Play interactive tour

Edit tour

Windows Analysis Report NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh

Overview

General Information

Sample Name:	NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh
Analysis ID:	482886
MD5:	b71a9e479123528ba6f7b8642b924d0e
SHA1:	5aae421b9bc63d5982f5ef0e19abdfb85cb1688b
SHA256:	1908c35415f99b55e81ea5dd70da0ebbd3e341cd4d2cf77a418c09235be590d5
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Multi AV Scanner detection for dropped file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

Queries the volume information (name, serial number etc) of a device

PE file contains an invalid checksum

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

unarchiver.exe (PID: 3604 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh' MD5: DB55139D9DD29F24AE8EA8F0E5606901)

7za.exe (PID: 3240 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6264 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe (PID: 1380 cmdline: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe MD5: 21E13385E6C6A3BE5C2922D7D02F04D6)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://pantronus.com/bin_gcbZVug136."}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://pantronus.com/bin_gcbZVug136."}

Multi AV Scanner detection for submitted file

Show sources

Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh	Virustotal: Detection: 14%			Perma Link
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh	ReversingLabs: Detection: 39%

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Virustotal: Detection: 33%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Metadefender: Detection: 25%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	ReversingLabs: Detection: 57%

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 4x nop then jmp 02DA099Bh		0_2_02DA02A8
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 4x nop then jmp 02DA099Ah		0_2_02DA02A8

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://pantronus.com/bin_gcbZVug136.

Source: unarchiver.exe, 00000000.00000002.932490318.00000000010DB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 0_2_02DA02A8	0_2_02DA02A8
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 0_2_02DA0298	0_2_02DA0298
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9BAB0	7_2_02A9BAB0
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A962BF	7_2_02A962BF
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A966B0	7_2_02A966B0
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9A2B0	7_2_02A9A2B0
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9C6B0	7_2_02A9C6B0
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02AA06B0	7_2_02AA06B0
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A992B7	7_2_02A992B7
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A92699	7_2_02A92699
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A96A9B	7_2_02A96A9B
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9969B	7_2_02A9969B
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9869E	7_2_02A9869E
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A99E9E	7_2_02A99E9E
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A93A90	7_2_02A93A90
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9BAE0	7_2_02A9BAE0
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A992F9	7_2_02A992F9
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A99ACB	7_2_02A99ACB
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A936CC	7_2_02A936CC
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A98EC0	7_2_02A98EC0
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A922C2	7_2_02A922C2
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A932C2	7_2_02A932C2
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A93AC7	7_2_02A93AC7
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A92ADC	7_2_02A92ADC
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A986D0	7_2_02A986D0
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02AA3AD5	7_2_02AA3AD5
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A96A29	7_2_02A96A29
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9322B	7_2_02A9322B
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A92A2C	7_2_02A92A2C
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A92620	7_2_02A92620
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A99E22	7_2_02A99E22
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A96624	7_2_02A96624
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A99626	7_2_02A99626
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A96639	7_2_02A96639
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A96233	7_2_02A96233
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9A235	7_2_02A9A235
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A99209	7_2_02A99209
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9C61C	7_2_02A9C61C
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02AA1A7C	7_2_02AA1A7C
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9BA71	7_2_02A9BA71
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9A277	7_2_02A9A277
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A92248	7_2_02A92248
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A95A4E	7_2_02A95A4E
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A92E5F	7_2_02A92E5F
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A98E53	7_2_02A98E53
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A99A57	7_2_02A99A57
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A997A7	7_2_02A997A7
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9A3B9	7_2_02A9A3B9
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A99BBB	7_2_02A99BBB
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A95BBA	7_2_02A95BBA
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A98FBF	7_2_02A98FBF
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A963B1	7_2_02A963B1
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A983B1	7_2_02A983B1
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A997B6	7_2_02A997B6
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A94389	7_2_02A94389
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A93B88	7_2_02A93B88
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9278F	7_2_02A9278F
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A98F85	7_2_02A98F85
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A91F84	7_2_02A91F84
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A92B9B	7_2_02A92B9B
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9339C	7_2_02A9339C
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9139E	7_2_02A9139E
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A94395	7_2_02A94395
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A92397	7_2_02A92397
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A993E9	7_2_02A993E9
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A93BE8	7_2_02A93BE8
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A937E7	7_2_02A937E7
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A913F9	7_2_02A913F9
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A927FF	7_2_02A927FF
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A99FF0	7_2_02A99FF0
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A993F2	7_2_02A993F2
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A91FF4	7_2_02A91FF4
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A957F7	7_2_02A957F7
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02AA1FF5	7_2_02AA1FF5
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A95BC9	7_2_02A95BC9
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A95BCB	7_2_02A95BCB
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A967C4	7_2_02A967C4
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9C3DD	7_2_02A9C3DD
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A92B2A	7_2_02A92B2A
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9232F	7_2_02A9232F
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9C32F	7_2_02A9C32F
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A93323	7_2_02A93323
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9673B	7_2_02A9673B
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A98F30	7_2_02A98F30
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A93737	7_2_02A93737
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A92F0B	7_2_02A92F0B
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A93B00	7_2_02A93B00
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A95B1D	7_2_02A95B1D
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A92716	7_2_02A92716
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9576A	7_2_02A9576A
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9C361	7_2_02A9C361
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A91F62	7_2_02A91F62
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A99F7F	7_2_02A99F7F
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A94F77	7_2_02A94F77
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9BB77	7_2_02A9BB77
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A96347	7_2_02A96347
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A99347	7_2_02A99347
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A99B58	7_2_02A99B58
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A95B5E	7_2_02A95B5E
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A91354	7_2_02A91354
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A990AB	7_2_02A990AB
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A934A0	7_2_02A934A0
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A920A7	7_2_02A920A7
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A99CB0	7_2_02A99CB0
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9149A	7_2_02A9149A
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9949C	7_2_02A9949C
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A92C90	7_2_02A92C90
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A96497	7_2_02A96497
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A968EB	7_2_02A968EB
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9A4E1	7_2_02A9A4E1
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A93CE0	7_2_02A93CE0
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9A0E0	7_2_02A9A0E0
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A958E7	7_2_02A958E7
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A918E6	7_2_02A918E6
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A934FE	7_2_02A934FE
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A998F1	7_2_02A998F1
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A920F7	7_2_02A920F7
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9C4CB	7_2_02A9C4CB
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02AA10C9	7_2_02AA10C9
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A988CD	7_2_02A988CD
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9B4C3	7_2_02A9B4C3
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A998C2	7_2_02A998C2
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A928DB	7_2_02A928DB

Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9BAB0 NtAllocateVirtualMemory,	7_2_02A9BAB0
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9BAE0 NtAllocateVirtualMemory,	7_2_02A9BAE0
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9BA71 NtAllocateVirtualMemory,	7_2_02A9BA71
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9BBB5 NtAllocateVirtualMemory,	7_2_02A9BBB5
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9BB77 NtAllocateVirtualMemory,	7_2_02A9BB77
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9BC9E NtAllocateVirtualMemory,	7_2_02A9BC9E

Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe

Process Stats: CPU usage > 98%

Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh	Virustotal: Detection: 14%
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh	ReversingLabs: Detection: 39%

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_01

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\rwew4jnu.3k5

Jump to behavior

Source: classification engine

Classification label: mal76.troj.winLZH@9/2@0/0

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp, type: MEMORY

Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe.1.dr

Static PE information: real checksum: 0x7fdeb should be: 0x7afb2

Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_00402214 push 984418D8h; retf	7_2_00402756
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_00403A35 push ss; ret	7_2_00403A43
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_004088C8 push esp; ret	7_2_004088CB
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_0040B6B0 push esi; ret	7_2_0040B6B2
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_00407D74 pushfd ; iretd	7_2_00407D92
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_0040B574 push esi; ret	7_2_0040B576
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_00402577 push 984418D8h; retf	7_2_00402756
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_00405320 push edi; ret	7_2_00405323
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_00409D2E pushfd ; ret	7_2_00409D3F
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_004083E2 push edx; ret	7_2_004084C3
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_004089E9 push 2422A595h; retf	7_2_00408CBE
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_00404B9D push ebp; ret	7_2_00404B9F

Source: C:\Windows\SysWOW64\7za.exe

File created: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5444	Thread sleep count: 231 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5444	Thread sleep time: -115500s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\unarchiver.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe

API coverage: 1.2 %

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_0133B042 GetSystemInfo,

0_2_0133B042

Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9B21F mov eax, dword ptr fs:[00000030h]	7_2_02A9B21F
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02A9F7B8 mov eax, dword ptr fs:[00000030h]	7_2_02A9F7B8
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02AA03EC mov eax, dword ptr fs:[00000030h]	7_2_02AA03EC
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Code function: 7_2_02AA1FF5 mov eax, dword ptr fs:[00000030h]	7_2_02AA1FF5

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Jump to behavior

Source: unarchiver.exe, 00000000.00000002.933056918.00000000017D0000.00000002.00020000.sdmp, NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe, 00000007.00000002.932934114.0000000000CA0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: unarchiver.exe, 00000000.00000002.933056918.00000000017D0000.00000002.00020000.sdmp, NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe, 00000007.00000002.932934114.0000000000CA0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: unarchiver.exe, 00000000.00000002.933056918.00000000017D0000.00000002.00020000.sdmp, NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe, 00000007.00000002.932934114.0000000000CA0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: unarchiver.exe, 00000000.00000002.933056918.00000000017D0000.00000002.00020000.sdmp, NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe, 00000007.00000002.932934114.0000000000CA0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion1	Input Capture1	Security Software Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	System Information Discovery13	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh	14%	Virustotal		Browse
NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh	40%	ReversingLabs	Win32.Backdoor.Androm

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	34%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	29%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe	58%	ReversingLabs	Win32.Backdoor.Androm

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://pantronus.com/bin_gcbZVug136.	0%	Virustotal		Browse
http://pantronus.com/bin_gcbZVug136.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://pantronus.com/bin_gcbZVug136.	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	482886
Start date:	14.09.2021
Start time:	09:42:43
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.winLZH@9/2@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 39% (good quality ratio 25%) Quality average: 34.6% Quality standard deviation: 33%
HCA Information:	Successful, ratio: 95% Number of executed functions: 46 Number of non-executed functions: 9
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .lzh
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Download File
Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	471040
Entropy (8bit):	4.253459931665977
Encrypted:	false
SSDEEP:	6144:YMDKzMGGdOxLwdffBfwfBfB6rtHGGGGGgGGGGGGGGGGGGGGGSGGGLGGGGGGGGGGg:YjTOlpltB
MD5:	21E13385E6C6A3BE5C2922D7D02F04D6
SHA1:	A4CC3FB3CDDC95E8C2BF353205DD540220EC0576
SHA-256:	F0C28EABB44D97B7C5F6906B3862A358B3F91245E2AEF683C371C31C54560AD3
SHA-512:	207143B24E50BC5CCA8DBCA5C8FD90F3D41A1A7BFDAF4EF5FF102141462FCD69588D5A3614CF8CCB1594763A69180387F2B0C12E6CBB30FB0D041A58048A8A4F
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 34%, Browse Antivirus: Metadefender, Detection: 29%, Browse Antivirus: ReversingLabs, Detection: 58%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6..W..W..W..K..W..u..W..q..W.Rich.W.........................PE..L....C.O.................`..........H........p....@..........................@..............................................._..(.......n...................................................................8... .......4............................text...HT.......`.................. ..`.data........p.......p..............@....rsrc...n...........................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\rwew4jnu.3k5\unarchiver.log Download File
Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1508
Entropy (8bit):	5.290897978868285
Encrypted:	false
SSDEEP:	24:C1zGXDJ3frIiJRJIiJjWILIiJRJIiJUwZIiJfsdIiJRJIiJFTAzGXDJIiJbNIiJ1:1X58GcGbcGcGpiGUmGcGpVXuGb2GuXuh
MD5:	50386A038F345FB33F443D9AF8DB64C3
SHA1:	C27E86C40C7A37A8E092CBF703286DE3A12DDD45
SHA-256:	C00ABC679A6E8C72E409C4958A8F814CDF75573600B52C0CA9A548CC2651BADF
SHA-512:	15BBF1BB693AFA2CA6A96C225361E18B39882D325B002E65666F9C914C47C683E764E68ACD8286C22B51654463703A1019D36325005663FB9379B0C9E42D73A9
Malicious:	false
Reputation:	low
Preview:	09/14/2021 9:43 AM: Unpack: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh..09/14/2021 9:43 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk..09/14/2021 9:43 AM: Received from standard out: ..09/14/2021 9:43 AM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..09/14/2021 9:43 AM: Received from standard out: ..09/14/2021 9:43 AM: Received from standard out: Scanning the drive for archives:..09/14/2021 9:43 AM: Received from standard out: 1 file, 107136 bytes (105 KiB)..09/14/2021 9:43 AM: Received from standard out: ..09/14/2021 9:43 AM: Received from standard out: Extracting archive: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh..09/14/2021 9:43 AM: Received from standard out: --..09/14/2021 9:43 AM: Received from standard out: Path = C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh..09/14/2021 9:43 AM: Received from standard out: Type = Lzh..09/14/2021 9:43 AM: Received from standard out: Physical Si

Static File Info

General
File type:	LHa (2.x) archive data [lh5], with "NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe"
Entropy (8bit):	7.983327494950816
TrID:	LHARC/LZARK compressed archive (6/4) 100.00%
File name:	NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh
File size:	107136
MD5:	b71a9e479123528ba6f7b8642b924d0e
SHA1:	5aae421b9bc63d5982f5ef0e19abdfb85cb1688b
SHA256:	1908c35415f99b55e81ea5dd70da0ebbd3e341cd4d2cf77a418c09235be590d5
SHA512:	ba6f16107c9a944ca2c62b419ff29933caad97650f4482102f92c364d95d52282710a2882723785373035e79828e56f98aee69f0f280b81c9cecbe103e7dbcde
SSDEEP:	3072:dVlHrjorhU1+isBSk4x1DdS3sdP2hxhBpimq:9r8U+94x1Z2s1qxPY
File Content Preview:	6.-lh5-H....0....-S . NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe..^.........]..x........2.Z....R..Z*T..R....f.......P..2j.IEU..HQU$........}........=.....y...{..\|.'.;.....@....#m.3<E......=.....5...e..\|..k..U....x.N...%..i..B..AC.5c@i ..".......6..c...j. t.........

File Icon


Icon Hash:	00828e8e8686b000

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: unarchiver.exe PID: 3604 Parent PID: 5140

General

Start time:	09:43:43
Start date:	14/09/2021
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
Imagebase:	0xa40000
File size:	10240 bytes
MD5 hash:	DB55139D9DD29F24AE8EA8F0E5606901
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: 7za.exe PID: 3240 Parent PID: 3604

General

Start time:	09:43:44
Start date:	14/09/2021
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
Imagebase:	0x840000
File size:	289792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5776 Parent PID: 3240

General

Start time:	09:43:45
Start date:	14/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 6264 Parent PID: 3604

General

Start time:	09:43:46
Start date:	14/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 4500 Parent PID: 6264

General

Start time:	09:43:47
Start date:	14/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe PID: 1380 Parent PID: 6264

General

Start time:	09:43:47
Start date:	14/09/2021
Path:	C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe
Imagebase:	0x400000
File size:	471040 bytes
MD5 hash:	21E13385E6C6A3BE5C2922D7D02F04D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 34%, Virustotal, Browse Detection: 29%, Metadefender, Browse Detection: 58%, ReversingLabs
Reputation:	low

Analysis Process: unarchiver.exe PID: 3604 Parent PID: 5140 unarchiver.exeCOMMON

Execution Graph

Execution Coverage:	21.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	70
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02DA02A8, Relevance: 3.0, Strings: 2, Instructions: 481
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

u]p^, xrefs: 02DA0345, 02DA034A
:@fq, xrefs: 02DA062E

Memory Dump Source

Source File: 00000000.00000002.933255821.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2da0000_unarchiver.jbxd

Similarity

API ID:
String ID: :@fq$u]p^
API String ID: 0-2298872955
Opcode ID: 78831e3e81790309acd50e8e91f16f92ae1312541b6205a45a3302c56fd5497c
Instruction ID: b5a1ea231a40124c07070bf7c9094af7d306feee582116fb84a165a8e3273f2b
Opcode Fuzzy Hash: 78831e3e81790309acd50e8e91f16f92ae1312541b6205a45a3302c56fd5497c
Instruction Fuzzy Hash: 1522F874E10218CFDB24DFA5D898B9DBBB2FB89301F1091AAD40AA7359DB749D85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0133B042, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0133B074

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 916af4b34f4d0eba54de1f5ffc7222c3bb916297001525249064dae11330550f
Instruction ID: a9dec3498d0ad04591061080a89e734d9cffc184f8ceba02b902f54e03169b74
Opcode Fuzzy Hash: 916af4b34f4d0eba54de1f5ffc7222c3bb916297001525249064dae11330550f
Instruction Fuzzy Hash: C501A270900344DFDB20CF19D985756FB94DF44224F08C4AADD488F65AD379A408CA66

Uniqueness

Uniqueness Score: -1.00%

Function 0133B0B2, Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 0133B15F

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e79b0c2e20e1075ac7a1bd5e88e763f35d9ffaaee800fa82c8a06484b8a2e785
Instruction ID: 6060e0650d2874f4c8a6246bf9f81c911a8fc9890adaef664c02fed14f1b2698
Opcode Fuzzy Hash: e79b0c2e20e1075ac7a1bd5e88e763f35d9ffaaee800fa82c8a06484b8a2e785
Instruction Fuzzy Hash: D03194715043446FEB228F65DC45F66BFACEF45320F0484AAE985DB152D224A919CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0133AB70, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 0133AC13

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 330feb464c02809949b2058f200042827eb484ba8bce8be75ac1a6c05db18030
Instruction ID: 465c0f93a29287e74198630235ee9f62bb2eecca251c56f9a35e9b5db09731bb
Opcode Fuzzy Hash: 330feb464c02809949b2058f200042827eb484ba8bce8be75ac1a6c05db18030
Instruction Fuzzy Hash: 1B31B3725043446FEB228F65DC44F67BFACEF05720F0888AAE985DB152D224E519CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0133A504, Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0133A5A9

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: de18512ddf52611af9876cb872a91eac3139ac043f8da6fd1f381983bfcf4ffb
Instruction ID: 0fc9c371094011d9f9a1b439d12344c70dbd7c07db34f695345c6d8bc7919777
Opcode Fuzzy Hash: de18512ddf52611af9876cb872a91eac3139ac043f8da6fd1f381983bfcf4ffb
Instruction Fuzzy Hash: 4D3190B1504780AFE722CF25CC44F66BFE8EF45214F0885AEE9858B252D375E805CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0133A9E2, Relevance: 1.6, APIs: 1, Instructions: 90
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E2C,?,?), ref: 0133AAA2

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 341fae0c9182f77cfb7529ef42104885bc68ae61b68ba35be6c4c1814d3be7df
Instruction ID: 647089927fde7dea03b5bbfc722819234f196f34f87f72b12b72d321ca490e1b
Opcode Fuzzy Hash: 341fae0c9182f77cfb7529ef42104885bc68ae61b68ba35be6c4c1814d3be7df
Instruction Fuzzy Hash: 6F316D7240E7C46FD3138B758C61A55BFB4AF47610F1E84DBD8C4CB1A3D2696909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0133A120, Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E2C,?,?), ref: 0133A1C2

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: e80ed460afa1d15c89a82852abe9eb0615a35df588f155741f896e42bd5abbc8
Instruction ID: 053654b1f25679b6997f9a9d55338341b2bbae33bbd823785982bee9cc2d8307
Opcode Fuzzy Hash: e80ed460afa1d15c89a82852abe9eb0615a35df588f155741f896e42bd5abbc8
Instruction Fuzzy Hash: 2C21DE7140D3C06FD7138B358C51BA6BFB4EF47620F0981DBD8848F293D225A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0133AB96, Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 0133AC13

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1192fa0b865ca92708d9eaa4945da368d2950e79a311f674a480ee7e39aa8b08
Instruction ID: f44bb4abcd485e8047cc98939dda0877a34f9622c1b5a73162041a72c516b71e
Opcode Fuzzy Hash: 1192fa0b865ca92708d9eaa4945da368d2950e79a311f674a480ee7e39aa8b08
Instruction Fuzzy Hash: 4321B072500708AFEB22CF69DC84F6ABBACEF04320F04886AE985DB551D274E5048BB5

Uniqueness

Uniqueness Score: -1.00%

Function 0133B0E2, Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 0133B15F

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eeabd9cceab68fc3c526e23bc6b0cd09b85f23eb127d8171df6a2356bd39e21b
Instruction ID: d5c61e7764f324728d67ec29d9b9a8b7afcd7f4a0b0aa1e8f9b2a314cfeda968
Opcode Fuzzy Hash: eeabd9cceab68fc3c526e23bc6b0cd09b85f23eb127d8171df6a2356bd39e21b
Instruction Fuzzy Hash: FD21B072500304AFEB21CF69DC85F6AFBACEF04320F04886AED459B656D234E4048B75

Uniqueness

Uniqueness Score: -1.00%

Function 0133A77C, Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E2C,03B45EB1,00000000,00000000,00000000,00000000), ref: 0133A80A

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 12430b84de3fcce45fe3d277aea0b97a1e936673cb3b1a763af439da76ba2dd2
Instruction ID: 572b0d6aeb7e9ad4087397ef6238f2d1f15364ae32063f26363c22a89cbb9859
Opcode Fuzzy Hash: 12430b84de3fcce45fe3d277aea0b97a1e936673cb3b1a763af439da76ba2dd2
Instruction Fuzzy Hash: 30219271509380AFE7238F25DC44F66BFA8EF46724F0984EAED849F153C264A809C775

Uniqueness

Uniqueness Score: -1.00%

Function 0133A85F, Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,00000E2C,03B45EB1,00000000,00000000,00000000,00000000), ref: 0133A8ED

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 55cf75faca9dea86b5bb4e3105d9ab0958316c6e8ca246dc3e1da163ad250a02
Instruction ID: 126f66408c76e552289d887fb0ffadb0581c3c41be8f9f952220ead54e4f1bb3
Opcode Fuzzy Hash: 55cf75faca9dea86b5bb4e3105d9ab0958316c6e8ca246dc3e1da163ad250a02
Instruction Fuzzy Hash: 5D217C71409384AFDB228F65DC45F96BFB8EF46310F08849AE9849F153C275A408CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0133A52A, Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0133A5A9

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dbd146a28e0acf5e3e72df72d7c74a3011d5b22e1f4997bb0b00122c3ffbf110
Instruction ID: 3842cc33cd3cf0f68c12f987d350f4c06a1caf499e9cd9b1e86c7054904e7eae
Opcode Fuzzy Hash: dbd146a28e0acf5e3e72df72d7c74a3011d5b22e1f4997bb0b00122c3ffbf110
Instruction Fuzzy Hash: BE219CB1600704EFEB21CF69CC84B66FBE8EF08324F04846AE9858B692D375E404CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0133A6BB, Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E2C,03B45EB1,00000000,00000000,00000000,00000000), ref: 0133A741

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: adc5674eebd0dfba717c5ea93edceab3b8291b8b636cdc857816949fe9394faa
Instruction ID: 04dc22630f3b3597ef558a3ed9ccb76003238fbcda294544ee184bfe55371741
Opcode Fuzzy Hash: adc5674eebd0dfba717c5ea93edceab3b8291b8b636cdc857816949fe9394faa
Instruction Fuzzy Hash: 0121F3B54083806FE7138B259C80BA6BFB8DF46724F0880DBE9808B153D264A909C775

Uniqueness

Uniqueness Score: -1.00%

Function 0133A600, Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0133A674

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 6be17af0fbfea7b8f19718ba8f5cd4d6a63d8c8f177576bd28fcdfe6f9dabe2e
Instruction ID: d4c2d95010d3c49dd7a5f03da9400b37cdc7bcb68d5007a16f3370e17bbc2881
Opcode Fuzzy Hash: 6be17af0fbfea7b8f19718ba8f5cd4d6a63d8c8f177576bd28fcdfe6f9dabe2e
Instruction Fuzzy Hash: 4721C2B55097C09FD713CB29DC94752BFB4EF42224F0984DBDC858F663D2249908C762

Uniqueness

Uniqueness Score: -1.00%

Function 0133A448, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0133A4AF

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 125c9afd1f7ea98f661f5855c21fd34e5df0ca184bdd806d04927c2ecdd66a57
Instruction ID: 403d2e23c76aa84842ec4e371884074ae356ada3409d4509361181793489435c
Opcode Fuzzy Hash: 125c9afd1f7ea98f661f5855c21fd34e5df0ca184bdd806d04927c2ecdd66a57
Instruction Fuzzy Hash: 861193715093809FD722CF29DC89B56BFE8EF46224F0984AEED85DF252D274E804CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0133A88E, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,00000E2C,03B45EB1,00000000,00000000,00000000,00000000), ref: 0133A8ED

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 52cb103accee0839117dcc321fa8082926376db6c0b82f3f2252fd1cc854edb9
Instruction ID: c8dd784892dedfe3733f34642640ad1fe028ff53587f4b1208c361917e931c2e
Opcode Fuzzy Hash: 52cb103accee0839117dcc321fa8082926376db6c0b82f3f2252fd1cc854edb9
Instruction Fuzzy Hash: D311C171500308AFEB22CF59DC84F6AFBA8EF44720F04846AED859B656D274E404CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 0133A7AE, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E2C,03B45EB1,00000000,00000000,00000000,00000000), ref: 0133A80A

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: f3e5d919bfe50b7fd0908efa25f279850933fcd07564f2b1635fff5f3b4af06c
Instruction ID: ff0053e17ecf6b60b8bfbf3168c3c52c37d29332f69404df3f7870625feb1eff
Opcode Fuzzy Hash: f3e5d919bfe50b7fd0908efa25f279850933fcd07564f2b1635fff5f3b4af06c
Instruction Fuzzy Hash: 3A11C171500304AFEB21CF59DC84F6AFFA8EF44724F04846AED859F646D278A404CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0133B020, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0133B074

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 95e93e52fdaac6d9aadd6c595eabbae7690623bb7da8d1b636738ec7d072cb14
Instruction ID: 45d41439710e5c8c143811d003c93f8acd3d231bf3cec6c74d43351c897f024b
Opcode Fuzzy Hash: 95e93e52fdaac6d9aadd6c595eabbae7690623bb7da8d1b636738ec7d072cb14
Instruction Fuzzy Hash: B2117C714093849FDB12CF25DC84B56FFA4DF46224F0884EBED848F257D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0133ADF7, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0133AE50

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: e4d3699772b157663860f6b30d0bf2391d00e4be825b4a5889070003642197d6
Instruction ID: 8ead22175ba41fa3f332c5634cc68f52d2349f40291e5a9714b8b34e0667ff04
Opcode Fuzzy Hash: e4d3699772b157663860f6b30d0bf2391d00e4be825b4a5889070003642197d6
Instruction Fuzzy Hash: F811A3715093809FD7128B29DC85A56FFF4EF46220F0984DBED858F263C275A848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0133A46A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0133A4AF

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: bd9c7036cae1cc42295f3ee097302bb765d0f2ee99125e432cbe3fc980bf9597
Instruction ID: 00bf3799ebf291f1a51f978ead3db87964458532349ef67f5c4bfb7e0c62f2d4
Opcode Fuzzy Hash: bd9c7036cae1cc42295f3ee097302bb765d0f2ee99125e432cbe3fc980bf9597
Instruction Fuzzy Hash: 7711AD716043048FEB20CF2AD889B66FBD8EF44224F08C4AADD89DB756E274E404CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0133A6EE, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,03B45EB1,00000000,00000000,00000000,00000000), ref: 0133A741

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 34cfb32ea6303fa78a20ae1731c78cce5bf067889b30f0753a2e20c518afa160
Instruction ID: f6dea99fe1e4af4a77cf99fb4723bd3df8b9fac981e77df9cf5acd9cbf83c6cf
Opcode Fuzzy Hash: 34cfb32ea6303fa78a20ae1731c78cce5bf067889b30f0753a2e20c518afa160
Instruction Fuzzy Hash: 8601F571500304AFE722CF59DC85F6AFBACDF44724F54C0AAED859B646D278E404CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 0133A23C, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0133A290

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 23f3a3520a16b7e1ec734963771ec4456a6e6a697a2eca4e885c9662195ca575
Instruction ID: 7cb101d99a050dbd001d1ba7e9b81010feea622954849af1ae75a1d5eee13334
Opcode Fuzzy Hash: 23f3a3520a16b7e1ec734963771ec4456a6e6a697a2eca4e885c9662195ca575
Instruction Fuzzy Hash: B2118471409384AFDB228B15DC84B62FFB4DF46624F0880DBED858F253D275A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0133A172, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E2C,?,?), ref: 0133A1C2

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 4360aa596cc95d229b1a381dd3dd149a9167783fd2ff170de485f78a4fcfb05a
Instruction ID: 0211982051d10adc1e8e782e9d6a221db59f4ff4df96e2bdcb5b931e0dad3f9f
Opcode Fuzzy Hash: 4360aa596cc95d229b1a381dd3dd149a9167783fd2ff170de485f78a4fcfb05a
Instruction Fuzzy Hash: CC01B171500600AFD714DF1ADC82B26FBA8EB89A20F14816AED088B641D231B915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0133AA52, Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E2C,?,?), ref: 0133AAA2

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 51f2a4a73e411eab98dd71b6d6f1d4bccc4803d99e298b22144adc2c09631b56
Instruction ID: d590eb289b97a492a49e07d494c6b4037290e8731bea70d7f8f848c6bcdba3ec
Opcode Fuzzy Hash: 51f2a4a73e411eab98dd71b6d6f1d4bccc4803d99e298b22144adc2c09631b56
Instruction Fuzzy Hash: 7E01B171500600AFD714DF1ADC82B26FBA8FB89B20F14816AED088B641D231B915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0133A642, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0133A674

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 15ed2b2dc30742e8401ee6c7e2582d2e897c95156f6b8fbf87397462b30fe214
Instruction ID: d901b8ef0485b1f1d6681e7a19d9cb240eb1b6f63e307a6a3ee42af40b825cca
Opcode Fuzzy Hash: 15ed2b2dc30742e8401ee6c7e2582d2e897c95156f6b8fbf87397462b30fe214
Instruction Fuzzy Hash: 0001D471A003048FDB11CF1AD88475AFB94DF80234F08C4ABDC45CF656D278D404CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0133AE1E, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0133AE50

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: b33bc4fcb89233458e3ea829ca5fb46c488c11eaf58d424220ca6dd7025b7b9f
Instruction ID: eccb5d64ae888380545d7e5d57c8dc43b4071b11b00dd3ce2e613e30575c7363
Opcode Fuzzy Hash: b33bc4fcb89233458e3ea829ca5fb46c488c11eaf58d424220ca6dd7025b7b9f
Instruction Fuzzy Hash: D801D1356003448FDB208F1AD885766FB98DF44625F08C0AADD898BA56D279E448CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 0133A25E, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0133A290

Memory Dump Source

Source File: 00000000.00000002.932809012.000000000133A000.00000040.00000001.sdmp, Offset: 0133A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49820858c30c7200dfa44acd997f6672d74efc1c9bea0e99d74fe8ca6c366f52
Instruction ID: c605086a688e51d3051f3a0a267c8d0dfc1ffa62608b95e68335d375b0490218
Opcode Fuzzy Hash: 49820858c30c7200dfa44acd997f6672d74efc1c9bea0e99d74fe8ca6c366f52
Instruction Fuzzy Hash: 6DF0F4309043048FDB20CF0AD884725FF94DF44724F08C09ADD848B716D2BAA404CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 02DA0C30, Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

U]p^, xrefs: 02DA0DA2, 02DA0DA7

Memory Dump Source

Source File: 00000000.00000002.933255821.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2da0000_unarchiver.jbxd

Similarity

API ID:
String ID: U]p^
API String ID: 0-3209644301
Opcode ID: 9066f7c3838a09795a831d260509ee22ef27b4e3efd28f84244c0c3e880b94f8
Instruction ID: 3b6f77fa2c7fa5c5d7e9c399b4a644b89d2c8fe4ed3e0fd3e3013208b17e6854
Opcode Fuzzy Hash: 9066f7c3838a09795a831d260509ee22ef27b4e3efd28f84244c0c3e880b94f8
Instruction Fuzzy Hash: 7B510375E02208DFCB18DFB5D890AAEBBB2FF8A304F24942DE405A7350DB35A945CB55

Uniqueness

Uniqueness Score: -1.00%

Function 01420875, Relevance: 1.0, Instructions: 995COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.932933128.0000000001420000.00000040.00000040.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1420000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 751de267ee3fc56068a4bef8b190f01e60888e69b79dc7e0c681036b3c467c81
Instruction ID: af0813610ed5910bd1487a5a9d27ada3b63e2494efee8af4c940517f1245661f
Opcode Fuzzy Hash: 751de267ee3fc56068a4bef8b190f01e60888e69b79dc7e0c681036b3c467c81
Instruction Fuzzy Hash: C821A66254E3C04FE3038B649C115A5BFE0DF43230F1D85EBD4888F563E12E985B87A6

Uniqueness

Uniqueness Score: -1.00%

Function 02DA0AD8, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.933255821.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2da0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33e33a2e1c0b483056976c40560bc49e309f873ad9203e6cbae32aeda55a654b
Instruction ID: 082c76eee85daf39c7c174bc4d59f1a8616e8d407d407bb5a4d0a161bbad3371
Opcode Fuzzy Hash: 33e33a2e1c0b483056976c40560bc49e309f873ad9203e6cbae32aeda55a654b
Instruction Fuzzy Hash: ED213775D01208DFCB15DFA5E444AEEBBB6EB89304F20852AD901B3254DBB56D86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 014205BF, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.932933128.0000000001420000.00000040.00000040.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1420000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3f4e11d96f2f57d5863013b16bd440368a88657f46700bd69c499e231a4b72
Instruction ID: 1f62bb26a50b9a80431ea2fcc33e55fba9de84bb6ab33deb759850e2308127c5
Opcode Fuzzy Hash: 1f3f4e11d96f2f57d5863013b16bd440368a88657f46700bd69c499e231a4b72
Instruction Fuzzy Hash: BB0128735097805FCB26CB15EC41852BFE4EB86230B5884EFEC4DCB622D235E449CB65

Uniqueness

Uniqueness Score: -1.00%

Function 014205AF, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.932933128.0000000001420000.00000040.00000040.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1420000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952f0d79709bff089992c154402ce9e5396fed0ff16637c46ac712d2f7228ec0
Instruction ID: ed8456d0bdcc2ca22b6b1cdb252ddc1d13319d6dbb01aeb6155c624eab4ce889
Opcode Fuzzy Hash: 952f0d79709bff089992c154402ce9e5396fed0ff16637c46ac712d2f7228ec0
Instruction Fuzzy Hash: 6901D8725497C05FCB12CB15DC40853BFE8EF8663070884EBEC45CB612D175A905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02DA0E38, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.933255821.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2da0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a223effcaedb841ae68d93b8006dbd35442bc4194fb15dbe8a04ad242cf7b42d
Instruction ID: 01fa1219de8592a08e732fb4ecd8bb83865b9407eb120120efa7b3d6a70c002f
Opcode Fuzzy Hash: a223effcaedb841ae68d93b8006dbd35442bc4194fb15dbe8a04ad242cf7b42d
Instruction Fuzzy Hash: A701E2B0C06209DFCB04DFA4D854BAEBBB5AF06305F20A5AEC401B7381D7745A84CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02DA0E48, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.933255821.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2da0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 503dd485c6f748b40ec1b4f7f119873d5eaa302fe0cf6b6eb5f4faece38ba8c2
Instruction ID: 8fa57cd746d1c6b6ff214d716c7c68b825fabfc7e7d57e0993498f934329f956
Opcode Fuzzy Hash: 503dd485c6f748b40ec1b4f7f119873d5eaa302fe0cf6b6eb5f4faece38ba8c2
Instruction Fuzzy Hash: 4C01DDB0C0120ADFCB08EFA4D454BAEBBB5AB05305F2099ADC40577380DB789A84CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02DA0BBF, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.933255821.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2da0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9571b45265caa453274f8314e0959641d917dc477a0119c27f48c874424030
Instruction ID: ef1d24c41a172dbd2014b4d4775c0c517b93e29dc9a3e7bf4556e202bd862130
Opcode Fuzzy Hash: 1a9571b45265caa453274f8314e0959641d917dc477a0119c27f48c874424030
Instruction Fuzzy Hash: F4013CB4D05209DFCB14DFA9D9456AEBBF1BF45300F1485AAC409B3350EB345E04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0142081E, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.932933128.0000000001420000.00000040.00000040.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1420000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd5a2aee90135228bb06e7ecbaafe9ebdc6bae2011add2360a8d00106c0ec4ad
Instruction ID: e10acbb96c1ea7a5917995fef1f4ddab34ecbe9379454e8666f298d6bd2bb101
Opcode Fuzzy Hash: dd5a2aee90135228bb06e7ecbaafe9ebdc6bae2011add2360a8d00106c0ec4ad
Instruction Fuzzy Hash: 34F082B29456046FD600DF09EC4185AF7ECDF85621F18C56FEC488B301E276A9154AE6

Uniqueness

Uniqueness Score: -1.00%

Function 014205F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.932933128.0000000001420000.00000040.00000040.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1420000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3c313ff6ddbf6b2d3edffaf147abbace769cc8856e8e0468551835759df17d
Instruction ID: f9f63b18ee5cfe5b928ebe1f3e74c2854f5a3b16f2a4002a8749241afce0de97
Opcode Fuzzy Hash: ce3c313ff6ddbf6b2d3edffaf147abbace769cc8856e8e0468551835759df17d
Instruction Fuzzy Hash: 1DE09276A407045BD650CF0AEC81456FBD8EB84630B18C07FDC0D8B711E576F504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 013323F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.932799176.0000000001332000.00000040.00000001.sdmp, Offset: 01332000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1332000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1767b5ce02be75cad2cfaf61123969f1421ab418cae83eda61491c583ec3d9e
Instruction ID: 95cc47ea46378dbc7ee5870c8d708f88ebe3d84a4d04d64043ca3c146f3a6fbc
Opcode Fuzzy Hash: e1767b5ce02be75cad2cfaf61123969f1421ab418cae83eda61491c583ec3d9e
Instruction Fuzzy Hash: 16D05E79205A914FE3268A1CC1A8B963FE4AB91B08F4644F9E8008B667C369E681D200

Uniqueness

Uniqueness Score: -1.00%

Function 013323BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.932799176.0000000001332000.00000040.00000001.sdmp, Offset: 01332000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1332000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68aec97def0199207998bf3e289d4eaad1ccdcd5292ccfbc723cecbce669278d
Instruction ID: 9f5a0672ca34eee133a3cf726eb9eb6b30f0a6bcf7ab3006c7a1e9c079d07b5f
Opcode Fuzzy Hash: 68aec97def0199207998bf3e289d4eaad1ccdcd5292ccfbc723cecbce669278d
Instruction Fuzzy Hash: F1D05E342402814BD715DB0CC194F5A7BD4AB81B14F0644E8AD008B266C7A4D881C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02DA0298, Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

u]p^, xrefs: 02DA0345, 02DA034A

Memory Dump Source

Source File: 00000000.00000002.933255821.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2da0000_unarchiver.jbxd

Similarity

API ID:
String ID: u]p^
API String ID: 0-1894936721
Opcode ID: 31cabb30948f5d18da67f37574d675a120b0efd2d2c42f45fd2e8578a6749204
Instruction ID: a4b94fdb0c41694e1485e40d7d5d18ec676ad0da2dd31342d65fa9e7c4c53da6
Opcode Fuzzy Hash: 31cabb30948f5d18da67f37574d675a120b0efd2d2c42f45fd2e8578a6749204
Instruction Fuzzy Hash: 1F91C875E10214DFDB14CFA6E848A9DBBB3FB89301F1081AAE80AA7258DB745D85DF10

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe PID: 1380 Parent PID: 6264 NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCOMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	75%
Total number of Nodes:	4
Total number of Limit Nodes:	0

Executed Functions

Function 02A9BAB0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 249
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(-3292A921,-0000000C), ref: 02A9BDED

Strings

B+, xrefs: 02A9D3E3

Memory Dump Source

Source File: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2a90000_NOA_-_CMA_CGM_ARRIVAL_NOTICE.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: B+
API String ID: 2167126740-2327986267
Opcode ID: c128949f4c9007a8e70bc339e7159cb2fcd49979db9fd9c1be2480d970166c59
Instruction ID: 81f8383bf6a46cff1d09fed3ed156f14eb18d94a560763399525d180903a60cc
Opcode Fuzzy Hash: c128949f4c9007a8e70bc339e7159cb2fcd49979db9fd9c1be2480d970166c59
Instruction Fuzzy Hash: 609161B1648382DFCF21CE79DAC47DA77E2EF09354F594629CC499BA04CB30AA45CB21

Uniqueness

Uniqueness Score: -1.00%

Function 02A9BA71, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 246
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(-3292A921,-0000000C), ref: 02A9BDED

Strings

B+, xrefs: 02A9D3E3

Memory Dump Source

Source File: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2a90000_NOA_-_CMA_CGM_ARRIVAL_NOTICE.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: B+
API String ID: 2167126740-2327986267
Opcode ID: 1d0122d7f6b5cde137729ad9232360059fb8feec0fffe42330481d9f1e3d096e
Instruction ID: 8317cb031d7209352506359be23726427e41a00d55f459a9b15c51e6c0f8446d
Opcode Fuzzy Hash: 1d0122d7f6b5cde137729ad9232360059fb8feec0fffe42330481d9f1e3d096e
Instruction Fuzzy Hash: 72914FB1644382DFCF21CEB9DAC47DA77E2EF09354F994529CC499BA04CB30AA45CB21

Uniqueness

Uniqueness Score: -1.00%

Function 02A9BAE0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 241
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(-3292A921,-0000000C), ref: 02A9BDED

Strings

B+, xrefs: 02A9D3E3

Memory Dump Source

Source File: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2a90000_NOA_-_CMA_CGM_ARRIVAL_NOTICE.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: B+
API String ID: 2167126740-2327986267
Opcode ID: 331dcebbe04fc5522c83a896098452719dfa370ac9113e72c62aa4ee36e15cc4
Instruction ID: 38153916adce22711044f0041ce2a90322ae581baf2d3819969c0f02526c30c5
Opcode Fuzzy Hash: 331dcebbe04fc5522c83a896098452719dfa370ac9113e72c62aa4ee36e15cc4
Instruction Fuzzy Hash: C0912DB12947829FCF22CEB9DAC47DA77E1EF09344F594628CC498BA48CB306945CB65

Uniqueness

Uniqueness Score: -1.00%

Function 02A9BB77, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 218
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(-3292A921,-0000000C), ref: 02A9BDED

Strings

B+, xrefs: 02A9D3E3

Memory Dump Source

Source File: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2a90000_NOA_-_CMA_CGM_ARRIVAL_NOTICE.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: B+
API String ID: 2167126740-2327986267
Opcode ID: cad740c1e7825d4b89cfdd73e67911a13910c2e23bfd6ef68e1d5dd895be175e
Instruction ID: 512bc00f71aef8d67a5d5c926f992b53344a3c3b67de29992a90625a8884d64c
Opcode Fuzzy Hash: cad740c1e7825d4b89cfdd73e67911a13910c2e23bfd6ef68e1d5dd895be175e
Instruction Fuzzy Hash: D4813FB1288382DFCF21CEB9DAC47DA77E1EF09344F590629CC499B644CB30AA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02A9BBB5, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 212
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(-3292A921,-0000000C), ref: 02A9BDED

Strings

B+, xrefs: 02A9D3E3

Memory Dump Source

Source File: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2a90000_NOA_-_CMA_CGM_ARRIVAL_NOTICE.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: B+
API String ID: 2167126740-2327986267
Opcode ID: 03b6e794e53e11e6fd973924f59a5354e1e70eb7f0247fba3a56bac5c67df1cc
Instruction ID: 475c4572b28f64e806622ea8b3a98d7a16b08b0b89b9debd8cd044a744193a1c
Opcode Fuzzy Hash: 03b6e794e53e11e6fd973924f59a5354e1e70eb7f0247fba3a56bac5c67df1cc
Instruction Fuzzy Hash: E381FCB21947829FCF21CEB9DAC4BC9B7E1EF09344F190668CC095BA48CB306946CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02A9BC9E, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(-3292A921,-0000000C), ref: 02A9BDED

Strings

B+, xrefs: 02A9D3E3

Memory Dump Source

Source File: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2a90000_NOA_-_CMA_CGM_ARRIVAL_NOTICE.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: B+
API String ID: 2167126740-2327986267
Opcode ID: 99435fe9cd0e7a7600b83ca2dc0c6ddad23633ef0519caa58f452e5c7b74be15
Instruction ID: 2a56138b9422b5117810f96fd27b68cdbf81e0360f596d91bee4738bf38574c7
Opcode Fuzzy Hash: 99435fe9cd0e7a7600b83ca2dc0c6ddad23633ef0519caa58f452e5c7b74be15
Instruction Fuzzy Hash: F261CAB11947829FCF22CEBCDAC4AC9B7A2FF09314F1A0668C8454BA45DB306946CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00401448, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(VB5!6&*), ref: 0040144D

Strings

VB5!6&*, xrefs: 00401448

Memory Dump Source

Source File: 00000007.00000002.932334937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.932326693.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.932391901.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.932472232.0000000000444000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.932514496.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.932530830.0000000000449000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_NOA_-_CMA_CGM_ARRIVAL_NOTICE.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 93d8e0f3c2a9c17a07f4c25d2d1f409aab031065b209e1d6d2d3a36d0b363587
Instruction ID: e5457dbf632cfcb487803c5f5bd79bd075e69982fb01c5f12132a13feb8f6570
Opcode Fuzzy Hash: 93d8e0f3c2a9c17a07f4c25d2d1f409aab031065b209e1d6d2d3a36d0b363587
Instruction Fuzzy Hash: A0D0AE5258E3C20FC703177119654453F7088A765431F00EB90C1DA4A3D8AC884A8337

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02AA1FF5, Relevance: 3.2, Strings: 2, Instructions: 706COMMON

Download Yara Rule

Strings

'\), xrefs: 02AA2644
\SIr, xrefs: 02AA2B05

Memory Dump Source

Source File: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2a90000_NOA_-_CMA_CGM_ARRIVAL_NOTICE.jbxd

Yara matches

Similarity

API ID:
String ID: '\)$\SIr
API String ID: 0-2827022522
Opcode ID: bf51be44044f6b813439147898c68f7998328fd78e892a6939d292cb6250b94f
Instruction ID: 0a29d8178066728b1a26d101c65172637ec61e97db3833d493df11612bdf4552
Opcode Fuzzy Hash: bf51be44044f6b813439147898c68f7998328fd78e892a6939d292cb6250b94f
Instruction Fuzzy Hash: 06426C715083868FDF318F38C9A47DA7BE2AF56360F49826ECC8A8F295DB358445C712

Uniqueness

Uniqueness Score: -1.00%

Function 02AA03EC, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2a90000_NOA_-_CMA_CGM_ARRIVAL_NOTICE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d172d99db6e16c5bacb8da21e1001c13f1ba0e0e3c650fdb3d53628f54e9bc3a
Instruction ID: ee3f1b5fedab7910fd18221e3c6e7917d74a6445fef899edbb65449a3cae973f
Opcode Fuzzy Hash: d172d99db6e16c5bacb8da21e1001c13f1ba0e0e3c650fdb3d53628f54e9bc3a
Instruction Fuzzy Hash: 02113A3574674ACFEB35CF28C9A0BD673B2BF49750F848119DD898B261DB34A940CA15

Uniqueness

Uniqueness Score: -1.00%

Function 02A9B21F, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2a90000_NOA_-_CMA_CGM_ARRIVAL_NOTICE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 272e97a669d3b6470e36b210c5f872993beb2fa133650b2bcf27f94f1a4ddef5
Instruction ID: 732c134532d96fb29955e73fcd573646f8ebc6089a05545e247013d8d4537ed8
Opcode Fuzzy Hash: 272e97a669d3b6470e36b210c5f872993beb2fa133650b2bcf27f94f1a4ddef5
Instruction Fuzzy Hash: BFB092BA6015808FFF42CB0CC481B0073F0FB48648B0804E0E402CB712D224E900CA00

Uniqueness

Uniqueness Score: -1.00%

Function 02A9F7B8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2a90000_NOA_-_CMA_CGM_ARRIVAL_NOTICE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11fc49d97aa50d24d38e12c29e96dfea9744648f9db3f507c5ae72440b100f59
Instruction ID: c59fd7ae0448f8fe47ba3d26354c3a03779325417676056572b6d58a50aea685
Opcode Fuzzy Hash: 11fc49d97aa50d24d38e12c29e96dfea9744648f9db3f507c5ae72440b100f59
Instruction Fuzzy Hash: 2CB092712205448FCA45DE08C190E8177A6FB04A00FC11480E0028BB12C224E904CA40

Uniqueness

Uniqueness Score: -1.00%

Function 004458FF, Relevance: 50.9, APIs: 28, Strings: 1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E004458FF(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v56;
				char _v72;
				char _v76;
				signed int _v84;
				char _v92;
				intOrPtr _v100;
				char _v108;
				signed int _v116;
				char _v124;
				intOrPtr _v132;
				char _v140;
				intOrPtr _v148;
				char _v156;
				char* _t68;
				intOrPtr _t109;

				_push(0x401286);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t109;
				_v12 = _t109 - 0x90;
				_v8 = 0x401238;
				_v24 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v56 = 0;
				_v72 = 0;
				_v76 = 0;
				_v92 = 0;
				_v108 = 0;
				_v124 = 0;
				_v140 = 0;
				_v156 = 0;
				L00401352();
				L00401352();
				_push(0);
				_push(3);
				_push(1);
				_push(0);
				_push( &_v76);
				_push(0x10);
				_push(0x880);
				L004013EE();
				_v84 = _v84 | 0xffffffff;
				_push(0);
				_push(_v76);
				_v92 = 0xb;
				L004013E2();
				L004013E8();
				_push(1);
				_push(_v76);
				_v100 = 0x41a610;
				_v108 = 8;
				L004013E2();
				L004013DC();
				_v116 = _v116 | 0xffffffff;
				_push(2);
				_push(_v76);
				_v124 = 0xb;
				L004013E2();
				L004013E8();
				_push(3);
				_push(_v76);
				_v132 = 0x41a618;
				_v140 = 8;
				L004013E2();
				L004013DC();
				_push( &_v76);
				_push( &_v56);
				L004013F4();
				_push( &_v76);
				_push(0);
				L004013D6();
				_v148 = 0x41a610;
				_push( &_v56);
				_t68 =  &_v156;
				_push(_t68);
				_v156 = 0x8008;
				L004013FA();
				L004013D0();
				if(_t68 != 0) {
					L004013CA();
					L00401412();
					_push(1);
					_push(1);
					_push(1);
					_push( &_v56);
					L004013BE();
					_push( &_v56);
					L004013C4();
					L00401412();
					L004013D0();
					_v84 = L"Varsha8";
					_v92 = 8;
					L0040141E();
					_t68 =  &_v56;
					_push(_t68);
					L004013B8();
					L004013D0();
				}
				_v28 = 0x25b7;
				_push(0x445b0b);
				L00401394();
				L00401394();
				L00401394();
				L00401394();
				return _t68;
			}

0x00445904
0x0044590f
0x00445910
0x00445920
0x00445923
0x00445932
0x00445935
0x00445938
0x0044593b
0x0044593e
0x00445941
0x00445944
0x00445947
0x0044594a
0x0044594d
0x00445950
0x00445956
0x0044595c
0x00445967
0x0044596c
0x0044596d
0x0044596f
0x00445971
0x00445975
0x00445976
0x00445978
0x0044597d
0x00445982
0x00445989
0x0044598a
0x0044598d
0x00445997
0x004459a0
0x004459a5
0x004459a7
0x004459af
0x004459b2
0x004459bc
0x004459c5
0x004459ca
0x004459ce
0x004459d0
0x004459d3
0x004459dd
0x004459e6
0x004459eb
0x004459ed
0x004459f0
0x004459f7
0x00445a07
0x00445a10
0x00445a18
0x00445a1c
0x00445a1d
0x00445a25
0x00445a26
0x00445a27
0x00445a2c
0x00445a35
0x00445a36
0x00445a3c
0x00445a3d
0x00445a47
0x00445a51
0x00445a59
0x00445a5b
0x00445a65
0x00445a6a
0x00445a6c
0x00445a6e
0x00445a73
0x00445a74
0x00445a7c
0x00445a7d
0x00445a87
0x00445a8f
0x00445a9a
0x00445aa1
0x00445aa8
0x00445aad
0x00445ab0
0x00445ab1
0x00445ab9
0x00445ab9
0x00445abe
0x00445ac5
0x00445aed
0x00445af5
0x00445afd
0x00445b05
0x00445b0a

APIs

__vbaStrCopy.MSVBVM60 ref: 0044595C
__vbaStrCopy.MSVBVM60 ref: 00445967
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000003,00000000), ref: 0044597D
__vbaDerefAry1.MSVBVM60(?,00000000), ref: 00445997
__vbaVarMove.MSVBVM60(?,00000000), ref: 004459A0
__vbaDerefAry1.MSVBVM60(?,00000001,?,00000000), ref: 004459BC
__vbaVarCopy.MSVBVM60(?,00000001,?,00000000), ref: 004459C5
__vbaDerefAry1.MSVBVM60(?,00000002,?,00000001,?,00000000), ref: 004459DD
__vbaVarMove.MSVBVM60(?,00000002,?,00000001,?,00000000), ref: 004459E6
__vbaDerefAry1.MSVBVM60(?,00000003,?,00000002,?,00000001,?,00000000), ref: 00445A07
__vbaVarCopy.MSVBVM60(?,00000003,?,00000002,?,00000001,?,00000000), ref: 00445A10
#668.MSVBVM60(?,?,?,00000003,?,00000002,?,00000001,?,00000000), ref: 00445A1D
__vbaErase.MSVBVM60(00000000,?,?,?,?,00000003,?,00000002,?,00000001,?,00000000), ref: 00445A27
__vbaVarTstNe.MSVBVM60(?,?,00000000,?,?,?,?,00000003,?,00000002,?,00000001,?,00000000), ref: 00445A47
__vbaFreeVar.MSVBVM60(?,?,00000000,?,?,?,?,00000003,?,00000002,?,00000001,?,00000000), ref: 00445A51
#611.MSVBVM60(?,?,00000000,?,?,?,?,00000003,?,00000002,?,00000001,?,00000000), ref: 00445A5B
__vbaStrMove.MSVBVM60(?,?,00000000,?,?,?,?,00000003,?,00000002,?,00000001,?,00000000), ref: 00445A65
#539.MSVBVM60(?,00000001,00000001,00000001,?,?,00000000,?,?,?,?,00000003,?,00000002,?,00000001), ref: 00445A74
__vbaStrVarMove.MSVBVM60(?,?,00000001,00000001,00000001,?,?,00000000,?,?,?,?,00000003,?,00000002,?), ref: 00445A7D
__vbaStrMove.MSVBVM60(?,?,00000001,00000001,00000001,?,?,00000000,?,?,?,?,00000003,?,00000002,?), ref: 00445A87
__vbaFreeVar.MSVBVM60(?,?,00000001,00000001,00000001,?,?,00000000,?,?,?,?,00000003,?,00000002,?), ref: 00445A8F
__vbaVarDup.MSVBVM60(?,?,00000001,00000001,00000001,?,?,00000000,?,?,?,?,00000003,?,00000002,?), ref: 00445AA8
#529.MSVBVM60(?,?,?,00000001,00000001,00000001,?,?,00000000,?,?,?,?,00000003,?,00000002), ref: 00445AB1
__vbaFreeVar.MSVBVM60(?,?,?,00000001,00000001,00000001,?,?,00000000,?,?,?,?,00000003,?,00000002), ref: 00445AB9
__vbaFreeStr.MSVBVM60(00445B0B,?,?,00000000,?,?,?,?,00000003,?,00000002,?,00000001,?,00000000), ref: 00445AED
__vbaFreeStr.MSVBVM60(00445B0B,?,?,00000000,?,?,?,?,00000003,?,00000002,?,00000001,?,00000000), ref: 00445AF5
__vbaFreeStr.MSVBVM60(00445B0B,?,?,00000000,?,?,?,?,00000003,?,00000002,?,00000001,?,00000000), ref: 00445AFD
__vbaFreeStr.MSVBVM60(00445B0B,?,?,00000000,?,?,?,?,00000003,?,00000002,?,00000001,?,00000000), ref: 00445B05

Strings

Varsha8, xrefs: 00445A9A

Memory Dump Source

Source File: 00000007.00000002.932472232.0000000000444000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.932326693.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.932334937.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.932391901.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.932514496.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.932530830.0000000000449000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_NOA_-_CMA_CGM_ARRIVAL_NOTICE.jbxd

Similarity

API ID: __vba$Free$Move$Ary1CopyDeref$#529#539#611#668EraseRedim
String ID: Varsha8
API String ID: 283550377-4135131953
Opcode ID: 938074e869ce901d2a71421425e33acd203ba2c9629ce53d76bb7258956d9c41
Instruction ID: 76fec0fde1e0e0cfa0da4f8e4d8221a962cf7560d0fd025e40192525ac6ad571
Opcode Fuzzy Hash: 938074e869ce901d2a71421425e33acd203ba2c9629ce53d76bb7258956d9c41
Instruction Fuzzy Hash: DA511971D012189AEF10EFE5C882ADEBBB9BF44704F60412AF405B76E1DBB85A49CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00445BEC, Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E00445BEC(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v52;
				char _v60;
				intOrPtr* _t36;
				void* _t37;
				void* _t39;
				intOrPtr* _t40;
				void* _t41;
				char* _t43;
				char* _t44;
				intOrPtr* _t63;
				intOrPtr* _t64;
				intOrPtr* _t65;
				void* _t68;
				void* _t70;
				intOrPtr _t71;
				intOrPtr _t75;
				intOrPtr _t78;

				_t71 = _t70 - 0xc;
				 *[fs:0x0] = _t71;
				_v16 = _t71 - 0x50;
				_v12 = 0x401258;
				_v8 = 0;
				_t36 = _a4;
				_t37 =  *((intOrPtr*)( *_t36 + 4))(_t36, __edi, __esi, __ebx,  *[fs:0x0], 0x401286, _t68);
				_push(0);
				_push(0xffffffff);
				_push(0x41a7e4);
				_push("ABC");
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v60 = 0;
				L0040133A();
				if(_t37 != 3) {
					_t75 =  *0x44764c; // 0x2b0e99c
					if(_t75 == 0) {
						_push(0x44764c);
						_push(0x41a5ec);
						L0040140C();
					}
					_t63 =  *0x44764c; // 0x2b0e99c
					_t39 =  *((intOrPtr*)( *_t63 + 0x14))(_t63,  &_v44);
					asm("fclex");
					if(_t39 < 0) {
						_push(0x14);
						_push(0x41a5dc);
						_push(_t63);
						_push(_t39);
						L00401406();
					}
					_t40 = _v44;
					_t64 = _t40;
					_t41 =  *((intOrPtr*)( *_t40 + 0xd8))(_t40,  &_v40);
					asm("fclex");
					if(_t41 < 0) {
						_push(0xd8);
						_push(0x41a5fc);
						_push(_t64);
						_push(_t41);
						L00401406();
					}
					_v40 = 0;
					L00401412();
					L00401400();
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v60);
					_v52 = 0;
					_v60 = 2;
					L00401334();
					L00401412();
					L004013D0();
					_t78 =  *0x44764c; // 0x2b0e99c
					if(_t78 == 0) {
						_push(0x44764c);
						_push(0x41a5ec);
						L0040140C();
					}
					_t65 =  *0x44764c; // 0x2b0e99c
					_t43 =  &_v60;
					L00401322();
					L00401328();
					_t44 =  &_v44;
					L0040132E();
					_t37 =  *((intOrPtr*)( *_t65 + 0xc))(_t65, _t44, _t44, _t43, _t43, _t43, _v36, L"taYlu9110", 0);
					asm("fclex");
					if(_t37 < 0) {
						_push(0xc);
						_push(0x41a5dc);
						_push(_t65);
						_push(_t37);
						L00401406();
					}
					L00401400();
					L004013D0();
				}
				_push(0x445d9d);
				L00401394();
				L00401394();
				L00401400();
				return _t37;
			}

0x00445bef
0x00445bfe
0x00445c0b
0x00445c0e
0x00445c17
0x00445c1a
0x00445c20
0x00445c23
0x00445c24
0x00445c26
0x00445c2b
0x00445c30
0x00445c33
0x00445c36
0x00445c39
0x00445c3c
0x00445c3f
0x00445c42
0x00445c4a
0x00445c50
0x00445c56
0x00445c58
0x00445c5d
0x00445c62
0x00445c62
0x00445c67
0x00445c74
0x00445c77
0x00445c7b
0x00445c7d
0x00445c7f
0x00445c84
0x00445c85
0x00445c86
0x00445c86
0x00445c8b
0x00445c95
0x00445c97
0x00445c9d
0x00445ca1
0x00445ca3
0x00445ca8
0x00445cad
0x00445cae
0x00445caf
0x00445caf
0x00445cba
0x00445cbd
0x00445cc5
0x00445cca
0x00445ccc
0x00445cce
0x00445cd0
0x00445cd5
0x00445cd6
0x00445cd9
0x00445ce0
0x00445cea
0x00445cf2
0x00445cf7
0x00445cfd
0x00445cff
0x00445d04
0x00445d09
0x00445d09
0x00445d0e
0x00445d1f
0x00445d23
0x00445d2c
0x00445d32
0x00445d36
0x00445d3d
0x00445d40
0x00445d44
0x00445d46
0x00445d48
0x00445d4d
0x00445d4e
0x00445d4f
0x00445d4f
0x00445d57
0x00445d5f
0x00445d5f
0x00445d64
0x00445d87
0x00445d8f
0x00445d97
0x00445d9c

APIs

#709.MSVBVM60(ABC,0041A7E4,000000FF,00000000), ref: 00445C42
__vbaNew2.MSVBVM60(0041A5EC,0044764C,ABC,0041A7E4,000000FF,00000000), ref: 00445C62
__vbaHresultCheckObj.MSVBVM60(00000000,02B0E99C,0041A5DC,00000014), ref: 00445C86
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A5FC,000000D8), ref: 00445CAF
__vbaStrMove.MSVBVM60(00000000,?,0041A5FC,000000D8), ref: 00445CBD
__vbaFreeObj.MSVBVM60(00000000,?,0041A5FC,000000D8), ref: 00445CC5
#704.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00445CE0
__vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00445CEA
__vbaFreeVar.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00445CF2
__vbaNew2.MSVBVM60(0041A5EC,0044764C,?,000000FF,000000FE,000000FE,000000FE), ref: 00445D09
__vbaLateMemCallLd.MSVBVM60(00000002,?,taYlu9110,00000000,?,000000FF,000000FE,000000FE,000000FE), ref: 00445D23
__vbaObjVar.MSVBVM60(00000000,000000FE), ref: 00445D2C
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000,000000FE), ref: 00445D36
__vbaHresultCheckObj.MSVBVM60(00000000,02B0E99C,0041A5DC,0000000C), ref: 00445D4F
__vbaFreeObj.MSVBVM60(00000000,02B0E99C,0041A5DC,0000000C), ref: 00445D57
__vbaFreeVar.MSVBVM60(00000000,02B0E99C,0041A5DC,0000000C), ref: 00445D5F
__vbaFreeStr.MSVBVM60(00445D9D,ABC,0041A7E4,000000FF,00000000), ref: 00445D87
__vbaFreeStr.MSVBVM60(00445D9D,ABC,0041A7E4,000000FF,00000000), ref: 00445D8F
__vbaFreeObj.MSVBVM60(00445D9D,ABC,0041A7E4,000000FF,00000000), ref: 00445D97

Strings

taYlu9110, xrefs: 00445D17
ABC, xrefs: 00445C2B

Memory Dump Source

Source File: 00000007.00000002.932472232.0000000000444000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.932326693.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.932334937.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.932391901.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.932514496.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.932530830.0000000000449000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_NOA_-_CMA_CGM_ARRIVAL_NOTICE.jbxd

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#704#709AddrefCallLate
String ID: ABC$taYlu9110
API String ID: 1637656164-3143813651
Opcode ID: a4cd9aa0d067797f0ac84f59ce0e150fa9befd5a977bcd3e480bb6ad0808f7f6
Instruction ID: 51b1b71f66db255334225c9bfa73bc7478d54529785a501ff037a8138126cfe5
Opcode Fuzzy Hash: a4cd9aa0d067797f0ac84f59ce0e150fa9befd5a977bcd3e480bb6ad0808f7f6
Instruction Fuzzy Hash: 1C415470940618ABDB01EB95CC86DDE7B79AF48714F20422BF411B31E2DB7C5546CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 00445DBA, Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 52%

			E00445DBA(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				void* _v36;
				intOrPtr* _t20;
				void* _t21;
				void* _t23;
				intOrPtr* _t24;
				intOrPtr* _t37;
				intOrPtr* _t38;
				void* _t39;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t45;

				_t42 = _t41 - 0xc;
				 *[fs:0x0] = _t42;
				_v16 = _t42 - 0x28;
				_v12 = 0x401268;
				_v8 = 0;
				_t20 = _a4;
				_t21 =  *((intOrPtr*)( *_t20 + 4))(_t20, __edi, __esi, __ebx,  *[fs:0x0], 0x401286, _t39);
				_push(0x41a800);
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				L0040131C();
				if(_t21 != 0x61) {
					_push(L"SLAVEHANDLERES");
					_push(L"deltaerne");
					_push(L"Blenheim");
					_push(L"Douce");
					L004013A0();
					_t45 =  *0x44764c; // 0x2b0e99c
					if(_t45 == 0) {
						_push(0x44764c);
						_push(0x41a5ec);
						L0040140C();
					}
					_t37 =  *0x44764c; // 0x2b0e99c
					_t23 =  *((intOrPtr*)( *_t37 + 0x14))(_t37,  &_v36);
					asm("fclex");
					if(_t23 < 0) {
						_push(0x14);
						_push(0x41a5dc);
						_push(_t37);
						_push(_t23);
						L00401406();
					}
					_t24 = _v36;
					_t38 = _t24;
					_t21 =  *((intOrPtr*)( *_t24 + 0x60))(_t24,  &_v32);
					asm("fclex");
					if(_t21 < 0) {
						_push(0x60);
						_push(0x41a5fc);
						_push(_t38);
						_push(_t21);
						L00401406();
					}
					_v32 = 0;
					L00401412();
					L00401400();
					_push(L"Afbrnd1");
					L00401316();
				}
				_push(0x445ec6);
				L00401394();
				return _t21;
			}

0x00445dbd
0x00445dcc
0x00445dd9
0x00445ddc
0x00445de5
0x00445de8
0x00445dee
0x00445df1
0x00445df6
0x00445df9
0x00445dfc
0x00445dff
0x00445e08
0x00445e0e
0x00445e13
0x00445e18
0x00445e1d
0x00445e22
0x00445e27
0x00445e2d
0x00445e2f
0x00445e34
0x00445e39
0x00445e39
0x00445e3e
0x00445e4b
0x00445e4e
0x00445e52
0x00445e54
0x00445e56
0x00445e5b
0x00445e5c
0x00445e5d
0x00445e5d
0x00445e62
0x00445e6c
0x00445e6e
0x00445e71
0x00445e75
0x00445e77
0x00445e79
0x00445e7e
0x00445e7f
0x00445e80
0x00445e80
0x00445e8b
0x00445e8e
0x00445e96
0x00445e9b
0x00445ea0
0x00445ea0
0x00445ea5
0x00445ec0
0x00445ec5

APIs

#516.MSVBVM60(0041A800,?,?,?,?,?,?,?,?,?,?,?,?,00401286), ref: 00445DFF
#690.MSVBVM60(Douce,Blenheim,deltaerne,SLAVEHANDLERES,0041A800), ref: 00445E22
__vbaNew2.MSVBVM60(0041A5EC,0044764C,Douce,Blenheim,deltaerne,SLAVEHANDLERES,0041A800), ref: 00445E39
__vbaHresultCheckObj.MSVBVM60(00000000,02B0E99C,0041A5DC,00000014), ref: 00445E5D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A5FC,00000060), ref: 00445E80
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401286), ref: 00445E8E
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401286), ref: 00445E96
#532.MSVBVM60(Afbrnd1,?,?,?,?,?,?,?,?,?,?,?,?,00401286), ref: 00445EA0
__vbaFreeStr.MSVBVM60(00445EC6,0041A800,?,?,?,?,?,?,?,?,?,?,?,?,00401286), ref: 00445EC0

Strings

Blenheim, xrefs: 00445E18
Afbrnd1, xrefs: 00445E9B
Douce, xrefs: 00445E1D
SLAVEHANDLERES, xrefs: 00445E0E
deltaerne, xrefs: 00445E13

Memory Dump Source

Source File: 00000007.00000002.932472232.0000000000444000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.932326693.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.932334937.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.932391901.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.932514496.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.932530830.0000000000449000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_NOA_-_CMA_CGM_ARRIVAL_NOTICE.jbxd

Similarity

API ID: __vba$CheckFreeHresult$#516#532#690MoveNew2
String ID: Afbrnd1$Blenheim$Douce$SLAVEHANDLERES$deltaerne
API String ID: 2150154894-46999052
Opcode ID: 48629091ab00ff097caf0a9f514738661437cc83ebdd1e77204d7d1aea801639
Instruction ID: eb12d4b1178c0ad508c08cb7746341c0500e832092afa7e1abf5565244267a7e
Opcode Fuzzy Hash: 48629091ab00ff097caf0a9f514738661437cc83ebdd1e77204d7d1aea801639
Instruction Fuzzy Hash: B9217470941604ABDB11EB96CC46EAEBB78AF54704F20401BF400B32A2D77C5552CAAD

Uniqueness

Uniqueness Score: -1.00%

Function 00445B28, Relevance: 6.1, APIs: 4, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00445B28(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				signed int _v28;
				void* _t13;
				signed int _t14;
				void* _t15;
				intOrPtr* _t23;
				signed int _t24;
				intOrPtr _t27;

				_push(0x401286);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t27;
				_v12 = _t27 - 0x1c;
				_v8 = 0x401248;
				_v28 = _v28 & 0x00000000;
				if( *0x44764c == 0) {
					_push(0x44764c);
					_push(0x41a5ec);
					L0040140C();
				}
				_t23 =  *0x44764c; // 0x2b0e99c
				_t13 =  *((intOrPtr*)( *_t23 + 0x4c))(_t23,  &_v28);
				asm("fclex");
				if(_t13 < 0) {
					_push(0x4c);
					_push(0x41a5dc);
					_push(_t23);
					_push(_t13);
					L00401406();
				}
				_t14 = _v28;
				_t24 = _t14;
				_t15 =  *((intOrPtr*)( *_t14 + 0x28))(_t14);
				asm("fclex");
				if(_t15 < 0) {
					_push(0x28);
					_push(0x41a7c4);
					_push(_t24);
					_push(_t15);
					L00401406();
				}
				L00401400();
				_v24 = 0x2bac;
				_push(0x445bcf);
				return _t15;
			}

0x00445b2d
0x00445b38
0x00445b39
0x00445b46
0x00445b49
0x00445b50
0x00445b5b
0x00445b5d
0x00445b62
0x00445b67
0x00445b67
0x00445b6c
0x00445b79
0x00445b7c
0x00445b80
0x00445b82
0x00445b84
0x00445b89
0x00445b8a
0x00445b8b
0x00445b8b
0x00445b90
0x00445b96
0x00445b98
0x00445b9b
0x00445b9f
0x00445ba1
0x00445ba3
0x00445ba8
0x00445ba9
0x00445baa
0x00445baa
0x00445bb2
0x00445bb7
0x00445bbe
0x00000000

APIs

__vbaNew2.MSVBVM60(0041A5EC,0044764C), ref: 00445B67
__vbaHresultCheckObj.MSVBVM60(00000000,02B0E99C,0041A5DC,0000004C), ref: 00445B8B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A7C4,00000028), ref: 00445BAA
__vbaFreeObj.MSVBVM60 ref: 00445BB2

Memory Dump Source

Source File: 00000007.00000002.932472232.0000000000444000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.932326693.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.932334937.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.932391901.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.932514496.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.932530830.0000000000449000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_NOA_-_CMA_CGM_ARRIVAL_NOTICE.jbxd

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID:
API String ID: 4261391273-0
Opcode ID: 3b45c38d72da4dc19979e369623bf2b9d275700a0b51f204a80d41e7414d1876
Instruction ID: d149ebaf9513498a92a241d38026709951041e6138f51d8bd902572ef35da5a4
Opcode Fuzzy Hash: 3b45c38d72da4dc19979e369623bf2b9d275700a0b51f204a80d41e7414d1876
Instruction Fuzzy Hash: 760165B0941604BFEB11AB56CC4AFAB7AB8EB04714F10015EF101B31D3D77C69458AAD

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: unarchiver.exe PID: 3604 Parent PID: 5140

General

Chronological Activities

Analysis Process: 7za.exe PID: 3240 Parent PID: 3604

General

Chronological Activities

Analysis Process: conhost.exe PID: 5776 Parent PID: 3240

General

Chronological Activities

Analysis Process: cmd.exe PID: 6264 Parent PID: 3604

General

Function 02DA02A8, Relevance: 3.0, Strings: 2, Instructions: 481
COMMON

Function 0133B0B2, Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 0133AB70, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0133A504, Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Function 0133A9E2, Relevance: 1.6, APIs: 1, Instructions: 90
pipeCOMMON

Function 0133A120, Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Function 0133AB96, Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0133B0E2, Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0133A77C, Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Function 0133A85F, Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Function 0133A52A, Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Function 0133A6BB, Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Function 0133A600, Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Function 0133A448, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 0133A88E, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON