Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.Variant.Graftor.981190.24096.12674

Overview

General Information

Sample Name:	SecuriteInfo.com.Variant.Graftor.981190.24096.12674 (renamed file extension from 12674 to exe)
Analysis ID:	451828
MD5:	19cac1ee3a6e5e9f83054616f5d5ce6f
SHA1:	5b7f16098760f887b0bdc5fee9223d022e0597fb
SHA256:	3709110cc04e0eaffe10bec5e8a5c82b858bee4195975e7bcd30c50b246f56c3
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Found potential dummy code loops (likely to delay analysis)

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

PE / OLE file has an invalid certificate

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Variant.Graftor.981190.24096.exe (PID: 5092 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe' MD5: 19CAC1EE3A6E5E9F83054616F5D5CE6F)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://kinmirai.org/wp-content/bin_lOulvHP91.bip"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
SecuriteInfo.com.Variant.Graftor.981190.24096.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000000.325526342.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
00000002.00000002.850474872.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.SecuriteInfo.com.Variant.Graftor.981190.24096.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
2.0.SecuriteInfo.com.Variant.Graftor.981190.24096.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_lOulvHP91.bip"}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Virustotal: Detection: 14%			Perma Link
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe	ReversingLabs: Detection: 19%

Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\typo.pdb source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://kinmirai.org/wp-content/bin_lOulvHP91.bip

Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, 00000002.00000002.850725852.000000000073A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A953FF NtAllocateVirtualMemory,	2_2_02A953FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A953FB NtAllocateVirtualMemory,	2_2_02A953FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A95541 NtAllocateVirtualMemory,	2_2_02A95541

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A953FF	2_2_02A953FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A93EB2	2_2_02A93EB2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A97EB4	2_2_02A97EB4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A97AEF	2_2_02A97AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A906E2	2_2_02A906E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A97AF5	2_2_02A97AF5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A926CA	2_2_02A926CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A93EC0	2_2_02A93EC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A906D2	2_2_02A906D2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A97229	2_2_02A97229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A90626	2_2_02A90626
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A98605	2_2_02A98605
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A91207	2_2_02A91207
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A9824D	2_2_02A9824D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A93FA8	2_2_02A93FA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A937A5	2_2_02A937A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A93FE9	2_2_02A93FE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A93BE2	2_2_02A93BE2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A953FB	2_2_02A953FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A947FF	2_2_02A947FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A93FC2	2_2_02A93FC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A91B2E	2_2_02A91B2E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A91B24	2_2_02A91B24
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A91706	2_2_02A91706
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A96F73	2_2_02A96F73
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A94345	2_2_02A94345
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A98B5E	2_2_02A98B5E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A98B51	2_2_02A98B51
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A938B4	2_2_02A938B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A97CB7	2_2_02A97CB7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A98C81	2_2_02A98C81
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A940EF	2_2_02A940EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A904C0	2_2_02A904C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A958D6	2_2_02A958D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A92407	2_2_02A92407
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A9207C	2_2_02A9207C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A9444B	2_2_02A9444B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A95844	2_2_02A95844
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A951A4	2_2_02A951A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A901E9	2_2_02A901E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A905D8	2_2_02A905D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A921DB	2_2_02A921DB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A901DA	2_2_02A901DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A92567	2_2_02A92567
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A96D5C	2_2_02A96D5C

Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe

Static PE information: invalid certificate

Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, 00000002.00000000.325551670.0000000000435000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenametypo.exe vs SecuriteInfo.com.Variant.Graftor.981190.24096.exe
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Binary or memory string: OriginalFilenametypo.exe vs SecuriteInfo.com.Variant.Graftor.981190.24096.exe

Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal84.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe

File created: C:\Users\user\AppData\Local\Temp\~DF84A7F2EA291541CF.TMP

Jump to behavior

Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Virustotal: Detection: 14%
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe	ReversingLabs: Detection: 19%

Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\typo.pdb source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, type: MEMORY

Yara detected GuLoader

Show sources

Source: Yara match	File source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, type: SAMPLE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Variant.Graftor.981190.24096.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.SecuriteInfo.com.Variant.Graftor.981190.24096.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.325526342.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.850474872.0000000000401000.00000020.00020000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A99662 push esp; iretd	2_2_02A99671
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A99672 push esp; iretd	2_2_02A99675
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A99676 push esp; iretd	2_2_02A99679
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A93FA8 push ebp; retf	2_2_02A93FC5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A9634A push 00000020h; retf	2_2_02A9634C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A91589 push ebp; retf	2_2_02A9158F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A935DC push ebp; ret	2_2_02A935FF

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A93EB2	2_2_02A93EB2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A97EB4	2_2_02A97EB4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A906E2	2_2_02A906E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A906D2	2_2_02A906D2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A90626	2_2_02A90626
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A98605	2_2_02A98605
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A93FA8	2_2_02A93FA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A937A5	2_2_02A937A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A93FE9	2_2_02A93FE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A93FC2	2_2_02A93FC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A94345	2_2_02A94345
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A98B51	2_2_02A98B51
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A97CB7	2_2_02A97CB7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A940EF	2_2_02A940EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A904C0	2_2_02A904C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A92407	2_2_02A92407
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A9207C	2_2_02A9207C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A905D8	2_2_02A905D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A921DB	2_2_02A921DB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A92567	2_2_02A92567
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A96D5C	2_2_02A96D5C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe

Code function: 2_2_02A93EB2 rdtsc

2_2_02A93EB2

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe

Code function: 2_2_02A93EB2 rdtsc

2_2_02A93EB2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A96B34 mov eax, dword ptr fs:[00000030h]	2_2_02A96B34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A970BE mov eax, dword ptr fs:[00000030h]	2_2_02A970BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A97CB7 mov eax, dword ptr fs:[00000030h]	2_2_02A97CB7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Code function: 2_2_02A95022 mov eax, dword ptr fs:[00000030h]	2_2_02A95022

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, 00000002.00000002.850792525.0000000000CC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, 00000002.00000002.850792525.0000000000CC0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, 00000002.00000002.850792525.0000000000CC0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, 00000002.00000002.850792525.0000000000CC0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe

Code function: 2_2_02A96E24 cpuid

2_2_02A96E24

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	Input Capture1	Security Software Discovery21	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery111	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Graftor.981190.24096.exe	15%	Virustotal		Browse
SecuriteInfo.com.Variant.Graftor.981190.24096.exe	20%	ReversingLabs	Win32.Trojan.Graftor

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://kinmirai.org/wp-content/bin_lOulvHP91.bip	0%	Virustotal		Browse
https://kinmirai.org/wp-content/bin_lOulvHP91.bip	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://kinmirai.org/wp-content/bin_lOulvHP91.bip	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	451828
Start date:	21.07.2021
Start time:	12:02:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Variant.Graftor.981190.24096.12674 (renamed file extension from 12674 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.635501230509535
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Variant.Graftor.981190.24096.exe
File size:	246888
MD5:	19cac1ee3a6e5e9f83054616f5d5ce6f
SHA1:	5b7f16098760f887b0bdc5fee9223d022e0597fb
SHA256:	3709110cc04e0eaffe10bec5e8a5c82b858bee4195975e7bcd30c50b246f56c3
SHA512:	75d7cc20b44224ab616b9d4e6edd2c527c4245f5752430a08ed7a68a3d1596bfe5f9a16a447a57e8cbbe965b7377c6259f481c6a1ae8d262238ad25dce14a0ad
SSDEEP:	3072:MtU2Qf98DH332/jEvQuUZZNzPmhd3QPBP:KU2Qf9iXm/jduUNzPKNC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.....................................Rich............PE..L.....QU.................0...p......0........@....@................

File Icon


Icon Hash:	e8ccce8e8ececce8

Static PE Info

General
Entrypoint:	0x401330
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5551E11C [Tue May 12 11:16:44 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4e1e57f6de47f654992269152dd1e659

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Lertj1@impifo.Tw, CN=Konc, OU=HVEPSERED, O=Sulfur2, L=Delings, S=tyskla, C=IS
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	7/20/2021 2:04:04 PM 7/20/2022 2:04:04 PM
Subject Chain	E=Lertj1@impifo.Tw, CN=Konc, OU=HVEPSERED, O=Sulfur2, L=Delings, S=tyskla, C=IS
Version:	3
Thumbprint MD5:	E001EFB7FC2CF4F9AF90A05F56C0FF24
Thumbprint SHA-1:	FCE4066FC44A76DB5BD40EDCD674457947994F61
Thumbprint SHA-256:	30E21C2F0117B69F54088BA86D9ACD07DCB63504497576DBD473335F67BB6F5D
Serial:	00

Entrypoint Preview

Instruction
push 0042F010h
call 00007FA8548FED93h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jnle 00007FA8548FED52h
mov dh, EDh
lodsb
jl 00007FA8548FED37h
inc ebx
mov ecx, BEBDAAA6h
insd
das
out dx, al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
jne 00007FA8548FEE10h
popad
je 00007FA8548FEE03h
imul eax, dword ptr [eax], 00000000h
dec esp
xor dword ptr [eax], eax
adc al, 59h
push esi
rcl dword ptr [ebp+eax*4+6Eh], 1
add byte ptr [edx+ebx*4-14h], al
movsb
loope 00007FA8548FEDA0h
cld
outsd
clc
and eax, 9AF307A8h
inc ebp
inc ebx
inc esp
stosb
and ecx, ecx
push edi
cmp byte ptr [ebx+4F3A3B76h], FFFFFFADh
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
fild dword ptr [edx]
add byte ptr [ecx+4Fh], bh
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [edi+ebp*2+74h], ah
imul ebp, dword ptr [esi+67h], 0D006373h
add dword ptr [eax+eax], eax
push edx
dec ecx
inc edi
dec eax
add byte ptr [ecx], bl
add dword ptr [eax], eax
inc edx
add byte ptr [edx], ah
add byte ptr [ebx], ah
dec edi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x33054	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x35000	0x54b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3b050	0x1418
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1100	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xf8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x324a0	0x33000	False	0.249899471507	data	4.58227124451	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x34000	0xb90	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x35000	0x54b4	0x6000	False	0.293172200521	data	4.10742387863	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x39e4c	0x668	dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 4265541880, next used block 7936
RT_ICON	0x39b64	0x2e8	data
RT_ICON	0x3997c	0x1e8	data
RT_ICON	0x39854	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x389ac	0xea8	data
RT_ICON	0x38104	0x8a8	data
RT_ICON	0x37a3c	0x6c8	data
RT_ICON	0x374d4	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x3642c	0x10a8	data
RT_ICON	0x35aa4	0x988	data
RT_ICON	0x3563c	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x3559c	0xa0	data
RT_VERSION	0x352d0	0x2cc	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaLateMemCall, __vbaStrToAnsi, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Clicked
InternalName	typo
FileVersion	7.00
CompanyName	Clicked
LegalTrademarks	Clicked
Comments	Clicked
ProductName	Clicked
ProductVersion	7.00
FileDescription	Clicked
OriginalFilename	typo.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Variant.Graftor.981190.24096.exe PID: 5092 Parent PID: 5732

General

Start time:	12:03:02
Start date:	21/07/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe'
Imagebase:	0x400000
File size:	246888 bytes
MD5 hash:	19CAC1EE3A6E5E9F83054616F5D5CE6F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000002.00000000.325526342.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000002.00000002.850474872.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.Variant.Graftor.981190.24096.exe PID: 5092 Parent PID: 5732 SecuriteInfo.com.Variant.Graftor.981190.24096.exeCOMMON

Executed Functions

Function 02A953FF, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 161memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02A95594

Strings

G\', xrefs: 02A955EC
n, xrefs: 02A954D9
$2, xrefs: 02A955F2

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: $2$G\'$n
API String ID: 2167126740-3582581101
Opcode ID: 54ff3a137cfe36bc263f9d6212e469e8a5d29b1298d080fda841df0197a415ae
Instruction ID: f38f02ad54f768284b479cdc4a9864b7e4f5d0bc69fd6acf9a2f54ce2a77e238
Opcode Fuzzy Hash: 54ff3a137cfe36bc263f9d6212e469e8a5d29b1298d080fda841df0197a415ae
Instruction Fuzzy Hash: C95132B1A183498FDB709E29C8927DE77E6EF4A310F55452DDC89DB210DB318A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02A953FB, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 132memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02A95594

Strings

G\', xrefs: 02A955EC
n, xrefs: 02A954D9
$2, xrefs: 02A955F2

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: $2$G\'$n
API String ID: 2167126740-3582581101
Opcode ID: aad8d4b231e79fd626d3e4844aacfb6238815ecb8e7034c5770fd6f3affad00c
Instruction ID: a99ec8110636e4976939f7eb85ea0bcfa0d07cf98473502e9e246b041fbba6cd
Opcode Fuzzy Hash: aad8d4b231e79fd626d3e4844aacfb6238815ecb8e7034c5770fd6f3affad00c
Instruction Fuzzy Hash: 0651DEB1A183488FDFB09E29D8957DE37E6EF49310F95452DDC89DB210D7329A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02A95541, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02A95594

Strings

G\', xrefs: 02A955EC
n, xrefs: 02A954D9
$2, xrefs: 02A955F2

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: $2$G\'$n
API String ID: 2167126740-3582581101
Opcode ID: b285d58cff5a6016e82bc75fd2b5aecd238452ca7577edf0d0e7916096feabd8
Instruction ID: d019f181f27b3845ebc7ca5cf27766994ad82120ce2bb0c9f2c97141be051cef
Opcode Fuzzy Hash: b285d58cff5a6016e82bc75fd2b5aecd238452ca7577edf0d0e7916096feabd8
Instruction Fuzzy Hash: 434124B1905244CFCF769F25CC927DA3BF2EF0A710F44051ED8489B221D7319A88CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00430BC4, Relevance: 221.8, APIs: 116, Strings: 10, Instructions: 1298COMMON

Download Yara Rule

APIs

__vbaStrToAnsi.MSVBVM60(?,spearproof), ref: 00430D03
__vbaSetSystemError.MSVBVM60(00000000,?,spearproof), ref: 00430D14
__vbaFreeStr.MSVBVM60(00000000,?,spearproof), ref: 00430D33
#610.MSVBVM60(?,00000000,?,spearproof), ref: 00430D48
#552.MSVBVM60(?,?,00000001,?,00000000,?,spearproof), ref: 00430D5D
__vbaVarMove.MSVBVM60(?,?,00000001,?,00000000,?,spearproof), ref: 00430D6E
__vbaFreeVar.MSVBVM60(?,?,00000001,?,00000000,?,spearproof), ref: 00430D79
__vbaNew2.MSVBVM60(0042F948,00434454,?,?,00000001,?,00000000,?,spearproof), ref: 00430D90
__vbaHresultCheckObj.MSVBVM60(00000000,0071E8B4,0042F938,00000044), ref: 00430E5D
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00430E96
__vbaFreeVar.MSVBVM60(?,00000000), ref: 00430EA1
__vbaNew2.MSVBVM60(0042FCD4,00434010,00000000,?,spearproof), ref: 00430EBC
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430EDC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000108), ref: 00430F05
__vbaStrToAnsi.MSVBVM60(?,?), ref: 00430F17
__vbaStrToAnsi.MSVBVM60(?,Laanemuligheder4,00000000,?,?), ref: 00430F29
__vbaSetSystemError.MSVBVM60(00000000,?,Laanemuligheder4,00000000,?,?), ref: 00430F3A
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,?,Laanemuligheder4,00000000,?,?), ref: 00430F6A
__vbaFreeObj.MSVBVM60(?), ref: 00430F78
__vbaNew2.MSVBVM60(0042F948,00434454,?), ref: 00430F9A
__vbaHresultCheckObj.MSVBVM60(00000000,0071E8B4,0042F938,00000014), ref: 00430FC1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042F990,000000D0), ref: 00430FF0
__vbaStrMove.MSVBVM60(00000000,?,0042F990,000000D0), ref: 00431007
__vbaFreeObj.MSVBVM60(00000000,?,0042F990,000000D0), ref: 00431012
__vbaNew2.MSVBVM60(0042F948,00434454), ref: 00431029
__vbaHresultCheckObj.MSVBVM60(00000000,0071E8B4,0042F938,0000001C), ref: 00431050
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042F9A0,0000005C,?,?,?,?,?), ref: 0043109C
__vbaStrMove.MSVBVM60(?,?,?,?,?), ref: 004310B4
__vbaFreeObj.MSVBVM60(?,?,?,?,?), ref: 004310BF
__vbaNew2.MSVBVM60(0042FCD4,00434010,?), ref: 004310D9
__vbaObjSet.MSVBVM60(?,00000000), ref: 004310F4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9B0,000000F0), ref: 0043111D
__vbaNew2.MSVBVM60(0042FCD4,00434010), ref: 0043112D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431148
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9C0,000000E8), ref: 00431171
__vbaNew2.MSVBVM60(0042FCD4,00434010), ref: 00431181
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043119C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000130), ref: 004311C5
__vbaStrMove.MSVBVM60(00000000,00000000,0042F980,00000130), ref: 004311DD
__vbaStrCopy.MSVBVM60(00000000,00000000,0042F980,00000130), ref: 004311ED
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0042F488,000006F8), ref: 0043124F
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0043126B
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,00000003,?,?,?), ref: 00431287
__vbaNew2.MSVBVM60(0042FCD4,00434010), ref: 0043129A
__vbaObjSet.MSVBVM60(?,00000000), ref: 004312B5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9E8,00000110), ref: 004312DE
__vbaNew2.MSVBVM60(0042FCD4,00434010), ref: 004312EE
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431309
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9B0,000000F8), ref: 00431334
__vbaNew2.MSVBVM60(0042FCD4,00434010), ref: 00431344
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043135F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9E8,00000138), ref: 00431388
__vbaStrCopy.MSVBVM60(00000000,00000000,0042F9E8,00000138), ref: 00431398
__vbaStrMove.MSVBVM60(00000000,00000000,0042F9E8,00000138), ref: 004313B0
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0042F488,000006F8), ref: 00431412
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0043142E
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,00000003,?,?,?), ref: 0043144A
__vbaNew2.MSVBVM60(0042FCD4,00434010), ref: 0043145D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431478
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000068), ref: 0043149B
__vbaNew2.MSVBVM60(0042FCD4,00434010), ref: 004314AB
__vbaObjSet.MSVBVM60(?,00000000), ref: 004314C6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9B0,00000060), ref: 004314E9
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,00182DD5,?), ref: 00431584
__vbaNew2.MSVBVM60(0042FCD4,00434010,?,00182DD5,?), ref: 00431597
__vbaObjSet.MSVBVM60(?,00000000,?,00182DD5,?), ref: 004315B2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FA10,00000060,?,00182DD5,?), ref: 004315D5
__vbaFreeObj.MSVBVM60(?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043163C
__vbaNew2.MSVBVM60(0042FCD4,00434010,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043164C
__vbaObjSet.MSVBVM60(?,00000000,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431667
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000150,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431690
__vbaNew2.MSVBVM60(0042FCD4,00434010,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004316A0
__vbaObjSet.MSVBVM60(?,00000000,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004316BB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000070,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004316DE
__vbaNew2.MSVBVM60(0042FCD4,00434010,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004316EE
__vbaObjSet.MSVBVM60(?,00000000,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431709
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9C0,00000080,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431732
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,C,?,00518CAF,?,?,4B7FFB7C,?), ref: 004317AE
__vbaNew2.MSVBVM60(0042FCD4,00434010,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004317C1
__vbaObjSet.MSVBVM60(?,00000000,?,4B7FFB7C,?,?,00182DD5,?), ref: 004317DC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9B0,00000160,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431805
__vbaNew2.MSVBVM60(0042FCD4,00434010,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431815
__vbaObjSet.MSVBVM60(?,00000000,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431830
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000080,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431859
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0042F488,000006FC,?,4B7FFB7C,?,?,00182DD5,?), ref: 004318E6
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004318FB
__vbaNew2.MSVBVM60(0042FCD4,00434010,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043190E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431929
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000070,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043194C
__vbaNew2.MSVBVM60(0042FCD4,00434010,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043195C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431977
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9C0,000001C0,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004319A0
__vbaNew2.MSVBVM60(0042FCD4,00434010,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004319B0
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004319CB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FA38,000000D0,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004319F4
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0042F488,000006FC,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431A81
__vbaFreeStr.MSVBVM60(?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431A8C
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431AA8
__vbaNew2.MSVBVM60(0042FCD4,00434010,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431ABB
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431AD6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000070,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431AF9
__vbaNew2.MSVBVM60(0042FCD4,00434010,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431B09
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431B24
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000080,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431B4D
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,007F5A39,39BD99C0,?,?,?), ref: 00431BBE
__vbaNew2.MSVBVM60(0042FCD4,00434010,?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431BD1
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431BEC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9E8,00000060,?,?,?), ref: 00431C0F
__vbaNew2.MSVBVM60(0042FCD4,00434010,?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431C1F
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431C3A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000170,?,?,?), ref: 00431C63
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5), ref: 00431C7B
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5), ref: 00431C8B
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0042F488,000006F8,?,?,?), ref: 00431CED
__vbaFreeStrList.MSVBVM60(00000002,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C), ref: 00431D02
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000002,00000000,?,?,?,?), ref: 00431D17

Strings

REFUSIONSSALDOERS, xrefs: 00431C80
4, xrefs: 0043155A
CORANTO, xrefs: 00431CBD
Codi, xrefs: 00430E25
Lineality, xrefs: 004311E2
C, xrefs: 0043175B, 00431761
Sprogede6, xrefs: 00431874
spearproof, xrefs: 00430C1F
Laanemuligheder4, xrefs: 00430F1D
Grilleres, xrefs: 0043138D

Memory Dump Source

Source File: 00000002.00000002.850474872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.850467512.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.850504697.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.850511305.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckHresult$New2$Free$List$Move$AnsiCopy$ErrorSystem$#552#610Late
String ID: C$CORANTO$Codi$Grilleres$Laanemuligheder4$Lineality$REFUSIONSSALDOERS$Sprogede6$spearproof$4
API String ID: 2238139552-805979028
Opcode ID: 09eef0bb9f018b44a7b8ec807f7c7675c362f6b57c32d8b81c5d5f02f2132548
Instruction ID: b0ff59b7ee0f7c146334848be2af030ff7e32bc7879a59961dd64c287c7e4b1b
Opcode Fuzzy Hash: 09eef0bb9f018b44a7b8ec807f7c7675c362f6b57c32d8b81c5d5f02f2132548
Instruction Fuzzy Hash: CDB25EB1A00618AFDB20DB65CC45FEA77BCAF48344F0001EEB549F7191DB78AA458F68

Uniqueness

Uniqueness Score: -1.00%

Function 00432BD5, Relevance: 27.2, APIs: 18, Instructions: 164COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00432C27
__vbaNew2.MSVBVM60(0042FCD4,00434010), ref: 00432C3F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432C57
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,000001C8), ref: 00432C93
__vbaFreeObj.MSVBVM60 ref: 00432C9B
__vbaNew2.MSVBVM60(0042FCD4,00434010), ref: 00432CB3
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432CCB
__vbaNew2.MSVBVM60(0042FCD4,00434010,?,00000000), ref: 00432CF3
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432D0B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9C0,00000150), ref: 00432D31
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9B0,000001EC), ref: 00432D60
__vbaFreeStr.MSVBVM60 ref: 00432D68
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00432D79
#704.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00432D94
__vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00432D9E
__vbaFreeVar.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00432DA6
__vbaFreeStr.MSVBVM60(00432DEE,?,000000FF,000000FE,000000FE,000000FE), ref: 00432DE0
__vbaFreeStr.MSVBVM60(00432DEE,?,000000FF,000000FE,000000FE,000000FE), ref: 00432DE8

Memory Dump Source

Source File: 00000002.00000002.850474872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.850467512.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.850504697.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.850511305.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultNew2$#704CopyListMove
String ID:
API String ID: 3420054063-0
Opcode ID: f59f0f4899c58369533f0b9c9598eb36b75edb2da98aa1915a874e1cbafd727c
Instruction ID: 26a3dfeb4a146d5252217d22b066094ff945cc9a3714c27da0ce0bd2adb3b113
Opcode Fuzzy Hash: f59f0f4899c58369533f0b9c9598eb36b75edb2da98aa1915a874e1cbafd727c
Instruction Fuzzy Hash: A1516271A00218ABCB04EFA6D985FDE77B8BF08704F50416EF511F71E1DB7869058B98

Uniqueness

Uniqueness Score: -1.00%

Function 00401330, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6%*), ref: 00401335

Strings

VB5!6%*, xrefs: 00401330

Memory Dump Source

Source File: 00000002.00000002.850474872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.850467512.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.850504697.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.850511305.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: #100
String ID: VB5!6%*
API String ID: 1341478452-4246263594
Opcode ID: fd12bdea4db60704e0e4ff75a8f6b5447b1c2ce97e30c668d4ffc6172e01bd03
Instruction ID: db10775f9613a9cef7dfcb640d259d2a3f3745c2cc7a99156764660d0f41b3f6
Opcode Fuzzy Hash: fd12bdea4db60704e0e4ff75a8f6b5447b1c2ce97e30c668d4ffc6172e01bd03
Instruction Fuzzy Hash: AE7193A144E7C05FD3038BB498296A13FB0AE53229B4F45EBC4C1DF4F3E269180AD766

Uniqueness

Uniqueness Score: -1.00%

Function 0042F860, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.850474872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.850467512.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.850504697.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.850511305.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72f7b94b8f26f587679a8bf1b5dadee1532e28c7b24ae92f1f0baff111dad7e
Instruction ID: 89b52c948480378e4f8d01a45c640e99590afb59a4cd7219fcf44060605338ab
Opcode Fuzzy Hash: d72f7b94b8f26f587679a8bf1b5dadee1532e28c7b24ae92f1f0baff111dad7e
Instruction Fuzzy Hash: E1B012103841119A57007254BD8192451A0D2813843F00C33F401F2290C728DD04C22E

Uniqueness

Uniqueness Score: -1.00%

Function 0042F8B8, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.850474872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.850467512.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.850504697.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.850511305.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb22eaf74145d6885aeee790a5b7451da9c8c52253a287ba4f476fd65a6998d
Instruction ID: 695da97cfa436c67d5b5d8ea5b8f3c9cf75e32bc5114b6d39dbb6159547e7a0d
Opcode Fuzzy Hash: 8fb22eaf74145d6885aeee790a5b7451da9c8c52253a287ba4f476fd65a6998d
Instruction Fuzzy Hash: BFB012243941119B6B0072947C42D2153A0EBC47843E40C73F011E11D0D728EC08452D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02A96D5C, Relevance: 4.8, Strings: 3, Instructions: 1043COMMON

Download Yara Rule

Strings

QG;, xrefs: 02A945F2
%{\2, xrefs: 02A940A4
XI!, xrefs: 02A96D98

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;$%{\2$XI!
API String ID: 0-2309300164
Opcode ID: 5cdf992861daffd6dbfe427866f92838f6311029230a402729e051cb506a6d7f
Instruction ID: 1b19a4d429efd0aa30a2e7532a31519ef52ee0eaf9f3fa2026069e9732d8229b
Opcode Fuzzy Hash: 5cdf992861daffd6dbfe427866f92838f6311029230a402729e051cb506a6d7f
Instruction Fuzzy Hash: A69240B160434A9FDF349F39CD957DA7BA2BF55390F85812DDD898B204D7308A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02A98B51, Relevance: 4.1, Strings: 3, Instructions: 370COMMON

Download Yara Rule

Strings

x2x<, xrefs: 02A98DA4
/wyh, xrefs: 02A99091
XyG, xrefs: 02A98D76

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID: /wyh$x2x<$XyG
API String ID: 0-2276865415
Opcode ID: eb387bd6b14a1e02519702af59056b53bbac3638fdf32cce5643e7226908cdb2
Instruction ID: a10cc70d08a55ffa5ba7f6d65681f31a69a19e0b93fa59fca2f1208b84ac206b
Opcode Fuzzy Hash: eb387bd6b14a1e02519702af59056b53bbac3638fdf32cce5643e7226908cdb2
Instruction Fuzzy Hash: BED13371A043469FDF38DF69C9A47EA37E2AF86350F91812ECC4A9B244DB34C985CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02A92567, Relevance: 3.5, Strings: 2, Instructions: 1024COMMON

Download Yara Rule

Strings

QG;, xrefs: 02A945F2
%{\2, xrefs: 02A940A4

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;$%{\2
API String ID: 0-543867728
Opcode ID: a14759382cdfe8938b060d8e868ecc3de5fc8cb829c395dd31e3716daa44ba29
Instruction ID: 0251928f43c85bbf929cbb51457b976132a23ac7a0c26d9bdcf4239df7d79fb6
Opcode Fuzzy Hash: a14759382cdfe8938b060d8e868ecc3de5fc8cb829c395dd31e3716daa44ba29
Instruction Fuzzy Hash: 1C922E7260434A9FDF349F39C9947DABBA2BF55390F96412EDC899B210D7308A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02A9207C, Relevance: 3.5, Strings: 2, Instructions: 1015COMMON

Download Yara Rule

Strings

QG;, xrefs: 02A945F2
%{\2, xrefs: 02A940A4

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: QG;$%{\2
API String ID: 2167126740-543867728
Opcode ID: 148cb644ec8526a0687a798bd6ccd2eda0222f594bca59a7daee9e6f992827d7
Instruction ID: 6175edef2ec1eb8c798b0ecf176ef212c243e57c5062ef0639de4ff586b69a5e
Opcode Fuzzy Hash: 148cb644ec8526a0687a798bd6ccd2eda0222f594bca59a7daee9e6f992827d7
Instruction Fuzzy Hash: A7823EB160434A9FDF249F39CD947EABBA2FF55390F85412EDC899B244D7308A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02A92407, Relevance: 3.4, Strings: 2, Instructions: 884COMMON

Download Yara Rule

Strings

QG;, xrefs: 02A945F2
%{\2, xrefs: 02A940A4

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: QG;$%{\2
API String ID: 2167126740-543867728
Opcode ID: 13a67309c31534982f8a56b75d55e51a7cd416508b00a2ea17c79dfc82e96ee6
Instruction ID: 304e7829d046fa1b29cbf66df5d1c83f29be04710b5f9515da59130b83b82446
Opcode Fuzzy Hash: 13a67309c31534982f8a56b75d55e51a7cd416508b00a2ea17c79dfc82e96ee6
Instruction Fuzzy Hash: C0722EB260434A9FDF349F39CD947DAB7A2BF55350F85412EDD899B200D7348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02A98605, Relevance: 3.3, Strings: 2, Instructions: 837COMMON

Download Yara Rule

Strings

QG;, xrefs: 02A945F2
%{\2, xrefs: 02A940A4

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;$%{\2
API String ID: 0-543867728
Opcode ID: a5e25383408dfcb553b64e76084faaed6bae22f381f6ed5307db75e95fa65261
Instruction ID: 497a8d7e118658c5fe71ed0c5b2cd56305f18ffb01994d4d0dd98cbb53e47009
Opcode Fuzzy Hash: a5e25383408dfcb553b64e76084faaed6bae22f381f6ed5307db75e95fa65261
Instruction Fuzzy Hash: 0F621DB260434A9FDF349F39CD957EABBA2BF55390F85412DDD899B200D7308A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02A93EB2, Relevance: 3.3, Strings: 2, Instructions: 799COMMON

Download Yara Rule

Strings

QG;, xrefs: 02A945F2
%{\2, xrefs: 02A940A4

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;$%{\2
API String ID: 0-543867728
Opcode ID: 02e983f6f4d46db25a40495fbb07e067218a97d14fe3bda29ece5c6f89fafdbc
Instruction ID: cd3905a6b231f2cab0313c69820e2d7c0a7e3e7629da1cfac6595c6bd63ab5d3
Opcode Fuzzy Hash: 02e983f6f4d46db25a40495fbb07e067218a97d14fe3bda29ece5c6f89fafdbc
Instruction Fuzzy Hash: CE621EB260434A9FDF349F39C9957EABBA2FF55390F85412DDD898B210D7308A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02A93FC2, Relevance: 3.3, Strings: 2, Instructions: 762COMMON

Download Yara Rule

Strings

QG;, xrefs: 02A945F2
%{\2, xrefs: 02A940A4

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;$%{\2
API String ID: 0-543867728
Opcode ID: a9b24319bed42cdf8fb6c8e905a8879f72a468cdd95f3643da4a43ace50fd05f
Instruction ID: 9a429aeda587602e451d5ef72e5c0402d67c2eabf8ac097a7679607f54824221
Opcode Fuzzy Hash: a9b24319bed42cdf8fb6c8e905a8879f72a468cdd95f3643da4a43ace50fd05f
Instruction Fuzzy Hash: 12521DB260434A9FDF349F39CD957DA7BA2BF55390F85812EDC898B210D7348A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02A93FA8, Relevance: 3.3, Strings: 2, Instructions: 760COMMON

Download Yara Rule

Strings

QG;, xrefs: 02A945F2
%{\2, xrefs: 02A940A4

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;$%{\2
API String ID: 0-543867728
Opcode ID: 9dc8e854fdbfd0e1b8861380eb4dad53cb79e39564cf8fbf038910e79b91d6ef
Instruction ID: 2adff3892f99776487148cfceb1e7b791c69353be9d39bf77e64ddf24c66ef3e
Opcode Fuzzy Hash: 9dc8e854fdbfd0e1b8861380eb4dad53cb79e39564cf8fbf038910e79b91d6ef
Instruction Fuzzy Hash: 34520EB260434A9FDF349F39CD957DABBA2BF55390F85412DDD898B210DB308A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02A93FE9, Relevance: 3.2, Strings: 2, Instructions: 743COMMON

Download Yara Rule

Strings

QG;, xrefs: 02A945F2
%{\2, xrefs: 02A940A4

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;$%{\2
API String ID: 0-543867728
Opcode ID: a106bc3f8deff7f3572655d7f5fc3ab820a2b886733058fd9a92920d3a6413c8
Instruction ID: 1fbf14c577ca51acc7847edea147aca7894e78c8e531d747f72d19a54ecf4e54
Opcode Fuzzy Hash: a106bc3f8deff7f3572655d7f5fc3ab820a2b886733058fd9a92920d3a6413c8
Instruction Fuzzy Hash: F0521DB260034A9FDF349F39CD957DABBA2BF55390F95812DDD898B210D7308A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02A97CB7, Relevance: 3.2, Strings: 2, Instructions: 679COMMON

Download Yara Rule

Strings

4O>4, xrefs: 02A980A4
L-d, xrefs: 02A9815C

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 4O>4$L-d
API String ID: 0-3250529594
Opcode ID: efc0b8cf50bfe13177e61874b13ccbf05b6d8b321990d49f91cd12509d2569e2
Instruction ID: 55bf76f38b38c0c74193bfe23a2a7d3e6b2ff0d97e740235a223b4ebbc40066d
Opcode Fuzzy Hash: efc0b8cf50bfe13177e61874b13ccbf05b6d8b321990d49f91cd12509d2569e2
Instruction Fuzzy Hash: 6C4228316083858FDF35CF38C9987CA7BE2AF56360F59816ECC998B296D7348545CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02A97EB4, Relevance: 2.7, Strings: 2, Instructions: 217COMMON

Download Yara Rule

Strings

4O>4, xrefs: 02A980A4
L-d, xrefs: 02A9815C

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 4O>4$L-d
API String ID: 0-3250529594
Opcode ID: 6bb56d21ed0a9f07086b79267f0696eb783bfdd8546e20d1b30e8da4127bbad0
Instruction ID: 306495616d2e169c64eac7c763b197702bb0bcb721821225a7ac1b0bbb37b311
Opcode Fuzzy Hash: 6bb56d21ed0a9f07086b79267f0696eb783bfdd8546e20d1b30e8da4127bbad0
Instruction Fuzzy Hash: 7C8116715083818FDF758F358CD97DABBE1AF12350F5981AECC898E28AD7368641CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02A98B5E, Relevance: 2.7, Strings: 2, Instructions: 202COMMON

Download Yara Rule

Strings

x2x<, xrefs: 02A98DA4
XyG, xrefs: 02A98D76

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID: x2x<$XyG
API String ID: 0-268215166
Opcode ID: d543f20d51e29423d7abe89405541e64522adb6e65d8bb4c74caf295f43bc042
Instruction ID: d18499bd94a240cf77785dd4512bd5d615f22b926768239ea40f83f10086ad45
Opcode Fuzzy Hash: d543f20d51e29423d7abe89405541e64522adb6e65d8bb4c74caf295f43bc042
Instruction Fuzzy Hash: 1D81E070901346DFDF799F25C8A5BEA77B2EF86310F54812ECC4A8B254DB358A84CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02A98C81, Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

x2x<, xrefs: 02A98DA4
XyG, xrefs: 02A98D76

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID: x2x<$XyG
API String ID: 0-268215166
Opcode ID: 0c434f032227c36a307066dc91d918b59e61e8c1f64f5cca519c547e2020a09b
Instruction ID: b1b0d1af133a8976a2b62147088e5f1898a53b7814a16ff490d77d32e8f30fed
Opcode Fuzzy Hash: 0c434f032227c36a307066dc91d918b59e61e8c1f64f5cca519c547e2020a09b
Instruction Fuzzy Hash: 3F519D30901342DFCF799E75C8A9BEB7BB5EF42310F50816ECC4A8B654DB348A848B51

Uniqueness

Uniqueness Score: -1.00%

Function 02A940EF, Relevance: 2.0, Strings: 1, Instructions: 708COMMON

Download Yara Rule

Strings

QG;, xrefs: 02A945F2

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;
API String ID: 0-766790425
Opcode ID: 2053ddd26be84ae1456a41bfcbb3745c463d75c755716ab1a4fe09f36e7ec6ce
Instruction ID: a71ddb147e5c4834eecbbb660f472483717ac4e148e16df51b497b034864cf54
Opcode Fuzzy Hash: 2053ddd26be84ae1456a41bfcbb3745c463d75c755716ab1a4fe09f36e7ec6ce
Instruction Fuzzy Hash: 4A52EBB260034A9FDF349F39CD957DABBA2BF55350F85412EDC898B250DB708A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02A94345, Relevance: 1.8, Strings: 1, Instructions: 564COMMON

Download Yara Rule

Strings

QG;, xrefs: 02A945F2

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;
API String ID: 0-766790425
Opcode ID: 8f58c54d3004c3f35482bb6385c79b55a6fa1714a75f595f4fbd28a42b015ec6
Instruction ID: 479c4976315fb1ef4c9307d73ed82c7137208bf5ea90d8cb7333aa49c854c958
Opcode Fuzzy Hash: 8f58c54d3004c3f35482bb6385c79b55a6fa1714a75f595f4fbd28a42b015ec6
Instruction Fuzzy Hash: F1220D7560434A9FDF348F38CD947DA7BA2BF19390F85412EDC898B250DB708A86CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02A9444B, Relevance: 1.8, Strings: 1, Instructions: 521COMMON

Download Yara Rule

Strings

QG;, xrefs: 02A945F2

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;
API String ID: 0-766790425
Opcode ID: 79db4022bc53799f4292c8cce7db91f8b2cb401d3ef688cf5632a5922b061a6a
Instruction ID: 09ca0fba9e5fdfd487058edfd356a7e93539025749a77c990e74310d64b4236c
Opcode Fuzzy Hash: 79db4022bc53799f4292c8cce7db91f8b2cb401d3ef688cf5632a5922b061a6a
Instruction Fuzzy Hash: 04120E7560434A9FDF349F39CDA47EA7BA2EF59390F85412EDC898B250DB304A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02A95844, Relevance: 1.6, Strings: 1, Instructions: 340COMMON

Download Yara Rule

Strings

vF), xrefs: 02A95C40

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: vF)
API String ID: 2167126740-3905765964
Opcode ID: a86ccda33b2383231fc87bbcaebd5f927bc1a85dec308bc510458edb8b79cfc2
Instruction ID: 772f9e4b7220723b6d1f98e094dfd6066cea0db596929a244597304752539495
Opcode Fuzzy Hash: a86ccda33b2383231fc87bbcaebd5f927bc1a85dec308bc510458edb8b79cfc2
Instruction Fuzzy Hash: B8D1F071A4434A9FDF389E79CD917EE77E2AF05340F51842DDC8A97214EB308A85CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02A921DB, Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

/wyh, xrefs: 02A99091

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: /wyh
API String ID: 2167126740-893334900
Opcode ID: 243824e09a8f3721e703f8c27abc1131d9d47a25351a60139f6e55f0dbe00cd6
Instruction ID: aadb5fa6ad2821e0b9ef0f403eba7f9c940f47a82dea60cd87cb0011af14d0ea
Opcode Fuzzy Hash: 243824e09a8f3721e703f8c27abc1131d9d47a25351a60139f6e55f0dbe00cd6
Instruction Fuzzy Hash: 53A142B1A043499BDF24AF29C9A47EB77A3EF94340F85812DDC8A9B244DB348981CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02A958D6, Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

vF), xrefs: 02A95C40

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID: vF)
API String ID: 0-3905765964
Opcode ID: 8e9124f9d93a3be4d3904c63184a56d8ef191b2d6103fa07e4d0b223d4d25515
Instruction ID: b6627b19d3e3d13f033b5d723a796caff498b59895233cc2ed45663b7e000eb6
Opcode Fuzzy Hash: 8e9124f9d93a3be4d3904c63184a56d8ef191b2d6103fa07e4d0b223d4d25515
Instruction Fuzzy Hash: 0781DD7164034A9FCF749F36CD957EA7BA6EF05380F85442DDD8A8B611E7308A86CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02A97229, Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

`, xrefs: 02A9732D

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 4fcb0f064c638c6d4d9cadce6ce0dc1eed1bd7d9671e007af12fddf79443f616
Instruction ID: e34c32d86642c379a6a0ca84a13a8d332349d4f5cca9de830aca3a52d065a956
Opcode Fuzzy Hash: 4fcb0f064c638c6d4d9cadce6ce0dc1eed1bd7d9671e007af12fddf79443f616
Instruction Fuzzy Hash: 305178B1B503469FDF38DE6A8EA83DE36E2AF85750F50812EDC098B244DB7446418F52

Uniqueness

Uniqueness Score: -1.00%

Function 02A970BE, Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

d;H, xrefs: 02A97127

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID: d;H
API String ID: 0-3737517937
Opcode ID: 88d4205ec0780f492a29a745e7c55d160f48bf9ac8cd23a8011cfb80f4ce5ddb
Instruction ID: 7d9f45fa8a1ab9a955f16168563a8d127e011b275af67660346a5ea7e7b5d634
Opcode Fuzzy Hash: 88d4205ec0780f492a29a745e7c55d160f48bf9ac8cd23a8011cfb80f4ce5ddb
Instruction Fuzzy Hash: 4301E5B9665284CFDB24CF19CDD5ACAB7E6BB89710F51802ADD088B325D731EA41CE20

Uniqueness

Uniqueness Score: -1.00%

Function 02A947FF, Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f46718ea5e7ec4653ea426182eddcecc267e1381eed65193a8e18905edfbfa51
Instruction ID: 3887396443e0526ca7e2ae11f7d93bfc40cb5fb25d0a33d067b1fe580cbf431a
Opcode Fuzzy Hash: f46718ea5e7ec4653ea426182eddcecc267e1381eed65193a8e18905edfbfa51
Instruction Fuzzy Hash: C6C10D75600349DFDF358E39DD987DA7BA2EF69360F85412AEC8D8B250D7308A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02A91B24, Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7627839cb8d7a799831c7606693d5466d47347405ce0408c8bad95d51e67187a
Instruction ID: a7e59ad53170907134a51014e433a3ae15c567ff8d8f1ce946f852b7cf10455b
Opcode Fuzzy Hash: 7627839cb8d7a799831c7606693d5466d47347405ce0408c8bad95d51e67187a
Instruction Fuzzy Hash: 83A152B2B402499FEF34DE298D84BDA37E7AF99750F54812EAC4CDB344DB308A418B50

Uniqueness

Uniqueness Score: -1.00%

Function 02A938B4, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3fe82c664fa85986cb03bb34722f10d666f3c22fa6337c8515f7269d2b16a04
Instruction ID: 10170b8be111a08e91a4ce69c04a50266f0d90e636f89d75bb56a355c7db499b
Opcode Fuzzy Hash: f3fe82c664fa85986cb03bb34722f10d666f3c22fa6337c8515f7269d2b16a04
Instruction Fuzzy Hash: 39910271A40306AFDF749F29C988BDE37E6AF05360F51816ADC898B294DB34C981CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02A904C0, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d357e97aa2c26a90febde0b9368686550d0d66005a8c243eba7edc9b30d2e628
Instruction ID: 8e50777f7e80d9ba1fd51ed2aa7b20939d9be88920cc30e22d160e84990a17c0
Opcode Fuzzy Hash: d357e97aa2c26a90febde0b9368686550d0d66005a8c243eba7edc9b30d2e628
Instruction Fuzzy Hash: 788167B56043499FDB249F39C9A47EF37E7AF99350F81812EDC899B244D7308985CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02A937A5, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4a411c39b8722fbbb1de7ec5b7fe4b3264988fdf618cb86b4e89e08fd0e1bf
Instruction ID: 9bbdc13f3b93c1e252d40ecc013e9be7aef302ce5d2e71652c4972ec7ef023ca
Opcode Fuzzy Hash: 9c4a411c39b8722fbbb1de7ec5b7fe4b3264988fdf618cb86b4e89e08fd0e1bf
Instruction Fuzzy Hash: BC8164B56043489FDF249F798DA47EB77E7AF98350F81412EDC8A9B244DB348984CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02A91B2E, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3bf2d8a56c1e5a75e572d10a40c8338ff5c575522b1ac1bc8fa9e270d4df07
Instruction ID: 58253fd103eaae1710d1da48b390ba3d2eae5d7d9c928f6243807875339e0000
Opcode Fuzzy Hash: ce3bf2d8a56c1e5a75e572d10a40c8338ff5c575522b1ac1bc8fa9e270d4df07
Instruction Fuzzy Hash: 3E615AB2A402499FDF348E29CD94BDE77EBAF99750F45412ADC4CDB348C7718A428B50

Uniqueness

Uniqueness Score: -1.00%

Function 02A901E9, Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 7a79cf0d62ed81b900bd46c5f515871b8a35ed53beb7b6543b5618c47e276e75
Instruction ID: 5dfea05aea4130653d31aea61f0fcf4f2a4c45a8a6910881bacf1a5da03546ac
Opcode Fuzzy Hash: 7a79cf0d62ed81b900bd46c5f515871b8a35ed53beb7b6543b5618c47e276e75
Instruction Fuzzy Hash: 836167B4A44305AFEF34AE758A807EEBBE3AF46350F51462EEC8992144DB308581CF13

Uniqueness

Uniqueness Score: -1.00%

Function 02A91706, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1894d3734040cef01d5f84e2451fb5f0ef1e82fab4e1959d31c408b972392d88
Instruction ID: 27dae7a09fe1993c536229b55f848f9b19f717e1eaa190430dafac02dc3509bb
Opcode Fuzzy Hash: 1894d3734040cef01d5f84e2451fb5f0ef1e82fab4e1959d31c408b972392d88
Instruction Fuzzy Hash: 53510631608BC69ADB328E3C8C597DB7FA26F56320F99839DC8985B286C7315552C781

Uniqueness

Uniqueness Score: -1.00%

Function 02A905D8, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ee20e7d181384727dea6fa15ac81b267f511fd416d93404691af18fb0754cc
Instruction ID: 5326a98c07fcd5100694931b980372f1af68cd7074da7fb06e84a36d39dc21d6
Opcode Fuzzy Hash: 35ee20e7d181384727dea6fa15ac81b267f511fd416d93404691af18fb0754cc
Instruction Fuzzy Hash: 405152B56043499FEB209F79C9A43EB77E7AF98340F86412E9C8997244D7348985CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02A926CA, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead653bce0e95a63461983cd58969912306313b3b87e5043666ff5a4dd31d9b2
Instruction ID: d5c7d1f31a350f663a64206ca11222471da8d7d55570239958a027134630e8b9
Opcode Fuzzy Hash: ead653bce0e95a63461983cd58969912306313b3b87e5043666ff5a4dd31d9b2
Instruction Fuzzy Hash: EB513332941358DFCB708E368D487DB7BBAEFE6B50F5A412AEC489B254D3314A45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02A90626, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b87fb9eb8209fad0ab0c7bae6f63223b7dbe63f32f6197b04cb252d49d0ad4
Instruction ID: 95e5148275e9343baafe5c4427a35600528ba745d5dbebdf3a1e6115ff8e0023
Opcode Fuzzy Hash: 79b87fb9eb8209fad0ab0c7bae6f63223b7dbe63f32f6197b04cb252d49d0ad4
Instruction Fuzzy Hash: 875155B56083499FDB249F75C9A43EF77E7AF99340F82402EDC8997244D7348989CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02A93BE2, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e546db7f043e88314d1ca96aa97d49c802839b85d366eda5451b1c91de62fc
Instruction ID: fdd4d72d6869276cc245f24887e6990e9ca84088e4cb6bb5f7603561d11b8de5
Opcode Fuzzy Hash: f2e546db7f043e88314d1ca96aa97d49c802839b85d366eda5451b1c91de62fc
Instruction Fuzzy Hash: C35190716007459FDF34CE2B8AE87DF32F6AF98708F94856ACD498B648D731A9818B41

Uniqueness

Uniqueness Score: -1.00%

Function 02A906D2, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d789d20f9cac5d38eefcbaf51c73f767d672af378f9952debfae1dafc0ae5d
Instruction ID: f326045604077862195e62cbda90cb9081d65c195a9394af5cd85f64105d943f
Opcode Fuzzy Hash: 45d789d20f9cac5d38eefcbaf51c73f767d672af378f9952debfae1dafc0ae5d
Instruction Fuzzy Hash: 0D4176756083459FEB21AF79C9943EA77E6BF59390F82002EDC8AA7240D7348985CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02A9824D, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff3f68b16c4435a5aa8bfd4b900801464f91696f06a9092046d8b48ecf8cff6c
Instruction ID: b6122291036442bb850c3d1106937d240bca814a90b329dbbef5378c3de5ec6a
Opcode Fuzzy Hash: ff3f68b16c4435a5aa8bfd4b900801464f91696f06a9092046d8b48ecf8cff6c
Instruction Fuzzy Hash: 18512672A042455FDF38CE3ACDE93DB77E3AFA6250F54C12ECC8A8B649D73485468A11

Uniqueness

Uniqueness Score: -1.00%

Function 02A901DA, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b0bc99db21b09dcbe5fdd0e13a933d1b4da8b1c3e9cdbda83ffc48ad4d79eff0
Instruction ID: 54171ac2706136a6d7a01e0bafc12ed91aa575ac940fa11304e79060007dba36
Opcode Fuzzy Hash: b0bc99db21b09dcbe5fdd0e13a933d1b4da8b1c3e9cdbda83ffc48ad4d79eff0
Instruction Fuzzy Hash: 1B417374688305AFEF206E758A513FEBBE3AF92350F564A0EDCCA92044DB3440C6CA17

Uniqueness

Uniqueness Score: -1.00%

Function 02A906E2, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eccaa7199b46b78c6d62186718d4ac9754d91c01ca1b4741306d5c844c85334
Instruction ID: ce1141e5ea3a6a9c544cfd34c1de6526470b310f22a1b1093fb41c25e32a218f
Opcode Fuzzy Hash: 8eccaa7199b46b78c6d62186718d4ac9754d91c01ca1b4741306d5c844c85334
Instruction Fuzzy Hash: 0C416775608345AFEB21AF79C9943EFB7E7AF99340F82442DDC8997200D7348985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02A91207, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1badee8dc04b7aa1af46308dc0ed0db6263c58419099e973708fc19bc34d376e
Instruction ID: a622dab39b843ad81efb5d4e374d7c5b83671f73f3a69f54b1c320a4b9259c9b
Opcode Fuzzy Hash: 1badee8dc04b7aa1af46308dc0ed0db6263c58419099e973708fc19bc34d376e
Instruction Fuzzy Hash: AD31DE309087C66BDB31DF388A093DEBFA1AF53360F44829DCCD89B189C77456568B82

Uniqueness

Uniqueness Score: -1.00%

Function 02A97AEF, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af2bb4017c9c660c9a50f256a6b3735298518f0701278b872d2299585de09bc
Instruction ID: 5cad5209c01dbfe464f3299f85d2ac5508078571ac337431da3a1aeb994d0b8d
Opcode Fuzzy Hash: 5af2bb4017c9c660c9a50f256a6b3735298518f0701278b872d2299585de09bc
Instruction Fuzzy Hash: 6A2108726417498BDB3C8E399D357D733A3AF96260F55011FCC479B290DB718A868B01

Uniqueness

Uniqueness Score: -1.00%

Function 02A97AF5, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d96bb69e24e1c0169fd5fddcbacbabc75cfdf79eb6319402438111e3cffb50d
Instruction ID: cabbbe9d4cffc06972de00099ca3dcf7d0f775fc41f160dc85ad2dbdf26d6b05
Opcode Fuzzy Hash: 1d96bb69e24e1c0169fd5fddcbacbabc75cfdf79eb6319402438111e3cffb50d
Instruction Fuzzy Hash: F92128726427498BDB388E399D357D723A3AFD6260F55021FCC479B290DB318A828B01

Uniqueness

Uniqueness Score: -1.00%

Function 02A96F73, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa83f115d32044355829f99e981b356408b8d06709f15d5cce941108ef1eed5b
Instruction ID: a99fafc716f4d1886e45877fce3ade5ff7d1516645757b5370cb0fd5f2f9cdb6
Opcode Fuzzy Hash: aa83f115d32044355829f99e981b356408b8d06709f15d5cce941108ef1eed5b
Instruction Fuzzy Hash: DB21D03920839A8FCF24DF69C8E47DB73E2AF5A744F89412ADC85CB252E7318985C711

Uniqueness

Uniqueness Score: -1.00%

Function 02A951A4, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4842bf7027df32cb82c8e9838463c3e51f2283253d3ee2ae8d19cdf80b8c50d7
Instruction ID: ed2b79298e56401b78504ebe7ff0d28ad9977e444993535c194011e0635a379b
Opcode Fuzzy Hash: 4842bf7027df32cb82c8e9838463c3e51f2283253d3ee2ae8d19cdf80b8c50d7
Instruction Fuzzy Hash: 7F2106312443169FDB54AE398AE57FAB3E5BF25380F82092DCCEAC7565D7304A84CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02A93EC0, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1400a60b3bbf9f008126e1f3da13e82bd57188f0276840059380fabb8fd4fced
Instruction ID: 90c387907c5df35b277c13b8113bff53fcca9ad86a87cf74b0711320e61b5ecf
Opcode Fuzzy Hash: 1400a60b3bbf9f008126e1f3da13e82bd57188f0276840059380fabb8fd4fced
Instruction Fuzzy Hash: F711BC316483008FCB546E34CA922BEBBE1EF52360F9A0A1DDAD2821A4D37409C4DF03

Uniqueness

Uniqueness Score: -1.00%

Function 02A96E24, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ead8da88381e0ce6059fde50c10ece565018dae250ef1965bb0c7f736f7068
Instruction ID: d61581fb4a104b8dbe0bd4b02c168e581b3b169d89c8c4c7e6e7bc31d13a1945
Opcode Fuzzy Hash: 35ead8da88381e0ce6059fde50c10ece565018dae250ef1965bb0c7f736f7068
Instruction Fuzzy Hash: 15D05E3110018A9FCF218F29CD487CE7B67BF923A0F108228FC19A6190D772CF518A90

Uniqueness

Uniqueness Score: -1.00%

Function 02A95022, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4294420f0826f5bc2c00e06abd4decf697420ef1cd01d96577d8ed4cd254c4d8
Instruction ID: 290ace613b6555900f67097c8ae28f80657543b550e837e1fe69e96cb1b7a3de
Opcode Fuzzy Hash: 4294420f0826f5bc2c00e06abd4decf697420ef1cd01d96577d8ed4cd254c4d8
Instruction Fuzzy Hash: 83C092FB202581CFEB41DB0CC491B8073A1FB24A48BC404A0E842CF71AC224ED41CB04

Uniqueness

Uniqueness Score: -1.00%

Function 02A96B34, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf9e92d1e5c217bc22db8f79576e66618c3505ccf5d32c72a7aeb542b96153fa
Instruction ID: 6949b9b75cd7542e4f557d30197da177321de833ab70246019129f7d803d9e86
Opcode Fuzzy Hash: bf9e92d1e5c217bc22db8f79576e66618c3505ccf5d32c72a7aeb542b96153fa
Instruction Fuzzy Hash: 41B092302A15808FCB45CE08C1C0E0073A1B744640B410880E001CBAA1C224EC00CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00432934, Relevance: 39.2, APIs: 26, Instructions: 198COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0043298C
__vbaNew2.MSVBVM60(0042F948,00434454), ref: 004329A3
__vbaHresultCheckObj.MSVBVM60(00000000,0071E8B4,0042F938,00000014), ref: 004329C8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042F990,00000130), ref: 004329F8
__vbaStrMove.MSVBVM60(00000000,?,0042F990,00000130), ref: 00432A06
__vbaFreeObj.MSVBVM60(00000000,?,0042F990,00000130), ref: 00432A0E
#560.MSVBVM60(?), ref: 00432A1E
__vbaFreeVar.MSVBVM60(?), ref: 00432A34
__vbaNew2.MSVBVM60(0042F948,00434454,?), ref: 00432A54
__vbaHresultCheckObj.MSVBVM60(00000000,0071E8B4,0042F938,00000014), ref: 00432A74
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042F990,00000130), ref: 00432A9D
__vbaStrMove.MSVBVM60(00000000,?,0042F990,00000130), ref: 00432AAB
__vbaFreeObj.MSVBVM60(00000000,?,0042F990,00000130), ref: 00432AB3
__vbaNew2.MSVBVM60(0042F948,00434454), ref: 00432ACA
__vbaObjVar.MSVBVM60(?), ref: 00432ADB
__vbaObjSetAddref.MSVBVM60(?,00000000,?), ref: 00432AE5
__vbaHresultCheckObj.MSVBVM60(00000000,0071E8B4,0042F938,00000010), ref: 00432AFC
__vbaFreeObj.MSVBVM60(00000000,0071E8B4,0042F938,00000010), ref: 00432B04
__vbaNew2.MSVBVM60(0042FCD4,00434010,?), ref: 00432B1C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432B34
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000198), ref: 00432B5A
__vbaFreeObj.MSVBVM60(00000000,00000000,0042F980,00000198), ref: 00432B68
__vbaFreeStr.MSVBVM60(00432BAE), ref: 00432B90
__vbaFreeStr.MSVBVM60(00432BAE), ref: 00432B98
__vbaFreeStr.MSVBVM60(00432BAE), ref: 00432BA0
__vbaFreeVar.MSVBVM60(00432BAE), ref: 00432BA8

Memory Dump Source

Source File: 00000002.00000002.850474872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.850467512.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.850504697.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.850511305.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$New2$Move$#560AddrefCopy
String ID:
API String ID: 4235209719-0
Opcode ID: bcf8c706b99db04601c36676d24a6e41dfa079b5582be26c2304a3a11746a177
Instruction ID: c1423ce5c12b2c4b574031c65fe7a80395d619b9ed9ed082f72282d88b5a6126
Opcode Fuzzy Hash: bcf8c706b99db04601c36676d24a6e41dfa079b5582be26c2304a3a11746a177
Instruction Fuzzy Hash: D3618270E00219ABCB14EFA6D885EDEB7B8EF58304F50447EF111F71A1DA786909CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00432723, Relevance: 28.7, APIs: 19, Instructions: 151COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0042FCD4,00434010), ref: 0043276F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432787
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FB3C,00000134), ref: 004327C3
__vbaFreeObj.MSVBVM60(00000000,00000000,0042FB3C,00000134), ref: 004327CB
#696.MSVBVM60(0042FB50), ref: 004327D5
#704.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,0042FB50), ref: 004327FB
__vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,0042FB50), ref: 00432805
__vbaFreeVar.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,0042FB50), ref: 0043280D
__vbaNew2.MSVBVM60(0042FCD4,00434010,?,000000FF,000000FE,000000FE,000000FE,0042FB50), ref: 00432825
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043283D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000170), ref: 00432863
#529.MSVBVM60(00000002), ref: 0043287D
__vbaFreeObj.MSVBVM60(00000002), ref: 00432885
__vbaFreeVar.MSVBVM60(00000002), ref: 0043288D
__vbaNew2.MSVBVM60(0042FCD4,00434010,0042FB50), ref: 004328A5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004328BD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9C0,00000058), ref: 004328DD
__vbaFreeObj.MSVBVM60(00000000,00000000,0042F9C0,00000058), ref: 004328EB
__vbaFreeStr.MSVBVM60(00432919), ref: 00432913

Memory Dump Source

Source File: 00000002.00000002.850474872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.850467512.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.850504697.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.850511305.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultNew2$#529#696#704Move
String ID:
API String ID: 640063502-0
Opcode ID: d8fc5d446533a55316a0e307b3f28a11a38dc4499473a2e2492fc759b926a15a
Instruction ID: c2fda3f4506ae53223b19686265dfab4e0f721b73c1867d2d676e03128cc8d1a
Opcode Fuzzy Hash: d8fc5d446533a55316a0e307b3f28a11a38dc4499473a2e2492fc759b926a15a
Instruction Fuzzy Hash: 02511A70A00218ABCB14EBA6DD85FDE77B8AF08704F50067EF511F72E1DB7869058B68

Uniqueness

Uniqueness Score: -1.00%

Function 00432E13, Relevance: 24.2, APIs: 16, Instructions: 172COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0042F948,00434454), ref: 00432E5B
__vbaHresultCheckObj.MSVBVM60(00000000,0071E8B4,0042F938,00000014), ref: 00432E7F
__vbaNew2.MSVBVM60(0042FCD4,00434010), ref: 00432EA8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432EC0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FA38,0000013C), ref: 00432EE6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042F990,0000013C), ref: 00432F15
__vbaFreeStr.MSVBVM60 ref: 00432F1D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00432F2E
__vbaNew2.MSVBVM60(0042FCD4,00434010), ref: 00432F49
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432F61
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,000001D0), ref: 00432F99
__vbaFreeObj.MSVBVM60 ref: 00432FA1
__vbaNew2.MSVBVM60(0042FCD4,00434010), ref: 00432FB9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432FD1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9E8,00000078), ref: 00432FF1
__vbaFreeObj.MSVBVM60 ref: 00432FFF

Memory Dump Source

Source File: 00000002.00000002.850474872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.850467512.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.850504697.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.850511305.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeNew2$List
String ID:
API String ID: 3473554973-0
Opcode ID: eb678c9f3d39e5a4f9df96214f3de4139dd66eaab9dd55ed8939619f27d39f79
Instruction ID: 30e5718719045ac056bf5e9e3402fd759a5bf7ce3b3457348a4afd3427220cf3
Opcode Fuzzy Hash: eb678c9f3d39e5a4f9df96214f3de4139dd66eaab9dd55ed8939619f27d39f79
Instruction Fuzzy Hash: 39515170A00214ABCB04EFA6DD86FEF77B8BF58704F50046AF510F7191D6B8A9058B68

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.Variant.Graftor.981190.24096.12674

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: SecuriteInfo.com.Variant.Graftor.981190.24096.exe PID: 5092 Parent PID: 5732

General

Chronological Activities

Disassembly