Play interactive tour

Edit tour

Windows Analysis Report Hesap Hareketleri 28-09-2021.exe

Overview

General Information

Sample Name:	Hesap Hareketleri 28-09-2021.exe
Analysis ID:	491950
MD5:	2fca7a3e51417ee2e8aefafede0847d9
SHA1:	931518250bed6cd21b6cab529ed3ad9ead83cdcf
SHA256:	bffbffc2b1be154742fb81ecea14cb779b8fd81581ffce2855cf588f21a8020f
Tags:	exegeoTUR
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to call native functions

Program does not show much activity (idle)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

Hesap Hareketleri 28-09-2021.exe (PID: 6572 cmdline: 'C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe' MD5: 2FCA7A3E51417EE2E8AEFAFEDE0847D9)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id"}

Multi AV Scanner detection for submitted file

Show sources

Source: Hesap Hareketleri 28-09-2021.exe

ReversingLabs: Detection: 26%

Machine Learning detection for sample

Show sources

Source: Hesap Hareketleri 28-09-2021.exe

Joe Sandbox ML: detected

Source: Hesap Hareketleri 28-09-2021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id

Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000002.867529345.000000000073A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: Hesap Hareketleri 28-09-2021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000000.344162020.0000000000415000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameTOBENET.exe vs Hesap Hareketleri 28-09-2021.exe
Source: Hesap Hareketleri 28-09-2021.exe	Binary or memory string: OriginalFilenameTOBENET.exe vs Hesap Hareketleri 28-09-2021.exe

Source: Hesap Hareketleri 28-09-2021.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071727D	1_2_0071727D
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071BB62	1_2_0071BB62
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00715A60	1_2_00715A60
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071C264	1_2_0071C264
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071AA45	1_2_0071AA45
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00717447	1_2_00717447
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071584B	1_2_0071584B
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071A64C	1_2_0071A64C
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071604F	1_2_0071604F
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00715630	1_2_00715630
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071743A	1_2_0071743A
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00715625	1_2_00715625
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071262A	1_2_0071262A
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071522C	1_2_0071522C
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071561F	1_2_0071561F
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00715E04	1_2_00715E04
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00713AF5	1_2_00713AF5
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00715CD4	1_2_00715CD4
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00715ADA	1_2_00715ADA
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_007156DD	1_2_007156DD
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_007162C4	1_2_007162C4
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_007176B9	1_2_007176B9
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_007150AA	1_2_007150AA
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00710480	1_2_00710480
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00715F75	1_2_00715F75
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00715561	1_2_00715561
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071595B	1_2_0071595B
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071A727	1_2_0071A727
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_007107F5	1_2_007107F5
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_007163E5	1_2_007163E5
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071ABDA	1_2_0071ABDA
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00715BC0	1_2_00715BC0
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_007155B3	1_2_007155B3
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071079A	1_2_0071079A

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071727D NtAllocateVirtualMemory,	1_2_0071727D
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_007176B9 NtAllocateVirtualMemory,	1_2_007176B9
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00717890 NtAllocateVirtualMemory,	1_2_00717890
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00717719 NtAllocateVirtualMemory,	1_2_00717719

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe

Process Stats: CPU usage > 98%

Source: Hesap Hareketleri 28-09-2021.exe

ReversingLabs: Detection: 26%

Source: Hesap Hareketleri 28-09-2021.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe

File created: C:\Users\user\AppData\Local\Temp\~DF4ED96077179BC113.TMP

Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, type: MEMORY

Source: Hesap Hareketleri 28-09-2021.exe

Static PE information: real checksum: 0x24c6f should be: 0x20bce

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00402AE8 push es; ret	1_2_00402B24
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_004064F7 push 13C55635h; retf	1_2_00406525
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0040431A pushfd ; retf	1_2_0040431B
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00711A34 push ebp; iretd	1_2_00711A95
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00711EFD push esi; iretd	1_2_00711F68
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00711544 push ecx; ret	1_2_00711545
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00711922 push esi; iretd	1_2_00711F68
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00711927 push ebp; iretd	1_2_00711A95
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071712B push ds; iretd	1_2_0071712E
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00717112 push ds; iretw	1_2_00717114
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00711915 push ebp; iretd	1_2_00711A95
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00711915 push esi; iretd	1_2_00711F68
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00711993 push ebp; iretd	1_2_00711A95

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	RDTSC instruction interceptor: First address: 000000000040EB3B second address: 000000000040EB3B instructions: 0x00000000 rdtsc 0x00000002 cmp ecx, 000000A1h 0x00000008 cmp eax, 000000C9h 0x0000000d popad 0x0000000e lfence 0x00000011 lfence 0x00000014 dec edi 0x00000015 lfence 0x00000018 pushfd 0x00000019 popfd 0x0000001a cmp edi, 00000000h 0x0000001d jne 00007F72DC9E1FC6h 0x0000001f lfence 0x00000022 cmp eax, 00000089h 0x00000027 pushad 0x00000028 mfence 0x0000002b wait 0x0000002c rdtsc
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	RDTSC instruction interceptor: First address: 0000000000716F2F second address: 0000000000716F2F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 8219BBE4h 0x00000007 xor eax, 75E10D96h 0x0000000c sub eax, 173DA739h 0x00000011 sub eax, E0BB0F38h 0x00000016 cpuid 0x00000018 popad 0x00000019 jmp 00007F72DCE2065Eh 0x0000001b test al, dl 0x0000001d call 00007F72DCE20618h 0x00000022 lfence 0x00000025 mov edx, C4E9AE68h 0x0000002a xor edx, 87763148h 0x00000030 xor edx, B74B9B40h 0x00000036 xor edx, 8B2A0474h 0x0000003c mov edx, dword ptr [edx] 0x0000003e lfence 0x00000041 ret 0x00000042 sub edx, esi 0x00000044 ret 0x00000045 pop ecx 0x00000046 jmp 00007F72DCE2065Ah 0x00000048 cmp dl, bl 0x0000004a add edi, edx 0x0000004c dec ecx 0x0000004d mov dword ptr [ebp+00000182h], ecx 0x00000053 mov ecx, 9B298471h 0x00000058 xor ecx, C9916611h 0x0000005e add ecx, 132F64BEh 0x00000064 add ecx, 9A17B8E2h 0x0000006a cmp dword ptr [ebp+00000182h], ecx 0x00000070 mov ecx, dword ptr [ebp+00000182h] 0x00000076 jne 00007F72DCE20583h 0x0000007c mov dword ptr [ebp+000001D9h], esi 0x00000082 mov esi, ecx 0x00000084 push esi 0x00000085 mov esi, dword ptr [ebp+000001D9h] 0x0000008b call 00007F72DCE206C4h 0x00000090 call 00007F72DCE20689h 0x00000095 lfence 0x00000098 mov edx, C4E9AE68h 0x0000009d xor edx, 87763148h 0x000000a3 xor edx, B74B9B40h 0x000000a9 xor edx, 8B2A0474h 0x000000af mov edx, dword ptr [edx] 0x000000b1 lfence 0x000000b4 ret 0x000000b5 mov esi, edx 0x000000b7 pushad 0x000000b8 rdtsc

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe

Code function: 1_2_0071726F rdtsc

1_2_0071726F

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00719EDE mov eax, dword ptr fs:[00000030h]	1_2_00719EDE
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00716D70 mov eax, dword ptr fs:[00000030h]	1_2_00716D70
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00719913 mov eax, dword ptr fs:[00000030h]	1_2_00719913
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071ABDA mov eax, dword ptr fs:[00000030h]	1_2_0071ABDA

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe

Code function: 1_2_0071726F rdtsc

1_2_0071726F

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe

Code function: 1_2_0071BB62 RtlAddVectoredExceptionHandler,

1_2_0071BB62

Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000002.867638962.0000000000CC0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000002.867638962.0000000000CC0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000002.867638962.0000000000CC0000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000002.867638962.0000000000CC0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	Input Capture1	Security Software Discovery21	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery11	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Hesap Hareketleri 28-09-2021.exe	27%	ReversingLabs	Win32.Trojan.Generic
Hesap Hareketleri 28-09-2021.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	491950
Start date:	28.09.2021
Start time:	08:03:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Hesap Hareketleri 28-09-2021.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 23.4% (good quality ratio 7.5%) Quality average: 20.1% Quality standard deviation: 32.5%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.82.210.154, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211, 23.211.4.86 Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.7538699249737375
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Hesap Hareketleri 28-09-2021.exe
File size:	90112
MD5:	2fca7a3e51417ee2e8aefafede0847d9
SHA1:	931518250bed6cd21b6cab529ed3ad9ead83cdcf
SHA256:	bffbffc2b1be154742fb81ecea14cb779b8fd81581ffce2855cf588f21a8020f
SHA512:	4d56a20cc61aa096fbd1e181ce72a79d237d90b7e20078fed0e3c767dfead51a5b1d150307ca911fbaffac206ef3679c99e9dc93dd37b3f5f419a55bb683220a
SSDEEP:	1536:tM0wFjVxFXrMGm0tEM5eoz/s74HEgKhs:tM0wFjV7XrXltPXs7SJgs
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L...A6.L.................0... ...............@....@........

File Icon


Icon Hash:	821ca88c8e8c8c00

Static PE Info

General
Entrypoint:	0x4012c8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4C923641 [Thu Sep 16 15:22:41 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e73b8c032c82c64991ebe487a7ffcd43

Entrypoint Preview

Instruction
push 0040FF80h
call 00007F72DC9BEC83h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+edx*2], ch
and dword ptr [edx], esp
std
sbb eax, 52944436h
push esp
sbb byte ptr [esi], al
sar dword ptr [eax+00000000h], 1
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [esi], al
push eax
add dword ptr [ecx], 73h
popad
jc 00007F72DC9BECF5h
push 73676E69h
add byte ptr [eax], al
sbb al, 29h
sbb al, 03h
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
cmp byte ptr [edx+ecx*8-66h], ch
outsd
adc eax, A74A902Eh
mov bl, D9h
dec esi
pop ebp
push esi
dec esp
stosd
mov dword ptr [76B9991Fh], eax
xor eax, 74B8462Ah
add ch, ah
call 00007F7289EB2702h
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push cs
jmp far 0000h : 01A90000h
add byte ptr [eax+eax], cl
dec eax
jc 00007F72DC9BED06h
imul esp, dword ptr [ecx+62h], 65h
jc 00007F72DC9BED00h
xor dword ptr [eax], eax
or eax, 50001201h
outsd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13684	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x15000	0x540	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xe8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x12aec	0x13000	False	0.519377055921	data	6.24667059185	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x14000	0xcf4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x15000	0x540	0x1000	False	0.1298828125	data	1.4104134768	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x15418	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x15404	0x14	data
RT_VERSION	0x150f0	0x314	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaAryConstruct2, __vbaObjVar, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaStrToAnsi, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0404 0x04b0
LegalCopyright	ChatSwipe
InternalName	TOBENET
FileVersion	4.04.0001
CompanyName	ChatSwipe
LegalTrademarks	ChatSwipe
Comments	ChatSwipe
ProductName	ChatSwipe
ProductVersion	4.04.0001
FileDescription	ChatSwipe
OriginalFilename	TOBENET.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2021 08:04:43.679177046 CEST	54513	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:04:43.706648111 CEST	53	54513	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:11.663681984 CEST	62044	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:11.702028990 CEST	53	62044	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:12.749793053 CEST	63791	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:12.784634113 CEST	53	63791	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:13.378412008 CEST	64267	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:13.439718962 CEST	53	64267	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:13.796654940 CEST	49448	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:13.816284895 CEST	53	49448	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:14.339658976 CEST	60342	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:14.359230995 CEST	53	60342	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:15.067100048 CEST	61346	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:15.088597059 CEST	53	61346	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:15.551141024 CEST	51774	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:15.574536085 CEST	56023	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:15.585517883 CEST	53	51774	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:15.600014925 CEST	53	56023	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:16.310364008 CEST	58384	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:16.330646992 CEST	53	58384	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:17.862464905 CEST	60261	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:17.879365921 CEST	53	60261	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:18.499778986 CEST	56061	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:18.517704964 CEST	53	56061	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:34.030338049 CEST	58336	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:34.057075024 CEST	53	58336	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:38.985905886 CEST	53781	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:39.016797066 CEST	53	53781	8.8.8.8	192.168.2.6
Sep 28, 2021 08:06:02.887357950 CEST	54064	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:06:02.918589115 CEST	53	54064	8.8.8.8	192.168.2.6
Sep 28, 2021 08:06:07.316895008 CEST	52811	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:06:07.349633932 CEST	53	52811	8.8.8.8	192.168.2.6

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: Hesap Hareketleri 28-09-2021.exe PID: 6572 Parent PID: 3888

General

Start time:	08:04:14
Start date:	28/09/2021
Path:	C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe'
Imagebase:	0x400000
File size:	90112 bytes
MD5 hash:	2FCA7A3E51417EE2E8AEFAFEDE0847D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Hesap Hareketleri 28-09-2021.exe PID: 6572 Parent PID: 3888 Hesap Hareketleri 28-09-2021.exeCOMMON

Executed Functions

Function 0071BB62, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

n, xrefs: 0071BB82

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID: n
API String ID: 0-2013832146
Opcode ID: 3ed04998b117ea2fb9cad8e16a170a08dda871760bd1ce51bed2fb5143907b2a
Instruction ID: 6b8a972a401af6d5e5c8b84d36e5151f9d9f7c2cd775897f0ef414839a47a7a7
Opcode Fuzzy Hash: 3ed04998b117ea2fb9cad8e16a170a08dda871760bd1ce51bed2fb5143907b2a
Instruction Fuzzy Hash: 3971F2B1640349CFDF759E6CCD987EA37A2AF55310F61812ACC499F395C7388A85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0071727D, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 168memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(56F46B7A), ref: 00717908

Strings

Wck, xrefs: 007176E1

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: Wck
API String ID: 2167126740-3592206839
Opcode ID: 4e1a04d4ad47fab5a0dde21c3e2f6a3ca68335936eab8650e57fdfbeed83db0e
Instruction ID: 142038521ac5350fc54c1d329aba0abde863e3bea70476d96f50f6841cead253
Opcode Fuzzy Hash: 4e1a04d4ad47fab5a0dde21c3e2f6a3ca68335936eab8650e57fdfbeed83db0e
Instruction Fuzzy Hash: 805126B1604249CFDB34DF29DC957EE77A2AF99314F50811AEC4D9F3A4D6348A82CB42

Uniqueness

Uniqueness Score: -1.00%

Function 007176B9, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 138memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(56F46B7A), ref: 00717908

Strings

Wck, xrefs: 007176E1

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: Wck
API String ID: 2167126740-3592206839
Opcode ID: 16392a4b168e2abdc0762a309cd6abea27fe555a043514b03e331bb1116da14b
Instruction ID: 393134a3ad2ddf453a60ad5342552b302433282e135e324edb3ce845e8e1b560
Opcode Fuzzy Hash: 16392a4b168e2abdc0762a309cd6abea27fe555a043514b03e331bb1116da14b
Instruction Fuzzy Hash: DC51F6B16042499FDB74DE29DC847EE77E2AF98314F50C01AEC4DDB354D6308A82CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00717719, Relevance: 1.7, APIs: 1, Instructions: 165memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(56F46B7A), ref: 00717908

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: de3b5c46b8f33f7bbd50a8d7dea196fe0d00437d29c58c557bb46cd218912b01
Instruction ID: 5938f3e265de8c546f5c8f0d64e6c45d41f63d4ff22f0d8a9c28d8e0e6483a4f
Opcode Fuzzy Hash: de3b5c46b8f33f7bbd50a8d7dea196fe0d00437d29c58c557bb46cd218912b01
Instruction Fuzzy Hash: 6A5115715047458FEB34EE198E827DEBBA2FF98710F20C02EEDC84A365D6714A818F85

Uniqueness

Uniqueness Score: -1.00%

Function 00717890, Relevance: 1.6, APIs: 1, Instructions: 93memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(56F46B7A), ref: 00717908

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f004260efa8c7d05827aa404c76b56d86ef024d1aa772db25802f5230667ae5f
Instruction ID: 64aca19fe080250593c0bf624d874e071cac4556b59cbcacc68b774bf6cb9c90
Opcode Fuzzy Hash: f004260efa8c7d05827aa404c76b56d86ef024d1aa772db25802f5230667ae5f
Instruction Fuzzy Hash: 3021A3314096548FE734AE198B426DEFFA1FF49B10F14801EEDC84A372C6B15A909FD8

Uniqueness

Uniqueness Score: -1.00%

Function 00412CD0, Relevance: 75.6, APIs: 39, Strings: 4, Instructions: 329COMMON

Download Yara Rule

APIs

#612.MSVBVM60(?), ref: 00412D52
__vbaStrVarMove.MSVBVM60(?), ref: 00412D5C
__vbaStrMove.MSVBVM60 ref: 00412D67
__vbaFreeVar.MSVBVM60 ref: 00412D70
#575.MSVBVM60(?,?), ref: 00412D8C
__vbaVarTstNe.MSVBVM60(?,?), ref: 00412DAE
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00412DC1
__vbaNew2.MSVBVM60(00410A2C,004145C0), ref: 00412DE1
__vbaHresultCheckObj.MSVBVM60(00000000,02A5004C,00410A1C,00000034,?,?,00000ACB,?), ref: 00412E2B
__vbaObjSet.MSVBVM60(?,?,?,?,00000ACB,?), ref: 00412E3C
__vbaStrToAnsi.MSVBVM60(?,snappishly,00000000), ref: 00412E4C
__vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 00412E5F
__vbaFreeStr.MSVBVM60(?,?,00000ACB,?), ref: 00412E7E
__vbaFpI4.MSVBVM60(?,?,00000ACB,?), ref: 00412E91
__vbaHresultCheckObj.MSVBVM60(00000000,004010F0,004104CC,000002C8), ref: 00412EC7
__vbaSetSystemError.MSVBVM60(00000000,00000002,00000002), ref: 00412EDD
__vbaNew2.MSVBVM60(00410A2C,004145C0), ref: 00412F05
__vbaHresultCheckObj.MSVBVM60(00000000,02A5004C,00410A1C,0000004C), ref: 00412F2A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410A5C,0000001C,?,?,?,?), ref: 00412F7A
__vbaObjSet.MSVBVM60(?,?,?,?,?,?), ref: 00412F8B
__vbaFreeObj.MSVBVM60(?,?,?,?), ref: 00412F94
__vbaHresultCheckObj.MSVBVM60(00000000,004010F0,004104FC,000006F8), ref: 00412FBC
__vbaStrCopy.MSVBVM60 ref: 00412FCA
__vbaFreeStr.MSVBVM60 ref: 00413003
__vbaHresultCheckObj.MSVBVM60(00000000,004010F0,004104CC,000002B4), ref: 00413030
__vbaStrToAnsi.MSVBVM60(?,SINGFEST,00267EEC), ref: 0041304D
__vbaSetSystemError.MSVBVM60(000C5DB5,00000000), ref: 00413064
__vbaFreeStr.MSVBVM60 ref: 00413083
__vbaNew2.MSVBVM60(00410A2C,004145C0), ref: 0041309C
__vbaLateMemCallLd.MSVBVM60(00000002,?,WkKauIFp5j1bv26pBJsl8jmR69NV785,00000000), ref: 004130B8
__vbaObjVar.MSVBVM60(00000000), ref: 004130C2
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004130CD
__vbaHresultCheckObj.MSVBVM60(00000000,02A5004C,00410A1C,0000000C), ref: 004130E7
__vbaFreeObj.MSVBVM60 ref: 004130F0
__vbaFreeVar.MSVBVM60 ref: 004130F9
__vbaFreeObj.MSVBVM60(0041315A), ref: 00413144
__vbaFreeStr.MSVBVM60 ref: 00413149
__vbaFreeObj.MSVBVM60 ref: 00413152
__vbaFreeObj.MSVBVM60 ref: 00413157

Strings

SINGFEST, xrefs: 00413047
Palmira, xrefs: 00412FC2
snappishly, xrefs: 00412E46
WkKauIFp5j1bv26pBJsl8jmR69NV785, xrefs: 004130AC

Memory Dump Source

Source File: 00000001.00000002.867300469.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.867246964.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.867355072.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.867372185.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$ErrorNew2System$AnsiMove$#575#612AddrefCallCopyLateList
String ID: Palmira$SINGFEST$WkKauIFp5j1bv26pBJsl8jmR69NV785$snappishly
API String ID: 1255662601-1278630523
Opcode ID: 94999e1dd70b8fb1b6cf79238a6265bd7675cf32dfd1d97fcdf1c0a948519dd4
Instruction ID: ee16c47224e641c8e7acdc8fca8ea5a2ecf9cd293214033b8d2bcf783c518a74
Opcode Fuzzy Hash: 94999e1dd70b8fb1b6cf79238a6265bd7675cf32dfd1d97fcdf1c0a948519dd4
Instruction Fuzzy Hash: 20D17BB0900209EFDB10DFA0DE89ADEBBB9FF48700F10812AF545A72A1D7745985CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004012C8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 72%

			_entry_() {
				signed char _t39;
				intOrPtr* _t40;
				signed int _t41;
				signed int _t42;
				signed int _t44;
				signed int _t45;
				signed int _t46;
				intOrPtr* _t65;
				signed int _t66;
				void* _t67;
				intOrPtr* _t68;
				intOrPtr* _t75;
				signed int _t76;
				signed int _t80;

				_push("VB5!6!*"); // executed
				L004012C0(); // executed
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 ^ _t39;
				 *_t39 =  *_t39 + _t39;
				_t40 = _t39 + 1;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *((intOrPtr*)(_t46 + _t66 * 2)) =  *((intOrPtr*)(_t46 + _t66 * 2)) + _t65;
				_t41 = _t40 - 0x53;
				 *_t66 =  *_t66 & _t80;
				asm("std");
				asm("sbb eax, 0x52944436");
				_push(_t80);
				asm("sbb [esi], al");
				 *_t41 =  *_t41 >> 1;
				 *_t41 =  *_t41 + _t41;
				 *_t41 =  *_t41 + _t41;
				 *_t41 =  *_t41 + _t41;
				_t67 = _t66 + 1;
				 *_t75 =  *_t75 + _t41;
				_push(_t41);
				 *_t65 =  *_t65 + 0x73;
				asm("popad");
				if( *_t65 >= 0) {
					_push(0x73676e69);
					 *_t41 =  *_t41 + _t41;
					asm("sbb al, 0x29");
					asm("sbb al, 0x3");
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 ^ _t41;
					asm("outsd");
					asm("adc eax, 0xa74a902e");
					_t75 = _t75 - 1;
					_push(_t75);
					_t80 = _t80;
					asm("stosd");
					 *0x76b9991f = _t41;
					_t44 = _t41 ^ 0x74b8462a;
					_t65 = _t65 + _t44;
					asm("repne call 0xad4f3a72");
					_t45 = _t44;
					asm("stosb");
					 *((intOrPtr*)(_t45 - 0x2d)) =  *((intOrPtr*)(_t45 - 0x2d)) + _t45;
					_t41 = 0x000000d9 ^  *(_t65 - 0x48ee309a);
					_t46 = _t45;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
				}
				 *_t41 =  *_t41 + _t41;
				 *_t41 =  *_t41 + _t41;
				 *_t75 =  *_t75 + _t65;
				goto 0;
				 *((intOrPtr*)(_t41 + _t41)) =  *((intOrPtr*)(_t41 + _t41)) + _t65;
				_t42 = _t41 - 1;
				if(_t42 < 0) {
					L7:
					 *_t42 =  *_t42 + _t42;
					L8:
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42;
					 *_t42 =  *_t42;
					 *((intOrPtr*)(_t42 + 0x800080)) =  *((intOrPtr*)(_t42 + 0x800080)) + _t42;
					 *_t42 =  *_t42 + _t42;
					L9:
					 *((intOrPtr*)(_t42 - 0x7fff8000)) =  *((intOrPtr*)(_t42 - 0x7fff8000)) + _t42;
					 *_t42 =  *_t42;
					asm("rol al, 0xc0");
					 *((intOrPtr*)(_t42 + 0x8080)) =  *((intOrPtr*)(_t42 + 0x8080)) + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + 1;
					 *_t42 =  *_t42 + _t42;
					asm("invalid");
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + 1;
					asm("invalid");
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					asm("sti");
					asm("sti");
					asm("sti");
					asm("sti");
					asm("sti");
					asm("sti");
					asm("lock add [edi-0x40b04041], bh");
					asm("sti");
					asm("lock add [edi-0x40bb4b41], bh");
					asm("hlt");
					asm("sti");
					asm("lock add [edi-0x40bb4b41], bh");
					asm("sti");
					asm("lock add [edi-0x40b04041], bh");
					asm("sti");
					asm("sti");
					asm("sti");
					asm("sti");
					asm("lock add [eax], al");
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *((intOrPtr*)(_t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 - 0xfffffffffffffffc)) =  *((intOrPtr*)(_t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 + _t46 - 0xfffffffffffffffc)) + _t65;
					asm("sti");
					asm("sti");
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					asm("invalid");
					asm("invalid");
					 *_t42 =  *_t42 + 0xff;
					 *((intOrPtr*)(_t42 - 0x7f000100)) =  *((intOrPtr*)(_t42 - 0x7f000100)) + 1;
					 *((intOrPtr*)(_t42 - 0x7f000100)) =  *((intOrPtr*)(_t42 - 0x7f000100)) + 1;
					 *((intOrPtr*)(_t42 - 0x7f000100)) =  *((intOrPtr*)(_t42 - 0x7f000100)) + 1;
					 *((intOrPtr*)(_t42 - 0x7f000100)) =  *((intOrPtr*)(_t42 - 0x7f000100)) + 1;
					 *((intOrPtr*)(_t42 - 0x7f000100)) =  *((intOrPtr*)(_t42 - 0x7f000100)) + 1;
					if (_t42 + 1 > 0) goto L10;
					goto L10;
					goto __eax;
					L10:
					asm("invalid");
				}
				_t80 =  *(_t65 + 0x62) * 0x65;
				if(_t80 < 0) {
					goto L8;
				}
				 *[gs:eax] =  *[gs:eax] ^ _t42;
				_t42 = _t42 | 0x50001201;
				asm("outsd");
				if(_t42 >= 0) {
					goto L9;
				}
				 *_t65 =  *_t65 + _t46;
				 *_t42 =  *_t42 + _t42;
				_t68 = _t67 + 1;
				 *_t68 =  *_t68 + _t42;
				_t80 = _t80 +  *_t46;
				_t76 = _t75 + 1;
				 *_t42 =  *_t42 + _t42;
				 *((intOrPtr*)(_t80 + _t76 * 2)) =  *((intOrPtr*)(_t80 + _t76 * 2)) + _t65;
				 *_t76 =  *_t76 + _t46;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t65 =  *_t65 + _t42;
				 *_t65 =  *_t65 + _t42;
				 *_t42 =  *_t42 + _t68;
				asm("adc [eax], dl");
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t65;
				 *_t42 =  *_t42 + _t42;
				 *_t76 =  *_t76 + _t68;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t65;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t68;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t65 =  *_t65 + _t42;
				 *((intOrPtr*)(_t42 + _t42)) =  *((intOrPtr*)(_t42 + _t42)) + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t68;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				goto L7;
			}

0x004012c8
0x004012cd
0x004012d2
0x004012d4
0x004012d6
0x004012d8
0x004012da
0x004012dc
0x004012dd
0x004012df
0x004012e1
0x004012e3
0x004012e4
0x004012e6
0x004012e8
0x004012e9
0x004012ee
0x004012f0
0x004012f2
0x004012f8
0x004012fa
0x004012fc
0x004012fe
0x004012ff
0x00401301
0x00401302
0x00401305
0x00401307
0x00401309
0x0040130e
0x00401310
0x00401312
0x00401314
0x00401316
0x0040131a
0x00401320
0x00401321
0x00401328
0x0040132a
0x0040132b
0x0040132c
0x0040132d
0x00401332
0x00401337
0x00401339
0x00401346
0x00401348
0x00401349
0x0040134c
0x0040134c
0x0040134d
0x0040134f
0x00401351
0x00401353
0x00401355
0x00401357
0x00401359
0x0040135b
0x0040135d
0x0040135f
0x00401361
0x00401363
0x00401365
0x00401367
0x00401369
0x0040136b
0x0040136b
0x0040136c
0x0040136e
0x00401370
0x00401372
0x00401379
0x0040137c
0x0040137d
0x004013f3
0x004013f3
0x004013f4
0x004013f4
0x004013f6
0x004013f8
0x004013fb
0x004013fe
0x00401404
0x00401405
0x00401405
0x0040140b
0x0040140e
0x00401411
0x00401419
0x0040141b
0x0040141d
0x0040141f
0x00401423
0x0040142b
0x0040142f
0x00401431
0x00401433
0x00401435
0x00401437
0x00401439
0x0040143b
0x0040143d
0x0040143f
0x00401441
0x00401443
0x00401444
0x00401445
0x00401446
0x00401447
0x00401448
0x00401449
0x00401458
0x00401459
0x00401466
0x00401468
0x00401469
0x00401478
0x00401479
0x00401485
0x00401486
0x00401487
0x00401488
0x00401489
0x0040148c
0x0040148e
0x00401490
0x00401492
0x00401494
0x00401495
0x00401496
0x00401498
0x0040149a
0x0040149c
0x0040149e
0x004014a0
0x004014a2
0x004014a4
0x004014a6
0x004014a8
0x004014aa
0x004014ac
0x004014ae
0x004014b0
0x004014b2
0x004014b4
0x004014b6
0x004014b9
0x004014c1
0x004014c9
0x004014d1
0x004014d9
0x004014e3
0x004014e3
0x004014e5
0x004014e4
0x004014e4
0x004014e4
0x00401380
0x00401384
0x00000000
0x00000000
0x00401386
0x00401389
0x0040138e
0x0040138f
0x00000000
0x00000000
0x0040139f
0x004013a1
0x004013a3
0x004013a4
0x004013a6
0x004013a8
0x004013a9
0x004013ab
0x004013af
0x004013b1
0x004013b3
0x004013b5
0x004013b7
0x004013b9
0x004013bb
0x004013bd
0x004013bf
0x004013c1
0x004013c3
0x004013c5
0x004013c7
0x004013c9
0x004013cb
0x004013cd
0x004013cf
0x004013d1
0x004013d3
0x004013d5
0x004013d7
0x004013da
0x004013dc
0x004013de
0x004013e1
0x004013e3
0x004013e5
0x004013e7
0x004013e9
0x004013eb
0x004013ed
0x004013ef
0x004013f1
0x00000000

APIs

#100.MSVBVM60(VB5!6!*), ref: 004012CD

Strings

VB5!6!*, xrefs: 004012C8

Memory Dump Source

Source File: 00000001.00000002.867300469.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.867246964.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.867355072.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.867372185.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6!*
API String ID: 1341478452-2574520878
Opcode ID: df8125bc5a8ddfdce40f4cbe5a9234fd422e66fc90b327145c480f83633bd1a2
Instruction ID: 7dd47f73646846096bb12824db8aad5583f9b51b104aece86531a8bb888952a7
Opcode Fuzzy Hash: df8125bc5a8ddfdce40f4cbe5a9234fd422e66fc90b327145c480f83633bd1a2
Instruction Fuzzy Hash: A711426118E3C15FC3139B748D266457FB0AE2326071A45EBC4D0CF0E3D119094AC7BA

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0071AA45, Relevance: 2.0, Strings: 1, Instructions: 724COMMON

Download Yara Rule

Strings

KMw], xrefs: 00715B62

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID: KMw]
API String ID: 0-1622662347
Opcode ID: cf6cfaae7b262ac6f3a23101a8624bf8d8fc27a2c4ec067f8876e3ff453d7827
Instruction ID: fc8f319f31159acd2a8bb10219c2934355813ec57e258e1cbd913dff2ad66e42
Opcode Fuzzy Hash: cf6cfaae7b262ac6f3a23101a8624bf8d8fc27a2c4ec067f8876e3ff453d7827
Instruction Fuzzy Hash: 1A62F0B2604389DFDB748F39CD857DA7BB2BF98300F558529DC899B254D3349A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00715561, Relevance: 1.9, Strings: 1, Instructions: 682COMMON

Download Yara Rule

Strings

KMw], xrefs: 00715B62

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID: KMw]
API String ID: 0-1622662347
Opcode ID: 06e27962d498017e73cfee17ab8d24a372afff0b4ac38f4408e875850ac13b7a
Instruction ID: ce41d1227beeb94007fba79a33abd6f2cf20eff136484b1812fb6d3db1486fc6
Opcode Fuzzy Hash: 06e27962d498017e73cfee17ab8d24a372afff0b4ac38f4408e875850ac13b7a
Instruction Fuzzy Hash: BA52EFB2604789DFDB748F39CD857DABBB2BF94300F558129DC899B264D3349A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 007155B3, Relevance: 1.9, Strings: 1, Instructions: 679COMMON

Download Yara Rule

Strings

KMw], xrefs: 00715B62

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID: KMw]
API String ID: 0-1622662347
Opcode ID: 052473b96c21bc97b8f10aadcdf7002e9eb4073de483a1862685d5ffe216cf9e
Instruction ID: ac2b1711a5ce612664caebddff8fd4159ace661569849d45eb9731389106d4ca
Opcode Fuzzy Hash: 052473b96c21bc97b8f10aadcdf7002e9eb4073de483a1862685d5ffe216cf9e
Instruction Fuzzy Hash: 8C52EDB2604789CFDB749F29CD857DABBB2BF94300F558129DC899B260D3349A91CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0071743A, Relevance: 1.9, Strings: 1, Instructions: 652COMMON

Download Yara Rule

Strings

KMw], xrefs: 00715B62

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID: KMw]
API String ID: 0-1622662347
Opcode ID: 18921afb9a3613d84f0fd4f77cfe06993297c0dd9690f6e077b1fb240cd1219f
Instruction ID: 1f3b0325c71d5a9a1cea654d6f3df87b4c92cfcff199f111c343c800262e30c6
Opcode Fuzzy Hash: 18921afb9a3613d84f0fd4f77cfe06993297c0dd9690f6e077b1fb240cd1219f
Instruction Fuzzy Hash: FE52FFB2604789CFDB748F39CD857DABBB2BF98310F558129DC899B254D3349A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 007156DD, Relevance: 1.9, Strings: 1, Instructions: 644COMMON

Download Yara Rule

Strings

KMw], xrefs: 00715B62

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID: KMw]
API String ID: 0-1622662347
Opcode ID: 1e2a1caf85d856d9d20c270b906e1f3ce34daf47fc6a6b721d35585715ea1591
Instruction ID: bd8df8ff8393734d3950ed5f78b391871edb51e8eb991627f30bba63f9de1f81
Opcode Fuzzy Hash: 1e2a1caf85d856d9d20c270b906e1f3ce34daf47fc6a6b721d35585715ea1591
Instruction Fuzzy Hash: 2C420EB2604749CFDB749F29CD857DABBB2BF94300F558129DC899B260D3349A91CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00715625, Relevance: 1.9, Strings: 1, Instructions: 640COMMON

Download Yara Rule

Strings

KMw], xrefs: 00715B62

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID: KMw]
API String ID: 0-1622662347
Opcode ID: 43d320cc274b41b7a9951732aeace20fa24f81887ed2a98ea9abaa00ab94a9fa
Instruction ID: a560c938d7ba6e164673529011c20bcde1c3c4ed39d8d3b9d5f19961c7c8a92b
Opcode Fuzzy Hash: 43d320cc274b41b7a9951732aeace20fa24f81887ed2a98ea9abaa00ab94a9fa
Instruction Fuzzy Hash: AF52EEB2604789CFDB748F39CD857DABBB2BF94300F558529DC899B264D3349A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0071561F, Relevance: 1.9, Strings: 1, Instructions: 631COMMON

Download Yara Rule

Strings

KMw], xrefs: 00715B62

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID: KMw]
API String ID: 0-1622662347
Opcode ID: bb8d698059b59d0124e3f61afff75f6338560d8091a874cfe515b39b65f36b57
Instruction ID: 683d7f145816f173d974cf002723d5d4c701e467939de96cb06e927723c06168
Opcode Fuzzy Hash: bb8d698059b59d0124e3f61afff75f6338560d8091a874cfe515b39b65f36b57
Instruction Fuzzy Hash: 2752EEB2604789CFDB748F39CD857DABBB2BF94310F558129DC899B264D3349A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00715630, Relevance: 1.9, Strings: 1, Instructions: 627COMMON

Download Yara Rule

Strings

KMw], xrefs: 00715B62

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID: KMw]
API String ID: 0-1622662347
Opcode ID: ad8dc8585e55954cdf37558c3633dc07fd1bc0cd44dea45ce53bba844d752807
Instruction ID: c472f5796394d61e56db8a04aa6f23d9bad179bb813bec86659b35e02a6ba3dc
Opcode Fuzzy Hash: ad8dc8585e55954cdf37558c3633dc07fd1bc0cd44dea45ce53bba844d752807
Instruction Fuzzy Hash: B152FFB2604789CFDB748F39CD857DABBB2BF94310F558129DC899B264D3349A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0071584B, Relevance: 1.8, Strings: 1, Instructions: 584COMMON

Download Yara Rule

Strings

KMw], xrefs: 00715B62

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID: KMw]
API String ID: 0-1622662347
Opcode ID: d8e8461bc17131060167b56bab42cb0919258292d32f833da9d39a67b98e5e2e
Instruction ID: 1b90ea873acb44e02a5732ae971173bb012c755a5fa09bbfcffe05800b03d577
Opcode Fuzzy Hash: d8e8461bc17131060167b56bab42cb0919258292d32f833da9d39a67b98e5e2e
Instruction Fuzzy Hash: 9242FEB2604789CFDB749F29CD857DABBB2BF94310F158129DC899B260D3349A91CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0071595B, Relevance: 1.8, Strings: 1, Instructions: 549COMMON

Download Yara Rule

Strings

KMw], xrefs: 00715B62

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID: KMw]
API String ID: 0-1622662347
Opcode ID: 09b6b29b347e6c881121cc80715c955c49d51dbd015bc50dcd2ca75def195af5
Instruction ID: d3ee6124070738f144fc688ce108a93a054bbe339f68faa0184f0e547dda0c80
Opcode Fuzzy Hash: 09b6b29b347e6c881121cc80715c955c49d51dbd015bc50dcd2ca75def195af5
Instruction Fuzzy Hash: F3320EB2605789CFDB749F28CD857DABBB2FF54310F15812ADC899B260D3359A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00715ADA, Relevance: 1.8, Strings: 1, Instructions: 525COMMON

Download Yara Rule

Strings

KMw], xrefs: 00715B62

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID: KMw]
API String ID: 0-1622662347
Opcode ID: 8baadaa2ec357eda7070573c2f34be36a77c1cb7451753322a1fdb25040d8633
Instruction ID: f3c41232cf7a1b35bfbb8740e7723adfebc87af104e324922dfccdf248d9f55a
Opcode Fuzzy Hash: 8baadaa2ec357eda7070573c2f34be36a77c1cb7451753322a1fdb25040d8633
Instruction Fuzzy Hash: D722FDB2604789CFDB749F28CD857DABBB2BF54310F15812ADC899B260D7359A81CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00715A60, Relevance: 1.8, Strings: 1, Instructions: 505COMMON

Download Yara Rule

Strings

KMw], xrefs: 00715B62

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID: KMw]
API String ID: 0-1622662347
Opcode ID: 882c4fac8ee7f6623808b7b7b481248beaae0b06e0f50357cd4a2ad4205bc5b9
Instruction ID: c172cf4ad7176e479dbb1cff3a4d9b17b5e85c68572a367ddae6773871332eb1
Opcode Fuzzy Hash: 882c4fac8ee7f6623808b7b7b481248beaae0b06e0f50357cd4a2ad4205bc5b9
Instruction Fuzzy Hash: 7622EBB2604749CFDB749F28CD457DABBB2BF54310F15812ADC899B260D3359A91CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0071ABDA, Relevance: 1.7, Strings: 1, Instructions: 496COMMON

Download Yara Rule

Strings

P>f, xrefs: 00710C39

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID: P>f
API String ID: 0-2051741125
Opcode ID: db666eef0c75eafd4ec3ec045e24b6934d5603e31ba3d061faf5c92b91c716e9
Instruction ID: bc15a70a3858575528c8c09461fe3028a8e007208696266b542bfa862b720777
Opcode Fuzzy Hash: db666eef0c75eafd4ec3ec045e24b6934d5603e31ba3d061faf5c92b91c716e9
Instruction Fuzzy Hash: 4F22D4716083C58FDB35CF38C8987DABBE2AF56310F59819AC8998F2D6D3358586C712

Uniqueness

Uniqueness Score: -1.00%

Function 00715BC0, Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09bba278adc304dbc882cb1130af31e3fffbfbaed592f5dd0517fa2634d73a76
Instruction ID: de2adae55daf8d57cc5a43225eff47c2ebe52494498430e1a9231d8946a387c4
Opcode Fuzzy Hash: 09bba278adc304dbc882cb1130af31e3fffbfbaed592f5dd0517fa2634d73a76
Instruction Fuzzy Hash: 1B12FEB2604789CFDB749E28CD857DA7BB2BF54310F15802ADC899B260D7759A81CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00715CD4, Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 517d73a530e5801f3bd010da16da5e062c18701bb721ac9dccc5341399d91720
Instruction ID: b7495b05b300aa258968ccf930eb5f7481d50abff8f763ca02d8f7e522dfa24b
Opcode Fuzzy Hash: 517d73a530e5801f3bd010da16da5e062c18701bb721ac9dccc5341399d91720
Instruction Fuzzy Hash: B102FFB2604689CFDB749F28CD85BDA7BB2FF54310F55802ADC899B260D7758A81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00715E04, Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a342da1b46d611a91466488abfd5aaa0001cab59cd7ef4bfce300bbc58e2c01f
Instruction ID: 0a53eaff8b165cb2085e54042863387961f2ab46ced8960c10ea71ca470124dd
Opcode Fuzzy Hash: a342da1b46d611a91466488abfd5aaa0001cab59cd7ef4bfce300bbc58e2c01f
Instruction Fuzzy Hash: 72E1ECB2604689CFDB749F28CD85BDA7BB2FF54310F15802AEC899B260D7754A81CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00715F75, Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c068f5c311b39398eb641dc4117356f1ba64f74905ad0b07c86e543c3cc0c788
Instruction ID: 241b4726cb0cf61291e46ace1dbe8d9d43349c8fdc29d1674db1f4460629f09d
Opcode Fuzzy Hash: c068f5c311b39398eb641dc4117356f1ba64f74905ad0b07c86e543c3cc0c788
Instruction Fuzzy Hash: 6BC1EE72604689CFDB749F28CE45BDA7BB2FF54310F14812ADC899B260D7754A81CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0071604F, Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421c3ce9e6fc61d1f752c3982ba64909050baba476c12eb848c5fc6a0b6571ed
Instruction ID: 16a8bbc1201617dffe7619ba05d277d5b5057b99838a1a8e681cd06a46164209
Opcode Fuzzy Hash: 421c3ce9e6fc61d1f752c3982ba64909050baba476c12eb848c5fc6a0b6571ed
Instruction Fuzzy Hash: 8CB1F072604689CFDF749E28CE85BDA7BB2FF64310F14812ADD889B264D7754A81CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0071079A, Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33896ba8ee30e2a34454117f310c7c4c296d0157ed514b2b53d4f230dd528bca
Instruction ID: 9bda89bccc58c481622cf23ec4357bbeb144691d9f2ddb3589645d5f99dea048
Opcode Fuzzy Hash: 33896ba8ee30e2a34454117f310c7c4c296d0157ed514b2b53d4f230dd528bca
Instruction Fuzzy Hash: F9819636008385CFD72AAF788A465DABFA0FF52700F24489ED5C14A263D7A595D2CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 0071262A, Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: a337ae0841d77d81f10490dacbfa2f1e4ed142db963f6e52e4f39209de8540f4
Instruction ID: a576be66f4a846d97118cd8f3e13e5f2103130f265f5726307808199acbc1aaa
Opcode Fuzzy Hash: a337ae0841d77d81f10490dacbfa2f1e4ed142db963f6e52e4f39209de8540f4
Instruction Fuzzy Hash: 44617931009389CFD7369F788A5A6CA7FB0EF12600F18048ED9C54E6E3D72946A2DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00710480, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f07c8c2c007663a83a38c63b924aaa2adfd5f717a132048c7b5f3703178f24
Instruction ID: 2c1857147c156b7c82a88b2f5be895e004ca5ed73bd62bee31cf03ad301b7e53
Opcode Fuzzy Hash: e5f07c8c2c007663a83a38c63b924aaa2adfd5f717a132048c7b5f3703178f24
Instruction Fuzzy Hash: 8751F0324493C58FD7255E788D4A6C9BFA1FF53660F28898DC9C40B2A3C3655AD6CF81

Uniqueness

Uniqueness Score: -1.00%

Function 007107F5, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da922e3dce1f96768a709b93e76dd747085f954396165055c26cf31cd7bf52f
Instruction ID: 02654b024604b315d76785dcf11259bcf45e231a88e74d21673897955e8ba7a4
Opcode Fuzzy Hash: 4da922e3dce1f96768a709b93e76dd747085f954396165055c26cf31cd7bf52f
Instruction Fuzzy Hash: B6615336008344CFD729AE7486875DEFFA0FF11700F24489EDAC14A762D7A59592CF96

Uniqueness

Uniqueness Score: -1.00%

Function 007162C4, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d378ee726cdae514f66a89ad9355e2e40e57b3da1c2993bc9e4d3d854fea2c
Instruction ID: 9a55d332d7c4ee42e7df598075f807eb805a58c0501086869ddeecb614e6da2a
Opcode Fuzzy Hash: 22d378ee726cdae514f66a89ad9355e2e40e57b3da1c2993bc9e4d3d854fea2c
Instruction Fuzzy Hash: 8B61A071204689CFDF74AF28CE86BDA7BB2FF54310F148029ED888A261D7755A91DF81

Uniqueness

Uniqueness Score: -1.00%

Function 007163E5, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3c6f02d5bf3d8bbbd83e16e9d89b18c358fd1019b216443c1f614a856a60871
Instruction ID: 263e92c486c0440f4995f1a32cf68399d2c5d45ff1005d39e6d71881ca06db8e
Opcode Fuzzy Hash: b3c6f02d5bf3d8bbbd83e16e9d89b18c358fd1019b216443c1f614a856a60871
Instruction Fuzzy Hash: 8351B571105689CFDB74AF28CA42ADEBBB1FF15710F24801DED884A361C7715A91DF85

Uniqueness

Uniqueness Score: -1.00%

Function 0071A64C, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07db32c0e73dcb422a4f7e89ae76961da7dafe9f7ff199cad9ffa5eeef1112a9
Instruction ID: 07442067d04591699f97448689fa8344c58edcdab17d304278bfeb13afc84d6b
Opcode Fuzzy Hash: 07db32c0e73dcb422a4f7e89ae76961da7dafe9f7ff199cad9ffa5eeef1112a9
Instruction Fuzzy Hash: 89417B716053859FCF318E7888D53DB77A6EF56300F29826ACC859B146E73499C6C743

Uniqueness

Uniqueness Score: -1.00%

Function 0071522C, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6568518d7a529d1064e6f6857a4fa1ce1f037f786a30a167e0ea5c57961a0978
Instruction ID: e78bb68b2b134e6b67411bc0ff02896cffd1bb038bbb0ebee6ba96c0d863efb6
Opcode Fuzzy Hash: 6568518d7a529d1064e6f6857a4fa1ce1f037f786a30a167e0ea5c57961a0978
Instruction Fuzzy Hash: 44418F71605B44CFDB38CE29C9D47EB76F3BF88300F94421A894D9B645D239AA80CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00717447, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9df98c4b1c2bbf461159060912880d0cdb561805ea2e9ef7e68f64d816e0ab
Instruction ID: c7c630a99f4dbfafffe0e16833f0c2a1bc5ecb14895f4c76ff3af0edbb39d736
Opcode Fuzzy Hash: 3f9df98c4b1c2bbf461159060912880d0cdb561805ea2e9ef7e68f64d816e0ab
Instruction Fuzzy Hash: 2A315E70609341CBDB289E38CCA97FA7BB1BF65740F00862ED99F97254D7300545CB06

Uniqueness

Uniqueness Score: -1.00%

Function 00713AF5, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9801134c6aa1ea0070e2280215eb78f13518ac88dd62dbbe623bb04f3b09976a
Instruction ID: 52b5683c95879588abf30caff31ba33b2972d0f5302af1934034ff674e207787
Opcode Fuzzy Hash: 9801134c6aa1ea0070e2280215eb78f13518ac88dd62dbbe623bb04f3b09976a
Instruction Fuzzy Hash: 1E11ABB21192889BC7652F748E483CA3BA7AF65380F540818E999CB207E3388C01CB05

Uniqueness

Uniqueness Score: -1.00%

Function 007150AA, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1710d48740f7ebf96322079842d5f1cc3be6add2d686cb5ca4477bdf9387aaa1
Instruction ID: 84f3cb37c90fea42356d84de880bb29def19422587cb3e1e4fcf74d15c409cc5
Opcode Fuzzy Hash: 1710d48740f7ebf96322079842d5f1cc3be6add2d686cb5ca4477bdf9387aaa1
Instruction Fuzzy Hash: 5E31D5311087998BDB32CEB888C8BC6BB90BF16724F48829DCC995F287E7355646C781

Uniqueness

Uniqueness Score: -1.00%

Function 0071C264, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32b032bcb8a384654280a0b6a33004b3e0086ff4ed531653bd0ee6e377ccd29
Instruction ID: adfda173c87de2b01f154937fd217b3b1465047bd7bd49c42aefb1a1a6a9730f
Opcode Fuzzy Hash: c32b032bcb8a384654280a0b6a33004b3e0086ff4ed531653bd0ee6e377ccd29
Instruction Fuzzy Hash: DD1104706483529FEB65CF6886C57DB77E1AF5A700F44865ADC88CA2A5D33988C0CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0071A727, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18fa419556218e3472d5488bee3ad235ed04d121f1bc0042259b17e6c1396ce7
Instruction ID: 6d33b0234849c0282332620a49584dcc90f14e36d272ff6724c80cbde39c0dc0
Opcode Fuzzy Hash: 18fa419556218e3472d5488bee3ad235ed04d121f1bc0042259b17e6c1396ce7
Instruction Fuzzy Hash: B0112CB25042549FDB749FBCC8727EA7BA1FF15710F15045ECA8ACB160C77846818B46

Uniqueness

Uniqueness Score: -1.00%

Function 00719EDE, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e088115610517c2099be3fdd46ef04a67506d04fc54f60e963e01c709fa49ae4
Instruction ID: 795b4491e09a603be9151c4f53149e16c8e9888433038351458dd5103058a8c4
Opcode Fuzzy Hash: e088115610517c2099be3fdd46ef04a67506d04fc54f60e963e01c709fa49ae4
Instruction Fuzzy Hash: 11014C75609384DFCB30CF18C894AD577E5BB08750F454466EA08AB251D234EDC2CA10

Uniqueness

Uniqueness Score: -1.00%

Function 0071726F, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction ID: f1647c15dfe5582e2114d8b48c9dc7a79c4e1b76aa7bcc19d5d00c5bce2ac4c7
Opcode Fuzzy Hash: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00716D70, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 00719913, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00413490, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

#672.MSVBVM60(00000000,40080000,00000000,3FF00000,00000000,3FF00000,00000000,3FF00000), ref: 004134DC
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401176), ref: 004134E2
__vbaNew2.MSVBVM60(00410A2C,004145C0,?,?,?,?,?,?,?,?,?,?,?,?,00401176), ref: 00413507
__vbaLateMemCallLd.MSVBVM60(?,?,qTu9tyktlIOgozvLrZMBbdZxTILvo43,00000000), ref: 00413523
__vbaObjVar.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401176), ref: 0041352D
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401176), ref: 00413538
__vbaHresultCheckObj.MSVBVM60(00000000,02A5004C,00410A1C,0000000C), ref: 00413552
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401176), ref: 0041355B
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401176), ref: 00413564
__vbaFreeObj.MSVBVM60(00413596), ref: 0041358F

Strings

qTu9tyktlIOgozvLrZMBbdZxTILvo43, xrefs: 00413517

Memory Dump Source

Source File: 00000001.00000002.867300469.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.867246964.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.867355072.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.867372185.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#672AddrefCallCheckHresultLateNew2
String ID: qTu9tyktlIOgozvLrZMBbdZxTILvo43
API String ID: 263512575-2009357870
Opcode ID: e143ca7f7ca64cbf14d2e9699071cd1780a0963eeccdedec69310f165ab222f4
Instruction ID: ba17d885862f88a977f57c6f232e675be8c2314d900233752d6c022e5a730a68
Opcode Fuzzy Hash: e143ca7f7ca64cbf14d2e9699071cd1780a0963eeccdedec69310f165ab222f4
Instruction Fuzzy Hash: F5216DB0900245BBCB109F95DE49FAFBBB8FB94B41F10402AF541B21A0C7781581CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00413180, Relevance: 12.1, APIs: 8, Instructions: 99COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,00410ADC,00000005), ref: 004131BC
#682.MSVBVM60(?,?), ref: 004131FD
__vbaFpR8.MSVBVM60 ref: 00413203
__vbaFreeVar.MSVBVM60 ref: 00413227
_adj_fdiv_m64.MSVBVM60 ref: 00413259
__vbaFpI4.MSVBVM60(42FC0000,?,436E0000), ref: 00413287
__vbaHresultCheckObj.MSVBVM60(00000000,?,004104CC,000002C0,?,436E0000), ref: 004132BB
__vbaAryDestruct.MSVBVM60(00000000,?,004132E6), ref: 004132DF

Memory Dump Source

Source File: 00000001.00000002.867300469.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.867246964.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.867355072.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.867372185.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#682CheckConstruct2DestructFreeHresult_adj_fdiv_m64
String ID:
API String ID: 4111779564-0
Opcode ID: 365bcc2ffb2d1d42b247759ae572e051801a77ccc6f41b4c566d10bbb66056ae
Instruction ID: 05f956e4f874be062e57a6bb8b374471f0b3f179716212e89d58b0290ccb101e
Opcode Fuzzy Hash: 365bcc2ffb2d1d42b247759ae572e051801a77ccc6f41b4c566d10bbb66056ae
Instruction Fuzzy Hash: 5B318F74D00209EBCB04DF90DE49BEEBBB8FB48701F108166F641BA2A4C7B85981CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00413300, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

__vbaVarTstNe.MSVBVM60(?,?), ref: 00413364
__vbaInStr.MSVBVM60(00000000,Bebyrdelses9,Hvislendes8,FF96B5C0), ref: 0041337F

Strings

Bebyrdelses9, xrefs: 00413379
Hvislendes8, xrefs: 00413374

Memory Dump Source

Source File: 00000001.00000002.867300469.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.867246964.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.867355072.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.867372185.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba
String ID: Bebyrdelses9$Hvislendes8
API String ID: 3524132090-1996639642
Opcode ID: ad96702cd3860126589890ae83ed879256dcbe2d30e795e081c2eb491a4638e7
Instruction ID: 02d117570229b29660cf0d642aa012324e780893d2bb14338c654fb33d265e0f
Opcode Fuzzy Hash: ad96702cd3860126589890ae83ed879256dcbe2d30e795e081c2eb491a4638e7
Instruction Fuzzy Hash: E0010CB0910258EBCB10DF98C989BDEBFB8BF08B44F14811AF504B6295D7B85585CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004133C0, Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00410A2C,004145C0), ref: 00413403
__vbaHresultCheckObj.MSVBVM60(00000000,02A5004C,00410A1C,0000004C), ref: 00413428
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410A5C,00000028), ref: 00413448
__vbaFreeObj.MSVBVM60 ref: 00413451

Memory Dump Source

Source File: 00000001.00000002.867300469.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.867246964.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.867355072.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.867372185.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID:
API String ID: 4261391273-0
Opcode ID: f2a72388bfce72f12105fc6f2506b2b47d44927073887adb15b13b5da8607b79
Instruction ID: e7e351d49562a7c22c1b86de1c6460f3e1743cd66202150204c9dcde1a6303df
Opcode Fuzzy Hash: f2a72388bfce72f12105fc6f2506b2b47d44927073887adb15b13b5da8607b79
Instruction Fuzzy Hash: C9119174600204ABD7009F65CE09FDB7BF8FB18B41F104125F640F32A1E3B859858AA8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Hesap Hareketleri 28-09-2021.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: Hesap Hareketleri 28-09-2021.exe PID: 6572 Parent PID: 3888

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: Hesap Hareketleri 28-09-2021.exe PID: 6572 Parent PID: 3888 Hesap Hareketleri 28-09-2021.exeCOMMON

Executed Functions

Function 004012C8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
COMMON