Play interactive tour

Edit tour

Windows Analysis Report DHL.com

Overview

General Information

Sample Name:	DHL.com (renamed file extension from com to exe)
Analysis ID:	490026
MD5:	8fab6753620475b356fb55cb3339aa8f
SHA1:	d1d7badd885b824b212be62c7caa7ff33d419d05
SHA256:	83e4ae7f04653b03a31836d92b1d70b1d9264a2fe7a4570cf39f4be1bf134e2b
Tags:	comDHLexeGuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

GuLoader behavior detected

Yara detected GuLoader

Hides threads from debuggers

Writes to foreign memory regions

Tries to detect Any.run

C2 URLs / IPs found in malware configuration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to call native functions

Program does not show much activity (idle)

Creates a process in suspended mode (likely to inject code)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

DHL.exe (PID: 5732 cmdline: 'C:\Users\user\Desktop\DHL.exe' MD5: 8FAB6753620475B356FB55CB3339AA8F)

ieinstal.exe (PID: 7140 cmdline: 'C:\Users\user\Desktop\DHL.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

ieinstal.exe (PID: 6800 cmdline: 'C:\Users\user\Desktop\DHL.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://107.189.4.115/ncHJfummF147.bin"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000001A.00000002.791045987.00000000030D0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: DHL.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "http://107.189.4.115/ncHJfummF147.bin"}

Multi AV Scanner detection for submitted file

Show sources

Source: DHL.exe	Virustotal: Detection: 28%			Perma Link
Source: DHL.exe	ReversingLabs: Detection: 11%

Machine Learning detection for sample

Show sources

Source: DHL.exe

Joe Sandbox ML: detected

Source: 1.2.DHL.exe.400000.0.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 1.0.DHL.exe.400000.0.unpack	Avira: Label: TR/Dropper.VB.Gen

Source: DHL.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://107.189.4.115/ncHJfummF147.bin

Source: DHL.exe, 00000001.00000002.712237574.000000000071A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: DHL.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: DHL.exe, 00000001.00000002.712188985.000000000041D000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSEMIQUOTE.exe vs DHL.exe
Source: DHL.exe	Binary or memory string: OriginalFilenameSEMIQUOTE.exe vs DHL.exe

Source: DHL.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023B2214	1_2_023B2214
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023AFA47	1_2_023AFA47
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023ADB58	1_2_023ADB58
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023A563C	1_2_023A563C
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023B0034	1_2_023B0034
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023A5628	1_2_023A5628
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023A4017	1_2_023A4017
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023A5846	1_2_023A5846
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023A4EB0	1_2_023A4EB0
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023B00B5	1_2_023B00B5
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023A4EAD	1_2_023A4EAD
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023A409A	1_2_023A409A
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023A4EF0	1_2_023A4EF0
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023A58E0	1_2_023A58E0
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023A56CA	1_2_023A56CA
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023A4933	1_2_023A4933
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023AF37A	1_2_023AF37A
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023A594A	1_2_023A594A
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023A574C	1_2_023A574C
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023A59A3	1_2_023A59A3
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023A598D	1_2_023A598D
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023B0B86	1_2_023B0B86
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023AEFE8	1_2_023AEFE8
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023A59D2	1_2_023A59D2
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023A3FC2	1_2_023A3FC2
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023A57C3	1_2_023A57C3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030E2214	26_2_030E2214
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030D574C	26_2_030D574C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030D57C3	26_2_030D57C3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030D3FC2	26_2_030D3FC2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030D5628	26_2_030D5628
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030D563C	26_2_030D563C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030D56CA	26_2_030D56CA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030D4933	26_2_030D4933
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030D594A	26_2_030D594A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030D598D	26_2_030D598D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030D59A3	26_2_030D59A3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030D59D2	26_2_030D59D2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030D4017	26_2_030D4017
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030D5846	26_2_030D5846
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030D409A	26_2_030D409A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030D58E0	26_2_030D58E0

Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023B2214 NtResumeThread,	1_2_023B2214
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023B1C6C NtProtectVirtualMemory,	1_2_023B1C6C
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023AFA47 NtAllocateVirtualMemory,	1_2_023AFA47

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\DHL.exe	Process Stats: CPU usage > 98%

Source: DHL.exe	Virustotal: Detection: 28%
Source: DHL.exe	ReversingLabs: Detection: 11%

Source: DHL.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DHL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\DHL.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DHL.exe 'C:\Users\user\Desktop\DHL.exe'
Source: C:\Users\user\Desktop\DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL.exe'
Source: C:\Users\user\Desktop\DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL.exe'
Source: C:\Users\user\Desktop\DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL.exe'	Jump to behavior

Source: C:\Users\user\Desktop\DHL.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DFBEC8D2F5C809F532.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/0@0/0

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.791045987.00000000030D0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_00402416 push 0040107Ch; ret	1_2_00402433
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_00402434 push 0040107Ch; ret	1_2_00402447
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_00408695 push 0000007Bh; iretd	1_2_004087CD
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_004090BB push 00000054h; iretd	1_2_004090BA
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_00404F07 push ebp; retf	1_2_00404EFF
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_00408FD0 push 00000054h; iretd	1_2_004090BA
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023A50F2 pushfd ; retf	1_2_023A50FE
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023A155E push ebp; iretd	1_2_023A1560
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030D0763 push cs; iretd	26_2_030D076B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030D091D push FFFFFF96h; iretd	26_2_030D091F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030D155E push ebp; iretd	26_2_030D1560
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030D50F1 pushfd ; retf	26_2_030D50FE

Source: C:\Users\user\Desktop\DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\DHL.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Users\user\Desktop\DHL.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: DHL.exe, 00000001.00000002.712246912.0000000000731000.00000004.00000020.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE-3){
Source: DHL.exe, 00000001.00000002.712412278.00000000023E0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLLPROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: DHL.exe, 00000001.00000002.712412278.00000000023E0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: DHL.exe, 00000001.00000002.712246912.0000000000731000.00000004.00000020.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\DHL.exe

Code function: 1_2_023A4E28 rdtsc

1_2_023A4E28

Source: C:\Users\user\Desktop\DHL.exe

System information queried: ModuleInformation

Jump to behavior

Source: DHL.exe, 00000001.00000002.712412278.00000000023E0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublishershell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dllProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: DHL.exe, 00000001.00000002.712246912.0000000000731000.00000004.00000020.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe-3){
Source: DHL.exe, 00000001.00000002.712412278.00000000023E0000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: DHL.exe, 00000001.00000002.712246912.0000000000731000.00000004.00000020.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\DHL.exe

Thread information set: HideFromDebugger

Jump to behavior

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023B0B86 mov eax, dword ptr fs:[00000030h]	1_2_023B0B86
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023AEBEB mov eax, dword ptr fs:[00000030h]	1_2_023AEBEB
Source: C:\Users\user\Desktop\DHL.exe	Code function: 1_2_023AF5DE mov eax, dword ptr fs:[00000030h]	1_2_023AF5DE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030DEBEB mov eax, dword ptr fs:[00000030h]	26_2_030DEBEB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 26_2_030DF5DE mov eax, dword ptr fs:[00000030h]	26_2_030DF5DE

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\DHL.exe

Code function: 1_2_023A4E28 rdtsc

1_2_023A4E28

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Code function: 26_2_030E2214 RtlAddVectoredExceptionHandler,

26_2_030E2214

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\DHL.exe

Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 30D0000

Jump to behavior

Source: C:\Users\user\Desktop\DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL.exe'			Jump to behavior
Source: C:\Users\user\Desktop\DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL.exe'			Jump to behavior

Source: ieinstal.exe, 0000001A.00000002.791529522.0000000003A10000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: ieinstal.exe, 0000001A.00000002.791529522.0000000003A10000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 0000001A.00000002.791529522.0000000003A10000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: ieinstal.exe, 0000001A.00000002.791529522.0000000003A10000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection112	Virtualization/Sandbox Evasion31	Input Capture1	Security Software Discovery411	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Software Packing1	LSASS Memory	Virtualization/Sandbox Evasion31	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	System Information Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DHL.exe	29%	Virustotal		Browse
DHL.exe	11%	ReversingLabs	Win32.Trojan.Mucc
DHL.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.DHL.exe.400000.0.unpack	100%	Avira	TR/Dropper.VB.Gen		Download File
1.0.DHL.exe.400000.0.unpack	100%	Avira	TR/Dropper.VB.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://107.189.4.115/ncHJfummF147.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://107.189.4.115/ncHJfummF147.bin	true	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	490026
Start date:	24.09.2021
Start time:	21:26:50
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DHL.com (renamed file extension from com to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 20.6% (good quality ratio 6.2%) Quality average: 13.2% Quality standard deviation: 24.5%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.4.86, 20.82.210.154, 20.199.120.85, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.50.102.62, 20.199.120.182 Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, ris.api.iris.microsoft.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.36618367187466
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL.exe
File size:	147456
MD5:	8fab6753620475b356fb55cb3339aa8f
SHA1:	d1d7badd885b824b212be62c7caa7ff33d419d05
SHA256:	83e4ae7f04653b03a31836d92b1d70b1d9264a2fe7a4570cf39f4be1bf134e2b
SHA512:	f2b2c1fc9739bd3421455de4c71556d44efa29715756c0cf4d804465c6ebb577d891e9cbf6853059929373355ce5b782b8e5e3c47848b129b9a5751e1d0dcd6d
SSDEEP:	3072:gGFZ3bD6eWdxHrDZ9PM/zw0q8Lwtp1eW:gmqJlr19Pp0q8ctTe
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i...d...i.Rich..i.................PE..L......R..........................................@........................

File Icon


Icon Hash:	ccf0e8f8e8e8f864

Static PE Info

General
Entrypoint:	0x401088
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x52FFCCE0 [Sat Feb 15 20:24:00 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	48a41634a91a3d58d7574e90175db383

Entrypoint Preview

Instruction
push 00401A7Ch
call 00007F9A287B4A95h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx-4Fh], dh
pop dword ptr [ebx]
mov ah, 94h
or dword ptr [ebx+eax*4+45h], eax
or byte ptr [eax], dh
lds eax, fword ptr [eax]
arpl word ptr [eax+eax+00h], ax
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [esi], al
push eax
add dword ptr [ecx], 56h
push 00000072h
jnc 00007F9A287B4B03h
je 00004AA3h
add byte ptr [eax], al
add ah, ah
daa
xchg eax, ecx
add eax, dword ptr [eax]
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
push es
add dword ptr [ebx+40B07806h], esp
inc dword ptr [esp+ebp*4-47h]
cmpsd
sub edi, ebp
nop
and bl, byte ptr [edx-6Eh]
mov ebp, EDE620CBh
imul ecx, dword ptr [esi-52h], A4h
call far 3A88h : 05DD6527h
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov eax, dword ptr [edx]
add byte ptr [eax], al
nop
add dword ptr [eax], eax
add byte ptr [eax], al
pop es
add byte ptr [ebp+79h], ch
outsd
jo 00007F9A287B4B07h
bound esp, dword ptr [ecx+00h]
or eax, 45000901h
js 00007F9A287B4B17h
insd
bound esi, dword ptr [edx+61h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1ae44	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d000	0x8654	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x220	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x34	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x19f30	0x1a000	False	0.496300330529	data	6.35084151068	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1b000	0x1e50	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1d000	0x8654	0x9000	False	0.488498263889	data	5.80900365728	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
CUSTOM	0x1d290	0x2fe	MS Windows icon resource - 1 icon, 32x32, 4 colors	English	United States
CUSTOM	0x1d590	0x8be	MS Windows icon resource - 1 icon, 32x32	English	United States
CUSTOM	0x1de50	0x2fe	MS Windows icon resource - 1 icon, 32x32, 4 colors	English	United States
CUSTOM	0x1e150	0x2fe	MS Windows icon resource - 1 icon, 32x32, 4 colors	English	United States
RT_ICON	0x1e450	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x1e8b8	0x988	data
RT_ICON	0x1f240	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0x202e8	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0x22890	0x2ac7	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0x25358	0x4c	data
RT_VERSION	0x253a4	0x2b0	data	English	United States

Imports

DLL	Import
MSVBVM60.DLL	MethCallEngine, EVENT_SINK_AddRef, DllFunctionCall, EVENT_SINK_Release, EVENT_SINK_QueryInterface, __vbaExceptHandler

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	SEMIQUOTE
FileVersion	1.00
CompanyName	PolyPass Games
Comments	PolyPass Games
ProductName	PolyPass Games
ProductVersion	1.00
FileDescription	PolyPass Games
OriginalFilename	SEMIQUOTE.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 24, 2021 21:27:56.714267015 CEST	63668	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:27:56.743170023 CEST	53	63668	8.8.8.8	192.168.2.7
Sep 24, 2021 21:28:23.014545918 CEST	54640	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:28:23.049551010 CEST	53	54640	8.8.8.8	192.168.2.7
Sep 24, 2021 21:28:42.511373043 CEST	58739	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:28:42.531070948 CEST	53	58739	8.8.8.8	192.168.2.7
Sep 24, 2021 21:28:50.544855118 CEST	60338	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:28:50.568617105 CEST	53	60338	8.8.8.8	192.168.2.7
Sep 24, 2021 21:28:50.946224928 CEST	58717	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:28:50.965361118 CEST	53	58717	8.8.8.8	192.168.2.7
Sep 24, 2021 21:28:51.589273930 CEST	59762	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:28:51.616388083 CEST	53	59762	8.8.8.8	192.168.2.7
Sep 24, 2021 21:28:52.096020937 CEST	54329	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:28:52.144557953 CEST	53	54329	8.8.8.8	192.168.2.7
Sep 24, 2021 21:28:52.552022934 CEST	58052	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:28:52.573268890 CEST	53	58052	8.8.8.8	192.168.2.7
Sep 24, 2021 21:28:53.093544006 CEST	54008	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:28:53.112736940 CEST	53	54008	8.8.8.8	192.168.2.7
Sep 24, 2021 21:28:53.552822113 CEST	59451	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:28:53.572673082 CEST	53	59451	8.8.8.8	192.168.2.7
Sep 24, 2021 21:28:54.461477041 CEST	52914	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:28:54.495018005 CEST	53	52914	8.8.8.8	192.168.2.7
Sep 24, 2021 21:28:55.258459091 CEST	64569	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:28:55.336710930 CEST	53	64569	8.8.8.8	192.168.2.7
Sep 24, 2021 21:28:56.825628996 CEST	52816	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:28:56.853480101 CEST	53	52816	8.8.8.8	192.168.2.7
Sep 24, 2021 21:28:57.012238979 CEST	50781	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:28:57.029611111 CEST	53	50781	8.8.8.8	192.168.2.7
Sep 24, 2021 21:28:57.385459900 CEST	54230	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:28:57.419279099 CEST	53	54230	8.8.8.8	192.168.2.7
Sep 24, 2021 21:29:00.476371050 CEST	54911	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:29:00.497201920 CEST	53	54911	8.8.8.8	192.168.2.7
Sep 24, 2021 21:29:06.298036098 CEST	49958	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:29:06.316865921 CEST	53	49958	8.8.8.8	192.168.2.7
Sep 24, 2021 21:29:23.591329098 CEST	50860	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:29:23.611385107 CEST	53	50860	8.8.8.8	192.168.2.7
Sep 24, 2021 21:29:32.491617918 CEST	50452	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:29:32.518929005 CEST	53	50452	8.8.8.8	192.168.2.7
Sep 24, 2021 21:29:34.237916946 CEST	59730	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:29:34.273744106 CEST	53	59730	8.8.8.8	192.168.2.7
Sep 24, 2021 21:29:50.218405962 CEST	59310	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:29:50.237246037 CEST	53	59310	8.8.8.8	192.168.2.7
Sep 24, 2021 21:30:22.824285030 CEST	51919	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:30:22.841037989 CEST	53	51919	8.8.8.8	192.168.2.7
Sep 24, 2021 21:31:23.926156998 CEST	64296	53	192.168.2.7	8.8.8.8
Sep 24, 2021 21:31:23.943835020 CEST	53	64296	8.8.8.8	192.168.2.7

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: DHL.exe PID: 5732 Parent PID: 5432

General

Start time:	21:27:57
Start date:	24/09/2021
Path:	C:\Users\user\Desktop\DHL.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\DHL.exe'
Imagebase:	0x400000
File size:	147456 bytes
MD5 hash:	8FAB6753620475B356FB55CB3339AA8F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: ieinstal.exe PID: 7140 Parent PID: 5732

General

Start time:	21:30:19
Start date:	24/09/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\DHL.exe'
Imagebase:	0x300000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ieinstal.exe PID: 6800 Parent PID: 5732

General

Start time:	21:30:20
Start date:	24/09/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\DHL.exe'
Imagebase:	0x300000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000001A.00000002.791045987.00000000030D0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: DHL.exe PID: 5732 Parent PID: 5432 DHL.exeCOMMON

Executed Functions

Function 023B2214, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 303COMMON

Download Yara Rule

Strings

F%r, xrefs: 023B28B6
n, xrefs: 023B2234

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: F%r$n
API String ID: 0-4137789598
Opcode ID: c3f7174b476fc1d23768df1f0f5342ca9e09e6dfd3fee4a719f5429fe1707695
Instruction ID: 31616e103a3ec8b1ae7af35ff3844507b33d21b9e348083e54356bceefc3780c
Opcode Fuzzy Hash: c3f7174b476fc1d23768df1f0f5342ca9e09e6dfd3fee4a719f5429fe1707695
Instruction Fuzzy Hash: 62B18B7160434ACFDF369E34C9A83E737A6EF56350F41432ACE8A8BE55D7308981CA42

Uniqueness

Uniqueness Score: -1.00%

Function 023AFA47, Relevance: 1.8, APIs: 1, Instructions: 342memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(AD537927,?,0000AC3D), ref: 023AFD52

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 4a839cb41d4563182932952e372e55bf757495f162659aa6698f1c8e0e6d939d
Instruction ID: a6f13bc8324258039ed4d42daefdd28d568d7b5a3c315f4b9162686316c1a410
Opcode Fuzzy Hash: 4a839cb41d4563182932952e372e55bf757495f162659aa6698f1c8e0e6d939d
Instruction Fuzzy Hash: 70B16B706087579FD726DE28CC987DA7BA69F46760F044279CCAA8F6E6D7308143CA81

Uniqueness

Uniqueness Score: -1.00%

Function 023ADB58, Relevance: 1.6, APIs: 1, Instructions: 116fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(000000A5,083BBA3D), ref: 023AE091

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 185a40ef47ec0fa30f57b653e06c83335809cc73af4ab50d99f14232afd91453
Instruction ID: 56b95f0929acab225d36a5e962d28e084a5d06a966f54fe885bccef4aec8b686
Opcode Fuzzy Hash: 185a40ef47ec0fa30f57b653e06c83335809cc73af4ab50d99f14232afd91453
Instruction Fuzzy Hash: 0E413476208309CFDB204E248DA47FA33AAEF96250F260A3F99D356D56D3304481CB02

Uniqueness

Uniqueness Score: -1.00%

Function 023B1C6C, Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 023B1D4C

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: bf4c6d639a09a853971ba58eaaf655a1587879d38448f549de4a238abf68ca89
Instruction ID: b16a7a28f5d9949c173ca4bf3e9157ce89d1e7f7fbd2b0c2107f8310def5a0c8
Opcode Fuzzy Hash: bf4c6d639a09a853971ba58eaaf655a1587879d38448f549de4a238abf68ca89
Instruction Fuzzy Hash: D6F081741052859FDB30DF69C9445FAB7E6FFD8300F45842EE98997605C230A941C716

Uniqueness

Uniqueness Score: -1.00%

Function 00401088, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 0040108D

Strings

VB5!6&*, xrefs: 00401088

Memory Dump Source

Source File: 00000001.00000002.712172054.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.712167862.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.712184740.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.712188985.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: e73ecd2c2930bb6e91bbe6a794baeb8e0bfaddfcb9c0e343aa130ded90d2b7e3
Instruction ID: e54fe6f0211ffab8fbe4c1962618d1af217c7be3fa2282477070502ed73a9896
Opcode Fuzzy Hash: e73ecd2c2930bb6e91bbe6a794baeb8e0bfaddfcb9c0e343aa130ded90d2b7e3
Instruction Fuzzy Hash: 6451776554E3C18FD3038B7498696947FB0AF17224B1A46EBC4C1CF0F3D26C084ADB66

Uniqueness

Uniqueness Score: -1.00%

Function 023A11C0, Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 396605a5fa7cdc4828d15e13ca3d417cbae4c31cc705f849d9e6a50f0a5af374
Instruction ID: 5bd389ac96faed9aca933cb8a665254c88c487eee77f39fb06f86a18ebd617d9
Opcode Fuzzy Hash: 396605a5fa7cdc4828d15e13ca3d417cbae4c31cc705f849d9e6a50f0a5af374
Instruction Fuzzy Hash: C7310571188BA38FC717CE788C54645BBE4DF43620F0886B9C5E98F6E2EB205547C691

Uniqueness

Uniqueness Score: -1.00%

Function 023A114C, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,023AEEED,?,?,00000000,023AEDF8,?,?,?,-00000020,?,?,?,?,?,00000040), ref: 023A110D

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: fa498462389da4c1ccd72d57665643502b53dcfd316b1c1b062ae956295b8976
Instruction ID: da4a1f13c2eb218232e402c602c6bea6c77ac13d52f447f660552e39763eb2d0
Opcode Fuzzy Hash: fa498462389da4c1ccd72d57665643502b53dcfd316b1c1b062ae956295b8976
Instruction Fuzzy Hash: B3110370648AA74FD323CE298CA8959BFA4DF43520F1887B9C5F98FAD7DB104147CA91

Uniqueness

Uniqueness Score: -1.00%

Function 023A10D2, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,023AEEED,?,?,00000000,023AEDF8,?,?,?,-00000020,?,?,?,?,?,00000040), ref: 023A110D

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: a7b9190cdb3d026bd531e8f1ddd99a37e308a85395476cc08193913817fe7d99
Instruction ID: ec58f392b41a632bfb5013ed494a845b81d2ba0b6ad9ff69cb68c1b2e5857df0
Opcode Fuzzy Hash: a7b9190cdb3d026bd531e8f1ddd99a37e308a85395476cc08193913817fe7d99
Instruction Fuzzy Hash: 92019E32644B868FC326CF749C616967FE0EF97110F2485B9C8C9CB916DA355C47C742

Uniqueness

Uniqueness Score: -1.00%

Function 023AEBFC, Relevance: 1.5, APIs: 1, Instructions: 37libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 023AEDEA

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ce8f7de6e3f07dcec45ef94472dd73e0ac12c9f632dfc65ec39714c17c7946ea
Instruction ID: 2008b5df1646762140df956fb05d28055140e202fb9d06d590c7de0f6ae3fc51
Opcode Fuzzy Hash: ce8f7de6e3f07dcec45ef94472dd73e0ac12c9f632dfc65ec39714c17c7946ea
Instruction Fuzzy Hash: 540119786052869FEB709E6D89B5BCB3AA6EF49340F41443AAC4ECB200D731CA098B11

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 023B0034, Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

+~3, xrefs: 023B048E

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: +~3
API String ID: 0-888034136
Opcode ID: e482fd2085bfc0d0448d598751abd922422c66fc22f152a6f5ef852451ca6d76
Instruction ID: 0dac424b169b8b1b8caa51d61eddfed5a7593c6cc392d7842445a13f2b2fac4c
Opcode Fuzzy Hash: e482fd2085bfc0d0448d598751abd922422c66fc22f152a6f5ef852451ca6d76
Instruction Fuzzy Hash: 07A15671A0834ADFDB399E6889E47EF73A2EF55350F45012ECD8A9BA40D3305985CF42

Uniqueness

Uniqueness Score: -1.00%

Function 023A56CA, Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

wA, xrefs: 023A5BA4

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: wA
API String ID: 0-545033416
Opcode ID: de3a943bc2283ecf133f9ec4d973005310647a383c317e26fb53eb864042693e
Instruction ID: e7f8742305932e4ef01fde2343c153de571011b64785e0f4018acdea2654dcf0
Opcode Fuzzy Hash: de3a943bc2283ecf133f9ec4d973005310647a383c317e26fb53eb864042693e
Instruction Fuzzy Hash: D6A17472A083569FCB309E288D547EA77A5EF01360F85452EDCD9EB690D3308986CB82

Uniqueness

Uniqueness Score: -1.00%

Function 023A563C, Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

wA, xrefs: 023A5BA4

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: wA
API String ID: 0-545033416
Opcode ID: f6bc759e480ab730b9fa81a8e4431a296fe31a89b402eb97ee1f145e8fa1bc93
Instruction ID: ee85af3940bac6188d1a98fb7d61e58f5032c4877cfc3ede37f1e028aa24711a
Opcode Fuzzy Hash: f6bc759e480ab730b9fa81a8e4431a296fe31a89b402eb97ee1f145e8fa1bc93
Instruction Fuzzy Hash: B5917372A08356DFCB30AE288D547EA77E5EF15350F86452EDCD9EB650D3308986CB82

Uniqueness

Uniqueness Score: -1.00%

Function 023A5628, Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

wA, xrefs: 023A5BA4

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: wA
API String ID: 0-545033416
Opcode ID: 3206a255c6717b84831c6a2bf848cbb1dcf5a6a6e9c93f973a9591b363a950af
Instruction ID: 59df8010ef823c9c69ca25d13b0b409097a4fe16571cf5c7573cd9861609fcae
Opcode Fuzzy Hash: 3206a255c6717b84831c6a2bf848cbb1dcf5a6a6e9c93f973a9591b363a950af
Instruction Fuzzy Hash: 7D911272918354DFCB749E6889647EB77A6EF14350F86482EDCCAEB614D3308985CB83

Uniqueness

Uniqueness Score: -1.00%

Function 023A574C, Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

wA, xrefs: 023A5BA4

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: wA
API String ID: 0-545033416
Opcode ID: f9eb725789ec6ec35ce325c08a4b377262b0405cd6a672b65ab7e4f2a73e96d8
Instruction ID: ba51f0a2544f13dc979f742e2e1f0a068151adda5a689fa20c3395add6baa894
Opcode Fuzzy Hash: f9eb725789ec6ec35ce325c08a4b377262b0405cd6a672b65ab7e4f2a73e96d8
Instruction Fuzzy Hash: 75817571A08356DFCB309E288C547EA77A5EF05360F85452EDCDDEB690D3308A82CB82

Uniqueness

Uniqueness Score: -1.00%

Function 023A5846, Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

wA, xrefs: 023A5BA4

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: wA
API String ID: 0-545033416
Opcode ID: 67a8363f1fe9106854c5125c438d9497e2562e3ea6b63218e177eba463f2d09b
Instruction ID: e8587dba6342ef4cc2180ba2f4f4d536f64887d011f81a137363ab51b7bc918f
Opcode Fuzzy Hash: 67a8363f1fe9106854c5125c438d9497e2562e3ea6b63218e177eba463f2d09b
Instruction Fuzzy Hash: CD7167719083669FCB319E2C8C547DB77A5AF06720F85462EDC9DEB694D3308A42CB92

Uniqueness

Uniqueness Score: -1.00%

Function 023A57C3, Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

wA, xrefs: 023A5BA4

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: wA
API String ID: 0-545033416
Opcode ID: ce7fef5eae43590e17961290ea190fedaa0e1bcdd64daff6382e373149c8ffbd
Instruction ID: bd639edb2c69457a2a83b4cd257f184ea35a914be4dc1a8551d06ed145d9a3fe
Opcode Fuzzy Hash: ce7fef5eae43590e17961290ea190fedaa0e1bcdd64daff6382e373149c8ffbd
Instruction Fuzzy Hash: 6E718671908356DFCB309E288C547DA77E5EF05360F85462ADC9DEB694D3308A82CB92

Uniqueness

Uniqueness Score: -1.00%

Function 023A594A, Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

wA, xrefs: 023A5BA4

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: wA
API String ID: 0-545033416
Opcode ID: ae3cf4f429528325ad2022761553441d9813f6babb64b228c378f934def845f1
Instruction ID: f8354a919cf8ee0db0ddd077c0e530fd26c93a27552e6892f13ad271719ffe4c
Opcode Fuzzy Hash: ae3cf4f429528325ad2022761553441d9813f6babb64b228c378f934def845f1
Instruction Fuzzy Hash: 9E517D715483679FC7329E7C8C586DA77A5AF02720F89862D8CE9DF1D5D3308942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 023B00B5, Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

9, xrefs: 023B00E6

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 9
API String ID: 0-2366072709
Opcode ID: 77b6decd95de94af4242995379bfd6dbd8529603c4d5aa07482554f06de6a688
Instruction ID: 22eb243e26e20e5a48b9dc230fccde59c39e1f5d735490b3346d6c7b19eb622b
Opcode Fuzzy Hash: 77b6decd95de94af4242995379bfd6dbd8529603c4d5aa07482554f06de6a688
Instruction Fuzzy Hash: F75116716487969FCB3A8E698DD47DB77A2EF41350F45022ECC5A9FAC1C3305682CB52

Uniqueness

Uniqueness Score: -1.00%

Function 023A58E0, Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

wA, xrefs: 023A5BA4

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: wA
API String ID: 0-545033416
Opcode ID: b6d30d4e8a2a633ddd27f575d4b2246817f9adf79ac96061064845268b84e159
Instruction ID: 2c22f5acf1f26062552471059b444e2b3fa89fcaedbb9a933d219b0b8c5e1045
Opcode Fuzzy Hash: b6d30d4e8a2a633ddd27f575d4b2246817f9adf79ac96061064845268b84e159
Instruction Fuzzy Hash: 0451AB71948366DFCB319E788C547DB77A5AF01320F85462ECCD9EB294D3308A86CB92

Uniqueness

Uniqueness Score: -1.00%

Function 023A598D, Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

wA, xrefs: 023A5BA4

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: wA
API String ID: 0-545033416
Opcode ID: 25eb78d4711341bb3b3b7745491a7453cd6566e6170783089b62d01535c93e19
Instruction ID: 8ff63a2514107d74fda2f99bf0d82fe4f1a3ca145bab28147d4db822cd49dec7
Opcode Fuzzy Hash: 25eb78d4711341bb3b3b7745491a7453cd6566e6170783089b62d01535c93e19
Instruction Fuzzy Hash: 84518E71948362DFCB315E788D646DB7BA5AF02710FC6462ECCD9AB195D3304986CB82

Uniqueness

Uniqueness Score: -1.00%

Function 023A59D2, Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

wA, xrefs: 023A5BA4

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: wA
API String ID: 0-545033416
Opcode ID: d7c9e53261a6f18ff1390b5fe5a3fae1ae69647eaaf6f635abcad8b598f83e23
Instruction ID: 65a1e10bbf3dcb7831cd5956845d1d2a763c86943b506a01b14708bbab79ee66
Opcode Fuzzy Hash: d7c9e53261a6f18ff1390b5fe5a3fae1ae69647eaaf6f635abcad8b598f83e23
Instruction Fuzzy Hash: EC51AE71948363DFC7325E7C8D546DB77A5AF02720F89862D8CE9AB1D4D3304986CB92

Uniqueness

Uniqueness Score: -1.00%

Function 023A4EAD, Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

`, xrefs: 023A50A8

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 12b4d3c0e5156efb85b5a46418a81e8b871a32f2741c4d6e381ebe02f1c507d6
Instruction ID: 21d930415a3ecf84f47027cf4dc038442166ceb3bbe445565cfb26e9da9160f9
Opcode Fuzzy Hash: 12b4d3c0e5156efb85b5a46418a81e8b871a32f2741c4d6e381ebe02f1c507d6
Instruction Fuzzy Hash: CC414C36A14359CBDF389E288DB47DA32A7EF84350F95813ADD4A47909C7358947CB82

Uniqueness

Uniqueness Score: -1.00%

Function 023A4EB0, Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

`, xrefs: 023A50A8

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 3990d11b9a12bbcac849cac916f738ee8f5617f8f668b654c6c5ebb28a16fc7a
Instruction ID: 81c6b317b5c0bae8e134e40fe8194dfe9369a6049fc77e2e14e134222b603a87
Opcode Fuzzy Hash: 3990d11b9a12bbcac849cac916f738ee8f5617f8f668b654c6c5ebb28a16fc7a
Instruction Fuzzy Hash: 07417C71604366CFEF358D2C8CA47DA32A6AF81720F99C23ADC5D4B6C5C7348543CA91

Uniqueness

Uniqueness Score: -1.00%

Function 023A4EF0, Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

`, xrefs: 023A50A8

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 081df89327d73dfc04bc3c5e45849b6169bbf35b63a2dbbf2cd2bc963d9b9ebf
Instruction ID: a8c50e3dc664d840e5688268d31095e2f9fecc3e127b6c5b8918377a5a966f45
Opcode Fuzzy Hash: 081df89327d73dfc04bc3c5e45849b6169bbf35b63a2dbbf2cd2bc963d9b9ebf
Instruction Fuzzy Hash: DD418D71604356CBEF36DD2D8CA47DA76A6AF81720F89823ADC5D4B6C9C3308543CA91

Uniqueness

Uniqueness Score: -1.00%

Function 023AF37A, Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

o2, xrefs: 023AF451

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: o2
API String ID: 0-1802187799
Opcode ID: e44f81fbc4d84cffafb56cbb86e6a2eeec6c96c6264338e02fac98f4464375ca
Instruction ID: ea201a6704ed54b54401790f240f31d591a0cd24379bfb45dfba980409366f75
Opcode Fuzzy Hash: e44f81fbc4d84cffafb56cbb86e6a2eeec6c96c6264338e02fac98f4464375ca
Instruction Fuzzy Hash: 5B31463560834ADFCF349F78C9A47EA33A1EF5A254F544428CC868FA16E3369846CB45

Uniqueness

Uniqueness Score: -1.00%

Function 023A59A3, Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

wA, xrefs: 023A5BA4

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: wA
API String ID: 0-545033416
Opcode ID: 5128d953cae615008aeb41f85e154bd8af1a8924aad791ce1ae9984e34e9d222
Instruction ID: af142acd1289d2fe1d0983655eccd884177b97cf3aefd8385315946982865077
Opcode Fuzzy Hash: 5128d953cae615008aeb41f85e154bd8af1a8924aad791ce1ae9984e34e9d222
Instruction Fuzzy Hash: 9B415472858365DFCB705EB88A217DB77AAEF10300FC6052E8CC9AB514D3305E89CB82

Uniqueness

Uniqueness Score: -1.00%

Function 023B0B86, Relevance: .6, Instructions: 642COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4f069a90456da8a9c71cb40e8fe66f8d8b22a0e2cf4a240acf4feca2f67f031d
Instruction ID: de304915c4bcc8a96f328b0037991ebf4588d65b0dee921689dda08bee2a7851
Opcode Fuzzy Hash: 4f069a90456da8a9c71cb40e8fe66f8d8b22a0e2cf4a240acf4feca2f67f031d
Instruction Fuzzy Hash: 6E42F9706083858FDB36CF38C9A47DA7BE25F56360F48826ACDDA8F696D3348546C712

Uniqueness

Uniqueness Score: -1.00%

Function 023A409A, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdcb5626f5c8a4d45755ea3293bd206a6eef4de693f324193bcf6f030af52004
Instruction ID: 710b5428c9329b8135d720c517abed57b885c21c57ba8e99641cdc9ed7d99974
Opcode Fuzzy Hash: fdcb5626f5c8a4d45755ea3293bd206a6eef4de693f324193bcf6f030af52004
Instruction Fuzzy Hash: 536198716082579FDB32AE288C04BDF77B7AF95720F49822EDC999B2D4C7308542CB50

Uniqueness

Uniqueness Score: -1.00%

Function 023AEFE8, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75fbb237565dc591c3a56c4920088aba32a9bbda6c45c2af02b9fb97e7c42bb6
Instruction ID: 315bac3f5a69933e61c6cf56b451655bc8d3fa5690d717d0273bdf76a60dc258
Opcode Fuzzy Hash: 75fbb237565dc591c3a56c4920088aba32a9bbda6c45c2af02b9fb97e7c42bb6
Instruction Fuzzy Hash: A0519C716182868FDB36CF38CCE56DA7BE1EF5A350F44466AC5D9CB6A2C7308506CB40

Uniqueness

Uniqueness Score: -1.00%

Function 023A4017, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d4bc2fe97b26e193ef65328236ec1731f8bf120d4260c3add5274936a826a5
Instruction ID: 95efdd61fee26a629a12eb08ffc4ee420b37b70ce3e261fe22ea899153467f59
Opcode Fuzzy Hash: b4d4bc2fe97b26e193ef65328236ec1731f8bf120d4260c3add5274936a826a5
Instruction Fuzzy Hash: DA5148716042969FCB36AE288C04ADF77B7AF99760F45822EEC99DB294C7308542CB40

Uniqueness

Uniqueness Score: -1.00%

Function 023A3FC2, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9244ff772f082898e737b8b74ae73906d03dce3a56bf2a0e648d5a2f3328aff5
Instruction ID: 2de474c9afa4d753272eb2e270a12f70cfc391544c92b4658027c6b964f73307
Opcode Fuzzy Hash: 9244ff772f082898e737b8b74ae73906d03dce3a56bf2a0e648d5a2f3328aff5
Instruction Fuzzy Hash: 1F514672A0428ADFDB74AE248C14BDF37B7AFE8350F55412EEC899B214C7718982CB01

Uniqueness

Uniqueness Score: -1.00%

Function 023A4933, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c14fb515f00135f0eff54490fc6b1fc6c4a7f16038649429c8fc7ba598d40065
Instruction ID: 43ea440d7c2bf579d11f75a54cc5f61169e183dd8b83da72ec959c71fd68c16a
Opcode Fuzzy Hash: c14fb515f00135f0eff54490fc6b1fc6c4a7f16038649429c8fc7ba598d40065
Instruction Fuzzy Hash: 2F41F176B0138A9BDB30AF24CC947DA36A6BF94380F964039DD4D9B241DB304A41C741

Uniqueness

Uniqueness Score: -1.00%

Function 023AF5DE, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90af2324954dd0052259530ff8348ee498254d43e44935a5283aafa1401dbfa4
Instruction ID: 612e620d913a9a9b5567a1167553c7d6a570b082a770b680fd5a5df810e7a15d
Opcode Fuzzy Hash: 90af2324954dd0052259530ff8348ee498254d43e44935a5283aafa1401dbfa4
Instruction Fuzzy Hash: 7A117975A057A5CFCB34DE28CA94BD573A0EF2D320F95426ADC098BB71C332A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 023A4E28, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f7478f8decca7778eb0d516f15f5c5379cf43a5e22996280212c5a140230ed
Instruction ID: 07049d3a27fc4ae843044f086970667a3fee14661bf31f6ab147f23fe163ea07
Opcode Fuzzy Hash: 33f7478f8decca7778eb0d516f15f5c5379cf43a5e22996280212c5a140230ed
Instruction Fuzzy Hash: 97C02B03935023051EF31A38320485F049A57A05203654D302418E3008F4C38E8548D2

Uniqueness

Uniqueness Score: -1.00%

Function 023AEBEB, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ieinstal.exe PID: 6800 Parent PID: 5732 ieinstal.exeCOMMON

Executed Functions

Function 030E2214, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 303COMMON

Download Yara Rule

Strings

F%r, xrefs: 030E28B6
n, xrefs: 030E2234

Memory Dump Source

Source File: 0000001A.00000002.791045987.00000000030D0000.00000040.00000001.sdmp, Offset: 030D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: F%r$n
API String ID: 0-4137789598
Opcode ID: c3f7174b476fc1d23768df1f0f5342ca9e09e6dfd3fee4a719f5429fe1707695
Instruction ID: e3806aa1714de0623f33a4af7fba06ef9cd49fbea615479186c2d4deaeda6864
Opcode Fuzzy Hash: c3f7174b476fc1d23768df1f0f5342ca9e09e6dfd3fee4a719f5429fe1707695
Instruction Fuzzy Hash: B5B1487270634ACFDF35EE34C9A43EA37EEAF95350F554A2ACC8A8B254D3344585CA42

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report DHL.com

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: DHL.exe PID: 5732 Parent PID: 5432

General