.MSVBVM60 ref: 00420E74
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00420EA0
__vbaEnd.MSVBVM60 ref: 00420EAC
__vbaVarDup.MSVBVM60 ref: 00420EC6
#564.MSVBVM60(?,?), ref: 00420ED4
__vbaHresultCheck.MSVBVM60(00000000), ref: 00420EDF
__vbaVarTstNe.MSVBVM60(?,?), ref: 00420EFB
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00420F0E
__vbaNew2.MSVBVM60(004038D4,00422390), ref: 00420F2A
__vbaHresultCheckObj.MSVBVM60(00000000,0233EF84,004038C4,00000048), ref: 00420F54
__vbaStrMove.MSVBVM60 ref: 00420F63
__vbaFreeStr.MSVBVM60(00420FB2), ref: 00420F9B
__vbaFreeStr.MSVBVM60 ref: 00420FA0
__vbaFreeStr.MSVBVM60 ref: 00420FA5
__vbaFreeStr.MSVBVM60 ref: 00420FAA
__vbaFreeStr.MSVBVM60 ref: 00420FAF

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$Copy$CheckHresultList$#564#676MoveNew2
String ID:
API String ID: 2576684927-0
Opcode ID: cfd7faee2c0f179ac60400e7688f78598f4475a9b3f69703fa2860ff77e633dc
Instruction ID: 20f31474532d314adf380ef7be4c7abf58d0e8e1d556c94da0510ee834c38ac0
Opcode Fuzzy Hash: cfd7faee2c0f179ac60400e7688f78598f4475a9b3f69703fa2860ff77e633dc
Instruction Fuzzy Hash: 33512771D0021AAFCB14DF94D985AEEBBB8FF48704F10811AE515B7260DBB46946CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00414400, Relevance: 28.7, APIs: 19, Instructions: 165COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041445F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041447E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A30,000000D0), ref: 004144A1
#592.MSVBVM60(?), ref: 004144BA
__vbaFreeObj.MSVBVM60 ref: 004144CF
__vbaFreeVar.MSVBVM60 ref: 004144DE
__vbaNew2.MSVBVM60(00402530,00422010), ref: 004144FC
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414515
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403984,00000050), ref: 00414532
#716.MSVBVM60(00000002,?,00000000), ref: 00414542
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 0041456A
__vbaFreeStr.MSVBVM60 ref: 00414573
__vbaFreeObj.MSVBVM60 ref: 0041457C
__vbaFreeVar.MSVBVM60 ref: 00414585
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041459A
__vbaObjSet.MSVBVM60(?,00000000), ref: 004145B3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A40,00000068), ref: 004145D0
__vbaFreeObj.MSVBVM60 ref: 004145DF
__vbaFreeObj.MSVBVM60(00414613), ref: 0041460C

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultNew2$#592#716Late
String ID:
API String ID: 3616571326-0
Opcode ID: 815e74569d37f3ecffc5374dabe4f908223ca5955f22dc95911add01be3aa6c3
Instruction ID: a0ba4b037e7717b186a7e7e947cf6f8fa19dd2512ce86d33aa086a36e9d06f5c
Opcode Fuzzy Hash: 815e74569d37f3ecffc5374dabe4f908223ca5955f22dc95911add01be3aa6c3
Instruction Fuzzy Hash: 36513D74A00205ABCB14DFA5D988EDEBBB9BF48700F10852AE545F72A0D7749945CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041C5F0, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041C62A
__vbaBoolStr.MSVBVM60(True), ref: 0041C635
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041C658
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041C671
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B4C,00000178), ref: 0041C698
_adj_fdiv_m64.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041C6C1
__vbaFpI4.MSVBVM60(436A0000,?,42900000), ref: 0041C6EF
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033A4,000002C0,?,42900000), ref: 0041C728
__vbaFreeObj.MSVBVM60(?,42900000), ref: 0041C731
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041C74A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041C763
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040391C,000001EC), ref: 0041C7AB
__vbaFreeObj.MSVBVM60 ref: 0041C7B4
__vbaFreeStr.MSVBVM60(0041C7D6), ref: 0041C7CF

Strings

Pleurococcaceae, xrefs: 0041C77A
True, xrefs: 0041C630

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$New2$BoolCopy_adj_fdiv_m64
String ID: Pleurococcaceae$True
API String ID: 3244786466-1036221138
Opcode ID: e6a76f3b57d7b83cb00b9c386a564daed022c474bf72591a623acd3232465b47
Instruction ID: 5bc6e30255821c58df148f5dd7d14580677fa0a99a52219fc7a672f2effaf2ae
Opcode Fuzzy Hash: e6a76f3b57d7b83cb00b9c386a564daed022c474bf72591a623acd3232465b47
Instruction Fuzzy Hash: 70516E74A40205EBCB109F94DE89EAE7BB9FB48701F504426F545B72E0C7749942CFAC

Uniqueness

Uniqueness Score: -1.00%

Function 00420850, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0042088D
#706.MSVBVM60(00000001,00000000,00000000), ref: 00420897
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 004208A8
__vbaI4Str.MSVBVM60(00403974,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 004208AF
#537.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 004208B6
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 004208C1
__vbaStrCmp.MSVBVM60(00403980,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 004208C9
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 004208DC
__vbaEnd.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 004208E7
__vbaNew2.MSVBVM60(00402530,00422010,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420900
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420919
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040391C,000001EC), ref: 00420961
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0042096A
__vbaFreeStr.MSVBVM60(0042099B,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420993
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420998

Strings

tippernes, xrefs: 00420930

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$Move$#537#706CheckCopyHresultNew2
String ID: tippernes
API String ID: 999016634-1619208553
Opcode ID: 959c144b5dea9c98e6df07964a0847eb26441441373320d89a316f712f718194
Instruction ID: a39614d72278a7685738a540911fac69027fa0e51261cd2816f716213efdf270
Opcode Fuzzy Hash: 959c144b5dea9c98e6df07964a0847eb26441441373320d89a316f712f718194
Instruction Fuzzy Hash: 65317270A40214ABCB14DFA5EE49AAFBBB8FB48701F104126F906B72A1D7745941CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00420080, Relevance: 27.1, APIs: 18, Instructions: 149COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004200D5
__vbaNew2.MSVBVM60(004038D4,00422390), ref: 004200ED
__vbaHresultCheckObj.MSVBVM60(00000000,0233EF84,004038C4,00000014), ref: 00420118
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038E4,000000C0), ref: 00420146
__vbaFreeObj.MSVBVM60 ref: 00420151
__vbaNew2.MSVBVM60(00402530,00422010), ref: 00420166
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042017F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403960,00000180), ref: 004201A2
__vbaFreeObj.MSVBVM60 ref: 004201A7
__vbaI4Str.MSVBVM60(00403974), ref: 004201AE
#608.MSVBVM60(?,00000000), ref: 004201B9
__vbaVarTstNe.MSVBVM60(?,?), ref: 004201D5
__vbaFreeVar.MSVBVM60 ref: 004201E1
__vbaNew2.MSVBVM60(004038D4,00422390), ref: 004201FF
__vbaHresultCheckObj.MSVBVM60(00000000,0233EF84,004038C4,00000048), ref: 00420226
__vbaStrMove.MSVBVM60 ref: 00420235
__vbaFreeStr.MSVBVM60(00420279), ref: 00420271
__vbaFreeStr.MSVBVM60 ref: 00420276

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$New2$#608CopyMove
String ID:
API String ID: 4240346833-0
Opcode ID: caa6a322cc1cd7d6d37afbaab808325c1cab53d811d5d6db21ea78b59315b1a5
Instruction ID: f000470f7bbed2e9fab13eeaff97296cdffe4719fc6cf7355c14ca365cb0bad2
Opcode Fuzzy Hash: caa6a322cc1cd7d6d37afbaab808325c1cab53d811d5d6db21ea78b59315b1a5
Instruction Fuzzy Hash: AD515D71A00219AFCB10DFA5DD88EAEBBF8FF58705F10406AF505B72A0D7B85945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00413DC0, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

__vbaI4Str.MSVBVM60(00403974), ref: 00413E11
#608.MSVBVM60(?,00000000), ref: 00413E1C
__vbaVarTstNe.MSVBVM60(?,?), ref: 00413E38
__vbaFreeVar.MSVBVM60 ref: 00413E44
__vbaNew2.MSVBVM60(00402530,00422010), ref: 00413E66
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413E85
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403984,00000120), ref: 00413EA8
__vbaNew2.MSVBVM60(00402530,00422010), ref: 00413EC1
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413EDA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403994,00000148), ref: 00413EFD
__vbaInStrVar.MSVBVM60(?,00000000,00008008,?,?), ref: 00413F34
__vbaI4Var.MSVBVM60(00000000), ref: 00413F3B
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00413F4B
__vbaFreeVarList.MSVBVM60(00000002,00000009,?), ref: 00413F5B

Strings

passulate, xrefs: 00413F26

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultListNew2$#608
String ID: passulate
API String ID: 821347214-629239217
Opcode ID: 0883eefea8ba4c3d5b276cb402f02549812782c9ae730a64e16e0e415b4301a8
Instruction ID: 0d31945961fe23d31fa37856d19cdc31818b3bcc1d57b1cb599ba90f301f0e26
Opcode Fuzzy Hash: 0883eefea8ba4c3d5b276cb402f02549812782c9ae730a64e16e0e415b4301a8
Instruction Fuzzy Hash: 74513EB4900208AFCB00DF95DA88EEEBBB9FB48705F50452AF545F72A0D7745A09CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041C270, Relevance: 25.7, APIs: 17, Instructions: 199COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041C2BD
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041C2D6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A30,000001E0), ref: 0041C2FD
#592.MSVBVM60(?), ref: 0041C316
__vbaFreeObj.MSVBVM60 ref: 0041C32B
__vbaFreeVar.MSVBVM60 ref: 0041C334
__vbaNew2.MSVBVM60(004038D4,00422390), ref: 0041C355
__vbaHresultCheckObj.MSVBVM60(00000000,0233EF84,004038C4,0000001C), ref: 0041C37A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E34,00000054), ref: 0041C3C0
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 0041C3F2
__vbaFreeObj.MSVBVM60 ref: 0041C3FB
__vbaFreeVar.MSVBVM60 ref: 0041C404
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041C41D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041C436
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403994,000001CC), ref: 0041C4BD
__vbaFreeObj.MSVBVM60 ref: 0041C4C6
__vbaFreeObj.MSVBVM60(0041C509), ref: 0041C502

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$New2$#592Late
String ID:
API String ID: 134990064-0
Opcode ID: 9f0c9325fdaee1c40f7625cb58ad40f8cb2b961bd3f139ac49bae8071b58601f
Instruction ID: a4d861df69d6a4d95529e4c7b2fc23e58ecf17a965dd06c157a444fa5876ae15
Opcode Fuzzy Hash: 9f0c9325fdaee1c40f7625cb58ad40f8cb2b961bd3f139ac49bae8071b58601f
Instruction Fuzzy Hash: 95812C74A40204EFCB04DFA9D989A9EBBF9FF49700B10816AE509F73A0D7749941CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041AD70, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041ADB6
#594.MSVBVM60(?), ref: 0041ADCF
__vbaFreeVar.MSVBVM60 ref: 0041ADD8
__vbaVarDup.MSVBVM60 ref: 0041ADF2
#544.MSVBVM60(?,?), ref: 0041AE00
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041AE1C
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041AE2F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033A4,000002B0), ref: 0041AEA1
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041AEBA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041AED3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A30,000001E8), ref: 0041AEF6
__vbaFreeObj.MSVBVM60 ref: 0041AEFF
__vbaFreeStr.MSVBVM60(0041AF37), ref: 0041AF30

Strings

20:20:20, xrefs: 0041ADE4

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$#544#594CopyListNew2
String ID: 20:20:20
API String ID: 225108240-1725373740
Opcode ID: f970dab91477c700ad4251f5db21405454e47c21e1fb7a97ebc2ba12a331c49d
Instruction ID: e1fc6832e83ea0e788c7bb8b14e9c17e22e0e1f93032f8bd67599350297575b1
Opcode Fuzzy Hash: f970dab91477c700ad4251f5db21405454e47c21e1fb7a97ebc2ba12a331c49d
Instruction Fuzzy Hash: B7512AB4900349DFCB04DFA8D988AEEBFB8FF48704F10412AE909BB2A4D7745945CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00414640, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402530,00422010,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00414693
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 004146B2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040391C,000001EC), ref: 004146F6
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00414705
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041471A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414733
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403994,000001C0), ref: 00414752
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041475B
#587.MSVBVM60(00000000,3FF00000), ref: 00414764
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041476A
#580.MSVBVM60(Styringscomputeren,00000001), ref: 00414784

Strings

KANTSTENENS, xrefs: 004146C5
Styringscomputeren, xrefs: 0041477F

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2$#580#587
String ID: KANTSTENENS$Styringscomputeren
API String ID: 1664163399-2963900404
Opcode ID: 257cc9af8685fa84b7caf7bee4e34436a512798a2c051a974c33f65220218e89
Instruction ID: 9ec07bc1705ae2adead2f8843484ca57c77ff26f04c835660e4ec7b16fe2c7e5
Opcode Fuzzy Hash: 257cc9af8685fa84b7caf7bee4e34436a512798a2c051a974c33f65220218e89
Instruction Fuzzy Hash: 67415174A40214ABCB10DF64CE89F9A7BB8FB49701F10406AF945F72A1C7B89941CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041FCB0, Relevance: 22.7, APIs: 15, Instructions: 205COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041FD0C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FD2B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403984,00000098), ref: 0041FD4E
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041FD67
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FD80
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403D20,00000130), ref: 0041FE0D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041FE1D
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041FE39
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FE58
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041FE74
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FE8D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040391C,000000A8), ref: 0041FEB0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A30,000001EC), ref: 0041FEF0
__vbaFreeStr.MSVBVM60 ref: 0041FEF9
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041FF09

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckHresultNew2$Free$List
String ID:
API String ID: 191279167-0
Opcode ID: 136d74f6ea915bf56d1323de1743ca2215d3b419e16dcaea40ad93f2d810524a
Instruction ID: 77711086b704e26527fe4e2bbd297e7e69f3be826227de249a42977a530cf39e
Opcode Fuzzy Hash: 136d74f6ea915bf56d1323de1743ca2215d3b419e16dcaea40ad93f2d810524a
Instruction Fuzzy Hash: C2816370A00204AFC710DFA8D984B9ABBF8FF49700F108079E905F72A1D7759946CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0041BE10, Relevance: 22.7, APIs: 15, Instructions: 166COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041BE5F
__vbaNew2.MSVBVM60(004038D4,00422390), ref: 0041BE77
__vbaHresultCheckObj.MSVBVM60(00000000,0233EF84,004038C4,00000014), ref: 0041BE9C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038E4,000000C0), ref: 0041BEC6
__vbaFreeObj.MSVBVM60 ref: 0041BECF
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041BEE8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041BF01
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403960,00000178), ref: 0041BF88
__vbaFreeObj.MSVBVM60 ref: 0041BF97
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041BFAC
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041BFC5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A04,000000F8), ref: 0041BFEC
__vbaFreeObj.MSVBVM60 ref: 0041BFFB
__vbaFreeStr.MSVBVM60(0041C02C), ref: 0041C01C
__vbaFreeObj.MSVBVM60 ref: 0041C025

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$New2$Copy
String ID:
API String ID: 1628389849-0
Opcode ID: 6824e8c212bb66329ec904d3e03b18fac599a46ef4911e56219840f149849f9b
Instruction ID: acbcba20ba292e2676e796800e6fa5504a84779ab9811360c68d090d307ef54c
Opcode Fuzzy Hash: 6824e8c212bb66329ec904d3e03b18fac599a46ef4911e56219840f149849f9b
Instruction Fuzzy Hash: B4613C74A00205EFCB04DF69D989A9EBBB9FF49700F14806AF905B72A0D7749845CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004202A0, Relevance: 22.6, APIs: 15, Instructions: 147COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00420301
__vbaStrCopy.MSVBVM60 ref: 0042030B
#524.MSVBVM60(?,?), ref: 00420322
__vbaVarTstNe.MSVBVM60(?,?), ref: 0042033E
__vbaFreeVar.MSVBVM60 ref: 0042034A
__vbaNew2.MSVBVM60(004038D4,00422390), ref: 0042036B
__vbaHresultCheckObj.MSVBVM60(00000000,0233EF84,004038C4,0000001C), ref: 00420390
__vbaNew2.MSVBVM60(00402530,00422010), ref: 004203BA
__vbaObjSet.MSVBVM60(?,00000000), ref: 004203D3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040391C,000000A8), ref: 004203FA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E34,00000060), ref: 00420435
__vbaFreeStr.MSVBVM60 ref: 0042043E
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042044E
__vbaFreeStr.MSVBVM60(004204A3), ref: 0042049B
__vbaFreeStr.MSVBVM60 ref: 004204A0

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$CopyNew2$#524List
String ID:
API String ID: 592294731-0
Opcode ID: 89b94b5de94e7910246cd9712d3ca29423f7a18641e63fd91bc1e252e7528008
Instruction ID: 6870fbc5f32a281f341e681868651cbf1bbffdff6fc6f3fd8d0597ba7400f30b
Opcode Fuzzy Hash: 89b94b5de94e7910246cd9712d3ca29423f7a18641e63fd91bc1e252e7528008
Instruction Fuzzy Hash: 8E514BB4E00209AFCB04DF95D989AEEFBB8FF58705F10802AE505B72A1D7B45905CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00413750, Relevance: 21.1, APIs: 14, Instructions: 132COMMON

Download Yara Rule

APIs

#610.MSVBVM60(?), ref: 004137A9
#661.MSVBVM60(?,004038B0,00000000,3FF00000,?), ref: 004137BE
#610.MSVBVM60(?), ref: 004137C8
__vbaVarAdd.MSVBVM60(?,?,?,?), ref: 004137E8
__vbaVarTstNe.MSVBVM60(00000000), ref: 004137EF
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041380A
__vbaNew2.MSVBVM60(004038D4,00422390), ref: 0041382A
__vbaHresultCheckObj.MSVBVM60(00000000,0233EF84,004038C4,00000048), ref: 00413854
__vbaStrMove.MSVBVM60 ref: 00413863
__vbaNew2.MSVBVM60(004038D4,00422390), ref: 0041387B
__vbaHresultCheckObj.MSVBVM60(00000000,0233EF84,004038C4,00000014), ref: 004138A0
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038E4,000000B8), ref: 004138CD
__vbaFreeObj.MSVBVM60 ref: 004138D6
__vbaFreeStr.MSVBVM60(00413920), ref: 00413919

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$#610New2$#661ListMove
String ID:
API String ID: 4150538313-0
Opcode ID: a1d3376fefde66eb148e9421724df18c68c744d748f4e4fbc69708604061fa8d
Instruction ID: 25a94e60f6987df6fb9cb7ad5b67df79ddd895b3ededcb9c7ae4d2b251a6d78a
Opcode Fuzzy Hash: a1d3376fefde66eb148e9421724df18c68c744d748f4e4fbc69708604061fa8d
Instruction Fuzzy Hash: FF414BB1D00219ABCB10DF95DD89EEEBBB8FF58701F10412AF505B71A0D7B85A45CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00413A70, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00413AB0
#676.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,?,?), ref: 00413AE6
__vbaFpR8.MSVBVM60 ref: 00413AEC
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00413B17
__vbaNew2.MSVBVM60(004038D4,00422390), ref: 00413B37
__vbaCastObj.MSVBVM60(?,00403950,ekspeditricerne), ref: 00413B53
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413B5E
__vbaHresultCheckObj.MSVBVM60(00000000,0233EF84,004038C4,00000040), ref: 00413B78
__vbaFreeObj.MSVBVM60 ref: 00413B81
__vbaFreeObj.MSVBVM60(00413BCD), ref: 00413BBD
__vbaFreeStr.MSVBVM60 ref: 00413BC6

Strings

ekspeditricerne, xrefs: 00413B46

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$#676CastCheckCopyHresultListNew2
String ID: ekspeditricerne
API String ID: 2764453826-1880822252
Opcode ID: 77808d673ae6b77facd3b0db42fe90e244c60d9a3c3ba53bf09daf5a7ecb6dab
Instruction ID: a7cea6b9efe71e43133a515a2c25048f791aba51dc61a08c89923ae171160946
Opcode Fuzzy Hash: 77808d673ae6b77facd3b0db42fe90e244c60d9a3c3ba53bf09daf5a7ecb6dab
Instruction Fuzzy Hash: E9313E74900249ABCB14DF95DE49BEEBBB8FB48701F20416AF505B62A0D7782A41CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 0041AF50, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041AF99
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041AFB2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041AFCB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403960,0000016C), ref: 0041AFEE
__vbaFreeObj.MSVBVM60 ref: 0041AFF7
#516.MSVBVM60(00403980), ref: 0041B002
__vbaVarDup.MSVBVM60 ref: 0041B03E
#595.MSVBVM60(?,00000000,?,?,?), ref: 0041B055
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041B06D
__vbaFreeStr.MSVBVM60(0041B0AC), ref: 0041B0A5

Strings

Festerment9, xrefs: 0041B030

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$#516#595CheckCopyHresultListNew2
String ID: Festerment9
API String ID: 1659224419-664888475
Opcode ID: 9605954e717c279b144087c07a1c7afdebe6c7c279b44f474a1ac08c88064cd1
Instruction ID: f87f6e698fa0b2621b6c8893c666ada989ad8ccddcc22139613e95936490d6d8
Opcode Fuzzy Hash: 9605954e717c279b144087c07a1c7afdebe6c7c279b44f474a1ac08c88064cd1
Instruction Fuzzy Hash: 1F413AB0900209AFCB14DF94D989AEEBFB8FF48701F10412AF546B72A0D7745985CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00413BF0, Relevance: 18.1, APIs: 12, Instructions: 130COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402530,00422010), ref: 00413C3A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413C59
__vbaNew2.MSVBVM60(00402530,00422010), ref: 00413C70
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413C89
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040391C,00000218), ref: 00413CAC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040391C,000001EC), ref: 00413CF1
__vbaFreeStr.MSVBVM60 ref: 00413CFA
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00413D0A
__vbaNew2.MSVBVM60(00402530,00422010), ref: 00413D26
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413D3F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403960,00000088), ref: 00413D62
__vbaFreeObj.MSVBVM60 ref: 00413D71

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2$List
String ID:
API String ID: 2509323985-0
Opcode ID: 00da3880a73bd9ee2768a67da5fa44efb5ac19565534b4fd6794b58e347c11e0
Instruction ID: 805b7252bce5975bca7b45c319ff9fee07156d52c07f464218e73f5923ae8d00
Opcode Fuzzy Hash: 00da3880a73bd9ee2768a67da5fa44efb5ac19565534b4fd6794b58e347c11e0
Instruction Fuzzy Hash: 6C418474A40205AFC710DF64DD89FAE7BB8FB58B01F104429F945F72A1D7749902CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00413940, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041398F
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00413997
__vbaNew2.MSVBVM60(00402530,00422010), ref: 004139AC
__vbaObjSet.MSVBVM60(?,00000000), ref: 004139C5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040391C,000001EC), ref: 00413A0D
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00413A16
__vbaFreeStr.MSVBVM60(00413A46), ref: 00413A3E
__vbaFreeStr.MSVBVM60 ref: 00413A43

Strings

IO"K, xrefs: 00413A1C
GENFREMSTILLINGEN, xrefs: 004139DC

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$Copy$CheckHresultNew2
String ID: GENFREMSTILLINGEN$IO"K
API String ID: 1874231197-1947186289
Opcode ID: 85defd4210939fe3f09b0ab0cfd091e1df0cab8a762ba03277ac7bfad6f0aace
Instruction ID: c36977811d5ade6656ddf20aca5781e288c2aba93173b381e02e3a4cf33f480a
Opcode Fuzzy Hash: 85defd4210939fe3f09b0ab0cfd091e1df0cab8a762ba03277ac7bfad6f0aace
Instruction Fuzzy Hash: 8D314F71A00209AFCB04DF98D985ADEBBF9FF58700F10816AE945F72A1C7749941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00413FC0, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041402D
__vbaR4Str.MSVBVM60(004039C0), ref: 00414038
__vbaVarDup.MSVBVM60 ref: 004140A3
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 004140CB
__vbaStrMove.MSVBVM60 ref: 004140D6
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 00414100
__vbaFreeStr.MSVBVM60(0041415E), ref: 00414156
__vbaFreeStr.MSVBVM60 ref: 0041415B

Strings

Bibeskftigelsernes, xrefs: 0041408F

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$#596CopyListMove
String ID: Bibeskftigelsernes
API String ID: 2863382718-3164189337
Opcode ID: c32fb30f56fce281f5fe2fce1d565c3529854eb9aee682f0cfcf1ae53eb93b77
Instruction ID: 5a559bffb529d208bd87fa9fec6c5576d0fac5e4948882d9aa24353b2ce440d0
Opcode Fuzzy Hash: c32fb30f56fce281f5fe2fce1d565c3529854eb9aee682f0cfcf1ae53eb93b77
Instruction Fuzzy Hash: 3341B6B1C11219EFCB14CF99DA44ADEBBB8FB48700F20816AE60AB7254D7741A49CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004147E0, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

__vbaVarTstNe.MSVBVM60(?,?), ref: 00414835
#531.MSVBVM60(Luksusvrelsernes), ref: 00414845
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041485E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414877
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040391C,000001EC), ref: 004148C5
__vbaFreeObj.MSVBVM60 ref: 004148CE

Strings

Balancegangs8, xrefs: 0041489E
0:|J, xrefs: 004148D4
Luksusvrelsernes, xrefs: 00414840

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$#531CheckFreeHresultNew2
String ID: 0:|J$Balancegangs8$Luksusvrelsernes
API String ID: 1326136531-2358188216
Opcode ID: 6e4db5cd0e0ba1293e8ac7722c28fd3c17308bc1c58e764d88f97ee28e4d3caf
Instruction ID: 70f69fe34696755d180e70627449c516141b19270a0c6e734eb504e3f5ff9b92
Opcode Fuzzy Hash: 6e4db5cd0e0ba1293e8ac7722c28fd3c17308bc1c58e764d88f97ee28e4d3caf
Instruction Fuzzy Hash: 2D314FB4A00344ABCB14DF95D989B9EBFB8FB48700F50802AF545B73A0D7785905CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0041BD00, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041BD46
#516.MSVBVM60(00403980), ref: 0041BD51
__vbaVarDup.MSVBVM60 ref: 0041BD8D
#595.MSVBVM60(?,00000000,?,?,?), ref: 0041BDA4
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041BDBC
__vbaFreeStr.MSVBVM60(0041BDF2), ref: 0041BDEB

Strings

Udmarvnings8, xrefs: 0041BD7F

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$#516#595CopyList
String ID: Udmarvnings8
API String ID: 515552688-761385786
Opcode ID: af6413a4c1c020313eeaa94366034076caea2d728da38e8b324e686cd4d2ed17
Instruction ID: a42322f3f939b56b05073152851da03a1f443b1597e8703e0ce588013b4c3963
Opcode Fuzzy Hash: af6413a4c1c020313eeaa94366034076caea2d728da38e8b324e686cd4d2ed17
Instruction Fuzzy Hash: 8D21D8B1D01249AFCB04DFD8DA45ADEBBB8EB08701F20812AF506B7254D7746A09CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF80, Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

#705.MSVBVM60(?,00000000), ref: 0041FFC4
__vbaStrMove.MSVBVM60 ref: 0041FFCF
__vbaFreeVar.MSVBVM60 ref: 0041FFD8
__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041FFF1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042000A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A30,00000208), ref: 0042002D
__vbaFreeObj.MSVBVM60 ref: 00420036
__vbaFreeStr.MSVBVM60(00420060), ref: 00420059

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$#705CheckHresultMoveNew2
String ID:
API String ID: 1968677507-0
Opcode ID: 5658746f19758ef78308ad1f969de23bf48ca1879e14d0e310f63b5adc9d9cea
Instruction ID: 0b990fca6b60206c3e707248d9d66d7d6a49d4e932ec086fcd571e1128175751
Opcode Fuzzy Hash: 5658746f19758ef78308ad1f969de23bf48ca1879e14d0e310f63b5adc9d9cea
Instruction Fuzzy Hash: 9D214D74A00205ABCB10DF94DE89FEEBBB8FB58701F100026F542F71A0DB745945CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041F910, Relevance: 12.0, APIs: 8, Instructions: 46COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041F953
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041F95B
#536.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041F96C
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041F977
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041F980
__vbaFreeStr.MSVBVM60(0041F9AD,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041F9A0
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041F9A5
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041F9AA

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$Copy$#536Move
String ID:
API String ID: 754517999-0
Opcode ID: 009f65b11b190cbc85a5ce8a678fd1d1b06de25f9238eb1ba3309ac32ffd4cfe
Instruction ID: 19f9550cbc572107863d23e85454b91a2375f22c0e6cfc86ee56cd86eb8b7105
Opcode Fuzzy Hash: 009f65b11b190cbc85a5ce8a678fd1d1b06de25f9238eb1ba3309ac32ffd4cfe
Instruction Fuzzy Hash: 9C11EC71D002099FCB04DFA4D945AEEBBB4FB58700F108126E506B72A4EB346A05CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00420FE0, Relevance: 10.6, APIs: 7, Instructions: 121COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402530,00422010), ref: 00421027
__vbaObjSet.MSVBVM60(?,00000000), ref: 00421046
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A04,000000F8), ref: 00421069
__vbaNew2.MSVBVM60(00402530,00422010), ref: 00421082
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042109B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A40,00000130), ref: 0042112A
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042113A

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckHresultNew2$FreeList
String ID:
API String ID: 1549294082-0
Opcode ID: a92df7a908f82a5dc427a791609bdd45c1cd05528ec4c517785bd0149ace56b0
Instruction ID: 4fa1a074cb9a64279433e27b1913e576eb43f564d3884fd0557e9dc443e29d3a
Opcode Fuzzy Hash: a92df7a908f82a5dc427a791609bdd45c1cd05528ec4c517785bd0149ace56b0
Instruction Fuzzy Hash: BF414F74A00204AFCB14DF98D989A9EBBF9FF4C700F50806AE905F73A1D6749905CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00420CF0, Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(004038D4,00422390,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420D34
__vbaHresultCheckObj.MSVBVM60(00000000,0233EF84,004038C4,00000014,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420D59
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038E4,000000B8,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420D83
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420D8C

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID:
API String ID: 4261391273-0
Opcode ID: 6eb63e7c35829c233a6fc7a344d7e4c81dfe20447edc6fad9db80dff0af15822
Instruction ID: c122d9e9c443dfd2cce2d58bcd9dae9b8c811ce319a5d5820ccbaa6cd3433302
Opcode Fuzzy Hash: 6eb63e7c35829c233a6fc7a344d7e4c81dfe20447edc6fad9db80dff0af15822
Instruction Fuzzy Hash: 8911BF34A00215BBCB10DF95DD8AE9ABBFCEB55701F504126F505B71E0D67868458BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041C530, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402530,00422010), ref: 0041C573
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041C58C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403994,000001C4), ref: 0041C5AF
__vbaFreeObj.MSVBVM60 ref: 0041C5B8

Memory Dump Source

Source File: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.576526445.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.576565667.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: cd385f91139b51eaf88f4ac61fc548b421f8d54bbac8d75b4a1977bd26fdb77b
Instruction ID: e4fa831f53ddc503848e92f2a2e89a018ee89accf2b31cca937922441ddf8c90
Opcode Fuzzy Hash: cd385f91139b51eaf88f4ac61fc548b421f8d54bbac8d75b4a1977bd26fdb77b
Instruction Fuzzy Hash: 27018C74680304BBD7109F64CE89FAA7BBDFB04B05F504426F941B72A0E6B86905CAA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report lpSbvoEkD6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: lpSbvoEkD6.exe PID: 6092 Parent PID: 5672

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: lpSbvoEkD6.exe PID: 6092 Parent PID: 5672 lpSbvoEkD6.exeCOMMON

Executed Functions

Function 0041A630, Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 237COMMON

Function 00405720, Relevance: 1.4, Strings: 1, Instructions: 174
COMMONCrypto