Windows Analysis Report SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Overview

General Information

Sample Name: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe
Analysis ID: 451415
MD5: c6066a473750ed5ad023d20ce532c8c8
SHA1: b2c181c008fd857b0f0122dbfd05d4193654ccc2
SHA256: 932f31e907302148994f479eafe8dfbf203537491bbd586c43190c59afa248ff
Tags: exe

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://andreameixueiro.com/IRANSAT_Vsidob74.bin"}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Virustotal: Detection: 26%
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe ReversingLabs: Detection: 30%
Machine Learning detection for sample
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://andreameixueiro.com/IRANSAT_Vsidob74.bin

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_02988274 NtAllocateVirtualMemory, 0_2_02988274
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298827B NtAllocateVirtualMemory, 0_2_0298827B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_029883BF NtAllocateVirtualMemory, 0_2_029883BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_02988306 NtAllocateVirtualMemory, 0_2_02988306
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_02988487 NtAllocateVirtualMemory, 0_2_02988487
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298840D NtAllocateVirtualMemory, 0_2_0298840D
Detected potential crypto function
PE file contains strange resources
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000000.00000002.1304848116.00000000020D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.__vbaHresultCheckObj.11013.exe
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000000.00000002.1303115469.0000000000435000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameObject.exe vs SecuriteInfo.com.__vbaHresultCheckObj.11013.exe
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Binary or memory string: OriginalFilenameObject.exe vs SecuriteInfo.com.__vbaHresultCheckObj.11013.exe
Source: classification engine Classification label: mal88.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe File created: C:\Users\user\AppData\Local\Temp\~DFCF65BA1571E1F766.TMP
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, type: SAMPLE
Source: Yara match File source: 0.0.SecuriteInfo.com.__vbaHresultCheckObj.11013.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.__vbaHresultCheckObj.11013.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1302794449.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.218200781.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0040663B push ebp; iretd 0_2_00406645
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298EEAD push esi; retf 0_2_0298EE5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_02988AF9 push ebp; retf 0_2_02988B0F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298EE10 push esi; retf 0_2_0298EE5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298EE5C push esi; retf 0_2_0298EE5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298EE78 push esi; retf 0_2_0298EE77
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298EE70 push esi; retf 0_2_0298EE73
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298EE74 push esi; retf 0_2_0298EE77
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298EE68 push esi; retf 0_2_0298EE6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298EE6C push esi; retf 0_2_0298EE6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298EE60 push esi; retf 0_2_0298EE63
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298EE64 push esi; retf 0_2_0298EE67
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298EC92 push esi; retf 0_2_0298EE5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298BDFC 0_2_0298BDFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_02986DFE 0_2_02986DFE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_029841F2 0_2_029841F2
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_029865ED 0_2_029865ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_029815E1 0_2_029815E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_02983D33 0_2_02983D33
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_02984524 0_2_02984524
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_02985551 0_2_02985551
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298BD42 0_2_0298BD42
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_02983D43 0_2_02983D43
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_02986545 0_2_02986545
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_02984560 0_2_02984560
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_02986D63 0_2_02986D63
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe RDTSC instruction interceptor: First address: 000000000298B3DF second address: 000000000298B409 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edx, AD6145DAh 0x00000010 cmp bh, dh 0x00000012 test bh, ah 0x00000014 xor edx, 12B119F7h 0x0000001a test bx, dx 0x0000001d cmp ecx, ecx 0x0000001f xor edx, D2104AFFh 0x00000025 test ebx, edx 0x00000027 mov ebx, edx 0x00000029 pushad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe RDTSC instruction interceptor: First address: 000000000298B409 second address: 000000000298B409 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a shl edx, 05h 0x0000000d add edx, ebx 0x0000000f movzx ebx, byte ptr [esi] 0x00000012 cmp bh, dh 0x00000014 add edx, ebx 0x00000016 xor edx, 09D23C6Ah 0x0000001c jmp 00007FE97C6ED5EEh 0x0000001e push ss 0x0000001f pop ss 0x00000020 jmp 00007FE97C6ED5E9h 0x00000022 add esi, 02h 0x00000025 mov word ptr [ebp+00000271h], bx 0x0000002c mov bx, word ptr [esi] 0x0000002f cmp bx, 0000h 0x00000033 mov bx, word ptr [ebp+00000271h] 0x0000003a jne 00007FE97C6ED530h 0x00000040 mov ebx, edx 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe RDTSC instruction interceptor: First address: 000000000298B3B8 second address: 000000000298B3B8 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe RDTSC instruction interceptor: First address: 000000000298E29D second address: 000000000298E29D instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe RDTSC instruction interceptor: First address: 000000000298C060 second address: 000000000298C075 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov edx, 9D78574Ah 0x0000000f pushad 0x00000010 mov edx, 000000F5h 0x00000015 rdtsc
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe RDTSC instruction interceptor: First address: 000000000298B3DF second address: 000000000298B409 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edx, AD6145DAh 0x00000010 cmp bh, dh 0x00000012 test bh, ah 0x00000014 xor edx, 12B119F7h 0x0000001a test bx, dx 0x0000001d cmp ecx, ecx 0x0000001f xor edx, D2104AFFh 0x00000025 test ebx, edx 0x00000027 mov ebx, edx 0x00000029 pushad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe RDTSC instruction interceptor: First address: 000000000298B409 second address: 000000000298B409 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a shl edx, 05h 0x0000000d add edx, ebx 0x0000000f movzx ebx, byte ptr [esi] 0x00000012 cmp bh, dh 0x00000014 add edx, ebx 0x00000016 xor edx, 09D23C6Ah 0x0000001c jmp 00007FE97C6ED5EEh 0x0000001e push ss 0x0000001f pop ss 0x00000020 jmp 00007FE97C6ED5E9h 0x00000022 add esi, 02h 0x00000025 mov word ptr [ebp+00000271h], bx 0x0000002c mov bx, word ptr [esi] 0x0000002f cmp bx, 0000h 0x00000033 mov bx, word ptr [ebp+00000271h] 0x0000003a jne 00007FE97C6ED530h 0x00000040 mov ebx, edx 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe RDTSC instruction interceptor: First address: 000000000298B3B8 second address: 000000000298B3B8 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe RDTSC instruction interceptor: First address: 000000000298E29D second address: 000000000298E29D instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe RDTSC instruction interceptor: First address: 000000000298C060 second address: 000000000298C075 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov edx, 9D78574Ah 0x0000000f pushad 0x00000010 mov edx, 000000F5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe RDTSC instruction interceptor: First address: 000000000298C075 second address: 000000000298C0A1 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor edx, 2F78EC29h 0x00000009 xor edx, 66DC7D09h 0x0000000f cmp cx, cx 0x00000012 cmp bx, cx 0x00000015 add edx, 2B23399Ah 0x0000001b cmp bl, bl 0x0000001d cmp dword ptr [edi+14h], edx 0x00000020 mov edx, dword ptr [ebp+000001CDh] 0x00000026 je 00007FE97C6ED5D6h 0x00000028 pushad 0x00000029 lfence 0x0000002c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe RDTSC instruction interceptor: First address: 000000000298C0A1 second address: 000000000298BD95 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b jmp 00007FE97C9C9548h 0x00000010 jmp 00007FE97C9C9972h 0x00000012 cmp bx, bx 0x00000015 add esi, 00001000h 0x0000001b test bh, ah 0x0000001d test ch, ch 0x0000001f mov dword ptr [ebp+000001CEh], esi 0x00000025 mov esi, D1CB123Dh 0x0000002a test ax, bx 0x0000002d xor esi, 9D079601h 0x00000033 cmp bl, al 0x00000035 xor esi, 6EEE3B7Fh 0x0000003b test ax, ax 0x0000003e sub esi, 2221CF43h 0x00000044 test bl, bl 0x00000046 cmp dword ptr [ebp+000001CEh], esi 0x0000004c mov esi, dword ptr [ebp+000001CEh] 0x00000052 je 00007FE97C9CA267h 0x00000058 test ah, ch 0x0000005a test ax, 00005041h 0x0000005e mov dword ptr [ebp+00000218h], esi 0x00000064 cmp cl, FFFFFFB9h 0x00000067 mov esi, 1CDCD8D0h 0x0000006c jmp 00007FE97C9C9976h 0x0000006e test bx, cx 0x00000071 cmp edx, ecx 0x00000073 xor esi, 8DEA0809h 0x00000079 test edi, 1851CFE8h 0x0000007f cmp ch, bh 0x00000081 xor esi, 46C5E00Dh 0x00000087 pushad 0x00000088 mov ebx, 000000B2h 0x0000008d rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_02988274 rdtsc 0_2_02988274
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_02988274 rdtsc 0_2_02988274
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298B2B6 mov eax, dword ptr fs:[00000030h] 0_2_0298B2B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298AA71 mov eax, dword ptr fs:[00000030h] 0_2_0298AA71
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298C783 mov eax, dword ptr fs:[00000030h] 0_2_0298C783
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298C350 mov eax, dword ptr fs:[00000030h] 0_2_0298C350
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298C750 mov eax, dword ptr fs:[00000030h] 0_2_0298C750
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_02987C90 mov eax, dword ptr fs:[00000030h] 0_2_02987C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_02984C70 mov eax, dword ptr fs:[00000030h] 0_2_02984C70
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_02984C68 mov eax, dword ptr fs:[00000030h] 0_2_02984C68
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_029841B7 mov eax, dword ptr fs:[00000030h] 0_2_029841B7
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000000.00000002.1304340706.0000000000C40000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000000.00000002.1304340706.0000000000C40000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000000.00000002.1304340706.0000000000C40000.00000002.00000001.sdmp Binary or memory string: Progman
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000000.00000002.1304340706.0000000000C40000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe Code function: 0_2_0298B4B5 cpuid 0_2_0298B4B5