Play interactive tour

Edit tour

Windows Analysis Report ogvcqbOEQs

Overview

General Information

Sample Name:	ogvcqbOEQs (renamed file extension from none to exe)
Analysis ID:	456986
MD5:	f00e0bf11a316d65ab59574825f125bf
SHA1:	a25674d3d8285ad9216e61cfe923bc4b4a0c833a
SHA256:	06b51823317ace5ebfb38121fce872db43c72042d7ef657e3830d46c5572f0c3
Tags:	32exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to read the PEB

Detected potential crypto function

PE file contains an invalid checksum

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ogvcqbOEQs.exe (PID: 5652 cmdline: 'C:\Users\user\Desktop\ogvcqbOEQs.exe' MD5: F00E0BF11A316D65AB59574825F125BF)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://d-bin.duckdns.org/remcos_dyno_xLTzJv"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.751704834.00000000020A0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: ogvcqbOEQs.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "http://d-bin.duckdns.org/remcos_dyno_xLTzJv"}

Multi AV Scanner detection for submitted file

Show sources

Source: ogvcqbOEQs.exe

Virustotal: Detection: 18%

Perma Link

Source: ogvcqbOEQs.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://d-bin.duckdns.org/remcos_dyno_xLTzJv

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 1_2_020A4810	1_2_020A4810
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 1_2_020A44C7	1_2_020A44C7
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 1_2_020AA9B4	1_2_020AA9B4

Source: ogvcqbOEQs.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: ogvcqbOEQs.exe, 00000001.00000000.227845225.0000000000413000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMSTEAMS vs ogvcqbOEQs.exe
Source: ogvcqbOEQs.exe, 00000001.00000002.751695769.0000000002090000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs ogvcqbOEQs.exe
Source: ogvcqbOEQs.exe	Binary or memory string: OriginalFilenameMSTEAMS vs ogvcqbOEQs.exe

Source: ogvcqbOEQs.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal80.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

File created: C:\Users\user\AppData\Local\Temp\~DFA9BE596F96A9332A.TMP

Jump to behavior

Source: ogvcqbOEQs.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ogvcqbOEQs.exe

Virustotal: Detection: 18%

Source: ogvcqbOEQs.exe

Static file information: File size 10571776 > 1048576

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000001.00000002.751704834.00000000020A0000.00000040.00000001.sdmp, type: MEMORY

Source: ogvcqbOEQs.exe

Static PE information: real checksum: 0xa24e1f should be:

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 1_2_00402A6D push edx; ret	1_2_00402A86
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 1_2_00405E39 push es; iretd	1_2_00405E62
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 1_2_0040483D push edx; ret	1_2_00404843
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 1_2_00405D05 push cs; ret	1_2_00405D9B
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 1_2_00404725 push esp; retf	1_2_00404726
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 1_2_020A4E38 push BA000001h; ret	1_2_020A4E45
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 1_2_020A1C9C push eax; ret	1_2_020A1CB5
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 1_2_020A5CB4 push eax; iretd	1_2_020A5CB5
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 1_2_020A910C push eax; retf	1_2_020A910D
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 1_2_020A554D push eax; iretd	1_2_020A554E
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 1_2_020A5145 push ecx; ret	1_2_020A5146
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 1_2_020A5763 push 878BD3C4h; iretd	1_2_020A5774
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 1_2_020A57D8 push eax; ret	1_2_020A57D9
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 1_2_020A77EC push eax; ret	1_2_020A7805

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	RDTSC instruction interceptor: First address: 00000000020A9289 second address: 00000000020A9289 instructions:
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	RDTSC instruction interceptor: First address: 00000000020A95D8 second address: 00000000020A95D8 instructions:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	RDTSC instruction interceptor: First address: 000000000040D2BF second address: 000000000040D2BF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 cmp ecx, 00000092h 0x00000009 popad 0x0000000a pushfd 0x0000000b popfd 0x0000000c nop 0x0000000d dec edi 0x0000000e lfence 0x00000011 cmp eax, 34h 0x00000014 cmp edi, 00000000h 0x00000017 jne 00007F70F03BC520h 0x00000019 nop 0x0000001a lfence 0x0000001d pushad 0x0000001e cmp eax, 7Ch 0x00000021 nop 0x00000022 rdtsc
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	RDTSC instruction interceptor: First address: 00000000020A032C second address: 00000000020A84FD instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov dword ptr [ebp+0000022Ch], edx 0x00000011 mov edx, 79A9B8F5h 0x00000016 xor edx, A14CDEE8h 0x0000001c xor edx, B4BF7B12h 0x00000022 add edx, 93A5E2F1h 0x00000028 push edx 0x00000029 mov edx, dword ptr [ebp+0000022Ch] 0x0000002f cmp ax, bx 0x00000032 push B6F4F8D9h 0x00000037 cmp ax, cx 0x0000003a push E49F8B3Ch 0x0000003f nop 0x00000040 push 16E1361Ah 0x00000045 push 1E79F54Fh 0x0000004a push 66B6A393h 0x0000004f test dl, al 0x00000051 push 54CCBF9Ah 0x00000056 call 00007F70F03BDCFAh 0x0000005b jmp 00007F70F03B4FCAh 0x0000005d cmp ah, dh 0x0000005f test ax, dx 0x00000062 cmp ch, FFFFFFDDh 0x00000065 mov ecx, dword ptr [ebp+1Ch] 0x00000068 mov edx, 129FECA4h 0x0000006d call 00007F70F03B42C5h 0x00000072 mov dword ptr [ebp+000001A2h], ecx 0x00000078 mov ecx, esi 0x0000007a cmp edx, 5B13C306h 0x00000080 push ecx 0x00000081 mov ecx, dword ptr [ebp+000001A2h] 0x00000087 mov dword ptr [ebp+0000022Eh], eax 0x0000008d mov eax, edx 0x0000008f push eax 0x00000090 cld 0x00000091 mov eax, dword ptr [ebp+0000022Eh] 0x00000097 mov dword ptr [ebp+0000017Fh], ebx 0x0000009d mov ebx, ecx 0x0000009f push ebx 0x000000a0 pushad 0x000000a1 lfence 0x000000a4 rdtsc
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	RDTSC instruction interceptor: First address: 00000000020A9289 second address: 00000000020A9289 instructions:
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	RDTSC instruction interceptor: First address: 00000000020A95D8 second address: 00000000020A95D8 instructions:

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

Code function: 1_2_020A84CB rdtsc

1_2_020A84CB

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

Code function: 1_2_020A84CB rdtsc

1_2_020A84CB

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

Code function: 1_2_020A8A7E mov eax, dword ptr fs:[00000030h]

1_2_020A8A7E

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: ogvcqbOEQs.exe, 00000001.00000002.751628204.0000000000C40000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: ogvcqbOEQs.exe, 00000001.00000002.751628204.0000000000C40000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: ogvcqbOEQs.exe, 00000001.00000002.751628204.0000000000C40000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: ogvcqbOEQs.exe, 00000001.00000002.751628204.0000000000C40000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: ogvcqbOEQs.exe, 00000001.00000002.751628204.0000000000C40000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery31	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery21	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ogvcqbOEQs.exe	19%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://d-bin.duckdns.org/remcos_dyno_xLTzJv	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://d-bin.duckdns.org/remcos_dyno_xLTzJv	true	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	456986
Start date:	30.07.2021
Start time:	17:48:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ogvcqbOEQs (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 37.4% (good quality ratio 20.1%) Quality average: 31.6% Quality standard deviation: 35.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.998638224332722
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ogvcqbOEQs.exe
File size:	10571776
MD5:	f00e0bf11a316d65ab59574825f125bf
SHA1:	a25674d3d8285ad9216e61cfe923bc4b4a0c833a
SHA256:	06b51823317ace5ebfb38121fce872db43c72042d7ef657e3830d46c5572f0c3
SHA512:	3330bdeb213a3e8f2ec104a7018bf4accdd715b4eb7891f2cf29e8a2a3b5109ef143beba0ba51c5e13d92d5992dc9d809c52b1aa181c265d950e181a6a8c14fd
SSDEEP:	24576:tkELLVtinQL/2HkZQwTLniGZQwCwTrVtLTrzVQe2wCwX:SnGOHHQiGuHHHwCQ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L....JQW.....................0......d........ ....@........

File Icon


Icon Hash:	e2b0d8d8d2d8c400

Static PE Info

General
Entrypoint:	0x401364
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x57514AAD [Fri Jun 3 09:15:25 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9c8c8bb37b14de578924ac09be0d5cc5

Entrypoint Preview

Instruction
push 0040E6DCh
call 00007F70F0C37953h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bl, ah
nop
mov cl, byte ptr [ecx-57h]
mov ebp, D38EA846h
fdivr st(0), st(1)
xor al, BBh
pop esi
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [esi+76018350h], al
bound esi, dword ptr [eax+esi*2]
jc 00007F70F0C379D1h
push 00000065h
arpl word ptr [esi+edx*2+62h], si
add byte ptr [ebx], ch
adc al, byte ptr [ebx]
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
or eax, dword ptr [ebx+edx-66h]
dec ecx
pop eax
in eax, dx
cmp byte ptr [edi-75h], cl
call 00007F7125376BE2h
xor dword ptr [ebp+15h], edx
mov esi, dword ptr [ebp-546DF334h]
inc edx
test byte ptr [edx], ch
inc ecx
out dx, eax
outsb
enter 8F4Dh, 3Ah
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov ebp, 960000D0h
add dword ptr [eax], eax
add byte ptr [eax], al
or eax, dword ptr [eax]
push ebx
arpl word ptr [ecx+6Eh], sp
popad
insb
insb
imul ebp, dword ptr [esi+67h], 09010D00h
add byte ptr [ecx+eax*2+52h], dl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11124	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13000	0x12a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x110	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x105dc	0x11000	False	0.509966681985	data	6.08573946634	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x12000	0xd24	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x13000	0x12a4	0x2000	False	0.166381835938	data	2.77658216516	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x13118	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 14540253, next used block 12303291
RT_ICON	0x139c0	0x568	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x13f28	0x22	data
RT_VERSION	0x13f4c	0x358	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaOnError, __vbaObjSet, __vbaCyAdd, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaCyStr, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaInStrB, __vbaVarDup, __vbaStrToAnsi, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Microsoft Corporation
InternalName	MSTEAMS
FileVersion	1.11.0056
CompanyName	Microsoft Corporation
LegalTrademarks	MTEAMS
Comments	Microsoft Teams
ProductName	Microsoft Teams
ProductVersion	1.11.0056
FileDescription	Microsoft Teams
OriginalFilename	MSTEAMS

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: ogvcqbOEQs.exe PID: 5652 Parent PID: 5696

General

Start time:	17:49:03
Start date:	30/07/2021
Path:	C:\Users\user\Desktop\ogvcqbOEQs.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ogvcqbOEQs.exe'
Imagebase:	0x400000
File size:	10571776 bytes
MD5 hash:	F00E0BF11A316D65AB59574825F125BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.751704834.00000000020A0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ogvcqbOEQs.exe PID: 5652 Parent PID: 5696 ogvcqbOEQs.exeCOMMON

Executed Functions

Function 00410530, Relevance: 89.7, APIs: 46, Strings: 5, Instructions: 491COMMON

Download Yara Rule

APIs

#572.MSVBVM60(?), ref: 004105D2
__vbaStrMove.MSVBVM60 ref: 004105DD
__vbaStrCmp.MSVBVM60(0040F8EC,00000000), ref: 004105E9
__vbaFreeStr.MSVBVM60 ref: 004105FC
__vbaFreeVar.MSVBVM60 ref: 00410605
__vbaNew2.MSVBVM60(0040F8C8,004125D8), ref: 00410626
__vbaHresultCheckObj.MSVBVM60(00000000,02A5004C,0040F8B8,0000001C), ref: 0041064B
__vbaCastObj.MSVBVM60(?,0040F8F4), ref: 0041067F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041068A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040F8D8,00000058), ref: 004106AA
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004106BE
#535.MSVBVM60 ref: 004106D1
__vbaHresultCheckObj.MSVBVM60(00000000,00401170,0040F440,0000070C), ref: 00410702
__vbaHresultCheckObj.MSVBVM60(00000000,00401170,0040F440,0000070C), ref: 0041072D
__vbaHresultCheckObj.MSVBVM60(00000000,00401170,0040F440,0000070C), ref: 0041074F
__vbaHresultCheckObj.MSVBVM60(00000000,00401170,0040F440,0000070C), ref: 00410771
__vbaHresultCheckObj.MSVBVM60(00000000,00401170,0040F440,00000708), ref: 004107C4
__vbaHresultCheckObj.MSVBVM60(00000000,00401170,0040F440,0000070C), ref: 0041083C
__vbaHresultCheckObj.MSVBVM60(00000000,00401170,0040F410,000002B4), ref: 00410859
__vbaCyAdd.MSVBVM60(?,?,00002710,00000000), ref: 00410869
__vbaFpCmpCy.MSVBVM60(00000000), ref: 0041087D
__vbaStrToAnsi.MSVBVM60(?,PJECEN), ref: 00410899
__vbaStrToAnsi.MSVBVM60(?,PRENAVAL,00000000), ref: 004108A9
__vbaSetSystemError.MSVBVM60(00000000), ref: 004108BB
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004108E5
__vbaNew2.MSVBVM60(0040F8C8,004125D8), ref: 00410909
__vbaHresultCheckObj.MSVBVM60(00000000,02A5004C,0040F8B8,0000001C), ref: 0041092E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040F8D8,00000064), ref: 00410953
__vbaFreeObj.MSVBVM60 ref: 00410958
__vbaSetSystemError.MSVBVM60(?,0088CE75,007BCA51), ref: 00410979
__vbaHresultCheckObj.MSVBVM60(00000000,00401170,0040F410,000002B0), ref: 004109ED
__vbaSetSystemError.MSVBVM60(00288CA5), ref: 00410A09
__vbaNew2.MSVBVM60(0040F8C8,004125D8), ref: 00410A2D
__vbaObjSetAddref.MSVBVM60(?,00401170), ref: 00410A40
__vbaHresultCheckObj.MSVBVM60(00000000,02A5004C,0040F8B8,00000010), ref: 00410A60
__vbaFreeObj.MSVBVM60 ref: 00410A6D
__vbaStrToAnsi.MSVBVM60(?,frplanternes), ref: 00410A7E
__vbaSetSystemError.MSVBVM60(00000000), ref: 00410A90
__vbaFreeStr.MSVBVM60 ref: 00410AB2
__vbaHresultCheckObj.MSVBVM60(00000000,00401170,0040F410,0000015C), ref: 00410AE1
__vbaSetSystemError.MSVBVM60(000D3C0F,0076808A,004F9886), ref: 00410AFD
__vbaNew2.MSVBVM60(0040F8C8,004125D8), ref: 00410B21
__vbaHresultCheckObj.MSVBVM60(00000000,02A5004C,0040F8B8,00000034,?,?,000059C9,?), ref: 00410B6B
__vbaObjSet.MSVBVM60(?,?,?,?,000059C9,?), ref: 00410B7C
__vbaFreeObj.MSVBVM60(00410BCD), ref: 00410BC5
__vbaFreeObj.MSVBVM60(?,?,000059C9,?), ref: 00410BCA

Strings

K, xrefs: 004105C4
PJECEN, xrefs: 00410893
<[, xrefs: 00410B03
frplanternes, xrefs: 00410A78
PRENAVAL, xrefs: 004108A3

Memory Dump Source

Source File: 00000001.00000002.751372266.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.751362416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.751393864.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.751406006.0000000000413000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$ErrorSystem$New2$Ansi$List$#535#572AddrefCastMove
String ID: <[$K$PJECEN$PRENAVAL$frplanternes
API String ID: 425809196-731513844
Opcode ID: c079cd5f05fbbe3e8da6490ce0e90b6a21bae68848fa7a1f7bfdd95ee6127bea
Instruction ID: d32aadf664373c114d438c451ef49a0e495a7c349af87ca84cf65ecd2e801450
Opcode Fuzzy Hash: c079cd5f05fbbe3e8da6490ce0e90b6a21bae68848fa7a1f7bfdd95ee6127bea
Instruction Fuzzy Hash: 06127E70A00318AFDB109FA5CD89EDABBB8FF58304F10817AE549AB291D7B46985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00410DE0, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

#689.MSVBVM60(PROTESTBEVGELSEN,tenoristers,ALPAKAULDENS,?,?,?,?,?,?,?,?,?,?,?,?,004011D6), ref: 00410E4C
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004011D6), ref: 00410E57
__vbaStrCmp.MSVBVM60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004011D6), ref: 00410E5F
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004011D6), ref: 00410E72
__vbaHresultCheckObj.MSVBVM60(00000000,004011A0,0040F410,00000254), ref: 00410E9D

Strings

tenoristers, xrefs: 00410E2B
PROTESTBEVGELSEN, xrefs: 00410E35
ALPAKAULDENS, xrefs: 00410E26

Memory Dump Source

Source File: 00000001.00000002.751372266.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.751362416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.751393864.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.751406006.0000000000413000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#689CheckFreeHresultMove
String ID: ALPAKAULDENS$PROTESTBEVGELSEN$tenoristers
API String ID: 1863407862-531368812
Opcode ID: fac3d87726191576e38292427029ab712f2ccca5bf301a449be4d800da2a4ad9
Instruction ID: f437a700592aa850ea197dc1489deadf1b81740167e5eefc38193b33328f98e0
Opcode Fuzzy Hash: fac3d87726191576e38292427029ab712f2ccca5bf301a449be4d800da2a4ad9
Instruction Fuzzy Hash: 3C2192B0900344EBC7009F69D989A9AFBB4FB48700F20813AF505F7290C77858848F98

Uniqueness

Uniqueness Score: -1.00%

Function 00401364, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6!*), ref: 00401369

Strings

VB5!6!*, xrefs: 00401364

Memory Dump Source

Source File: 00000001.00000002.751372266.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.751362416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.751393864.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.751406006.0000000000413000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6!*
API String ID: 1341478452-2574520878
Opcode ID: 59a4596ce51d07ef9168c76fcc10326a6a6cfff86eacf8fa290ae49b3f72718e
Instruction ID: f9e4b24a308b6e5a02def295f2fa2638238229c0a48cbcc0f70dab4f33b05363
Opcode Fuzzy Hash: 59a4596ce51d07ef9168c76fcc10326a6a6cfff86eacf8fa290ae49b3f72718e
Instruction Fuzzy Hash: 7D51986184E3D14FE7039B7488656853FB0AE13224B5E05EBC4C2DF0F3E258580ADB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 020AA9B4, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.751704834.00000000020A0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c84675d3a2e496f41c08809f0500938404a22758c57746dc0639cb8a6edeee2
Instruction ID: d19fbcd3f20550bb1a10d31d23e99bb03c976dd1e430a7e66823ff1141196781
Opcode Fuzzy Hash: 5c84675d3a2e496f41c08809f0500938404a22758c57746dc0639cb8a6edeee2
Instruction Fuzzy Hash: 37712671604344CFCB7ACFB4C9A47EA37B2AF9A320F95421ADC4A9B295D7309A41CB41

Uniqueness

Uniqueness Score: -1.00%

Function 020A4810, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.751704834.00000000020A0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68b61d21f183e8aa49e8914862e941752eb13b5b93da7dcd2e740073bc08dfc6
Instruction ID: 77326c9614cf2378aadfed2334c97c927aead7f4ae5a3451171124920d4279ce
Opcode Fuzzy Hash: 68b61d21f183e8aa49e8914862e941752eb13b5b93da7dcd2e740073bc08dfc6
Instruction Fuzzy Hash: 8D51E2796063849FDBB4CE658AE47DF73F2AF88704F90452EC94E8BA05D370A940DB45

Uniqueness

Uniqueness Score: -1.00%

Function 020A44C7, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.751704834.00000000020A0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f780aca71cab4ea393575209a984aa10f7eb3d0508cb3967f298df51d8dad9
Instruction ID: 15df92d5ac06fc63ba66dc5dedb7546fb240d0aa4fefdc60710b04b32ffd0ab5
Opcode Fuzzy Hash: 70f780aca71cab4ea393575209a984aa10f7eb3d0508cb3967f298df51d8dad9
Instruction Fuzzy Hash: D651CCB1504300DFD7688FA9C885BDEB7B1FF24320F818269D9898B261D734D980CF92

Uniqueness

Uniqueness Score: -1.00%

Function 020A84CB, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.751704834.00000000020A0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 962b319abec52de015afd6754e0b1aca6c9001500c501e83e65f93477f0cf1d3
Instruction ID: 1906f30a02f590420443086e6653bc68913cf1200368b548081a32d0aa203f7d
Opcode Fuzzy Hash: 962b319abec52de015afd6754e0b1aca6c9001500c501e83e65f93477f0cf1d3
Instruction Fuzzy Hash: 20213A74681388DFDF70AFA889997DE36B2AF19750F80401AEC498B205D3345649DF55

Uniqueness

Uniqueness Score: -1.00%

Function 020A8A7E, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.751704834.00000000020A0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ec41c1eb74f763925c11fa86da71f3abc001a75a1111ce06eb44122f0d038d3
Instruction ID: 1cb311b874d273e955977e070a36f8d1f393a19e154686706e50b4e71e95761a
Opcode Fuzzy Hash: 3ec41c1eb74f763925c11fa86da71f3abc001a75a1111ce06eb44122f0d038d3
Instruction Fuzzy Hash: 0F015A767147449FCB24CF68C9A8B9E73F1EB98320F518625D809CB720C3309A40DB05

Uniqueness

Uniqueness Score: -1.00%

Function 0040FEE0, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 135COMMON

Download Yara Rule

APIs

#664.MSVBVM60(?,?,?,?,?), ref: 0040FF63
__vbaStrVarVal.MSVBVM60(?,?), ref: 0040FF71
#581.MSVBVM60(00000000), ref: 0040FF78
__vbaFpR8.MSVBVM60 ref: 0040FF7E
__vbaFreeStr.MSVBVM60 ref: 0040FFA1
__vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 0040FFC3
__vbaVarDup.MSVBVM60 ref: 0041001F
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 00410044
__vbaStrMove.MSVBVM60 ref: 0041004F
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 00410076
__vbaFreeStr.MSVBVM60(004100C1), ref: 004100BA

Strings

d, xrefs: 0040FF5C
c, xrefs: 0040FF52
Voldtgter8, xrefs: 0041000B

Memory Dump Source

Source File: 00000001.00000002.751372266.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.751362416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.751393864.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.751406006.0000000000413000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$List$#581#596#664Move
String ID: Voldtgter8$c$d
API String ID: 1304783275-3588051305
Opcode ID: c0d27ad800ed187d0f797ab762d22761c53aa0b72b1926a9840acc1c07401eaa
Instruction ID: a8a0869b25c8446b4ab19a445a09ca9ae95426ba7e6169c8cc06145ab5bdbd1c
Opcode Fuzzy Hash: c0d27ad800ed187d0f797ab762d22761c53aa0b72b1926a9840acc1c07401eaa
Instruction Fuzzy Hash: F051A2B1C00249AFDB15CFD4D985ADEBFB8FB58300F10812AE50AB7650EB745689CF65

Uniqueness

Uniqueness Score: -1.00%

Function 004103A0, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

#606.MSVBVM60(00000001,?), ref: 004103FA
__vbaStrMove.MSVBVM60 ref: 00410405
__vbaStrCmp.MSVBVM60(0040F8A4,00000000), ref: 00410411
__vbaFreeStr.MSVBVM60 ref: 00410424
__vbaFreeVar.MSVBVM60 ref: 0041042D
__vbaNew2.MSVBVM60(0040F8C8,004125D8), ref: 0041044E
__vbaHresultCheckObj.MSVBVM60(00000000,02A5004C,0040F8B8,0000001C), ref: 00410473
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040F8D8,0000005C), ref: 004104B7
__vbaStrMove.MSVBVM60 ref: 004104CA
__vbaFreeObj.MSVBVM60 ref: 004104D3
__vbaFreeStr.MSVBVM60(00410506), ref: 004104FF

Strings

, xrefs: 004103EC

Memory Dump Source

Source File: 00000001.00000002.751372266.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.751362416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.751393864.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.751406006.0000000000413000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#606New2
String ID:
API String ID: 3491016160-3916222277
Opcode ID: 467caeace5a7686f1d3bbb7e19afd39b37ddd75af2fb650476024abbf2541eca
Instruction ID: 90fd59103e14050b8aa640d0b18db9691e3cf087dddaed58bb4df2bc5c55eb44
Opcode Fuzzy Hash: 467caeace5a7686f1d3bbb7e19afd39b37ddd75af2fb650476024abbf2541eca
Instruction Fuzzy Hash: 8C415B70940219EFCB00DF95DD89ADEBBB8FF58705F10812AE506B76A0D7B85885CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00410270, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 80COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004102BF
__vbaCyStr.MSVBVM60(0040F840), ref: 004102CA
__vbaFpCmpCy.MSVBVM60(00000000), ref: 004102D8
__vbaLateMemCall.MSVBVM60(?,d5JdXPSYnKR59nnvdrDF6YLk255,00000003), ref: 0041034A
__vbaFreeStr.MSVBVM60(00410373), ref: 00410363
__vbaFreeObj.MSVBVM60 ref: 0041036C

Strings

JE;K, xrefs: 00410353
d5JdXPSYnKR59nnvdrDF6YLk255, xrefs: 00410327
CHAMBERLAINSHIP, xrefs: 004102F4

Memory Dump Source

Source File: 00000001.00000002.751372266.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.751362416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.751393864.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.751406006.0000000000413000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CallCopyLate
String ID: CHAMBERLAINSHIP$JE;K$d5JdXPSYnKR59nnvdrDF6YLk255
API String ID: 2857255171-1586721597
Opcode ID: e1eb443f9703af0c14c6a345e7388ea43be4dace5f8f78ca2255cea73bc0e170
Instruction ID: efe3d9c290d4b01e75b3d03d9a31517b8467ebd5e52c53b2357e0b58b684dfcb
Opcode Fuzzy Hash: e1eb443f9703af0c14c6a345e7388ea43be4dace5f8f78ca2255cea73bc0e170
Instruction Fuzzy Hash: 753115B4D002199FCB00DFA9C989A9EBBF8FF48700F10C16AE909AB365D7749941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00410BF0, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00410C44
#619.MSVBVM60(?,?,00000001), ref: 00410C61
__vbaVarTstNe.MSVBVM60(?,?), ref: 00410C7D
__vbaFreeVar.MSVBVM60 ref: 00410C88
__vbaInStr.MSVBVM60(00000000,Vicing,bortkastningernes,FFEF1394), ref: 00410CA3
__vbaFreeStr.MSVBVM60(00410CDD), ref: 00410CD6

Strings

var, xrefs: 00410C27
bortkastningernes, xrefs: 00410C98
Vicing, xrefs: 00410C9D

Memory Dump Source

Source File: 00000001.00000002.751372266.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.751362416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.751393864.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.751406006.0000000000413000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#619Copy
String ID: Vicing$bortkastningernes$var
API String ID: 4164485050-3262918220
Opcode ID: c1c1dcb7a5976a08baa8dce1476ea37c5a3ea411d1c5371ab14b4c108befb303
Instruction ID: 2ef84301039c11ca9855271cad59f8bbd21ad404a2a4f2e411474bc6843503e8
Opcode Fuzzy Hash: c1c1dcb7a5976a08baa8dce1476ea37c5a3ea411d1c5371ab14b4c108befb303
Instruction Fuzzy Hash: 9221E9B1C01259EFCB00DF98CA45ADDBBF9FB08B04F20802AE105B7650D7B81A49CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00410160, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 004101BD
#518.MSVBVM60(?,?), ref: 004101CB
__vbaVarTstNe.MSVBVM60(?,?), ref: 004101E7
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004101F9
#580.MSVBVM60(BALLAHOO,00000001), ref: 0041020E

Strings

BALLAHOO, xrefs: 00410209
h&, xrefs: 00410214

Memory Dump Source

Source File: 00000001.00000002.751372266.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.751362416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.751393864.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.751406006.0000000000413000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#518#580FreeList
String ID: BALLAHOO$h&
API String ID: 1951556138-2323751356
Opcode ID: e487af2cf27ef7a03485b9b188a90944ff57f2fcf3030cfa9115271fe88e8522
Instruction ID: 700d63a13bfa359e17aab473d056b3f03dd47c974ba835bb3123723be90d62e2
Opcode Fuzzy Hash: e487af2cf27ef7a03485b9b188a90944ff57f2fcf3030cfa9115271fe88e8522
Instruction Fuzzy Hash: 7D21E5B1C10259AFDB10DFD4C989ADDBFB8FB48B04F10812AF505BB290D7B41589CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00410EF0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040F8C8,004125D8), ref: 00410F33
__vbaHresultCheckObj.MSVBVM60(00000000,02A5004C,0040F8B8,00000014), ref: 00410F58
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040F9A0,00000138), ref: 00410F85
__vbaFreeObj.MSVBVM60 ref: 00410F8E

Strings

Rechange, xrefs: 00410F63

Memory Dump Source

Source File: 00000001.00000002.751372266.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.751362416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.751393864.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.751406006.0000000000413000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID: Rechange
API String ID: 4261391273-1513756435
Opcode ID: cec061664e00e89696bbb70e33a5bf5d839e90268042d3d9d75264ecbca08689
Instruction ID: 5084de990eab15f32c3c312c57dbc1fda6dfbbab4b83b64d0b902ee777cc7e61
Opcode Fuzzy Hash: cec061664e00e89696bbb70e33a5bf5d839e90268042d3d9d75264ecbca08689
Instruction Fuzzy Hash: B9115131640304BBD7209B64CE4AFDA7BB8EB18B01F104136F545F75E0D7F89985CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00410D10, Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040F8C8,004125D8,?,?,?,?,?,?,?,?,?,?,004011D6), ref: 00410D54
__vbaHresultCheckObj.MSVBVM60(00000000,02A5004C,0040F8B8,00000014,?,?,?,?,?,?,?,?,?,?,004011D6), ref: 00410D79
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040F9A0,00000068,?,?,?,?,?,?,?,?,?,?,004011D6), ref: 00410D9D
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004011D6), ref: 00410DA6

Memory Dump Source

Source File: 00000001.00000002.751372266.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.751362416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.751393864.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.751406006.0000000000413000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID:
API String ID: 4261391273-0
Opcode ID: ca85b6d7cf3dc280ded02aa1cc03a38a1cb9ccddf12c74d89e1c0a688be8f017
Instruction ID: 560b38cc2dc717684848e6dd20f3b4ace31b00af2496fa584b1fd41d40d40ed2
Opcode Fuzzy Hash: ca85b6d7cf3dc280ded02aa1cc03a38a1cb9ccddf12c74d89e1c0a688be8f017
Instruction Fuzzy Hash: E4119170940209BFC7109B95DD8AEEA7BB9FB18701F104026F205F35A0D7B868C5CB98

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report ogvcqbOEQs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: ogvcqbOEQs.exe PID: 5652 Parent PID: 5696

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: ogvcqbOEQs.exe PID: 5652 Parent PID: 5696 ogvcqbOEQs.exeCOMMON

Executed Functions

Function 00410530, Relevance: 89.7, APIs: 46, Strings: 5, Instructions: 491COMMON

Function 00410DE0, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 66COMMON