Play interactive tour

Edit tour

Windows Analysis Report ZGNX11JMSc

Overview

General Information

Sample Name:	ZGNX11JMSc (renamed file extension from none to exe)
Analysis ID:	448876
MD5:	fcfb0ec70f1419ede8a534cc95cb61e9
SHA1:	d3b529d77f1de00d63a75b3956d4bcf6bbce30ca
SHA256:	ff1b034c7060724133c6df0aa8cf5411ec0e6775d3aca83a127617340a8c588a
Tags:	32exeGuLoadertrojan
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

PE / OLE file has an invalid certificate

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ZGNX11JMSc.exe (PID: 5764 cmdline: 'C:\Users\user\Desktop\ZGNX11JMSc.exe' MD5: FCFB0EC70F1419EDE8A534CC95CB61E9)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
ZGNX11JMSc.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000000.00000000.216935680.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.ZGNX11JMSc.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
0.0.ZGNX11JMSc.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: ZGNX11JMSc.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}

Source: ZGNX11JMSc.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: ZGNX11JMSc.exe

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://ceattire.com/bin_UYDMbHwI28.bin

Source: ZGNX11JMSc.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ZGNX11JMSc.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ZGNX11JMSc.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ZGNX11JMSc.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ZGNX11JMSc.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ZGNX11JMSc.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ZGNX11JMSc.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: ZGNX11JMSc.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: ZGNX11JMSc.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: ZGNX11JMSc.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_023154E7 NtAllocateVirtualMemory,		0_2_023154E7
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_023155AC NtAllocateVirtualMemory,		0_2_023155AC

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_023154E7	0_2_023154E7
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02310EFE	0_2_02310EFE
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_023172C3	0_2_023172C3
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_023142CD	0_2_023142CD
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02311B2D	0_2_02311B2D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02311B1A	0_2_02311B1A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02317F03	0_2_02317F03
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02313F0C	0_2_02313F0C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02317B73	0_2_02317B73
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02317F6D	0_2_02317F6D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02311B5F	0_2_02311B5F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02310FB5	0_2_02310FB5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02312793	0_2_02312793
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02314785	0_2_02314785
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02318385	0_2_02318385
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02314B8E	0_2_02314B8E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_023143F1	0_2_023143F1
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02317036	0_2_02317036
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_0231341B	0_2_0231341B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_0231100E	0_2_0231100E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02314071	0_2_02314071
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_0231844C	0_2_0231844C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02318C82	0_2_02318C82
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02318CD5	0_2_02318CD5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_023180D4	0_2_023180D4
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_023134C4	0_2_023134C4
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_0231350F	0_2_0231350F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02317D52	0_2_02317D52
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02312958	0_2_02312958
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02318D58	0_2_02318D58
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02312940	0_2_02312940
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_023129B0	0_2_023129B0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02312183	0_2_02312183

Source: ZGNX11JMSc.exe

Static PE information: invalid certificate

Source: ZGNX11JMSc.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ZGNX11JMSc.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ZGNX11JMSc.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: ZGNX11JMSc.exe, 00000000.00000000.216975638.0000000000438000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameANTISOCIA.exe vs ZGNX11JMSc.exe
Source: ZGNX11JMSc.exe	Binary or memory string: OriginalFilenameANTISOCIA.exe vs ZGNX11JMSc.exe

Source: ZGNX11JMSc.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal84.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

File created: C:\Users\user\AppData\Local\Temp\~DF46939C48381DC1A3.TMP

Jump to behavior

Source: ZGNX11JMSc.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ZGNX11JMSc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: ZGNX11JMSc.exe

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, type: MEMORY

Yara detected GuLoader

Show sources

Source: Yara match	File source: ZGNX11JMSc.exe, type: SAMPLE
Source: Yara match	File source: 0.2.ZGNX11JMSc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ZGNX11JMSc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.216935680.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_0040495E push es; ret	0_2_00404963
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02315F81 push ecx; ret	0_2_02315F82
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02319551 push edx; iretd	0_2_023196B3

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02310EFE	0_2_02310EFE
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_023142CD	0_2_023142CD
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02311B1A	0_2_02311B1A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02311B5F	0_2_02311B5F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02310FB5	0_2_02310FB5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02312793	0_2_02312793
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02316F9E	0_2_02316F9E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_023143F1	0_2_023143F1
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02317036	0_2_02317036
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_0231341B	0_2_0231341B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_0231100E	0_2_0231100E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02314071	0_2_02314071
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02317D52	0_2_02317D52
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02312958	0_2_02312958

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 00000000023101BE second address: 00000000023101BE instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 00000000023170C1 second address: 00000000023170D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002318DB2 second address: 0000000002318DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002318DFF second address: 0000000002318DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007F588C90F2EFh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002317A0D second address: 0000000002317A0D instructions:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 00000000023101BE second address: 00000000023101BE instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 00000000023170C1 second address: 00000000023170D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002318DB2 second address: 0000000002318DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002318DFF second address: 0000000002318DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007F588C90F2EFh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002317A0D second address: 0000000002317A0D instructions:

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

Code function: 0_2_023154E7 rdtsc

0_2_023154E7

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

Code function: 0_2_023154E7 rdtsc

0_2_023154E7

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02316B93 mov eax, dword ptr fs:[00000030h]	0_2_02316B93
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_0231341B mov eax, dword ptr fs:[00000030h]	0_2_0231341B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_023150CA mov eax, dword ptr fs:[00000030h]	0_2_023150CA
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02317D52 mov eax, dword ptr fs:[00000030h]	0_2_02317D52
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_02312958 mov eax, dword ptr fs:[00000030h]	0_2_02312958
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 0_2_023171A9 mov eax, dword ptr fs:[00000030h]	0_2_023171A9

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: ZGNX11JMSc.exe, 00000000.00000002.740243158.0000000000DB0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: ZGNX11JMSc.exe, 00000000.00000002.740243158.0000000000DB0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: ZGNX11JMSc.exe, 00000000.00000002.740243158.0000000000DB0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: ZGNX11JMSc.exe, 00000000.00000002.740243158.0000000000DB0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

Code function: 0_2_0231054C cpuid

0_2_0231054C

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery41	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery311	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ZGNX11JMSc.exe	7%	ReversingLabs	Win32.Trojan.Vebzenpak

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://ceattire.com/bin_UYDMbHwI28.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ceattire.com/bin_UYDMbHwI28.bin	true	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	448876
Start date:	14.07.2021
Start time:	19:51:35
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ZGNX11JMSc (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information VT rate limit hit for: /opt/package/joesandbox/database/analysis/448876/sample/ZGNX11JMSc.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.7769054763067915
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ZGNX11JMSc.exe
File size:	267376
MD5:	fcfb0ec70f1419ede8a534cc95cb61e9
SHA1:	d3b529d77f1de00d63a75b3956d4bcf6bbce30ca
SHA256:	ff1b034c7060724133c6df0aa8cf5411ec0e6775d3aca83a127617340a8c588a
SHA512:	ffec36b157f889a2bd351b9d8423b247138a5fd2e57de83bb1253336518431136a265d244b653af470a8d04e2674c4cadf467c065a7fc38f10effedd705ab248
SSDEEP:	1536:x2M5j2eBXFScbssSe/W+dMa27qQ0Z9Dfs4IwNAvgiIOm72tNHLg/8A:T5FXrbVTeE2uQU7s49AMUrg/8A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.....................................Rich............PE..L.....FR.................`..........p........p....@................

File Icon


Icon Hash:	e8ccce8e8ececce8

Static PE Info

General
Entrypoint:	0x401470
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5246CAE2 [Sat Sep 28 12:26:10 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a6a8fddf213e725d12277ffa52409c50

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Overbee@NONASSUM.DRA, CN=skrdd, OU=UNDE, O=prototypi, L=Nyordn5, S=sobs, C=MG
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	7/13/2021 10:05:37 AM 7/13/2022 10:05:37 AM
Subject Chain	E=Overbee@NONASSUM.DRA, CN=skrdd, OU=UNDE, O=prototypi, L=Nyordn5, S=sobs, C=MG
Version:	3
Thumbprint MD5:	9036914828CBB0BD5603E92A0629EBCE
Thumbprint SHA-1:	502D44A3683EF19D6EE93B5A0BA39CEF214FA587
Thumbprint SHA-256:	D8DC1D893CD8ACCF7B4CB8910AC7F2C4539AB530AD74E93F825CCDA9E5C58408
Serial:	00

Entrypoint Preview

Instruction
push 004316D0h
call 00007F588CC1EB63h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov dl, 30h
sal dword ptr [edx+edx*2-43B57C63h], 1
mov dl, 66h
imul edi, eax, 78h
inc eax
pop edx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [esi], al
push eax
add dword ptr [ecx], 55h
insb
outsb
imul eax, dword ptr [eax], 00006496h
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
adc dl, ch
popfd
or al, 2Dh
stc
cli
inc edi
cmp byte ptr [ebx+68h], FFFFFF94h
fdivr st(0), st(3)
dec esp
push ds
sbb ecx, dword ptr fs:[ebx]
dec edx
xchg eax, esi
add dword ptr [esi-51C24BC0h], ebx
retf 1486h
outsb
sbb eax, 33AD4F3Ah
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jbe 00007F588CC1EB72h
add eax, dword ptr [eax]
xor byte ptr [ebp+00h], dh
add byte ptr [eax], al
add eax, 6D655400h
jo 00007F588CC1EBA5h
add byte ptr [53000501h], cl
inc ecx
dec ebp
dec ebp
inc ebp
add byte ptr [ecx], bl
add dword ptr [eax], eax
inc edx
add byte ptr [edx], ah
add byte ptr [ebx], ah
out dx, al
je 00007F588CC1EB72h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x36404	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x7a92	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x40058	0x1418
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1120	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x118	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x35930	0x36000	False	0.255479600694	data	4.71656794382	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x37000	0xbd4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0x7a92	0x8000	False	0.294891357422	data	4.41054714474	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3f42a	0x668	data
RT_ICON	0x3f142	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 998965248, next used block 48059
RT_ICON	0x3ef5a	0x1e8	data
RT_ICON	0x3ee32	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x3df8a	0xea8	data
RT_ICON	0x3d6e2	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
RT_ICON	0x3d01a	0x6c8	data
RT_ICON	0x3cab2	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x3a50a	0x25a8	data
RT_ICON	0x39462	0x10a8	data
RT_ICON	0x38ada	0x988	data
RT_ICON	0x38672	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x385c4	0xae	data
RT_VERSION	0x38300	0x2c4	data	Swahili	Kenya
RT_VERSION	0x38300	0x2c4	data	Swahili	Mozambiq

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, __vbaInStr, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaLateMemCall, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, __vbaAryCopy, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0441 0x04b0
LegalCopyright	ON24
InternalName	ANTISOCIA
FileVersion	7.00
CompanyName	ON24
LegalTrademarks	ON24
Comments	ON24
ProductName	ON24
ProductVersion	7.00
FileDescription	ON24
OriginalFilename	ANTISOCIA.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Swahili	Kenya
Swahili	Mozambiq

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: ZGNX11JMSc.exe PID: 5764 Parent PID: 5588

General

Start time:	19:52:30
Start date:	14/07/2021
Path:	C:\Users\user\Desktop\ZGNX11JMSc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ZGNX11JMSc.exe'
Imagebase:	0x400000
File size:	267376 bytes
MD5 hash:	FCFB0EC70F1419EDE8A534CC95CB61E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000000.216935680.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ZGNX11JMSc.exe PID: 5764 Parent PID: 5588 ZGNX11JMSc.exeCOMMON

Executed Functions

Function 023154E7, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 161memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 023156A2

Strings

y, xrefs: 023157BB

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: y
API String ID: 2167126740-4225443349
Opcode ID: ccb9250a56514e3bcf147866c2b53727f3f21d783a92aff79db98ba1b2535767
Instruction ID: 131933a4d410a443029f6ef34f361a4a4f08ee24a89cef9625f6c5ce6aefbb0d
Opcode Fuzzy Hash: ccb9250a56514e3bcf147866c2b53727f3f21d783a92aff79db98ba1b2535767
Instruction Fuzzy Hash: E9516876A0938A8FEF359FB48C517DA3BA1EF0A750F84456DDC898B240D7359A80CB42

Uniqueness

Uniqueness Score: -1.00%

Function 023155AC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 130memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 023156A2

Strings

y, xrefs: 023157BB

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: y
API String ID: 2167126740-4225443349
Opcode ID: a5341afa1f59408f94a8a9e1ce93185e6b60ab566ed768acb8133b4381641583
Instruction ID: 305cc9b4013132e35a28e787df4b7d514d0baed07f74ca9ad8796e47fab2cbe3
Opcode Fuzzy Hash: a5341afa1f59408f94a8a9e1ce93185e6b60ab566ed768acb8133b4381641583
Instruction Fuzzy Hash: 5241523464938A8FEB36AF308C557D97FA1EF46390F98416DDCC58B252D3308A80CB42

Uniqueness

Uniqueness Score: -1.00%

Function 004335E4, Relevance: 214.7, APIs: 116, Strings: 6, Instructions: 1225COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00433730
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043374B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CE8,00000138), ref: 0043376D
__vbaFreeObj.MSVBVM60(00000000,00000000,00432CE8,00000138), ref: 00433778
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00433790
__vbaObjSet.MSVBVM60(?,00000000), ref: 004337AB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00432CF8,000001C8), ref: 004337F9
__vbaFreeObj.MSVBVM60(00000000,?,00432CF8,000001C8), ref: 00433804
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 0043381C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00433837
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D08,00000098), ref: 00433861
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00433880
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043389B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D08,00000130), ref: 004338C0
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004338D6
__vbaStrVarMove.MSVBVM60(00000000), ref: 004338DF
__vbaStrMove.MSVBVM60(00000000), ref: 004338EC
__vbaFreeStr.MSVBVM60 ref: 0043391F
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0043393B
__vbaFreeVar.MSVBVM60 ref: 00433949
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00433961
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043397C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D08,00000130), ref: 004339A1
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004339B7
__vbaStrVarMove.MSVBVM60(?), ref: 004339C6
__vbaStrMove.MSVBVM60(?), ref: 004339D3
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000710), ref: 00433A0B
__vbaFreeStr.MSVBVM60(00000000,00401198,00432788,00000710), ref: 00433A1D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00433A32
__vbaFreeVar.MSVBVM60(00401198,00432788,00000710), ref: 00433A40
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000708), ref: 00433A61
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000714), ref: 00433AA9
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000718), ref: 00433AC3
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00433ADB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00433AF6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CE8,000000A8), ref: 00433B1F
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000704), ref: 00433B77
__vbaFreeObj.MSVBVM60(00000000,00401198,00432788,00000704), ref: 00433B82
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,0000070C), ref: 00433BA3
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,000006FC), ref: 00433BC4
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000704), ref: 00433C1A
__vbaStrCopy.MSVBVM60(00000000,00401198,00432788,00000704), ref: 00433C2A
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000710), ref: 00433C5D
__vbaFreeStr.MSVBVM60(00000000,00401198,00432788,00000710), ref: 00433C68
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,0000071C), ref: 00433C9F
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00433CB7
__vbaObjSet.MSVBVM60(?,00000000), ref: 00433CD2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D60,00000058), ref: 00433CF5
__vbaFreeObj.MSVBVM60 ref: 00433D27
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00433D3F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00433D5A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000001D0), ref: 00433D83
__vbaFreeObj.MSVBVM60 ref: 00433DAE
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000708), ref: 00433DCF
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000700), ref: 00433DE9
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,000006F8), ref: 00433E18
__vbaStrCopy.MSVBVM60(00000000,00401198,00432788,000006F8), ref: 00433E28
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000710), ref: 00433E5B
__vbaFreeStr.MSVBVM60(00000000,00401198,00432788,00000710), ref: 00433E66
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00433E7E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00433E99
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CE8,000000F0), ref: 00433EC2
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00433EDA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00433EF5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000001D0), ref: 00433F1E
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000714), ref: 00433F69
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00433F7E
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00433FE8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00434003
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000110), ref: 0043402C
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,0000071C), ref: 00434064
__vbaFreeObj.MSVBVM60(00000000,00401198,00432788,0000071C), ref: 0043406F
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00434087
__vbaObjSet.MSVBVM60(?,00000000), ref: 004340A2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000130), ref: 004340CB
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 004340E3
__vbaObjSet.MSVBVM60(?,00000000), ref: 004340FE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000130), ref: 00434127
__vbaStrMove.MSVBVM60(00000000,00000000,00432CF8,00000130), ref: 0043413F
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043417B
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000002,?,?), ref: 00434190
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000708), ref: 004341B4
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 004341CC
__vbaObjSet.MSVBVM60(?,00000000), ref: 004341E7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,00000198), ref: 00434210
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00434228
__vbaObjSet.MSVBVM60(?,00000000), ref: 00434243
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000190), ref: 0043426C
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00434284
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043429F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000198), ref: 004342C8
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000714), ref: 00434315
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00434331
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000700), ref: 0043434E
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00434366
__vbaObjSet.MSVBVM60(?,00000000), ref: 00434381
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000190), ref: 004343AA
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000704), ref: 00434402
__vbaFreeObj.MSVBVM60(00000000,00401198,00432788,00000704), ref: 0043440D
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000700), ref: 00434427
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 0043443F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043445A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,00000218), ref: 00434483
__vbaStrMove.MSVBVM60(00000000,00000000,00432D70,00000218), ref: 0043449B
__vbaFreeStr.MSVBVM60 ref: 004344CC
__vbaFreeObj.MSVBVM60 ref: 004344D7
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,0000071C), ref: 0043450E
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000718), ref: 00434528
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00434540
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043455B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D08,00000180), ref: 00434584
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 0043459C
__vbaObjSet.MSVBVM60(?,00000000), ref: 004345B7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000000E0), ref: 004345E0
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,0000071C), ref: 00434619
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0043462E

Strings

untransplanted, xrefs: 00433C1F
enteromesenteric, xrefs: 00433E1D
Fejlstatistik8, xrefs: 004338FE
pKbU, xrefs: 00433BDE, 00433BE4
D, xrefs: 004344B6
HETEROINTOXICATION, xrefs: 004344A9

Memory Dump Source

Source File: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.739195018.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.739458904.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.739476169.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$New2$List$Move$CallCopyLate
String ID: Fejlstatistik8$HETEROINTOXICATION$enteromesenteric$pKbU$untransplanted$D
API String ID: 4096466292-1851894414
Opcode ID: 50f176b28eb568baf250de7bfd4b04bb8d25a0c8eb2fa5e31073e6d4b2657893
Instruction ID: b228ce87f7abde1b46aad1bed7f41f4f117141d907b66e7f5f86440591ccd116
Opcode Fuzzy Hash: 50f176b28eb568baf250de7bfd4b04bb8d25a0c8eb2fa5e31073e6d4b2657893
Instruction Fuzzy Hash: D3A241B0940219ABDB25DB65CC99FEA77BCAF08744F0014EAF149E71A1DB786B44CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00435B46, Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

__vbaR8Str.MSVBVM60(00432F40,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435B8B
__vbaFPFix.MSVBVM60(00432F40,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435B90
__vbaNew2.MSVBVM60(0043199C,00437010,00432F40,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435BB3
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435BCB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D08,00000120,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435BF1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 00435BFF

Memory Dump Source

Source File: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.739195018.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.739458904.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.739476169.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 5bf79b992d1864ab63ec5188589fc31ccbeab3262971a6a48fa4b78e25c16587
Instruction ID: a91470af7f079c1682a62030a7b22422c506b51593a444671756e0bb7d2b609d
Opcode Fuzzy Hash: 5bf79b992d1864ab63ec5188589fc31ccbeab3262971a6a48fa4b78e25c16587
Instruction Fuzzy Hash: EB1172B4940608ABCB10EF95C945E9EBBB8FF5C744F10546BF451F72A1C77C55018BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401470, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6%*), ref: 00401475

Strings

VB5!6%*, xrefs: 00401470

Memory Dump Source

Source File: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.739195018.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.739458904.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.739476169.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: #100
String ID: VB5!6%*
API String ID: 1341478452-4246263594
Opcode ID: 17067581b7d27bfbfa978426e6faf9106fddf5ce19447f27e37080abef5f32d0
Instruction ID: b1e19180af3ab2ec1248aed23a1bce84dea529df0f229db8e130a7f4247806d4
Opcode Fuzzy Hash: 17067581b7d27bfbfa978426e6faf9106fddf5ce19447f27e37080abef5f32d0
Instruction Fuzzy Hash: F501EE6154E7C28FD7135A708DA15807FB1AE932A472B06DBC0C1CF4B3D62E0D4ACB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0231341B, Relevance: 8.6, Strings: 6, Instructions: 1057COMMON

Download Yara Rule

Strings

n"}-, xrefs: 0231442C
$}, xrefs: 023134A2
70};, xrefs: 023143B9
#'_, xrefs: 0231445E
\e, xrefs: 02319400
', xrefs: 0231436A

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID: $}$#'_$70};$n"}-$\e$'
API String ID: 0-2086826316
Opcode ID: d66c1e30be38f01f21bf4c6d8c4f7b36278542410c06cc56e785ffd8fbae1c2c
Instruction ID: 0d57837c1a79ed8cff984d0fbf517d39bf698048117c0845c6baad27dc3edac9
Opcode Fuzzy Hash: d66c1e30be38f01f21bf4c6d8c4f7b36278542410c06cc56e785ffd8fbae1c2c
Instruction Fuzzy Hash: 8E9220716043498FDF389E38CD997DA7BA2FF95340F96812EDC899B254D3348A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02312958, Relevance: 6.5, Strings: 4, Instructions: 1495COMMON

Download Yara Rule

Strings

n"}-, xrefs: 0231442C
70};, xrefs: 023143B9
#'_, xrefs: 0231445E
', xrefs: 0231436A

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: f4fb9d2f47bde71aaee264d0634ea0d166c86090c9610efed77bc1e03b4745df
Instruction ID: a96c1ca0f08626f566b713508891e562dd783788dac9c89bbd1635257c6ca29a
Opcode Fuzzy Hash: f4fb9d2f47bde71aaee264d0634ea0d166c86090c9610efed77bc1e03b4745df
Instruction Fuzzy Hash: 0DC2107160034A9FDF389F28CD947DA77A6FF59350F95822EDC899B204D7309A86CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02311B5F, Relevance: 6.0, Strings: 4, Instructions: 995COMMON

Download Yara Rule

Strings

n"}-, xrefs: 0231442C
70};, xrefs: 023143B9
#'_, xrefs: 0231445E
', xrefs: 0231436A

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: f0defecd605154afdfdc76825790728c665f0ae56526d22adc7683de99943633
Instruction ID: 9ea549053f12f6c71bfd3ca3fc8d7e42d7f15052d38b7f13bb8acc90a4f42dcd
Opcode Fuzzy Hash: f0defecd605154afdfdc76825790728c665f0ae56526d22adc7683de99943633
Instruction Fuzzy Hash: DF82007160434A9FDF389F28CD957DA7BA2FF95350F95812EDC899B214D3308A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02317036, Relevance: 5.8, Strings: 4, Instructions: 839COMMON

Download Yara Rule

Strings

n"}-, xrefs: 0231442C
70};, xrefs: 023143B9
#'_, xrefs: 0231445E
', xrefs: 0231436A

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: 3e94255b96c10bff696d48ea72b79f65340374fadc7020253e62fe7077ab8279
Instruction ID: 789746c4512fc539f9af3c3b33039578e98a285139c54ea4cbf261df7d1bf520
Opcode Fuzzy Hash: 3e94255b96c10bff696d48ea72b79f65340374fadc7020253e62fe7077ab8279
Instruction Fuzzy Hash: 15721E7160034A9FDF389F38C9957DA7BA2FF95340F95812EDC899B214D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02311B1A, Relevance: 5.8, Strings: 4, Instructions: 812COMMON

Download Yara Rule

Strings

n"}-, xrefs: 0231442C
70};, xrefs: 023143B9
#'_, xrefs: 0231445E
', xrefs: 0231436A

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: 0a57482d6fe36e6a6f92ef3240b4c0241f6280d8bdc95e1060d068460fdc0782
Instruction ID: 84a6de99e285148a4cce69ec0f9509b86cd589cb15e02903c46afa6d8facb931
Opcode Fuzzy Hash: 0a57482d6fe36e6a6f92ef3240b4c0241f6280d8bdc95e1060d068460fdc0782
Instruction Fuzzy Hash: 88621E7160034A9FDF389F38C9957DA7BA2FF95340F95812EDC899B214D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02314071, Relevance: 5.7, Strings: 4, Instructions: 744COMMON

Download Yara Rule

Strings

n"}-, xrefs: 0231442C
70};, xrefs: 023143B9
#'_, xrefs: 0231445E
', xrefs: 0231436A

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: 4d90e873bed4632e1ca14be09419150594f11d1629dfc3833adacda1ab199051
Instruction ID: 9a8155a337f0893678fae3a9818ba66121efff67d29ab7851741fa438511d8c0
Opcode Fuzzy Hash: 4d90e873bed4632e1ca14be09419150594f11d1629dfc3833adacda1ab199051
Instruction Fuzzy Hash: B152107160034A9FDF789F38CD957DA7BA2FF55340F95812ADC899B214D3348A86CB82

Uniqueness

Uniqueness Score: -1.00%

Function 023142CD, Relevance: 5.6, Strings: 4, Instructions: 602COMMON

Download Yara Rule

Strings

n"}-, xrefs: 0231442C
70};, xrefs: 023143B9
#'_, xrefs: 0231445E
', xrefs: 0231436A

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: b5570d29e6502f9f68a6d4c3105f3e8cb485794337997e834e2d746068791a6d
Instruction ID: 85a9aa737e90d5f19a5802d495f8662596f3436494a75f7f06be2dd7446e3730
Opcode Fuzzy Hash: b5570d29e6502f9f68a6d4c3105f3e8cb485794337997e834e2d746068791a6d
Instruction Fuzzy Hash: 3A321F71A0034A9FDF788F38CD957DA7BA2FF55350F95812ADC899B214D3348A85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02316F9E, Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

n"}-, xrefs: 0231442C
70};, xrefs: 023143B9
#'_, xrefs: 0231445E
', xrefs: 0231436A

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: e7403c74dbdf7c346054e0a148193e4991c07114440fe78d85a946cf1ee0f06d
Instruction ID: c28fcedb0a2c209f356d253e8e63373b777eb6f577ed3558a6d8c63737c4aab7
Opcode Fuzzy Hash: e7403c74dbdf7c346054e0a148193e4991c07114440fe78d85a946cf1ee0f06d
Instruction Fuzzy Hash: 5E41CC397043078FDB254E78CA903D6B7A2EF573B0F598139DC86AB386D361888AC701

Uniqueness

Uniqueness Score: -1.00%

Function 02317D52, Relevance: 4.4, Strings: 3, Instructions: 635COMMON

Download Yara Rule

Strings

Mki, xrefs: 02318141
-, xrefs: 02317E22
ld %, xrefs: 023185F3

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Mki$ld %$-
API String ID: 0-2326836923
Opcode ID: 521aa326050d2803bc7f58cb24cf03a90ac63ad54eefb3fdad55b3c52cf6b59e
Instruction ID: 9d56b41114d0cff262af5499668a4bea0e887c27dce095a7cbbf18d1bee2cca4
Opcode Fuzzy Hash: 521aa326050d2803bc7f58cb24cf03a90ac63ad54eefb3fdad55b3c52cf6b59e
Instruction Fuzzy Hash: EB323A716083858FEF35DF38C8987DA7BD2AF56350F8981AACC894F29AD3348546C716

Uniqueness

Uniqueness Score: -1.00%

Function 02310EFE, Relevance: 4.0, Strings: 3, Instructions: 277COMMON

Download Yara Rule

Strings

-Y, xrefs: 023110AB
{, xrefs: 0231108B
8\, xrefs: 02310F70

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -Y$8\${
API String ID: 0-1226747229
Opcode ID: e75d7a33062bfc01225a882d8c6a3b698088c97c60c4fdd07e381ec91fe1eaf7
Instruction ID: 2fc6f2bc9563a70089118e503808a65ebb46e5e6e125fe3f4a14059e0a53820e
Opcode Fuzzy Hash: e75d7a33062bfc01225a882d8c6a3b698088c97c60c4fdd07e381ec91fe1eaf7
Instruction Fuzzy Hash: 41A1A17160438A9FDF389E38CC547DE7B66AF42320F55812EDC899B695D3318A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 023143F1, Relevance: 3.0, Strings: 2, Instructions: 550COMMON

Download Yara Rule

Strings

n"}-, xrefs: 0231442C
#'_, xrefs: 0231445E

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$n"}-
API String ID: 0-1429538479
Opcode ID: 55e3eab8da51181b28fc870d2298c449e90f0edddf28b30037536e75e60b053c
Instruction ID: d16a16be7f44fc90a1dbe77ecf864ecc544f1c77bf5ec2fd2b2d0b341b7eae5b
Opcode Fuzzy Hash: 55e3eab8da51181b28fc870d2298c449e90f0edddf28b30037536e75e60b053c
Instruction Fuzzy Hash: 8D222071A403899FDF789E38CD947DA7BA2FF55350F95812ADC89CB214D3348A85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02310FB5, Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

-Y, xrefs: 023110AB
{, xrefs: 0231108B

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -Y${
API String ID: 0-756523511
Opcode ID: 9be6343ef3608db4a8acf3744ae12c79dad30be09171d2304a628deb1571e6de
Instruction ID: 5fe787c6969e8c8225fead6d5fee47446dd19a686e538914db15919612a7a785
Opcode Fuzzy Hash: 9be6343ef3608db4a8acf3744ae12c79dad30be09171d2304a628deb1571e6de
Instruction Fuzzy Hash: AB61BE71A093CB9FDB359E388C553DD7BA2AF42320F85826DDCC98B585D3314585CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0231100E, Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

-Y, xrefs: 023110AB
{, xrefs: 0231108B

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -Y${
API String ID: 0-756523511
Opcode ID: 38803d9d20833795e957cb7323829869cfd29b249446a802a0ccef5c5a59c26c
Instruction ID: a682fd30455591165bf220276e52d396bd2185980bee114dd21aca01b8b04653
Opcode Fuzzy Hash: 38803d9d20833795e957cb7323829869cfd29b249446a802a0ccef5c5a59c26c
Instruction Fuzzy Hash: 955199B1A096CB9FDF359E388C553D97F66AF03320F99826ACCC98B585D3314685CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02317F03, Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

Mki, xrefs: 02318141

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Mki
API String ID: 0-1481786061
Opcode ID: 293f1f9fab9f1b47a9fdbae4a1b0212b3442d614477a269b65c1eedb121c92e2
Instruction ID: 13ccb0ce14ca665e41755d1e246c6b10b8f0bfd57b6bdeda1471534fd9c7e931
Opcode Fuzzy Hash: 293f1f9fab9f1b47a9fdbae4a1b0212b3442d614477a269b65c1eedb121c92e2
Instruction Fuzzy Hash: C7A139716083C58EDF358F38CC987DA7BD29F52360F9982AACC894F29AD3358546C716

Uniqueness

Uniqueness Score: -1.00%

Function 02317F6D, Relevance: 1.5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

Mki, xrefs: 02318141

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Mki
API String ID: 0-1481786061
Opcode ID: b69abde1d69ffd79621a0d625c79e67d9d535ab4974c0d5f6b199e12640309e7
Instruction ID: 57b71b80a25215502d649ae240d9a3efa19aeba27f0adcdcbb912030caaf6c13
Opcode Fuzzy Hash: b69abde1d69ffd79621a0d625c79e67d9d535ab4974c0d5f6b199e12640309e7
Instruction Fuzzy Hash: 6E916B715483C58FDF358F388C983DA7BE2AF52350F9982AACC894F29AD3358545C712

Uniqueness

Uniqueness Score: -1.00%

Function 023180D4, Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

Mki, xrefs: 02318141

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Mki
API String ID: 0-1481786061
Opcode ID: 1441e2065cd00e1a3496fcde5b5009e24ca371c9d9bc2f75414f5e3e25875d30
Instruction ID: 65a1bf11af9f28860c81e8f181b379cb31a168acf66a10fb330c06d849496644
Opcode Fuzzy Hash: 1441e2065cd00e1a3496fcde5b5009e24ca371c9d9bc2f75414f5e3e25875d30
Instruction Fuzzy Hash: E95126729043858FDF38DF388C983DA7BD2AF92350F99816ACC8A4F299D3344546C716

Uniqueness

Uniqueness Score: -1.00%

Function 023172C3, Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

`, xrefs: 0231739D

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 78ad77c196bc821a872f8ed8d64b43b3a9c6a59741827964de14ba69ae8439f8
Instruction ID: 584fe4b68d853f9e7b770ce9d4c08de975675149387add415b7922858b25f461
Opcode Fuzzy Hash: 78ad77c196bc821a872f8ed8d64b43b3a9c6a59741827964de14ba69ae8439f8
Instruction Fuzzy Hash: 4F21317660068ACFFB388E268D657CB76B3AFE5350F0A801ACC491B184D770970A8A02

Uniqueness

Uniqueness Score: -1.00%

Function 023129B0, Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28138cdc3fe106cab0eb3f9173bf5c47a79a811342be200f44d3cdbba9c46d42
Instruction ID: 5e420c0a9c4d293aaf391ce96d949003e4f63d61a82e58cb3cc39126c9e23902
Opcode Fuzzy Hash: 28138cdc3fe106cab0eb3f9173bf5c47a79a811342be200f44d3cdbba9c46d42
Instruction Fuzzy Hash: E702F371A0074A9FDB38DF39CC94BDAB7A6FF58350F95822ADC8C97204D731A9418B81

Uniqueness

Uniqueness Score: -1.00%

Function 02312940, Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e644ca7f7980893ee48b0e41c72ff9ad7f7e7e306de08e18c3fe264db7f04670
Instruction ID: 28aa6db79eaa8a1c0a2206eb5b5dd92e7498dc8242c6d37e13e5d221f6386098
Opcode Fuzzy Hash: e644ca7f7980893ee48b0e41c72ff9ad7f7e7e306de08e18c3fe264db7f04670
Instruction Fuzzy Hash: 2CF10171A0074A9FDB38DF29CC94BDAB7A6FF58350F95822ADC8C97204D771A941CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02314785, Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d16d583d273bd1b328526510d13361c19812126aaf761bbbe4f0369bdba1bd
Instruction ID: d1a39155f8cec0b017163dd2370642df18f072e9f22c74cf3fadd4a19707447d
Opcode Fuzzy Hash: 63d16d583d273bd1b328526510d13361c19812126aaf761bbbe4f0369bdba1bd
Instruction Fuzzy Hash: A7D10C71A443899FDF789E38CC997DA7BA2FF56350F64812ADC898B210D3358A85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02313F0C, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1007d70cb715446e1e0b559367ac84e84a731065e02d6aaa09b9ff247fbc6bba
Instruction ID: 661e2146eb09bf9331680799fe80c8850e7b658c288787659e8b1e83a10dbc3f
Opcode Fuzzy Hash: 1007d70cb715446e1e0b559367ac84e84a731065e02d6aaa09b9ff247fbc6bba
Instruction Fuzzy Hash: 77A1FC7160434A9FDB286E74C8697EABBA3FF91340F86822EDDC957254D3344986CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02318C82, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3738e0565a38b2e301be2289d34efcbf3596b746cb5bf906cd541c5ff286cc
Instruction ID: a4978c0a066715e78fe5c071754a99384a14a197b2103a28b11a6b464c934655
Opcode Fuzzy Hash: 4e3738e0565a38b2e301be2289d34efcbf3596b746cb5bf906cd541c5ff286cc
Instruction Fuzzy Hash: FB7115716043498FEF389E79CAA47EA77A3BF89350F96803ACC8A8F614D3308545CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02318CD5, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665d9c0a9e865c1b3527fe1bd17adf92348a1ad8c05a199dcbe32a78315cb529
Instruction ID: 7b78e7a89b4cf3d1376250eb46f7e961e2fa9748569026637eb8530a3e379075
Opcode Fuzzy Hash: 665d9c0a9e865c1b3527fe1bd17adf92348a1ad8c05a199dcbe32a78315cb529
Instruction Fuzzy Hash: 6C71F471604349CFEF389E78CAA47DA77A2BF89350F96806ACD8A8F214D330D645CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02318D58, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3e478331a0c149e20260787dc74e320075e11248712bc8a2f4a9b0d9282433
Instruction ID: b41dd3865d406cd21e29df52e076c88ac8034235d911aea60b98286fbbc48ff4
Opcode Fuzzy Hash: 4b3e478331a0c149e20260787dc74e320075e11248712bc8a2f4a9b0d9282433
Instruction Fuzzy Hash: 4E61797160424A8FEF359E74C9A47DA7BA2FF89350FA6817ACC898F215D330D946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02311B2D, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3269653db9c15913c9e10e6d08c9d666489e28f8f7ddc4dfebef25b170d33d38
Instruction ID: 4b07951f4fefbce4fafe2453d670374196c739b0dd97061f3f2ddec146d9787d
Opcode Fuzzy Hash: 3269653db9c15913c9e10e6d08c9d666489e28f8f7ddc4dfebef25b170d33d38
Instruction Fuzzy Hash: 276148B26442899FDB348E39CC54BDB7BB7AFD9350F58822ADC8C97259D3314A428B40

Uniqueness

Uniqueness Score: -1.00%

Function 023134C4, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1739612be62fec0426e3f77743a86624e60d1764ea225ebf32e8174df8c95114
Instruction ID: e99a2c9b5846de9d8f348ea39904d01f95e14fb1d92cde7062f0cb9da7279010
Opcode Fuzzy Hash: 1739612be62fec0426e3f77743a86624e60d1764ea225ebf32e8174df8c95114
Instruction Fuzzy Hash: 61617B71644349CFDB389E358DB97DB7BA7AF91340F96862ECC8587159C3308A85CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0231350F, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b749c3e610fe035121be5ca76caf3bef32e7eee0d8875fd10bb0250f6c819c00
Instruction ID: 0daaaedf98403a07f69ae8d993168e3245a07743eb630fc948a5d6536fca2e90
Opcode Fuzzy Hash: b749c3e610fe035121be5ca76caf3bef32e7eee0d8875fd10bb0250f6c819c00
Instruction Fuzzy Hash: 4D51B8316403498FDB388E39CDA87DB77A7EFC6310F86852DDC8987159C3309986CA01

Uniqueness

Uniqueness Score: -1.00%

Function 02312183, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b864eb8b61d91f5d08a4964d865556773e7bf82cb249eca9f8da1f132cfd11b
Instruction ID: 275b8bfa78bfbe96c21775a27985a7c59519328c8e1245d3a28a93d940dc0c7f
Opcode Fuzzy Hash: 6b864eb8b61d91f5d08a4964d865556773e7bf82cb249eca9f8da1f132cfd11b
Instruction Fuzzy Hash: 155145757003458FEB389E298DA17DB77A7BFD93A0F95413CEC8987294C73489868B01

Uniqueness

Uniqueness Score: -1.00%

Function 02312793, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60965f03207346a198c8592a8de58e47eedf61c5fc0ede2803793b6281c7a9b0
Instruction ID: 3663f304fb9871a51be6eebab4fd2e3ac0bedcfda43e76bd0412f0e3ea7bc3e0
Opcode Fuzzy Hash: 60965f03207346a198c8592a8de58e47eedf61c5fc0ede2803793b6281c7a9b0
Instruction Fuzzy Hash: CE41897220438A9FDB398E7589A53EA7BA7BF92310F54842DDDCAC7641C3308995DB02

Uniqueness

Uniqueness Score: -1.00%

Function 02318385, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34a9d2bb49952a2350a636121913e34f91c078898984afe60cf9cdc2fc2a198
Instruction ID: f39af96cf37ea5f8de7f819f95227d61fa95cebc3ccf095b50aae800b55dfb72
Opcode Fuzzy Hash: a34a9d2bb49952a2350a636121913e34f91c078898984afe60cf9cdc2fc2a198
Instruction Fuzzy Hash: 3E414531A092858FEF389E34C9A57DF7BA3AF96310F89816ECC894B649D7308546C716

Uniqueness

Uniqueness Score: -1.00%

Function 02314B8E, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f237865403371c53baf511d90caa3295c9c056eb95273841278d0e95b03bb72a
Instruction ID: f1e6b5bd02526456d0a8423fcd6499ce95d00af62fa2391695d57ddc42ac165e
Opcode Fuzzy Hash: f237865403371c53baf511d90caa3295c9c056eb95273841278d0e95b03bb72a
Instruction Fuzzy Hash: 3B41A9725002899FDF799E38DC897DA3BB2FF1A310F55812AEE4D8B211D3354A95CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02317B73, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fac6c25e3909cca6d4eccda6cfe5e2961e853137e6b5abca8ca2c82c12a7e7
Instruction ID: 87030f3a94c0f9aaede009331b0d07fc3956ce120695f57e2d2ddc7a95127204
Opcode Fuzzy Hash: 41fac6c25e3909cca6d4eccda6cfe5e2961e853137e6b5abca8ca2c82c12a7e7
Instruction Fuzzy Hash: 802156322006058FDB285E78CDA63DBB7A6AF56360F96451EDCC6DB255D7308985CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0231844C, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0b64c744ff8e58681f4b7dfdafd50dfff910234d02cdfe5a4d071014b200cc
Instruction ID: 84ae832a24800a312a82be52315db0f0883d358561a260065f050d89258b9bc1
Opcode Fuzzy Hash: 5e0b64c744ff8e58681f4b7dfdafd50dfff910234d02cdfe5a4d071014b200cc
Instruction Fuzzy Hash: 2331C072A083414FDF389E3889A53DF7BA3AF51314F4982AACC958B649D7348046C616

Uniqueness

Uniqueness Score: -1.00%

Function 0231054C, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d2ba7b713f518437c8f0e4252abea73612c23babd4c8bd32f414af74a63df7
Instruction ID: ddd5df3e4c7ac4514cb614b4ea412759b1ff5b4b2c1253201615c11fc4047ce7
Opcode Fuzzy Hash: a8d2ba7b713f518437c8f0e4252abea73612c23babd4c8bd32f414af74a63df7
Instruction Fuzzy Hash: 6D01263250C3869FDF220A78866C3C97FA4AF27294F1608ADDCC5AB547D66048CECB02

Uniqueness

Uniqueness Score: -1.00%

Function 023171A9, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2d1846fe37f4737d90b826ac92fe6bfa9fd553f583b1db54a2e33603f1f58a
Instruction ID: ccdaee63fc9ede49abdfd6b46bf91e9720af71fcae6ce98941502fce636d68e0
Opcode Fuzzy Hash: 1b2d1846fe37f4737d90b826ac92fe6bfa9fd553f583b1db54a2e33603f1f58a
Instruction Fuzzy Hash: 2D1117757407898FCB38DE28C9C8FDAB3A6BF18314F85443ADD5A9B261D3309A41CA11

Uniqueness

Uniqueness Score: -1.00%

Function 023150CA, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 02316B93, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844a07f6066d0972c1f3af2ad6572c8dea082bba16f432667845158705520a90
Instruction ID: c74afd1e2a157885b9cdc988f14599c24a79e655c21c6cd5f458fa94a46edb96
Opcode Fuzzy Hash: 844a07f6066d0972c1f3af2ad6572c8dea082bba16f432667845158705520a90
Instruction Fuzzy Hash: 76B00275651640CFCF55CF49C594F4173B4F758750F4154D4E8518FB11C264E900CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0043540F, Relevance: 28.6, APIs: 19, Instructions: 140COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(00432F14,00432F0C,?,000000FF,00000000), ref: 0043546B
__vbaStrMove.MSVBVM60(00432F14,00432F0C,?,000000FF,00000000), ref: 00435475
#711.MSVBVM60(?,00000000,00432F14,00432F0C,?,000000FF,00000000), ref: 0043547F
__vbaAryVar.MSVBVM60(00002008,?,?,00000000,00432F14,00432F0C,?,000000FF,00000000), ref: 0043548D
__vbaAryCopy.MSVBVM60(?,?,00002008,?,?,00000000,00432F14,00432F0C,?,000000FF,00000000), ref: 0043549D
__vbaFreeStr.MSVBVM60(?,?,00002008,?,?,00000000,00432F14,00432F0C,?,000000FF,00000000), ref: 004354A5
__vbaFreeVarList.MSVBVM60(00000002,0000000A,?,?,?,00002008,?,?,00000000,00432F14,00432F0C,?,000000FF,00000000), ref: 004354B4
__vbaStrCmp.MSVBVM60(00432F0C,?), ref: 004354CD
__vbaNew2.MSVBVM60(0043199C,00437010,00432F0C,?), ref: 004354E9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00435501
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000048), ref: 00435521
#531.MSVBVM60(?), ref: 00435529
__vbaFreeStr.MSVBVM60(?), ref: 00435531
__vbaFreeObj.MSVBVM60(?), ref: 00435539
__vbaNew2.MSVBVM60(0043199C,00437010,00432F0C,?), ref: 00435551
__vbaObjSet.MSVBVM60(?,00000000), ref: 00435569
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000001A0), ref: 0043558F
__vbaFreeObj.MSVBVM60(00000000,00000000,00432D70,000001A0), ref: 0043559D
__vbaAryDestruct.MSVBVM60(00000000,?,004355D8), ref: 004355D2

Memory Dump Source

Source File: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.739195018.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.739458904.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.739476169.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultNew2$#531#711CopyDestructListMove
String ID:
API String ID: 1202614378-0
Opcode ID: e8b982305b701467d9f06b4701d878956078b949556f327331ef9513c773eb0d
Instruction ID: 670a67046e35178a3fe736329d8735255595e13288c1414161bb6763de952726
Opcode Fuzzy Hash: e8b982305b701467d9f06b4701d878956078b949556f327331ef9513c773eb0d
Instruction Fuzzy Hash: 6E414BB1900208ABDB14EB96CD46EEEB7BCBF58304F50052BF511B71A1DB7CA9058B69

Uniqueness

Uniqueness Score: -1.00%

Function 00436103, Relevance: 22.6, APIs: 15, Instructions: 139COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(00432FB8,00432FB0,00000001,?), ref: 00436166
__vbaStrMove.MSVBVM60(00432FB8,00432FB0,00000001,?), ref: 00436170
__vbaStrCat.MSVBVM60(00432FC4,00000000,00432FB8,00432FB0,00000001,?), ref: 0043617B
__vbaStrMove.MSVBVM60(00432FC4,00000000,00432FB8,00432FB0,00000001,?), ref: 00436185
#628.MSVBVM60(00000000,00432FC4,00000000,00432FB8,00432FB0,00000001,?), ref: 0043618B
__vbaStrMove.MSVBVM60(00000000,00432FC4,00000000,00432FB8,00432FB0,00000001,?), ref: 00436195
__vbaStrCmp.MSVBVM60(00432FB0,00000000,00000000,00432FC4,00000000,00432FB8,00432FB0,00000001,?), ref: 0043619C
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00432FB0,00000000,00000000,00432FC4,00000000,00432FB8,00432FB0,00000001,?), ref: 004361B9
__vbaFreeVar.MSVBVM60(?), ref: 004361C4
__vbaNew2.MSVBVM60(0043199C,00437010,?), ref: 004361E5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004361FD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CE8,00000100), ref: 00436223
__vbaFpI4.MSVBVM60(?,?,?,00000000,00000000,00432CE8,00000100), ref: 00436254
__vbaHresultCheckObj.MSVBVM60(00000000,004012B0,00432758,000002C0,?,?,?,00000000), ref: 00436293
__vbaFreeObj.MSVBVM60(?,?,?,00000000), ref: 0043629B

Memory Dump Source

Source File: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.739195018.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.739458904.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.739476169.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$FreeMove$CheckHresult$#628ListNew2
String ID:
API String ID: 2062027099-0
Opcode ID: 6d04005a70cb3e85452221807574a480980c37bbdbf1ecefcb323d72518eeb92
Instruction ID: 81f3ed2391a281d05d79455daf37f34854cbe74ca8376e7805096f1d9f08af89
Opcode Fuzzy Hash: 6d04005a70cb3e85452221807574a480980c37bbdbf1ecefcb323d72518eeb92
Instruction Fuzzy Hash: BB41AFB1941209ABCB10EBA2DD49EAEBBBCFF18304F11456BF441F31B1CB7859008B68

Uniqueness

Uniqueness Score: -1.00%

Function 00435FE5, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

#589.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0043602A
__vbaNew2.MSVBVM60(00432E4C,0043746C,00000001), ref: 00436048
__vbaHresultCheckObj.MSVBVM60(00000000,0221E8B4,00432E3C,0000004C), ref: 0043606C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00432E5C,00000024), ref: 00436099
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 004360A7
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 004360AF
__vbaFreeStr.MSVBVM60(004360DC,00000001), ref: 004360D6

Strings

Trespassory7, xrefs: 0043607A
Gennemlyste, xrefs: 0043607F
3+, xrefs: 004360B4

Memory Dump Source

Source File: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.739195018.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.739458904.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.739476169.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$#589MoveNew2
String ID: 3+$Gennemlyste$Trespassory7
API String ID: 1767156754-2597507220
Opcode ID: 6188ff39680287c379815e40fd7289bf2624903344a69b81474d934b1529f430
Instruction ID: 3471bc53f4aeaa4db11e57cc4609061d4264d4da27a59fec6320d76ae3109752
Opcode Fuzzy Hash: 6188ff39680287c379815e40fd7289bf2624903344a69b81474d934b1529f430
Instruction Fuzzy Hash: 62213070940215ABCB14EF95C946EAEBBF8EF58704F20915AF500B72A1C7BC69058B69

Uniqueness

Uniqueness Score: -1.00%

Function 00435873, Relevance: 15.1, APIs: 10, Instructions: 97COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00432E4C,0043746C), ref: 004358BB
__vbaHresultCheckObj.MSVBVM60(00000000,0221E8B4,00432E3C,00000014), ref: 004358DF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00432F18,00000058), ref: 00435902
__vbaStrMove.MSVBVM60 ref: 00435910
__vbaFreeObj.MSVBVM60 ref: 00435918
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00435930
__vbaObjSet.MSVBVM60(?,00000000), ref: 00435948
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432DFC,00000058), ref: 00435968
__vbaFreeObj.MSVBVM60 ref: 00435976
__vbaFreeStr.MSVBVM60(0043599D), ref: 00435997

Memory Dump Source

Source File: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.739195018.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.739458904.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.739476169.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$New2$Move
String ID:
API String ID: 2227187868-0
Opcode ID: 430a7616afbe833805e02dd6168955eeb7b036181c061a8c5814e46a74f10c75
Instruction ID: e2bfae0f4101442dca42f6758713ee20e81d50469c9c497414c0ec7910315bcb
Opcode Fuzzy Hash: 430a7616afbe833805e02dd6168955eeb7b036181c061a8c5814e46a74f10c75
Instruction Fuzzy Hash: DC3183B0940608ABCB14EB96CD46EEEBBB8FF5C714F20541AF001B72A1D67C6905CF69

Uniqueness

Uniqueness Score: -1.00%

Function 004362ED, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00432E4C,0043746C), ref: 0043633C
__vbaHresultCheckObj.MSVBVM60(00000000,0221E8B4,00432E3C,00000014), ref: 00436360
__vbaHresultCheckObj.MSVBVM60(00000000,?,00432F18,00000050), ref: 00436383
__vbaStrCmp.MSVBVM60(00000000,?), ref: 0043638C
__vbaFreeStr.MSVBVM60(00000000,?), ref: 0043639D
__vbaFreeObj.MSVBVM60(00000000,?), ref: 004363A5
__vbaFileOpen.MSVBVM60(00000020,000000FF,000000CC,gladeligt,00000000,?), ref: 004363BD

Strings

gladeligt, xrefs: 004363AF

Memory Dump Source

Source File: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.739195018.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.739458904.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.739476169.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$FileNew2Open
String ID: gladeligt
API String ID: 1550884760-4246425414
Opcode ID: fa585a13a9395edeb2ac73d640f44a518a756dedc099ceb816f04c52ed2ca9f3
Instruction ID: 45d114d4640ba2e7366dfde682ae0c95f6d5cfbfff4ac18c4abef8451f5296b5
Opcode Fuzzy Hash: fa585a13a9395edeb2ac73d640f44a518a756dedc099ceb816f04c52ed2ca9f3
Instruction Fuzzy Hash: 3621F570940615BBDB10EB95CC46EAFBBB8EF58708F20911BF911B72E1C6BC58018A99

Uniqueness

Uniqueness Score: -1.00%

Function 004355F5, Relevance: 12.1, APIs: 8, Instructions: 98COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00435648
__vbaObjSet.MSVBVM60(?,00000000), ref: 00435660
__vbaNew2.MSVBVM60(0043199C,00437010,?,00000000), ref: 00435688
__vbaObjSet.MSVBVM60(?,00000000), ref: 004356A0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000000A8), ref: 004356C6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000001EC), ref: 004356F5
__vbaFreeStr.MSVBVM60 ref: 004356FD
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0043570C

Memory Dump Source

Source File: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.739195018.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.739458904.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.739476169.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2$List
String ID:
API String ID: 2509323985-0
Opcode ID: 22c47779e16a48da59080eae7ece68f07901b2efce5f57e95725ca6924f4b971
Instruction ID: 708b0d6b0c6f0b816a4a683f31335bf59e457f10f7f9e5477d2025cbc020b1a9
Opcode Fuzzy Hash: 22c47779e16a48da59080eae7ece68f07901b2efce5f57e95725ca6924f4b971
Instruction Fuzzy Hash: F231B4B4940608ABCB10EF96CC46FAEBBBCFF09704F50442AF445E72A1C77C95018BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00435D74, Relevance: 9.1, APIs: 6, Instructions: 52COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00435DAA
__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00435DC2
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00435DDA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D60,0000022C), ref: 00435DFC
__vbaFreeObj.MSVBVM60 ref: 00435E04
__vbaFreeStr.MSVBVM60(00435E22), ref: 00435E1C

Memory Dump Source

Source File: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.739195018.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.739458904.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.739476169.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckCopyHresultNew2
String ID:
API String ID: 4138333463-0
Opcode ID: d8ed7a9092747571caf9ad5dfeb990a9355afcb156c795ab5e33ff62888f2ae5
Instruction ID: 05641ab9ac4bc3e4dc0d04d4b7b18c034fbc1e74a87b7ace31424ff4c2f6553e
Opcode Fuzzy Hash: d8ed7a9092747571caf9ad5dfeb990a9355afcb156c795ab5e33ff62888f2ae5
Instruction Fuzzy Hash: 3E115274500608ABC714EBA6CD4AFAF77B8EF08748F60447AF051B71A2D7785A0486A9

Uniqueness

Uniqueness Score: -1.00%

Function 00435C3B, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00435C7A
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00435C92
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000001EC), ref: 00435CD3
__vbaFreeObj.MSVBVM60 ref: 00435CDB

Strings

Polyodontidae9, xrefs: 00435CB4

Memory Dump Source

Source File: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.739195018.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.739458904.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.739476169.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: Polyodontidae9
API String ID: 1645334062-980055670
Opcode ID: b38f728eae063f83350498a2bb74d5176519adce6a36ebd00b32a54f0569f7ed
Instruction ID: d8f63dadd0c7f86bd8fcc0d0bcd8b6351cbec3edceae88e64d0f90caf6119d0b
Opcode Fuzzy Hash: b38f728eae063f83350498a2bb74d5176519adce6a36ebd00b32a54f0569f7ed
Instruction Fuzzy Hash: 2C1173B0540704ABDB10DF95CE46BAF76BCEB09708F60146AF401B71A1D2B859018769

Uniqueness

Uniqueness Score: -1.00%

Function 00435A7D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00435ABC
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00435AD4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000001EC), ref: 00435B15
__vbaFreeObj.MSVBVM60 ref: 00435B1D

Strings

BNHRER, xrefs: 00435AF6

Memory Dump Source

Source File: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.739195018.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.739458904.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.739476169.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: BNHRER
API String ID: 1645334062-761458040
Opcode ID: 81fc4d986dd3457e5cdba8d07544aedaa8c22a35fcc032520ac56dd30198363a
Instruction ID: 48bdf528161e98126a0c8465fdf0cc7ba51ed57cd699bd72c4aea50de1452adc
Opcode Fuzzy Hash: 81fc4d986dd3457e5cdba8d07544aedaa8c22a35fcc032520ac56dd30198363a
Instruction Fuzzy Hash: 2E1186B4640704ABD710EF95CD46FAF76BCEB09744F10046AF411B7191D3BC6A0086A9

Uniqueness

Uniqueness Score: -1.00%

Function 00435F0B, Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaLenBstrB.MSVBVM60(00432F6C,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435F4D
__vbaNew2.MSVBVM60(00432E4C,0043746C,00432F6C,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435F69
__vbaObjSetAddref.MSVBVM60(?,00401260,00432F6C,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435F7E
__vbaHresultCheckObj.MSVBVM60(00000000,0221E8B4,00432E3C,00000010,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435F9A
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 00435FA2

Memory Dump Source

Source File: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.739195018.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.739458904.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.739476169.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$AddrefBstrCheckFreeHresultNew2
String ID:
API String ID: 2151688750-0
Opcode ID: 12fbce1b6afda02874adb90daf74c81a4200553edfb13b1a4c6868db8bfb9fdf
Instruction ID: f088a1b97714f96a277f254c758952f17696a8f35fa282824895934c35169a81
Opcode Fuzzy Hash: 12fbce1b6afda02874adb90daf74c81a4200553edfb13b1a4c6868db8bfb9fdf
Instruction Fuzzy Hash: 51115170900608ABC710AF95C986E9FBBB8BF08704F60906FF505F32A1D37C65458F59

Uniqueness

Uniqueness Score: -1.00%

Function 00435754, Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,00437010), ref: 004357A4
__vbaObjSet.MSVBVM60(?,00000000), ref: 004357BC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,000001CC), ref: 00435826
__vbaFreeObj.MSVBVM60 ref: 0043582E

Memory Dump Source

Source File: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.739195018.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.739458904.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.739476169.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 31a3ac76d4c5d702b274ae540c102f50db41a1540cb756a18691436ad4936f5b
Instruction ID: e6124f0ace62f3f41fc6db8c97291a5c9a7b2bb54052bc93b1f63bd177861b1f
Opcode Fuzzy Hash: 31a3ac76d4c5d702b274ae540c102f50db41a1540cb756a18691436ad4936f5b
Instruction Fuzzy Hash: 13219FB1D00608AFCB04EFA9C945A9EBBB9EF09700F10842AF951FB2A1C77959058F95

Uniqueness

Uniqueness Score: -1.00%

Function 00435E35, Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,00437010,?,?,?,?,?,?,?,?,004012D6), ref: 00435E85
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,004012D6), ref: 00435E9D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,000001C0,?,?,?,?,?,?,?,?,004012D6), ref: 00435EBF
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,004012D6), ref: 00435EC7

Memory Dump Source

Source File: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.739195018.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.739458904.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.739476169.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 46319103c04b378e960fc955cb90203a18b82ee3334d76c26b07d8faefe8ab90
Instruction ID: fbe9987e652e3cd95587eb4bb66624989f3f04d94c91e188d19f879de34bdb93
Opcode Fuzzy Hash: 46319103c04b378e960fc955cb90203a18b82ee3334d76c26b07d8faefe8ab90
Instruction Fuzzy Hash: 6E1182B4940604ABC710EF96C94AF9EBBBCFF58704F20546BF455E72A1C77C99018B98

Uniqueness

Uniqueness Score: -1.00%

Function 004359B8, Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,00437010), ref: 00435A08
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00435A20
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,000001D4), ref: 00435A42
__vbaFreeObj.MSVBVM60 ref: 00435A4A

Memory Dump Source

Source File: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.739195018.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.739458904.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.739476169.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 5a4ebd55e1a7cecab3bdea2abc723d11c024616357b2a97d59688bd8449cc207
Instruction ID: feb1c320441b9c756de60183dab80e48393f8c49a4c19eaccdb74a3a427bc2c7
Opcode Fuzzy Hash: 5a4ebd55e1a7cecab3bdea2abc723d11c024616357b2a97d59688bd8449cc207
Instruction Fuzzy Hash: 0611C4B4500208ABC710FFA5C98AF9B7BBCBF08748F10546AF441F72A2D77C99059B99

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report ZGNX11JMSc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: ZGNX11JMSc.exe PID: 5764 Parent PID: 5588

General

Chronological Activities

Disassembly

Code Analysis