
Windows Analysis Report KDVTOodd7T

Overview

General Information

Sample Name: KDVTOodd7T (renamed file extension from none to exe)
Analysis ID: 435339
MD5: 457fcb32ec7df1868df42f31cce2a301
SHA1: 8bd3a8d8e0f6a48b51e5b3fbc119b154304044ec
SHA256: c7d1295093d4112a976f0c13be811d2a1fb6dc5928e1fabefe7b1315f7b0e95f
Tags: 32, exe, GuLoader

Detection

GuLoader
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Yara detected GuLoader
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • KDVTOodd7T.exe (PID: 6064 cmdline: 'C:\Users\user\Desktop\KDVTOodd7T.exe' MD5: 457FCB32EC7DF1868DF42F31CCE2A301)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://bara-seck.com/bin_dwjDbyFc82.bin, http://benvenuti.rs/wp-content/bin_dwjDbyFc82.bin"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
KDVTOodd7T.exe | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.692826646.00000000021E0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000001.00000000.328525876.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |
00000001.00000002.692341563.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.KDVTOodd7T.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |
1.0.KDVTOodd7T.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: https://bara-seck.com/bin_dwjDbyFc82.bin, http://benvenuti.rs/wp-content/bin_dwjDbyFc82.bin | Avira URL Cloud: Label: malware
Found malware configuration
Source: KDVTOodd7T.exe | Malware Configuration Extractor: GuLoader {"Payload URL": "https://bara-seck.com/bin_dwjDbyFc82.bin, http://benvenuti.rs/wp-content/bin_dwjDbyFc82.bin"}
Source: KDVTOodd7T.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://bara-seck.com/bin_dwjDbyFc82.bin, http://benvenuti.rs/wp-content/bin_dwjDbyFc82.bin
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E5BFE NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E5E16 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E5BFF NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E5C4F NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E5C64 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E5CD6 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E5D1E NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E5D5E NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E5DCA NtAllocateVirtualMemory
Source: KDVTOodd7T.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KDVTOodd7T.exe, 00000001.00000002.693611790.0000000002A90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameOders.exeFE2Xl vs KDVTOodd7T.exe
Source: KDVTOodd7T.exe, 00000001.00000000.328540343.0000000000417000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameOders.exe vs KDVTOodd7T.exe
Source: KDVTOodd7T.exe, 00000001.00000002.692811986.00000000021D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs KDVTOodd7T.exe
Source: KDVTOodd7T.exe | Binary or memory string: OriginalFilenameOders.exe vs KDVTOodd7T.exe
Source: KDVTOodd7T.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal92.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | File created: C:\Users\user\AppData\Local\Temp\~DF299C0E1CBDF0229D.TMP
Source: KDVTOodd7T.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000001.00000002.692826646.00000000021E0000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader
Source: Yara match | File source: KDVTOodd7T.exe, type: SAMPLE
Source: Yara match | File source: 00000001.00000000.328525876.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.692341563.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.KDVTOodd7T.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.KDVTOodd7T.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_00408275 push ss; iretd
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_004072D2 push edi; retf
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_004046EC push esp; ret
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_004057EA push es; iretd
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E5466 push ecx; retf
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021EA134 push 6DC60657h; ret
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | RDTSC instruction interceptor: First address: 00000000021E7CB4 second address: 00000000021E7CB4 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | RDTSC instruction interceptor: First address: 00000000021E7C5B second address: 00000000021E7C75 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b mov ecx, dword ptr [eax+24h]
    0x0000000e mov dword ptr [ebp+10h], ecx
    0x00000011 mov esi, dword ptr [eax+20h]
    0x00000014 pushad
    0x00000015 mov eax, 0000009Fh
    0x0000001a rdtsc
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | RDTSC instruction interceptor: First address: 00000000021E7C75 second address: 00000000021E7CB4 instructions:
    0x00000000 rdtsc
    0x00000002 popad
    0x00000003 add esi, dword ptr [ebp+04h]
    0x00000006 xor ecx, ecx
    0x00000008 mov edx, dword ptr [esi]
    0x0000000a cmp cl, FFFFFFA7h
    0x0000000d add edx, dword ptr [ebp+04h]
    0x00000010 mov dword ptr [ebp+000001EAh], ebx
    0x00000016 mov ebx, ecx
    0x00000018 cmp dh, dh
    0x0000001a push ebx
    0x0000001b mov ebx, dword ptr [ebp+000001EAh]
    0x00000021 cmp bl, al
    0x00000023 mov dword ptr [ebp+00000242h], eax
    0x00000029 mov eax, esi
    0x0000002b push eax
    0x0000002c jmp 00007FD200395642h
    0x0000002e pushad
    0x0000002f rdtsc
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | RDTSC instruction interceptor: First address: 00000000021E7CB4 second address: 00000000021E7CB4 instructions:
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | RDTSC instruction interceptor: First address: 00000000021E8296 second address: 00000000021E8296 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, A9806D28h
    0x00000007 xor eax, 34FBFF8Fh
    0x0000000c xor eax, 88F23A62h
    0x00000011 add eax, EA76573Ch
    0x00000016 cpuid
    0x00000018 popad
    0x00000019 call 00007FD20039566Bh
    0x0000001e lfence
    0x00000021 mov edx, 50D17F9Fh
    0x00000026 sub edx, F1A1A6A8h
    0x0000002c xor edx, 2B14136Fh
    0x00000032 xor edx, 0BC5CB8Ch
    0x00000038 mov edx, dword ptr [edx]
    0x0000003a lfence
    0x0000003d jmp 00007FD200395642h
    0x0000003f test bh, ah
    0x00000041 test ebx, F76DAF81h
    0x00000047 cmp dh, 00000050h
    0x0000004a cmp ch, ah
    0x0000004c ret
    0x0000004d jmp 00007FD200395646h
    0x0000004f cmp cx, 2A72h
    0x00000054 sub edx, esi
    0x00000056 ret
    0x00000057 cmp al, cl
    0x00000059 cmp bl, FFFFFFB2h
    0x0000005c add edi, edx
    0x0000005e cmp ch, ch
    0x00000060 dec dword ptr [ebp+000000F8h]
    0x00000066 cmp dword ptr [ebp+000000F8h], 00000000h
    0x0000006d jne 00007FD200395615h
    0x0000006f call 00007FD200395656h
    0x00000074 call 00007FD20039568Ch
    0x00000079 lfence
    0x0000007c mov edx, 50D17F9Fh
    0x00000081 sub edx, F1A1A6A8h
    0x00000087 xor edx, 2B14136Fh
    0x0000008d xor edx, 0BC5CB8Ch
    0x00000093 mov edx, dword ptr [edx]
    0x00000095 lfence
    0x00000098 jmp 00007FD200395642h
    0x0000009a test bh, ah
    0x0000009c test ebx, F76DAF81h
    0x000000a2 cmp dh, 00000050h
    0x000000a5 cmp ch, ah
    0x000000a7 ret
    0x000000a8 mov esi, edx
    0x000000aa pushad
    0x000000ab rdtsc
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E6A1F rdtsc
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E6A1F rdtsc
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E3AF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E8B17 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E3B0E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E8B04 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E57A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E7FC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E37C6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E3036 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E8849 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E79CB mov eax, dword ptr fs:[00000030h]
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: KDVTOodd7T.exe, 00000001.00000002.692698662.0000000000DB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: KDVTOodd7T.exe, 00000001.00000002.692698662.0000000000DB0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: KDVTOodd7T.exe, 00000001.00000002.692698662.0000000000DB0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: KDVTOodd7T.exe, 00000001.00000002.692698662.0000000000DB0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\KDVTOodd7T.exe | Code function: 1_2_021E2A10 cpuid

              Mitre Att&ck Matrix

               Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
               Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 1 | Virtualization/Sandbox Evasion 11 | OS Credential Dumping | Security Software Discovery 41 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
               Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 1 | LSASS Memory | Virtualization/Sandbox Evasion 11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
               Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
               Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery 311 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud

              Behavior Graph


              Screenshots


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

               Source | Detection | Scanner | Label | Link
               KDVTOodd7T.exe | 7% | ReversingLabs | |

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

               Source | Detection | Scanner | Label | Link
               https://bara-seck.com/bin_dwjDbyFc82.bin, http://benvenuti.rs/wp-content/bin_dwjDbyFc82.bin | 100% | Avira URL Cloud | malware |

              Domains and IPs

              Contacted Domains

              No contacted domains info

              Contacted URLs

               Name | Malicious | Antivirus Detection | Reputation
               https://bara-seck.com/bin_dwjDbyFc82.bin, http://benvenuti.rs/wp-content/bin_dwjDbyFc82.bin | true | Avira URL Cloud: malware | unknown

              Contacted IPs

              No contacted IP infos

              General Information

               Joe Sandbox Version: 32.0.0 Black Diamond
               Analysis ID: 435339
               Start date: 16.06.2021
               Start time: 12:41:13
               Joe Sandbox Product: CloudBasic
               Overall analysis duration: 0h 6m 4s
               Hypervisor based Inspection enabled: false
               Report type: light
               Sample file name: KDVTOodd7T (renamed file extension from none to exe)
               Cookbook file name: default.jbs
               Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
               Number of new started processes analysed: 24
               Number of new started drivers analysed: 0
               Number of existing processes analysed: 0
               Number of existing drivers analysed: 0
               Number of injected processes analysed: 0
               Technologies:
               • HCA enabled
               • EGA enabled
               • HDC enabled
               • AMSI enabled
               Analysis Mode: default
               Analysis stop reason: Timeout
               Detection: MAL
               Classification: mal92.troj.evad.winEXE@1/0@0/0
               EGA Information: Failed
               HDC Information:
               • Successful, ratio: 21.5% (good quality ratio 11.6%)
               • Quality average: 33.5%
               • Quality standard deviation: 36.6%
               HCA Information: Failed
               Cookbook Comments:
               • Adjust boot time
               • Enable AMSI
               • Override analysis time to 240s for sample files taking high CPU consumption
               Warnings:
              • Max analysis timeout: 220s exceeded, the analysis took too long
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
               • Not all processes were analyzed; the report is missing behavior information
              • VT rate limit hit for: /opt/package/joesandbox/database/analysis/435339/sample/KDVTOodd7T.exe

              Simulations

              Behavior and APIs

              No simulations

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              No context

              ASN

              No context

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              No created / dropped files found

              Static File Info

              General

               File type: PE32 executable (GUI) Intel 80386, for MS Windows
               Entropy (8bit): 6.031806399752245
               TrID:
               • Win32 Executable (generic) a (10002005/4) 99.15%
               • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
               • Generic Win/DOS Executable (2004/3) 0.02%
               • DOS Executable Generic (2002/1) 0.02%
               • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
               File name: KDVTOodd7T.exe
               File size: 94208
               MD5: 457fcb32ec7df1868df42f31cce2a301
               SHA1: 8bd3a8d8e0f6a48b51e5b3fbc119b154304044ec
               SHA256: c7d1295093d4112a976f0c13be811d2a1fb6dc5928e1fabefe7b1315f7b0e95f
               SHA512: 503902cb165b587751270b511c13dd7ae6065814f2ea2ca4b145d831c77d1b36735526827ac185c99b81bb702628f26e9f43f5ccbd075cc491bcd4c836708708
               SSDEEP: 1536:L10ol0/gh4343HqtCJWg4edfJPVo8xZSsIgO4jcYzy6ipu5W3EUanOYA2nJ29GLN:L6UdJ/4edfA0ZSsmVu5W3EUanOYA2nJn
               File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.S............&........ .......$......Rich....................PE..L...6..T.................@...0......D........P....@........

              File Icon

               Icon Hash: 11c0c48c86cc08c4

              Static PE Info

              General

               Entrypoint: 0x401644
               Entrypoint Section: .text
               Digitally signed: false
               Imagebase: 0x400000
               Subsystem: windows gui
               Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
               DLL Characteristics:
               Time Stamp: 0x54EF7F36 [Thu Feb 26 20:16:54 2015 UTC]
               TLS Callbacks:
               CLR (.Net) Version:
               OS Version Major: 4
               OS Version Minor: 0
               File Version Major: 4
               File Version Minor: 0
               Subsystem Version Major: 4
               Subsystem Version Minor: 0
               Import Hash: d5d16d1b76210dd28c8586fe9bac3119

              Entrypoint Preview

              Instruction
              push 0040278Ch
              call 00007FD2008D38D3h
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              xor byte ptr [eax], al
              add byte ptr [eax], al
              inc eax
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [ecx+45h], ah
              fcom qword ptr [edx]
              adc bh, byte ptr [319F405Fh]
              arpl word ptr [C2CC377Ah], sp
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add dword ptr [eax], eax
              add byte ptr [eax], al
              adc dword ptr [ebx], eax
              inc edi
              add byte ptr [eax], al
              add byte ptr [ecx+4Eh], cl
              push esp
              inc ebp
              push edx
              push esi
              inc ecx
              dec esp
              push esp
              pop ecx
              push eax
              inc ebp
              push edx
              dec esi
              inc ebp
              add byte ptr [eax], al
              add byte ptr [eax], al
              add bh, bh
              int3
              xor dword ptr [eax], eax
              add byte ptr [esp+ebp*8+3Fh], dl
              test eax, 4E2C7F85h
              xchg dword ptr [185B32B1h], ebx
              js 00007FD2008D3934h
              xchg eax, edx
              jmp 00007FD2008D38D3h
              inc eax
              scasb
              sbb al, 62h
              dec esi

              Data Directories

               Name | Virtual Address | Virtual Size | Is in Section
               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14174 | 0x28 | .text
               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17000 | 0xd6a | .rsrc
               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x230 | 0x20 |
               IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x190 | .text
               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

              Sections

               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
               .text | 0x1000 | 0x137a8 | 0x14000 | False | 0.502783203125 | data | 6.41658995771 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
               .data | 0x15000 | 0x1b84 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
               .rsrc | 0x17000 | 0xd6a | 0x1000 | False | 0.348876953125 | data | 3.58378808404 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

               Name | RVA | Size | Type | Language | Country
               RT_ICON | 0x17c42 | 0x128 | GLS_BINARY_LSB_FIRST | |
               RT_ICON | 0x1739a | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16776176, next used block 10526884 | |
               RT_GROUP_ICON | 0x17378 | 0x22 | data | |
               RT_VERSION | 0x17120 | 0x258 | data | English | United States

              Imports

               DLL | Import
               MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaLineInputStr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaErase, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaVarTstEq, __vbaAryConstruct2, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaInStrB, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, __vbaVarLateMemCallLd, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, __vbaFPInt, _CIexp, __vbaFreeObj, __vbaFreeStr

              Version Infos

               Description | Data
               Translation | 0x0409 0x04b0
               InternalName | Oders
               FileVersion | 1.00
               CompanyName | Violet Solution
               Comments | Violet Solution
               ProductName | INTERVALTYPERNE
               ProductVersion | 1.00
               OriginalFilename | Oders.exe

              Possible Origin

               Language of compilation system | Country where language is spoken | Map
               English | United States |

              Network Behavior

              No network behavior found

              Code Manipulations

              Statistics

              System Behavior

              General

               Start time: 12:42:04
               Start date: 16/06/2021
               Path: C:\Users\user\Desktop\KDVTOodd7T.exe
               Wow64 process (32bit): true
               Commandline: 'C:\Users\user\Desktop\KDVTOodd7T.exe'
               Imagebase: 0x400000
               File size: 94208 bytes
               MD5 hash: 457FCB32EC7DF1868DF42F31CCE2A301
               Has elevated privileges: true
               Has administrator privileges: true
               Programmed in: Visual Basic
              Yara matches:
              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.692826646.00000000021E0000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000001.00000000.328525876.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000001.00000002.692341563.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
               Reputation: low

              Disassembly

              Code Analysis
