Windows Analysis Report SecuriteInfo.com.__vbaHresultCheckObj.11013.25640

Overview

General Information

Sample Name:	SecuriteInfo.com.__vbaHresultCheckObj.11013.25640 (renamed file extension from 25640 to exe)
Analysis ID:	451415
MD5:	c6066a473750ed5ad023d20ce532c8c8
SHA1:	b2c181c008fd857b0f0122dbfd05d4193654ccc2
SHA256:	932f31e907302148994f479eafe8dfbf203537491bbd586c43190c59afa248ff
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Found malware configuration

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "https://andreameixueiro.com/IRANSAT_Vsidob74.bin"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

ReversingLabs: Detection: 30%

Machine Learning detection for sample

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://andreameixueiro.com/IRANSAT_Vsidob74.bin

System Summary:

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02228274 NtAllocateVirtualMemory,	1_2_02228274
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222827B NtAllocateVirtualMemory,	1_2_0222827B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02228306 NtAllocateVirtualMemory,	1_2_02228306
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022283BF NtAllocateVirtualMemory,	1_2_022283BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222840D NtAllocateVirtualMemory,	1_2_0222840D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02228487 NtAllocateVirtualMemory,	1_2_02228487

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02228274	1_2_02228274
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DE22	1_2_0222DE22
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223E26	1_2_02223E26
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223E36	1_2_02223E36
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CA3F	1_2_0222CA3F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CE00	1_2_0222CE00
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EA01	1_2_0222EA01
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CA17	1_2_0222CA17
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222626C	1_2_0222626C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220A71	1_2_02220A71
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220A77	1_2_02220A77
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222827B	1_2_0222827B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DE43	1_2_0222DE43
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222124F	1_2_0222124F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226E50	1_2_02226E50
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221A57	1_2_02221A57
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222725B	1_2_0222725B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D25D	1_2_0222D25D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02227EAB	1_2_02227EAB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220AB2	1_2_02220AB2
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223EB5	1_2_02223EB5
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022266BD	1_2_022266BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221680	1_2_02221680
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DE80	1_2_0222DE80
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221A89	1_2_02221A89
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CE96	1_2_0222CE96
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BE97	1_2_0222BE97
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226A9C	1_2_02226A9C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022232E5	1_2_022232E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022212E9	1_2_022212E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226EEF	1_2_02226EEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DEF2	1_2_0222DEF2
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220ED0	1_2_02220ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CAD5	1_2_0222CAD5
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221B27	1_2_02221B27
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226327	1_2_02226327
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220B2C	1_2_02220B2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223B36	1_2_02223B36
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DF36	1_2_0222DF36
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226B04	1_2_02226B04
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02227B0E	1_2_02227B0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222171F	1_2_0222171F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223F6F	1_2_02223F6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222E772	1_2_0222E772
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CB77	1_2_0222CB77
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226742	1_2_02226742
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DF4F	1_2_0222DF4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C350	1_2_0222C350
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C750	1_2_0222C750
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BF51	1_2_0222BF51
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022213AA	1_2_022213AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022217BF	1_2_022217BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C783	1_2_0222C783
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CF8C	1_2_0222CF8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223B8D	1_2_02223B8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222678D	1_2_0222678D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222B791	1_2_0222B791
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226B91	1_2_02226B91
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226F9B	1_2_02226F9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DFE3	1_2_0222DFE3
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022263E7	1_2_022263E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022287F0	1_2_022287F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220BC2	1_2_02220BC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BBCE	1_2_0222BBCE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221BD7	1_2_02221BD7
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220FDB	1_2_02220FDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02222BDE	1_2_02222BDE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223C37	1_2_02223C37
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222143F	1_2_0222143F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226C05	1_2_02226C05
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BC08	1_2_0222BC08
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C010	1_2_0222C010
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CC1F	1_2_0222CC1F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02222C1C	1_2_02222C1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226866	1_2_02226866
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222086C	1_2_0222086C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221874	1_2_02221874
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220C4A	1_2_02220C4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C84F	1_2_0222C84F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C453	1_2_0222C453
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222305E	1_2_0222305E
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222705F	1_2_0222705F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C45F	1_2_0222C45F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BCB6	1_2_0222BCB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022230B9	1_2_022230B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221083	1_2_02221083
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EC92	1_2_0222EC92
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226497	1_2_02226497
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222E097	1_2_0222E097
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226C95	1_2_02226C95
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022210EB	1_2_022210EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022268E9	1_2_022268E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022214EF	1_2_022214EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223CF6	1_2_02223CF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022208FA	1_2_022208FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C8FB	1_2_0222C8FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CCFF	1_2_0222CCFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CCCB	1_2_0222CCCB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022260D4	1_2_022260D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221925	1_2_02221925
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223D33	1_2_02223D33
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DD3F	1_2_0222DD3F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DD02	1_2_0222DD02
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02227104	1_2_02227104
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DD0F	1_2_0222DD0F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226D63	1_2_02226D63
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DD78	1_2_0222DD78
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BD42	1_2_0222BD42
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223D43	1_2_02223D43
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226545	1_2_02226545
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CD55	1_2_0222CD55
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02225D5F	1_2_02225D5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D1B1	1_2_0222D1B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223DB6	1_2_02223DB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022271B4	1_2_022271B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DDBB	1_2_0222DDBB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C993	1_2_0222C993
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226991	1_2_02226991
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222159A	1_2_0222159A
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222619D	1_2_0222619D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022215E1	1_2_022215E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022265ED	1_2_022265ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226DFE	1_2_02226DFE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C9FF	1_2_0222C9FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BDFC	1_2_0222BDFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022219C3	1_2_022219C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223DC9	1_2_02223DC9

PE file contains strange resources

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameObject.exe vs SecuriteInfo.com.__vbaHresultCheckObj.11013.exe
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Binary or memory string: OriginalFilenameObject.exe vs SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Uses 32bit PE files

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal88.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

File created: C:\Users\user\AppData\Local\Temp\~DF934512EC1FF84EF0.TMP

Jump to behavior

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

ReversingLabs: Detection: 30%

Data Obfuscation:

Yara detected GuLoader

Source: Yara match	File source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, type: SAMPLE
Source: Yara match	File source: 1.0.SecuriteInfo.com.__vbaHresultCheckObj.11013.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.__vbaHresultCheckObj.11013.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.653822220.0000000000401000.00000020.00020000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0040663B push ebp; iretd	1_2_00406645
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE10 push esi; retf	1_2_0222EE5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE60 push esi; retf	1_2_0222EE63
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE64 push esi; retf	1_2_0222EE67
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE68 push esi; retf	1_2_0222EE6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE6C push esi; retf	1_2_0222EE6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE70 push esi; retf	1_2_0222EE73
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE74 push esi; retf	1_2_0222EE77
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE78 push esi; retf	1_2_0222EE77
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE5C push esi; retf	1_2_0222EE5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EEAD push esi; retf	1_2_0222EE5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02228AF9 push ebp; retf	1_2_02228B0F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EC92 push esi; retf	1_2_0222EE5B

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02228274 NtAllocateVirtualMemory,	1_2_02228274
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222626C	1_2_0222626C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222124F	1_2_0222124F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226E50	1_2_02226E50
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D25D	1_2_0222D25D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022266BD	1_2_022266BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221680	1_2_02221680
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BE97	1_2_0222BE97
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226A9C	1_2_02226A9C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022232E5	1_2_022232E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022212E9	1_2_022212E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D2FF	1_2_0222D2FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220ED0	1_2_02220ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226327	1_2_02226327
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223B36	1_2_02223B36
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226B04	1_2_02226B04
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222171F	1_2_0222171F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222E772	1_2_0222E772
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226742	1_2_02226742
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C350	1_2_0222C350
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BF51	1_2_0222BF51
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D3A4	1_2_0222D3A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022213AA	1_2_022213AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D3A8	1_2_0222D3A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022217BF	1_2_022217BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223B8D	1_2_02223B8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222678D	1_2_0222678D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226B91	1_2_02226B91
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022263E7	1_2_022263E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BBCE	1_2_0222BBCE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220FDB	1_2_02220FDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223C37	1_2_02223C37
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222143F	1_2_0222143F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226C05	1_2_02226C05
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BC08	1_2_0222BC08
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C010	1_2_0222C010
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226866	1_2_02226866
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222086C	1_2_0222086C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222B846	1_2_0222B846
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BCB6	1_2_0222BCB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221083	1_2_02221083
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226497	1_2_02226497
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226C95	1_2_02226C95
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022210EB	1_2_022210EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022268E9	1_2_022268E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022214EF	1_2_022214EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223CF6	1_2_02223CF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022208FA	1_2_022208FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022260D4	1_2_022260D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223D33	1_2_02223D33
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226D63	1_2_02226D63
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BD42	1_2_0222BD42
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223D43	1_2_02223D43
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226545	1_2_02226545
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02225D5F	1_2_02225D5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D1B1	1_2_0222D1B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226991	1_2_02226991
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222159A	1_2_0222159A
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222619D	1_2_0222619D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022215E1	1_2_022215E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022265ED	1_2_022265ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226DFE	1_2_02226DFE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BDFC	1_2_0222BDFC

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222B3DF second address: 000000000222B409 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edx, AD6145DAh 0x00000010 cmp bh, dh 0x00000012 test bh, ah 0x00000014 xor edx, 12B119F7h 0x0000001a test bx, dx 0x0000001d cmp ecx, ecx 0x0000001f xor edx, D2104AFFh 0x00000025 test ebx, edx 0x00000027 mov ebx, edx 0x00000029 pushad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222B409 second address: 000000000222B409 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a shl edx, 05h 0x0000000d add edx, ebx 0x0000000f movzx ebx, byte ptr [esi] 0x00000012 cmp bh, dh 0x00000014 add edx, ebx 0x00000016 xor edx, 09D23C6Ah 0x0000001c jmp 00007F0104364A0Eh 0x0000001e push ss 0x0000001f pop ss 0x00000020 jmp 00007F0104364A09h 0x00000022 add esi, 02h 0x00000025 mov word ptr [ebp+00000271h], bx 0x0000002c mov bx, word ptr [esi] 0x0000002f cmp bx, 0000h 0x00000033 mov bx, word ptr [ebp+00000271h] 0x0000003a jne 00007F0104364950h 0x00000040 mov ebx, edx 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222B3B8 second address: 000000000222B3B8 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222E29D second address: 000000000222E29D instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222C060 second address: 000000000222C075 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov edx, 9D78574Ah 0x0000000f pushad 0x00000010 mov edx, 000000F5h 0x00000015 rdtsc

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222B3DF second address: 000000000222B409 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edx, AD6145DAh 0x00000010 cmp bh, dh 0x00000012 test bh, ah 0x00000014 xor edx, 12B119F7h 0x0000001a test bx, dx 0x0000001d cmp ecx, ecx 0x0000001f xor edx, D2104AFFh 0x00000025 test ebx, edx 0x00000027 mov ebx, edx 0x00000029 pushad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222B409 second address: 000000000222B409 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a shl edx, 05h 0x0000000d add edx, ebx 0x0000000f movzx ebx, byte ptr [esi] 0x00000012 cmp bh, dh 0x00000014 add edx, ebx 0x00000016 xor edx, 09D23C6Ah 0x0000001c jmp 00007F0104364A0Eh 0x0000001e push ss 0x0000001f pop ss 0x00000020 jmp 00007F0104364A09h 0x00000022 add esi, 02h 0x00000025 mov word ptr [ebp+00000271h], bx 0x0000002c mov bx, word ptr [esi] 0x0000002f cmp bx, 0000h 0x00000033 mov bx, word ptr [ebp+00000271h] 0x0000003a jne 00007F0104364950h 0x00000040 mov ebx, edx 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222B3B8 second address: 000000000222B3B8 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222E29D second address: 000000000222E29D instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222C060 second address: 000000000222C075 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov edx, 9D78574Ah 0x0000000f pushad 0x00000010 mov edx, 000000F5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222C075 second address: 000000000222C0A1 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor edx, 2F78EC29h 0x00000009 xor edx, 66DC7D09h 0x0000000f cmp cx, cx 0x00000012 cmp bx, cx 0x00000015 add edx, 2B23399Ah 0x0000001b cmp bl, bl 0x0000001d cmp dword ptr [edi+14h], edx 0x00000020 mov edx, dword ptr [ebp+000001CDh] 0x00000026 je 00007F01043649F6h 0x00000028 pushad 0x00000029 lfence 0x0000002c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222C0A1 second address: 000000000222BD95 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b jmp 00007F0104E2E8B8h 0x00000010 jmp 00007F0104E2ECE2h 0x00000012 cmp bx, bx 0x00000015 add esi, 00001000h 0x0000001b test bh, ah 0x0000001d test ch, ch 0x0000001f mov dword ptr [ebp+000001CEh], esi 0x00000025 mov esi, D1CB123Dh 0x0000002a test ax, bx 0x0000002d xor esi, 9D079601h 0x00000033 cmp bl, al 0x00000035 xor esi, 6EEE3B7Fh 0x0000003b test ax, ax 0x0000003e sub esi, 2221CF43h 0x00000044 test bl, bl 0x00000046 cmp dword ptr [ebp+000001CEh], esi 0x0000004c mov esi, dword ptr [ebp+000001CEh] 0x00000052 je 00007F0104E2F5D7h 0x00000058 test ah, ch 0x0000005a test ax, 00005041h 0x0000005e mov dword ptr [ebp+00000218h], esi 0x00000064 cmp cl, FFFFFFB9h 0x00000067 mov esi, 1CDCD8D0h 0x0000006c jmp 00007F0104E2ECE6h 0x0000006e test bx, cx 0x00000071 cmp edx, ecx 0x00000073 xor esi, 8DEA0809h 0x00000079 test edi, 1851CFE8h 0x0000007f cmp ch, bh 0x00000081 xor esi, 46C5E00Dh 0x00000087 pushad 0x00000088 mov ebx, 000000B2h 0x0000008d rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Code function: 1_2_02228274 rdtsc

1_2_02228274

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Process Stats: CPU usage > 90% for more than 60s

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Code function: 1_2_02228274 rdtsc

1_2_02228274

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222AA71 mov eax, dword ptr fs:[00000030h]	1_2_0222AA71
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222B2B6 mov eax, dword ptr fs:[00000030h]	1_2_0222B2B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C350 mov eax, dword ptr fs:[00000030h]	1_2_0222C350
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C750 mov eax, dword ptr fs:[00000030h]	1_2_0222C750
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C783 mov eax, dword ptr fs:[00000030h]	1_2_0222C783
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02227C90 mov eax, dword ptr fs:[00000030h]	1_2_02227C90

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000001.00000002.1185657895.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000001.00000002.1185657895.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000001.00000002.1185657895.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000001.00000002.1185657895.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Code function: 1_2_0222B4B5 cpuid

1_2_0222B4B5

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://andreameixueiro.com/IRANSAT_Vsidob74.bin	true	Avira URL Cloud: safe	unknown

AV Detection:

Found malware configuration

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "https://andreameixueiro.com/IRANSAT_Vsidob74.bin"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

ReversingLabs: Detection: 30%

Machine Learning detection for sample

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://andreameixueiro.com/IRANSAT_Vsidob74.bin

System Summary:

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02228274 NtAllocateVirtualMemory,	1_2_02228274
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222827B NtAllocateVirtualMemory,	1_2_0222827B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02228306 NtAllocateVirtualMemory,	1_2_02228306
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022283BF NtAllocateVirtualMemory,	1_2_022283BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222840D NtAllocateVirtualMemory,	1_2_0222840D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02228487 NtAllocateVirtualMemory,	1_2_02228487

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02228274	1_2_02228274
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DE22	1_2_0222DE22
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223E26	1_2_02223E26
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223E36	1_2_02223E36
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CA3F	1_2_0222CA3F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CE00	1_2_0222CE00
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EA01	1_2_0222EA01
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CA17	1_2_0222CA17
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222626C	1_2_0222626C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220A71	1_2_02220A71
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220A77	1_2_02220A77
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222827B	1_2_0222827B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DE43	1_2_0222DE43
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222124F	1_2_0222124F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226E50	1_2_02226E50
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221A57	1_2_02221A57
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222725B	1_2_0222725B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D25D	1_2_0222D25D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02227EAB	1_2_02227EAB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220AB2	1_2_02220AB2
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223EB5	1_2_02223EB5
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022266BD	1_2_022266BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221680	1_2_02221680
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DE80	1_2_0222DE80
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221A89	1_2_02221A89
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CE96	1_2_0222CE96
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BE97	1_2_0222BE97
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226A9C	1_2_02226A9C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022232E5	1_2_022232E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022212E9	1_2_022212E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226EEF	1_2_02226EEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DEF2	1_2_0222DEF2
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220ED0	1_2_02220ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CAD5	1_2_0222CAD5
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221B27	1_2_02221B27
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226327	1_2_02226327
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220B2C	1_2_02220B2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223B36	1_2_02223B36
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DF36	1_2_0222DF36
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226B04	1_2_02226B04
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02227B0E	1_2_02227B0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222171F	1_2_0222171F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223F6F	1_2_02223F6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222E772	1_2_0222E772
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CB77	1_2_0222CB77
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226742	1_2_02226742
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DF4F	1_2_0222DF4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C350	1_2_0222C350
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C750	1_2_0222C750
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BF51	1_2_0222BF51
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022213AA	1_2_022213AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022217BF	1_2_022217BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C783	1_2_0222C783
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CF8C	1_2_0222CF8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223B8D	1_2_02223B8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222678D	1_2_0222678D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222B791	1_2_0222B791
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226B91	1_2_02226B91
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226F9B	1_2_02226F9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DFE3	1_2_0222DFE3
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022263E7	1_2_022263E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022287F0	1_2_022287F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220BC2	1_2_02220BC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BBCE	1_2_0222BBCE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221BD7	1_2_02221BD7
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220FDB	1_2_02220FDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02222BDE	1_2_02222BDE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223C37	1_2_02223C37
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222143F	1_2_0222143F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226C05	1_2_02226C05
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BC08	1_2_0222BC08
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C010	1_2_0222C010
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CC1F	1_2_0222CC1F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02222C1C	1_2_02222C1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226866	1_2_02226866
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222086C	1_2_0222086C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221874	1_2_02221874
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220C4A	1_2_02220C4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C84F	1_2_0222C84F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C453	1_2_0222C453
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222305E	1_2_0222305E
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222705F	1_2_0222705F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C45F	1_2_0222C45F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BCB6	1_2_0222BCB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022230B9	1_2_022230B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221083	1_2_02221083
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EC92	1_2_0222EC92
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226497	1_2_02226497
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222E097	1_2_0222E097
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226C95	1_2_02226C95
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022210EB	1_2_022210EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022268E9	1_2_022268E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022214EF	1_2_022214EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223CF6	1_2_02223CF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022208FA	1_2_022208FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C8FB	1_2_0222C8FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CCFF	1_2_0222CCFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CCCB	1_2_0222CCCB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022260D4	1_2_022260D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221925	1_2_02221925
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223D33	1_2_02223D33
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DD3F	1_2_0222DD3F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DD02	1_2_0222DD02
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02227104	1_2_02227104
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DD0F	1_2_0222DD0F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226D63	1_2_02226D63
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DD78	1_2_0222DD78
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BD42	1_2_0222BD42
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223D43	1_2_02223D43
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226545	1_2_02226545
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CD55	1_2_0222CD55
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02225D5F	1_2_02225D5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D1B1	1_2_0222D1B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223DB6	1_2_02223DB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022271B4	1_2_022271B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DDBB	1_2_0222DDBB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C993	1_2_0222C993
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226991	1_2_02226991
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222159A	1_2_0222159A
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222619D	1_2_0222619D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022215E1	1_2_022215E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022265ED	1_2_022265ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226DFE	1_2_02226DFE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C9FF	1_2_0222C9FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BDFC	1_2_0222BDFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022219C3	1_2_022219C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223DC9	1_2_02223DC9

PE file contains strange resources

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameObject.exe vs SecuriteInfo.com.__vbaHresultCheckObj.11013.exe
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Binary or memory string: OriginalFilenameObject.exe vs SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Uses 32bit PE files

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal88.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

File created: C:\Users\user\AppData\Local\Temp\~DF934512EC1FF84EF0.TMP

Jump to behavior

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

ReversingLabs: Detection: 30%

Data Obfuscation:

Yara detected GuLoader

Source: Yara match	File source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, type: SAMPLE
Source: Yara match	File source: 1.0.SecuriteInfo.com.__vbaHresultCheckObj.11013.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.__vbaHresultCheckObj.11013.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.653822220.0000000000401000.00000020.00020000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0040663B push ebp; iretd	1_2_00406645
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE10 push esi; retf	1_2_0222EE5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE60 push esi; retf	1_2_0222EE63
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE64 push esi; retf	1_2_0222EE67
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE68 push esi; retf	1_2_0222EE6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE6C push esi; retf	1_2_0222EE6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE70 push esi; retf	1_2_0222EE73
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE74 push esi; retf	1_2_0222EE77
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE78 push esi; retf	1_2_0222EE77
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE5C push esi; retf	1_2_0222EE5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EEAD push esi; retf	1_2_0222EE5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02228AF9 push ebp; retf	1_2_02228B0F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EC92 push esi; retf	1_2_0222EE5B

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02228274 NtAllocateVirtualMemory,	1_2_02228274
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222626C	1_2_0222626C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222124F	1_2_0222124F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226E50	1_2_02226E50
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D25D	1_2_0222D25D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022266BD	1_2_022266BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221680	1_2_02221680
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BE97	1_2_0222BE97
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226A9C	1_2_02226A9C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022232E5	1_2_022232E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022212E9	1_2_022212E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D2FF	1_2_0222D2FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220ED0	1_2_02220ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226327	1_2_02226327
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223B36	1_2_02223B36
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226B04	1_2_02226B04
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222171F	1_2_0222171F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222E772	1_2_0222E772
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226742	1_2_02226742
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C350	1_2_0222C350
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BF51	1_2_0222BF51
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D3A4	1_2_0222D3A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022213AA	1_2_022213AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D3A8	1_2_0222D3A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022217BF	1_2_022217BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223B8D	1_2_02223B8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222678D	1_2_0222678D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226B91	1_2_02226B91
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022263E7	1_2_022263E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BBCE	1_2_0222BBCE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220FDB	1_2_02220FDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223C37	1_2_02223C37
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222143F	1_2_0222143F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226C05	1_2_02226C05
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BC08	1_2_0222BC08
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C010	1_2_0222C010
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226866	1_2_02226866
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222086C	1_2_0222086C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222B846	1_2_0222B846
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BCB6	1_2_0222BCB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221083	1_2_02221083
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226497	1_2_02226497
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226C95	1_2_02226C95
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022210EB	1_2_022210EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022268E9	1_2_022268E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022214EF	1_2_022214EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223CF6	1_2_02223CF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022208FA	1_2_022208FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022260D4	1_2_022260D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223D33	1_2_02223D33
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226D63	1_2_02226D63
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BD42	1_2_0222BD42
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223D43	1_2_02223D43
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226545	1_2_02226545
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02225D5F	1_2_02225D5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D1B1	1_2_0222D1B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226991	1_2_02226991
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222159A	1_2_0222159A
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222619D	1_2_0222619D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022215E1	1_2_022215E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022265ED	1_2_022265ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226DFE	1_2_02226DFE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BDFC	1_2_0222BDFC

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222B3DF second address: 000000000222B409 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edx, AD6145DAh 0x00000010 cmp bh, dh 0x00000012 test bh, ah 0x00000014 xor edx, 12B119F7h 0x0000001a test bx, dx 0x0000001d cmp ecx, ecx 0x0000001f xor edx, D2104AFFh 0x00000025 test ebx, edx 0x00000027 mov ebx, edx 0x00000029 pushad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222B409 second address: 000000000222B409 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a shl edx, 05h 0x0000000d add edx, ebx 0x0000000f movzx ebx, byte ptr [esi] 0x00000012 cmp bh, dh 0x00000014 add edx, ebx 0x00000016 xor edx, 09D23C6Ah 0x0000001c jmp 00007F0104364A0Eh 0x0000001e push ss 0x0000001f pop ss 0x00000020 jmp 00007F0104364A09h 0x00000022 add esi, 02h 0x00000025 mov word ptr [ebp+00000271h], bx 0x0000002c mov bx, word ptr [esi] 0x0000002f cmp bx, 0000h 0x00000033 mov bx, word ptr [ebp+00000271h] 0x0000003a jne 00007F0104364950h 0x00000040 mov ebx, edx 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222B3B8 second address: 000000000222B3B8 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222E29D second address: 000000000222E29D instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222C060 second address: 000000000222C075 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov edx, 9D78574Ah 0x0000000f pushad 0x00000010 mov edx, 000000F5h 0x00000015 rdtsc

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222B3DF second address: 000000000222B409 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edx, AD6145DAh 0x00000010 cmp bh, dh 0x00000012 test bh, ah 0x00000014 xor edx, 12B119F7h 0x0000001a test bx, dx 0x0000001d cmp ecx, ecx 0x0000001f xor edx, D2104AFFh 0x00000025 test ebx, edx 0x00000027 mov ebx, edx 0x00000029 pushad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222B409 second address: 000000000222B409 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a shl edx, 05h 0x0000000d add edx, ebx 0x0000000f movzx ebx, byte ptr [esi] 0x00000012 cmp bh, dh 0x00000014 add edx, ebx 0x00000016 xor edx, 09D23C6Ah 0x0000001c jmp 00007F0104364A0Eh 0x0000001e push ss 0x0000001f pop ss 0x00000020 jmp 00007F0104364A09h 0x00000022 add esi, 02h 0x00000025 mov word ptr [ebp+00000271h], bx 0x0000002c mov bx, word ptr [esi] 0x0000002f cmp bx, 0000h 0x00000033 mov bx, word ptr [ebp+00000271h] 0x0000003a jne 00007F0104364950h 0x00000040 mov ebx, edx 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222B3B8 second address: 000000000222B3B8 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222E29D second address: 000000000222E29D instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222C060 second address: 000000000222C075 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov edx, 9D78574Ah 0x0000000f pushad 0x00000010 mov edx, 000000F5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222C075 second address: 000000000222C0A1 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor edx, 2F78EC29h 0x00000009 xor edx, 66DC7D09h 0x0000000f cmp cx, cx 0x00000012 cmp bx, cx 0x00000015 add edx, 2B23399Ah 0x0000001b cmp bl, bl 0x0000001d cmp dword ptr [edi+14h], edx 0x00000020 mov edx, dword ptr [ebp+000001CDh] 0x00000026 je 00007F01043649F6h 0x00000028 pushad 0x00000029 lfence 0x0000002c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222C0A1 second address: 000000000222BD95 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b jmp 00007F0104E2E8B8h 0x00000010 jmp 00007F0104E2ECE2h 0x00000012 cmp bx, bx 0x00000015 add esi, 00001000h 0x0000001b test bh, ah 0x0000001d test ch, ch 0x0000001f mov dword ptr [ebp+000001CEh], esi 0x00000025 mov esi, D1CB123Dh 0x0000002a test ax, bx 0x0000002d xor esi, 9D079601h 0x00000033 cmp bl, al 0x00000035 xor esi, 6EEE3B7Fh 0x0000003b test ax, ax 0x0000003e sub esi, 2221CF43h 0x00000044 test bl, bl 0x00000046 cmp dword ptr [ebp+000001CEh], esi 0x0000004c mov esi, dword ptr [ebp+000001CEh] 0x00000052 je 00007F0104E2F5D7h 0x00000058 test ah, ch 0x0000005a test ax, 00005041h 0x0000005e mov dword ptr [ebp+00000218h], esi 0x00000064 cmp cl, FFFFFFB9h 0x00000067 mov esi, 1CDCD8D0h 0x0000006c jmp 00007F0104E2ECE6h 0x0000006e test bx, cx 0x00000071 cmp edx, ecx 0x00000073 xor esi, 8DEA0809h 0x00000079 test edi, 1851CFE8h 0x0000007f cmp ch, bh 0x00000081 xor esi, 46C5E00Dh 0x00000087 pushad 0x00000088 mov ebx, 000000B2h 0x0000008d rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Code function: 1_2_02228274 rdtsc

1_2_02228274

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Process Stats: CPU usage > 90% for more than 60s

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Code function: 1_2_02228274 rdtsc

1_2_02228274

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222AA71 mov eax, dword ptr fs:[00000030h]	1_2_0222AA71
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222B2B6 mov eax, dword ptr fs:[00000030h]	1_2_0222B2B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C350 mov eax, dword ptr fs:[00000030h]	1_2_0222C350
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C750 mov eax, dword ptr fs:[00000030h]	1_2_0222C750
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C783 mov eax, dword ptr fs:[00000030h]	1_2_0222C783
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02227C90 mov eax, dword ptr fs:[00000030h]	1_2_02227C90

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000001.00000002.1185657895.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000001.00000002.1185657895.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000001.00000002.1185657895.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000001.00000002.1185657895.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Code function: 1_2_0222B4B5 cpuid

1_2_0222B4B5

ID:	451415
Product:	CloudBasic
Start time:	16:06:38
Start date:	20.07.2021
Sample:	SecuriteInfo.com.__vbaHresultCheckObj.11013.25640
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	c6066a473750ed5ad023d20ce532c8c8
SHA1:	b2c181c008fd857b0f0122dbfd05d4193654ccc2
SHA256:	932f31e907302148994f479eafe8dfbf203537491bbd586c43190c59afa248ff
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Windows Analysis Report SecuriteInfo.com.__vbaHresultCheckObj.11013.25640

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map

Contacted URLs