Play interactive tour

Edit tour

Windows Analysis Report FACTURA.exe

Overview

General Information

Sample Name:	FACTURA.exe
Analysis ID:	499407
MD5:	740463ed3266f7aee8331978f50c731c
SHA1:	a9310948476693d72be937f23e1b53b3607bf92f
SHA256:	fa9e12a03b909482d5bacd2d7ab1a8d672528bfcf43402c04b6d3a30702b0c4d
Tags:	exeguloader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected GuLoader

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Contains functionality to call native functions

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Program does not show much activity (idle)

Uses code obfuscation techniques (call, push, ret)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Detected potential crypto function

Classification

Process Tree

System is w10x64

FACTURA.exe (PID: 4840 cmdline: 'C:\Users\user\Desktop\FACTURA.exe' MD5: 740463ED3266F7AEE8331978F50C731C)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=dor"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=dor"}

Source: FACTURA.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=dor

Source: FACTURA.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A78BE NtAllocateVirtualMemory,	0_2_021A78BE
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A7A9E NtAllocateVirtualMemory,	0_2_021A7A9E
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A78C2 NtAllocateVirtualMemory,	0_2_021A78C2
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A7973 NtAllocateVirtualMemory,	0_2_021A7973

Source: FACTURA.exe, 00000000.00000000.286217984.000000000041B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCounterfoil7.exe vs FACTURA.exe
Source: FACTURA.exe, 00000000.00000002.809631589.00000000022A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCounterfoil7.exeFE2XCollides Systems, Inc. Collides Systems, Inc. vs FACTURA.exe
Source: FACTURA.exe	Binary or memory string: OriginalFilenameCounterfoil7.exe vs FACTURA.exe

Source: FACTURA.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\FACTURA.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A78BE	0_2_021A78BE
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021ABD75	0_2_021ABD75
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021ABE16	0_2_021ABE16
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AAE3D	0_2_021AAE3D
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AA22C	0_2_021AA22C
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021ABE7E	0_2_021ABE7E
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A7E6A	0_2_021A7E6A
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A626C	0_2_021A626C
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AB68E	0_2_021AB68E
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A76B0	0_2_021A76B0
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A5EAA	0_2_021A5EAA
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A5B0A	0_2_021A5B0A
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021ABF0E	0_2_021ABF0E
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AA302	0_2_021AA302
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AAF36	0_2_021AAF36
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A6349	0_2_021A6349
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021ABF6C	0_2_021ABF6C
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A8362	0_2_021A8362
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A7F90	0_2_021A7F90
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021ABFB9	0_2_021ABFB9
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A5FB4	0_2_021A5FB4
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A53A7	0_2_021A53A7
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A57C6	0_2_021A57C6
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AB3C6	0_2_021AB3C6
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AA7FA	0_2_021AA7FA
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A540E	0_2_021A540E
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A5C38	0_2_021A5C38
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A642E	0_2_021A642E
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AA456	0_2_021AA456
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AB056	0_2_021AB056
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A809A	0_2_021A809A
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A7093	0_2_021A7093
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A54AC	0_2_021A54AC
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AC0A4	0_2_021AC0A4
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A50D1	0_2_021A50D1
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AB0D4	0_2_021AB0D4
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A78C2	0_2_021A78C2
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AACC4	0_2_021AACC4
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A58FC	0_2_021A58FC
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A60E2	0_2_021A60E2
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A650A	0_2_021A650A
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AC151	0_2_021AC151
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AB148	0_2_021AB148
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A7973	0_2_021A7973
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AAD64	0_2_021AAD64
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A1991	0_2_021A1991
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021ABDAA	0_2_021ABDAA
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A7DA7	0_2_021A7DA7
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AA1A5	0_2_021AA1A5
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AC1D6	0_2_021AC1D6
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A51EB	0_2_021A51EB
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A59E6	0_2_021A59E6

Source: C:\Users\user\Desktop\FACTURA.exe

File created: C:\Users\user\AppData\Local\Temp\~DFF9C88DFC12285A65.TMP

Jump to behavior

Source: FACTURA.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\FACTURA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\FACTURA.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: classification engine

Classification label: mal68.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A0B20 push ds; iretd	0_2_021A0B5F
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A3CBF push es; retf	0_2_021A3D20
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A4191 push es; iretd	0_2_021A42B3
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A2DC7 push esi; iretd	0_2_021A2DC8

Source: C:\Users\user\Desktop\FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\FACTURA.exe

RDTSC instruction interceptor: First address: 000000000040F386 second address: 000000000040F386 instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 mfence 0x00000006 popad 0x00000007 pushfd 0x00000008 popfd 0x00000009 cmp eax, 000000F9h 0x0000000e dec edi 0x0000000f wait 0x00000010 cmp eax, 67h 0x00000013 cmp edi, 00000000h 0x00000016 jne 00007F49089A7E50h 0x00000018 pushfd 0x00000019 popfd 0x0000001a wait 0x0000001b pushad 0x0000001c mfence 0x0000001f mfence 0x00000022 rdtsc

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\FACTURA.exe

Code function: 0_2_021A7514 rdtsc

0_2_021A7514

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\FACTURA.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A9A96 mov eax, dword ptr fs:[00000030h]	0_2_021A9A96
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A9A94 mov eax, dword ptr fs:[00000030h]	0_2_021A9A94
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A6FB7 mov eax, dword ptr fs:[00000030h]	0_2_021A6FB7
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021A9FE0 mov eax, dword ptr fs:[00000030h]	0_2_021A9FE0
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AACC4 mov eax, dword ptr fs:[00000030h]	0_2_021AACC4

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\FACTURA.exe

Code function: 0_2_021A7514 rdtsc

0_2_021A7514

Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021ABD75 RtlAddVectoredExceptionHandler,	0_2_021ABD75
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021ABE16 RtlAddVectoredExceptionHandler,	0_2_021ABE16
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021ABE7E RtlAddVectoredExceptionHandler,	0_2_021ABE7E
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021ABF0E RtlAddVectoredExceptionHandler,	0_2_021ABF0E
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AC30D RtlAddVectoredExceptionHandler,	0_2_021AC30D
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021ABF6C RtlAddVectoredExceptionHandler,	0_2_021ABF6C
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021ABFB9 RtlAddVectoredExceptionHandler,	0_2_021ABFB9
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AC0A4 RtlAddVectoredExceptionHandler,	0_2_021AC0A4
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AC151 RtlAddVectoredExceptionHandler,	0_2_021AC151
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021ABDAA RtlAddVectoredExceptionHandler,	0_2_021ABDAA
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021AC1D6 RtlAddVectoredExceptionHandler,	0_2_021AC1D6

Source: FACTURA.exe, 00000000.00000002.809398242.0000000000C60000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: FACTURA.exe, 00000000.00000002.809398242.0000000000C60000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: FACTURA.exe, 00000000.00000002.809398242.0000000000C60000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: FACTURA.exe, 00000000.00000002.809398242.0000000000C60000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery21	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery11	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	499407
Start date:	08.10.2021
Start time:	10:52:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	FACTURA.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.4% (good quality ratio 0%) Quality average: 0% Quality standard deviation: 0%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 184.28.85.136, 20.82.210.154, 93.184.221.240, 20.199.120.151, 20.199.120.182, 20.82.209.183, 20.199.120.85, 2.20.178.24, 2.20.178.33, 52.251.79.25, 20.54.110.249, 40.112.88.60, 20.50.102.62 Excluded domains from analysis (whitelisted): consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information VT rate limit hit for: /opt/package/joesandbox/database/analysis/499407/sample/FACTURA.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.2442298972838195
TrID:	Win32 Executable (generic) a (10002005/4) 99.01% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Visual Basic Script (13500/0) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	FACTURA.exe
File size:	143360
MD5:	740463ed3266f7aee8331978f50c731c
SHA1:	a9310948476693d72be937f23e1b53b3607bf92f
SHA256:	fa9e12a03b909482d5bacd2d7ab1a8d672528bfcf43402c04b6d3a30702b0c4d
SHA512:	15bd20faadbcc09b236e8408cf0b5f0903ad39cb1183b99e9a767e0a58ddc65624f27fa0fc983900af669bbe43a7766e7e6493d4e002833b3d3e5026b63079af
SSDEEP:	3072:tPM2YNAkMB0fkeX4QKDmBnmY4tmT9tzh/jrVB:tPM2YNAkMBykeX4wrLrVB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L....+.N..........................................@........

File Icon


Icon Hash:	00e4d2c2dac20042

Static PE Info

General
Entrypoint:	0x4018dc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4E922BCC [Sun Oct 9 23:18:36 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d0ac0bdf3a5152bcac064d77eed21690

Entrypoint Preview

Instruction
push 004106A8h
call 00007F4908DD8DD3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dh, bh
lodsb
fdiv qword ptr [ecx+68h]
and byte ptr [esi+46h], bh
xchg eax, ebp
add al, EFh
mov bh, A9h
sbb al, E3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax+00000000h], al
jo 00007F4908DD8E55h
jne 00007F4908DD8E47h
outsd
jnc 00007F4908DD8E56h
jne 00007F4908DD8E46h
imul ebp, dword ptr [edi+75h], 00796C73h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
cmp bl, cl
cmc
push eax
and ebx, dword ptr [ebx+4Eh]
add dword ptr [ebp+eax*4-7Dh], eax
and dword ptr [ebx], edi
add al, CFh
mov dh, byte ptr [ebp-6650AD4Bh]
xchg eax, esp
test al, 67h
inc edi
call far 8565h : 7219F9CBh
mov ebp, 33AD4F3Ah
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ebx, ebp
add byte ptr [eax], al
call far 0005h : 00000001h
push 736B6E61h
add byte ptr [41000E01h], cl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18e84	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1b000	0x75f9	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1c0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x184f0	0x19000	False	0.479140625	data	6.34090617011	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1a000	0xd20	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1b000	0x75f9	0x8000	False	0.238891601562	data	5.20756276635	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
CUSTOM	0x1b628	0x6fd1	ASCII text, with CRLF line terminators	English	United States
RT_ICON	0x1b500	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1b4ec	0x14	data
RT_VERSION	0x1b140	0x3ac	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, _adj_fprem1, __vbaRecAnsiToUni, __vbaSetSystemError, __vbaRecDestruct, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaBoolStr, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, DllFunctionCall, _adj_fpatan, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaInStr, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, __vbaRecDestructAnsi, _CIatan, __vbaStrMove, __vbaUI1Str, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Collides Systems, Inc.
InternalName	Counterfoil7
FileVersion	4.00
CompanyName	Collides Systems, Inc.
LegalTrademarks	Collides Systems, Inc.
Comments	Collides Systems, Inc.
ProductName	Collides Systems, Inc.
ProductVersion	4.00
FileDescription	Collides Systems, Inc.
OriginalFilename	Counterfoil7.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: FACTURA.exe PID: 4840 Parent PID: 4928

General

Start time:	10:53:12
Start date:	08/10/2021
Path:	C:\Users\user\Desktop\FACTURA.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\FACTURA.exe'
Imagebase:	0x400000
File size:	143360 bytes
MD5 hash:	740463ED3266F7AEE8331978F50C731C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: FACTURA.exe PID: 4840 Parent PID: 4928 FACTURA.exeCOMMON

Executed Functions

Function 021ABD75, Relevance: 16.7, APIs: 1, Strings: 8, Instructions: 902COMMON

Download Yara Rule

Strings

W>, xrefs: 021A5BFC
8sU, xrefs: 021A67F6
xb&, xrefs: 021A62AA
3U, xrefs: 021A6838
_, xrefs: 021A5E5E
I1>, xrefs: 021AC1A8
\, xrefs: 021A65BE
)#B, xrefs: 021A5CAD

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )#B$8sU$xb&$_$3U$I1>$W>$\
API String ID: 0-959752970
Opcode ID: be2c283909480e4262350221e87d19306597d012db6ca9ee1b676bdc0dcd1755
Instruction ID: d2db493a0a27b2f9d6e6dc1c872fcddcd246c8b20f13cdeaf2decb18a0747553
Opcode Fuzzy Hash: be2c283909480e4262350221e87d19306597d012db6ca9ee1b676bdc0dcd1755
Instruction Fuzzy Hash: 8482EB75644389DFDB789F34CD647EABBB2BF95300F55812ADC8A9B254C3309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021A78BE, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 246memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 021A7B10

Strings

Nogv, xrefs: 021A7C57
Nogv, xrefs: 021A7C52

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: Nogv$Nogv
API String ID: 2167126740-4112769317
Opcode ID: 92b27d832d05fcbee53caa753b85b3cbaccc2253f5149f5e18db042a8b40326d
Instruction ID: bcb30a56a8d50e27198754c559c90591c08f8648295ea4cc85ff8fa74a6970b2
Opcode Fuzzy Hash: 92b27d832d05fcbee53caa753b85b3cbaccc2253f5149f5e18db042a8b40326d
Instruction Fuzzy Hash: 7E9101B5648389DFDB349F28DCA47ED77A2AF49314F95402EED8D9B201D7318A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021ABDAA, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 210COMMON

Download Yara Rule

Strings

I1>, xrefs: 021AC1A8

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: I1>
API String ID: 0-1395174688
Opcode ID: 6869baca99a8bc38a0d68e0db0044201581be7893bdd8d7212a4ae90c0fdbc7f
Instruction ID: 7f5c399e99d884f324a2094637d923e5175a92774095a11e030e24bc6b33e149
Opcode Fuzzy Hash: 6869baca99a8bc38a0d68e0db0044201581be7893bdd8d7212a4ae90c0fdbc7f
Instruction Fuzzy Hash: E87158395842898FDB79CE34DC613EA7BA36F91320F65412FCC0A9F251D73186818B86

Uniqueness

Uniqueness Score: -1.00%

Function 021ABE16, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

I1>, xrefs: 021AC1A8

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: I1>
API String ID: 0-1395174688
Opcode ID: cf8afecb5a1e1f30006054d69a9763a2c39cc221616c2b80ad28a57eab8d41b9
Instruction ID: 0ed2052d068f47a8659976f715190f3de41090afd16b636409d1679e1856d7b0
Opcode Fuzzy Hash: cf8afecb5a1e1f30006054d69a9763a2c39cc221616c2b80ad28a57eab8d41b9
Instruction Fuzzy Hash: 0F715639584289CFDB39CE74DC613EA7BA3AF91320F65412BCC069F651D7318681CB86

Uniqueness

Uniqueness Score: -1.00%

Function 021ABE7E, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

I1>, xrefs: 021AC1A8

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: I1>
API String ID: 0-1395174688
Opcode ID: e6a316add10f043d41311562001216aaed76899032fdab1729c703475c5f82c9
Instruction ID: 0aeb3205403fb53c95d0df63d065c5643d2f633838dbcfc71ddfd55cba0ffb58
Opcode Fuzzy Hash: e6a316add10f043d41311562001216aaed76899032fdab1729c703475c5f82c9
Instruction Fuzzy Hash: C1716939584289CFDB39CE74DC613EA7BA36F91320F65412BCC069F651D7318682CB86

Uniqueness

Uniqueness Score: -1.00%

Function 021ABFB9, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

I1>, xrefs: 021AC1A8

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: I1>
API String ID: 0-1395174688
Opcode ID: 2b2fa956321bf2485e00d8b4768da2bec4e127eb7855486765eed494eee2928f
Instruction ID: 234943965af264db94b52c9e14cef04eb9a32254799855647653a600e89ddfd5
Opcode Fuzzy Hash: 2b2fa956321bf2485e00d8b4768da2bec4e127eb7855486765eed494eee2928f
Instruction Fuzzy Hash: 656176395842858FDB3ACE74DC603EA7BA36F91320F65412FCC169F652C7358582CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 021ABF0E, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

I1>, xrefs: 021AC1A8

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: I1>
API String ID: 0-1395174688
Opcode ID: 228d6ad476949eee9fd0fbbc10f8bf20dd4e8387c589ad4b9bd691d59ddcf4e1
Instruction ID: 10e89def683a31e69565668186ba28db0580f8b6eacd7c5ec741febbf5129f55
Opcode Fuzzy Hash: 228d6ad476949eee9fd0fbbc10f8bf20dd4e8387c589ad4b9bd691d59ddcf4e1
Instruction Fuzzy Hash: 026156395802498FDB3ACE74DC613EA7BA3AF91320F65412BDC169F251D7318682CB96

Uniqueness

Uniqueness Score: -1.00%

Function 021ABF6C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

I1>, xrefs: 021AC1A8

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: I1>
API String ID: 0-1395174688
Opcode ID: c3c1e6c3eff65f057e555e3b91800b078c3503fa79d28b7fa96f898b5b9dcbfb
Instruction ID: 2e112b31d472491925a896aeb40fa78f8edda9e4ed5a8a4e1d5bda39f1b651f9
Opcode Fuzzy Hash: c3c1e6c3eff65f057e555e3b91800b078c3503fa79d28b7fa96f898b5b9dcbfb
Instruction Fuzzy Hash: 096146796802498FDB39CE34DC617EA7BA3AF91320F65412BCC168F355D7318682CB96

Uniqueness

Uniqueness Score: -1.00%

Function 021AC0A4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

I1>, xrefs: 021AC1A8

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: I1>
API String ID: 0-1395174688
Opcode ID: 6f810cde9b46f26ea52839f12648928d09a034d6e01498d8009941f6d603eff9
Instruction ID: 2b7afd72f3c40348133673a6fd5f0ed72e3992c4131d5716510ea2b707998a14
Opcode Fuzzy Hash: 6f810cde9b46f26ea52839f12648928d09a034d6e01498d8009941f6d603eff9
Instruction Fuzzy Hash: DC516639580249CFDB35CE79DC607EA3BA3AF91320F65412BCC169F251C7318582CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 021AC151, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 021AC383

Strings

I1>, xrefs: 021AC1A8

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID: I1>
API String ID: 3310709589-1395174688
Opcode ID: 52e594e2e57354e0d036e3685c85b8fde556bd74873137e98b22ff6bbbd37eea
Instruction ID: 8576c7f72d2a7efeed16d1ba09353d258896ee973acddc023ac9904ca6c23909
Opcode Fuzzy Hash: 52e594e2e57354e0d036e3685c85b8fde556bd74873137e98b22ff6bbbd37eea
Instruction Fuzzy Hash: F341D339644289CFDB39DE29D8A4BEB7B73AF94310F56412BC80A8F251D73185418B8A

Uniqueness

Uniqueness Score: -1.00%

Function 021A78C2, Relevance: 1.7, APIs: 1, Instructions: 176memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 021A7B10

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 08ed6dc278394aec0d4fb684ac12bf2a53e91ab237b296ab652e0d057de1743c
Instruction ID: 49b2c60407d6e6b6f0eb226ae259d7b1ba36332e34a5d6f1c7b4d232727f3ab6
Opcode Fuzzy Hash: 08ed6dc278394aec0d4fb684ac12bf2a53e91ab237b296ab652e0d057de1743c
Instruction Fuzzy Hash: 615178B55443498FDB218F74EC913EDBBA6AF09320F65002FEC999F612D3358685CB82

Uniqueness

Uniqueness Score: -1.00%

Function 021A7973, Relevance: 1.6, APIs: 1, Instructions: 145memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 021A7B10

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: ef9de6683d5cf213ae83f047c6b3062836aeb62023a3df8aab57a73a37492979
Instruction ID: 1dec65376d31211e5fe61f940dc57cf853e2f6363d43a58b05354bdb41d53142
Opcode Fuzzy Hash: ef9de6683d5cf213ae83f047c6b3062836aeb62023a3df8aab57a73a37492979
Instruction Fuzzy Hash: B04124B55443498FDB308F74EC913EDBBA6AF09360F65012FEC599B612C3359685CB82

Uniqueness

Uniqueness Score: -1.00%

Function 021AC1D6, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 021AC383

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: fe803fd26486cbe037556c1c946f2ce0d8b08610ec7fa02e06e47aa1aa3a6958
Instruction ID: ff56a0c96993756ce40795b6ee82e581f7a541472e3b6bcc46cb065b35c7bb0e
Opcode Fuzzy Hash: fe803fd26486cbe037556c1c946f2ce0d8b08610ec7fa02e06e47aa1aa3a6958
Instruction Fuzzy Hash: 5A31F6385802499FDB3ACE65D8A47EA7BA2AF40320F64402FDC065F642D735C6C1CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 021A7A9E, Relevance: 1.6, APIs: 1, Instructions: 91memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 021A7B10

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: acb4e937a4c38d171473f447ee105927ac065a915665c699cffaaffd8e5712b7
Instruction ID: 183bd2a0c62d940278fdfe186fd453521fb08110c5949803a032d80a5e9d8c28
Opcode Fuzzy Hash: acb4e937a4c38d171473f447ee105927ac065a915665c699cffaaffd8e5712b7
Instruction Fuzzy Hash: F721487908424ACFDB318F60E8916EDBBA6AB04320F64006BFC559E612D33597C2CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 021AC30D, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 021AC383

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: cadcbc569cb4f9edc507d44f51edf5fd5316d0fe370f3e8db8b39aef3bc96ec2
Instruction ID: 55ffb6b8bc372853d378754b06ef3a8406432b3f8e1716d413321db680c363d0
Opcode Fuzzy Hash: cadcbc569cb4f9edc507d44f51edf5fd5316d0fe370f3e8db8b39aef3bc96ec2
Instruction Fuzzy Hash: FF1186394C029A8ED717C9F0A8552E97FA71F41230F38006BEC516DD13C565D2C2C3D5

Uniqueness

Uniqueness Score: -1.00%

Function 004141B0, Relevance: 420.0, APIs: 221, Strings: 18, Instructions: 1754COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401646), ref: 004141CE
__vbaOnError.MSVBVM60(00000000,?,?,?,?,00401646), ref: 00414215
__vbaNew2.MSVBVM60(004112D0,0041A5E4,?,?,?,?,00401646), ref: 00414235
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112C0,00000014), ref: 0041429E
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112E0,000000E8), ref: 00414307
__vbaStrMove.MSVBVM60 ref: 0041433E
__vbaFreeObj.MSVBVM60 ref: 0041434A
__vbaStrCopy.MSVBVM60 ref: 00414362
#524.MSVBVM60(?,00004008), ref: 00414393
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 004143BB
__vbaFreeVar.MSVBVM60 ref: 004143CE
#613.MSVBVM60(?,00000002), ref: 0041440C
__vbaStrVarMove.MSVBVM60(?), ref: 00414419
__vbaStrMove.MSVBVM60 ref: 00414427
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0041443D
#612.MSVBVM60(?,?,?,00401646), ref: 00414454
__vbaStrVarMove.MSVBVM60(?,?,?,00401646), ref: 00414461
__vbaStrMove.MSVBVM60(?,?,00401646), ref: 0041446F
__vbaFreeVar.MSVBVM60(?,?,00401646), ref: 0041447B
__vbaNew2.MSVBVM60(004112D0,0041A5E4,?,?,00401646), ref: 004144A2
__vbaChkstk.MSVBVM60(00004182,?), ref: 004144F1
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112C0,00000034), ref: 00414553
__vbaObjSet.MSVBVM60(?,?), ref: 0041458C
#670.MSVBVM60(?), ref: 004145A0
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004145C8
__vbaFreeVar.MSVBVM60 ref: 004145DB
#536.MSVBVM60(00000002), ref: 00414612
__vbaStrMove.MSVBVM60 ref: 00414620
__vbaFreeVar.MSVBVM60 ref: 0041462C
__vbaNew2.MSVBVM60(004112D0,0041A5E4), ref: 0041464C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112C0,00000014), ref: 004146B5
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112E0,00000110), ref: 0041471E
__vbaStrMove.MSVBVM60 ref: 00414755
__vbaFreeObj.MSVBVM60 ref: 00414761
__vbaNew2.MSVBVM60(004112D0,0041A5E4), ref: 00414788
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112C0,0000001C), ref: 004147F1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410FDC,00000064), ref: 00414856
__vbaFreeObj.MSVBVM60 ref: 0041487F
#651.MSVBVM60(00000002), ref: 004148A7
__vbaStrMove.MSVBVM60 ref: 004148B5
__vbaStrCmp.MSVBVM60(Out of string space,00000000), ref: 004148C1
__vbaFreeStr.MSVBVM60 ref: 004148DC
__vbaFreeVar.MSVBVM60 ref: 004148E8
#706.MSVBVM60(00000001,00000000,00000000), ref: 0041490A
__vbaStrMove.MSVBVM60 ref: 00414918
__vbaNew2.MSVBVM60(004112D0,0041A5E4), ref: 00414938
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112C0,00000014), ref: 004149A1
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112E0,000000B8), ref: 00414A0A
__vbaFreeObj.MSVBVM60 ref: 00414A33
__vbaVarDup.MSVBVM60 ref: 00414A67
#600.MSVBVM60(00000002,00000002), ref: 00414A76
__vbaFreeVar.MSVBVM60 ref: 00414A88
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410C14,00000114), ref: 00414ACC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410C14,00000110), ref: 00414B27
__vbaOnError.MSVBVM60(00000000), ref: 00414B5C
#611.MSVBVM60 ref: 00414B69
__vbaStrMove.MSVBVM60 ref: 00414B77
__vbaChkstk.MSVBVM60 ref: 00414BB1
__vbaChkstk.MSVBVM60 ref: 00414BE0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410C14,000002B0), ref: 00414C3F
#541.MSVBVM60(00000002,18:18:18), ref: 00414C6A
__vbaStrVarMove.MSVBVM60(00000002), ref: 00414C77
__vbaStrMove.MSVBVM60 ref: 00414C82
__vbaFreeVar.MSVBVM60 ref: 00414C8E
#613.MSVBVM60(?,00000002), ref: 00414CBD
__vbaStrVarMove.MSVBVM60(?), ref: 00414CCA
__vbaStrMove.MSVBVM60 ref: 00414CD5
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00414CEB
#677.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,40100000,0000000A,0000000A), ref: 00414D46
__vbaFpR8.MSVBVM60 ref: 00414D4C
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A), ref: 00414D94
__vbaOnError.MSVBVM60(00000000,?,?,?,?,?,00401646), ref: 00414DB5
__vbaNew2.MSVBVM60(004112D0,0041A5E4,?,?,?,?,?,00401646), ref: 00414DD5
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112C0,00000014), ref: 00414E3E
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112E0,00000060), ref: 00414EA1
__vbaStrMove.MSVBVM60 ref: 00414ED8
__vbaFreeObj.MSVBVM60 ref: 00414EE4
#568.MSVBVM60(00000038), ref: 00414EFA
__vbaBoolStr.MSVBVM60(True,?,?,?,?,?,00401646), ref: 00414F12
#594.MSVBVM60(0000000A), ref: 00414F44
__vbaFreeVar.MSVBVM60 ref: 00414F50
__vbaNew2.MSVBVM60(004112D0,0041A5E4), ref: 00414F70
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112C0,00000014), ref: 00414FD9
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112E0,00000108), ref: 00415042
__vbaFreeObj.MSVBVM60 ref: 0041506B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410C14,00000084), ref: 004150D3
#651.MSVBVM60(00000002), ref: 0041510D
__vbaStrMove.MSVBVM60 ref: 0041511B
__vbaStrCmp.MSVBVM60(Out of string space,00000000), ref: 00415127
__vbaFreeStr.MSVBVM60 ref: 00415142
__vbaFreeVar.MSVBVM60 ref: 0041514E
#705.MSVBVM60(00000002,00000000), ref: 00415183
__vbaStrMove.MSVBVM60 ref: 0041518E
__vbaFreeVar.MSVBVM60 ref: 0041519A
__vbaOnError.MSVBVM60(00000000), ref: 004151A9
#568.MSVBVM60(000000CD), ref: 004151C2
__vbaI4Str.MSVBVM60(0041141C), ref: 004151D7
__vbaOnError.MSVBVM60(00000000), ref: 004151EF
#703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041521F
__vbaStrMove.MSVBVM60 ref: 0041522D
__vbaFreeVar.MSVBVM60 ref: 00415239
__vbaNew2.MSVBVM60(004112D0,0041A5E4), ref: 00415260
__vbaChkstk.MSVBVM60(00000002), ref: 004152BE
__vbaChkstk.MSVBVM60(00000002), ref: 004152ED
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112C0,00000038), ref: 0041534F
__vbaVar2Vec.MSVBVM60(?,00000002), ref: 00415375
__vbaAryMove.MSVBVM60(?,?), ref: 00415386
__vbaFreeVar.MSVBVM60 ref: 00415392
__vbaVarDup.MSVBVM60 ref: 004153BF
#518.MSVBVM60(?,00000002), ref: 004153D3
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 004153FB
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00415418
#541.MSVBVM60(?,23:23:23,?,?,?,?,?,?,?,?,00401646), ref: 00415443
__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00401646), ref: 00415450
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 0041545E
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 0041546A
#680.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,40490000,0000000A,0000000A,0000000A), ref: 004154DD
__vbaFreeVarList.MSVBVM60(00000003,0000000A,0000000A,0000000A), ref: 004154FD
__vbaEnd.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401646), ref: 0041550D
__vbaUI1Str.MSVBVM60(0041141C,?,?,?,?,?,?,?,?,00401646), ref: 0041551F
#706.MSVBVM60(00000001,00000000,00000000,?,?,?,?,?,?,?,?,00401646), ref: 0041553D
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 00415548
#598.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 00415555
__vbaRecDestructAnsi.MSVBVM60(00410FF0,?,00416308), ref: 004161F0
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 004161F9
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 00416202
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 0041620B
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 00416214
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 0041621D
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 00416226
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 0041622F
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 00416238
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 00416241
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 0041624A
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00416256
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 0041625F
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 0041626B
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 00416277
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 00416283
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 0041628F
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 0041629B
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 004162A7
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 004162B3
__vbaRecDestruct.MSVBVM60(00410FF0,?), ref: 004162C5
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 004162D1
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 004162DD
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 004162E9
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 004162F5
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401646), ref: 00416301

Strings

ADVERTENTLY, xrefs: 00415F21
FLOKKEDES, xrefs: 00415C4D
KKeY6SrIXfLLXZvNr9t72, xrefs: 00415FA9
Fangstkvoters, xrefs: 004156F6
CHRISTIANES, xrefs: 004160D0
23:23:23, xrefs: 00415437
Cleanish, xrefs: 00416076
Forsumpendes8, xrefs: 0041528A
sanglrere, xrefs: 00415655
Out of string space, xrefs: 004148BC, 00415122
True, xrefs: 00414F0D
z, xrefs: 0041529E
18:18:18, xrefs: 00414C5E
OVERPRISERNE, xrefs: 00415601
cheetal, xrefs: 00414A47
g, xrefs: 0041616A
nyctanthes, xrefs: 00416101
Undertided6, xrefs: 004145A6

Memory Dump Source

Source File: 00000000.00000002.809239359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.809234539.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.809263581.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.809269696.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresult$New2$Chkstk$ErrorList$Destruct$#541#568#613#651#706$#518#524#536#594#598#600#611#612#670#677#680#703#705AnsiBoolCopyVar2
String ID: 18:18:18$23:23:23$ADVERTENTLY$CHRISTIANES$Cleanish$FLOKKEDES$Fangstkvoters$Forsumpendes8$KKeY6SrIXfLLXZvNr9t72$OVERPRISERNE$Out of string space$True$Undertided6$cheetal$g$nyctanthes$sanglrere$z
API String ID: 1733619460-1650823408
Opcode ID: c9ccae6aa2ee98aead2849bb6bc8c17b39d82a45718a0b31577ac95d77012dd5
Instruction ID: c3aba7899219e54ef523a8d2df8b1b4062eed9e9dc123425ebcb0a5b37f28f7d
Opcode Fuzzy Hash: c9ccae6aa2ee98aead2849bb6bc8c17b39d82a45718a0b31577ac95d77012dd5
Instruction Fuzzy Hash: 8113E574901328DFDB64DF50CD88BDABBB5BB48304F1081DAE54AA72A0DB785AC5CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00413F30, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,00411368,00000011), ref: 00413F8E
#631.MSVBVM60(FGFG,00000002,?), ref: 00413FAD
__vbaStrMove.MSVBVM60 ref: 00413FB8
__vbaStrCmp.MSVBVM60(00410FD8,00000000), ref: 00413FC4
__vbaFreeStr.MSVBVM60 ref: 00413FD7
__vbaFreeVar.MSVBVM60 ref: 00413FE0
__vbaNew2.MSVBVM60(004112D0,0041A5E4), ref: 00414001
__vbaHresultCheckObj.MSVBVM60(00000000,022A004C,004112C0,00000014), ref: 0041402C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112E0,000000B8), ref: 0041405A
__vbaFreeObj.MSVBVM60 ref: 0041405F
__vbaNew2.MSVBVM60(004112D0,0041A5E4), ref: 00414077
__vbaHresultCheckObj.MSVBVM60(00000000,022A004C,004112C0,00000014), ref: 0041409C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112E0,000000F8), ref: 004140C2
__vbaStrMove.MSVBVM60 ref: 004140CD
__vbaFreeObj.MSVBVM60 ref: 004140D6
__vbaNew2.MSVBVM60(004112D0,0041A5E4), ref: 004140EE
__vbaHresultCheckObj.MSVBVM60(00000000,022A004C,004112C0,0000001C), ref: 00414113
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410FDC,00000064), ref: 00414135
__vbaFreeObj.MSVBVM60 ref: 0041413A
__vbaFreeStr.MSVBVM60(00414182), ref: 00414169
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041417B

Strings

FGFG, xrefs: 00413FA1

Memory Dump Source

Source File: 00000000.00000002.809239359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.809234539.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.809263581.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.809269696.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$Move$#631Construct2Destruct
String ID: FGFG
API String ID: 2737565602-2759163656
Opcode ID: 89ff2231def5c795e8cb3b41f5e1146eedb7785f95695ba218ccd26010599930
Instruction ID: 93a342deb502b583fe923ecc13ffeae4dcc97300e07a36fd9248de090a89d265
Opcode Fuzzy Hash: 89ff2231def5c795e8cb3b41f5e1146eedb7785f95695ba218ccd26010599930
Instruction Fuzzy Hash: 60617F70A40209EFCB10DFA0CD89EDDBBB9FB58745F20412AF206B71A1D7786985CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004018DC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6!*), ref: 004018E1

Strings

VB5!6!*, xrefs: 004018DC

Memory Dump Source

Source File: 00000000.00000002.809239359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.809234539.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.809263581.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.809269696.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6!*
API String ID: 1341478452-2574520878
Opcode ID: 1e6ff10e021fe285ab4e8ec57e2486150c5d4c5c3681e7253cdd24df6372ec01
Instruction ID: 16d9e8790b5084e6bca9c1b612d0d616898714010187e4209b9935ff0eef50b2
Opcode Fuzzy Hash: 1e6ff10e021fe285ab4e8ec57e2486150c5d4c5c3681e7253cdd24df6372ec01
Instruction Fuzzy Hash: F44185A294E7C18FC7038B7459652907FB06E53228B1E45EBC8D1DF0E3E26D484ACB66

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 021AACC4, Relevance: 11.3, Strings: 8, Instructions: 1341COMMON

Download Yara Rule

Strings

W>, xrefs: 021A5BFC
8sU, xrefs: 021A67F6
xb&, xrefs: 021A62AA
3U, xrefs: 021A6838
_, xrefs: 021A5E5E
~V|M, xrefs: 021AB494
\, xrefs: 021A65BE
)#B, xrefs: 021A5CAD

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )#B$8sU$xb&$~V|M$_$3U$W>$\
API String ID: 0-4083729259
Opcode ID: 793fd171ccb7407dc6ecde72a96540eec4a15ef047bd4a481ee575b0e261ea02
Instruction ID: 9a97cf346a8c4a21dc7aad5c43be311109d0da4b1658e959dc523ec9f73771c4
Opcode Fuzzy Hash: 793fd171ccb7407dc6ecde72a96540eec4a15ef047bd4a481ee575b0e261ea02
Instruction Fuzzy Hash: B0C223756483899FCB35CF38CCA87DABBA2BF55310F45816EDC9A8B295D3308641CB52

Uniqueness

Uniqueness Score: -1.00%

Function 021A7093, Relevance: 9.4, Strings: 7, Instructions: 677COMMON

Download Yara Rule

Strings

W>, xrefs: 021A5BFC
8sU, xrefs: 021A67F6
xb&, xrefs: 021A62AA
3U, xrefs: 021A6838
_, xrefs: 021A5E5E
\, xrefs: 021A65BE
)#B, xrefs: 021A5CAD

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )#B$8sU$xb&$_$3U$W>$\
API String ID: 0-1351121682
Opcode ID: 438884113659e22304abfc57e17a8b70aae0121fa06add852439790dda02d0ec
Instruction ID: 4ccaa3b283dc2222511c9ff40488e1fd699553a0de2bf9aeffc0b17047cb7151
Opcode Fuzzy Hash: 438884113659e22304abfc57e17a8b70aae0121fa06add852439790dda02d0ec
Instruction Fuzzy Hash: 0262B8B56483899FDB788F34CD557DABBB2FF58340F458129DC8A9B264C3345A828F42

Uniqueness

Uniqueness Score: -1.00%

Function 021A57C6, Relevance: 9.4, Strings: 7, Instructions: 645COMMON

Download Yara Rule

Strings

W>, xrefs: 021A5BFC
8sU, xrefs: 021A67F6
xb&, xrefs: 021A62AA
3U, xrefs: 021A6838
_, xrefs: 021A5E5E
\, xrefs: 021A65BE
)#B, xrefs: 021A5CAD

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )#B$8sU$xb&$_$3U$W>$\
API String ID: 0-1351121682
Opcode ID: ddd5ee882a2622f09c12c08ee4089a5fa7e7068455aa1229a8705e0141c6a447
Instruction ID: 359ab206d45d4641ac2124beb6e6d18dbd479ef3eafde3e4d0d0e7fa60b687b1
Opcode Fuzzy Hash: ddd5ee882a2622f09c12c08ee4089a5fa7e7068455aa1229a8705e0141c6a447
Instruction Fuzzy Hash: 7352B9B56483899FDB788F34CD597DABBB2BF55350F45412ADC899B220C3349A81CF82

Uniqueness

Uniqueness Score: -1.00%

Function 021A58FC, Relevance: 9.4, Strings: 7, Instructions: 607COMMON

Download Yara Rule

Strings

W>, xrefs: 021A5BFC
8sU, xrefs: 021A67F6
xb&, xrefs: 021A62AA
3U, xrefs: 021A6838
_, xrefs: 021A5E5E
\, xrefs: 021A65BE
)#B, xrefs: 021A5CAD

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )#B$8sU$xb&$_$3U$W>$\
API String ID: 0-1351121682
Opcode ID: 53464bc11cb078281601e906e8217e9d1f7531a785a1d54c3838bea93edaf1db
Instruction ID: 66e45e323a8d0f4166cf60fa6474722066b9db639f4d21c4c81bf5a628adbe89
Opcode Fuzzy Hash: 53464bc11cb078281601e906e8217e9d1f7531a785a1d54c3838bea93edaf1db
Instruction Fuzzy Hash: 8542C9B56443899FDB788F34DD997DABBB2FF55340F45812ADC899B220C3309A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 021A59E6, Relevance: 9.3, Strings: 7, Instructions: 576COMMON

Download Yara Rule

Strings

W>, xrefs: 021A5BFC
8sU, xrefs: 021A67F6
xb&, xrefs: 021A62AA
3U, xrefs: 021A6838
_, xrefs: 021A5E5E
\, xrefs: 021A65BE
)#B, xrefs: 021A5CAD

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )#B$8sU$xb&$_$3U$W>$\
API String ID: 0-1351121682
Opcode ID: 5b00a4bfd3ce27056fe0dd83d8dabe0c39a39e6d8db6b993ccfda90e730baf44
Instruction ID: b521dd2e325887dbcc7ad897dfcc498be1b5609e06b50d33e77b8fd0a0921180
Opcode Fuzzy Hash: 5b00a4bfd3ce27056fe0dd83d8dabe0c39a39e6d8db6b993ccfda90e730baf44
Instruction Fuzzy Hash: B642DAB56443899FDB388F34DC957DABBB6FF45340F55812ADC999B220C3309A81CB92

Uniqueness

Uniqueness Score: -1.00%

Function 021A5B0A, Relevance: 9.3, Strings: 7, Instructions: 529COMMON

Download Yara Rule

Strings

W>, xrefs: 021A5BFC
8sU, xrefs: 021A67F6
xb&, xrefs: 021A62AA
3U, xrefs: 021A6838
_, xrefs: 021A5E5E
\, xrefs: 021A65BE
)#B, xrefs: 021A5CAD

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )#B$8sU$xb&$_$3U$W>$\
API String ID: 0-1351121682
Opcode ID: e5c7065b8f56733d6bffa5e47b066f410620d125d1f38643b78d0d0643c78d72
Instruction ID: d3d040f516c351295f7d4ffa7faca036edaf6d65c800d0ddc3197ea58e02343c
Opcode Fuzzy Hash: e5c7065b8f56733d6bffa5e47b066f410620d125d1f38643b78d0d0643c78d72
Instruction Fuzzy Hash: 4432EBB52843899FDB388F34DD997DABBB2FF45350F55412ADC899B620C3349A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021A5C38, Relevance: 8.0, Strings: 6, Instructions: 470COMMON

Download Yara Rule

Strings

8sU, xrefs: 021A67F6
xb&, xrefs: 021A62AA
3U, xrefs: 021A6838
_, xrefs: 021A5E5E
\, xrefs: 021A65BE
)#B, xrefs: 021A5CAD

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )#B$8sU$xb&$_$3U$\
API String ID: 0-4165453372
Opcode ID: 4d77d0dc2ba6c68e9ae4c032f9bf8eb1090ddec1d9eab01160881a4afbe2dbc1
Instruction ID: 6fa45349dade9481c53c1a235e3f8727e5f1d4d8c89316dcf882919afde6e961
Opcode Fuzzy Hash: 4d77d0dc2ba6c68e9ae4c032f9bf8eb1090ddec1d9eab01160881a4afbe2dbc1
Instruction Fuzzy Hash: F822DAB52843899FDF788F34DD597DABBB6BF55340F45412ADC999B220C3309A81CB82

Uniqueness

Uniqueness Score: -1.00%

Function 021A5EAA, Relevance: 5.4, Strings: 4, Instructions: 373COMMON

Download Yara Rule

Strings

8sU, xrefs: 021A67F6
xb&, xrefs: 021A62AA
3U, xrefs: 021A6838
\, xrefs: 021A65BE

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 8sU$xb&$3U$\
API String ID: 0-2884902489
Opcode ID: 4b390337a3f3fff2baa780319cbe9fc2c7867fd7bcdc5b33a773e3b16a3a0e8a
Instruction ID: 5f5d939dddaa000163bacded7aadf8e210088181e101d6b352e9460c63b57ea8
Opcode Fuzzy Hash: 4b390337a3f3fff2baa780319cbe9fc2c7867fd7bcdc5b33a773e3b16a3a0e8a
Instruction Fuzzy Hash: 75F1CAB52882889FDF79CF34DC597DA7BB6BF54350F54402AEC999A221C3319A81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 021A5FB4, Relevance: 5.3, Strings: 4, Instructions: 337COMMON

Download Yara Rule

Strings

8sU, xrefs: 021A67F6
xb&, xrefs: 021A62AA
3U, xrefs: 021A6838
\, xrefs: 021A65BE

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 8sU$xb&$3U$\
API String ID: 0-2884902489
Opcode ID: 9a04404fab11e15edee84be09473cab82cdba674a4a3b5c32e682146dc40bbf7
Instruction ID: 564dfac2b64281a3da17591cdfce33fff2f7db82d34588e454492240d6ff6662
Opcode Fuzzy Hash: 9a04404fab11e15edee84be09473cab82cdba674a4a3b5c32e682146dc40bbf7
Instruction Fuzzy Hash: F1E1B8B52842889FDF79CE34DC597DA7BB6BF44310F14802AEC999A221C3319A81CB46

Uniqueness

Uniqueness Score: -1.00%

Function 021A60E2, Relevance: 5.3, Strings: 4, Instructions: 294COMMON

Download Yara Rule

Strings

8sU, xrefs: 021A67F6
xb&, xrefs: 021A62AA
3U, xrefs: 021A6838
\, xrefs: 021A65BE

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 8sU$xb&$3U$\
API String ID: 0-2884902489
Opcode ID: c398ce36e93bb08a91295f1f0215138df62560e6afbe01a8b60d04b1cbbe041e
Instruction ID: 4e93440d25b22fa6c9797941319d6e6e4b2bcc3c7320372fb5417f0df934bf7b
Opcode Fuzzy Hash: c398ce36e93bb08a91295f1f0215138df62560e6afbe01a8b60d04b1cbbe041e
Instruction Fuzzy Hash: FAD1DAB52842889FDF79CF34DC597DE7BB6BF44340F14802AEC999A225C3319682CB46

Uniqueness

Uniqueness Score: -1.00%

Function 021A626C, Relevance: 5.2, Strings: 4, Instructions: 208COMMON

Download Yara Rule

Strings

8sU, xrefs: 021A67F6
xb&, xrefs: 021A62AA
3U, xrefs: 021A6838
\, xrefs: 021A65BE

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 8sU$xb&$3U$\
API String ID: 0-2884902489
Opcode ID: 70d792ef8516dd15e72aded176700c49b9c8654714791422f5a8982e92117bca
Instruction ID: a841cb02317c764a3711e582fb3027c9f202f9be2ab048660b36d587b88cb14f
Opcode Fuzzy Hash: 70d792ef8516dd15e72aded176700c49b9c8654714791422f5a8982e92117bca
Instruction Fuzzy Hash: A8A187B56452889FDF78DF34CCA9BDE3BB6BF58340F448129DC998A224C33156818F46

Uniqueness

Uniqueness Score: -1.00%

Function 021A6349, Relevance: 3.9, Strings: 3, Instructions: 186COMMON

Download Yara Rule

Strings

8sU, xrefs: 021A67F6
3U, xrefs: 021A6838
\, xrefs: 021A65BE

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 8sU$3U$\
API String ID: 0-3385502062
Opcode ID: 71f930a5d31865764616457ba0080d7c42119bb9279d3e6c73a9d20786d595e6
Instruction ID: 68a64088787603d45ae9f0bc99913d89573594543a569f3e843fc566199f8549
Opcode Fuzzy Hash: 71f930a5d31865764616457ba0080d7c42119bb9279d3e6c73a9d20786d595e6
Instruction Fuzzy Hash: BF9186B02442889FDF79DF38DD99BDA3BA6BF59340F048129DC998A225C3319A85CF01

Uniqueness

Uniqueness Score: -1.00%

Function 021A642E, Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

8sU, xrefs: 021A67F6
3U, xrefs: 021A6838
\, xrefs: 021A65BE

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 8sU$3U$\
API String ID: 0-3385502062
Opcode ID: c2771831c80d29a4301189165b9a241fb91fc6d4f091f3afd3b62bbb8d736e93
Instruction ID: f4eb8c240bc221f0241a3009cf8bae1e1ba48202491ae9bb207b1ffaa8e18ff2
Opcode Fuzzy Hash: c2771831c80d29a4301189165b9a241fb91fc6d4f091f3afd3b62bbb8d736e93
Instruction Fuzzy Hash: CE71CAB02843889FCF75CF34DC997DA3BA6BF05354F54412AED999A222C3318A81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 021A650A, Relevance: 3.9, Strings: 3, Instructions: 162COMMON

Download Yara Rule

Strings

8sU, xrefs: 021A67F6
3U, xrefs: 021A6838
\, xrefs: 021A65BE

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 8sU$3U$\
API String ID: 0-3385502062
Opcode ID: b807e89310b984f52a8e47ea4d9389797ab3e729561284dbdf5098cf15b14cf1
Instruction ID: dd92788d661483d70f9a9ed76b6a18637cfde9e03a640b4fee06bf34b9e9865d
Opcode Fuzzy Hash: b807e89310b984f52a8e47ea4d9389797ab3e729561284dbdf5098cf15b14cf1
Instruction Fuzzy Hash: 2E51EF741843899FCF36CF74DC597DE3BA6AF05354F54412AEC599A622C3328681CF85

Uniqueness

Uniqueness Score: -1.00%

Function 021AA1A5, Relevance: 2.7, Strings: 2, Instructions: 233COMMON

Download Yara Rule

Strings

a, xrefs: 021AA3A8
-d(, xrefs: 021AA3F1

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -d($a
API String ID: 0-3090535537
Opcode ID: 7bdc4bc03233edd7c14198a1da3df4e2a46e8643e1131fa8a16528c566e7ef7a
Instruction ID: 8f15f844111c57f42d1f09889eef2d5c5fcd73580895a4243e380ba9ce22c52b
Opcode Fuzzy Hash: 7bdc4bc03233edd7c14198a1da3df4e2a46e8643e1131fa8a16528c566e7ef7a
Instruction Fuzzy Hash: 0D91227A9443969FDB749E28C8A47EE77B2AF58314F46402EDC8DAB704D7305A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 021AA22C, Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

a, xrefs: 021AA3A8
-d(, xrefs: 021AA3F1

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -d($a
API String ID: 0-3090535537
Opcode ID: db48bb25416d2f879a121a5716adecee2dc4570cef079b7a54a71cff26c9ef58
Instruction ID: 41a95573da6a9ab69c052443a68dce4c3fa77199c6002805ff153fa8f294c8b0
Opcode Fuzzy Hash: db48bb25416d2f879a121a5716adecee2dc4570cef079b7a54a71cff26c9ef58
Instruction Fuzzy Hash: 1D613B7A4443969BDB35CE7898653EA7BB2AF04320F49012FEC896B605C33456C1CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 021AA302, Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

a, xrefs: 021AA3A8
-d(, xrefs: 021AA3F1

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -d($a
API String ID: 0-3090535537
Opcode ID: 458eeec6d4c8dad8cba6fead784486ed6ef9345e13cd5b0478a632a11d7130fd
Instruction ID: 3d1012b6fdfba63b206417d6dc38e085d4b23531d6b0cb7a419d4009434f00e2
Opcode Fuzzy Hash: 458eeec6d4c8dad8cba6fead784486ed6ef9345e13cd5b0478a632a11d7130fd
Instruction Fuzzy Hash: 1E51297A8443969BCB35CE7888653EA7BB2AF04314F89012FEC897B605C33456C1CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 021AA456, Relevance: 2.7, Strings: 2, Instructions: 170COMMON

Download Yara Rule

Strings

a, xrefs: 021AA3A8
-d(, xrefs: 021AA3F1

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -d($a
API String ID: 0-3090535537
Opcode ID: c24ce1f71bcf04bf9eff0571d6a24cdd8a3102ee0e85de88d3f21f0d20f10b2a
Instruction ID: 285611cc35b95ea324a3fea049de4d570150e0e5ab5add65fd36c46bbc250e55
Opcode Fuzzy Hash: c24ce1f71bcf04bf9eff0571d6a24cdd8a3102ee0e85de88d3f21f0d20f10b2a
Instruction Fuzzy Hash: 2451287A8443969BCB35CE7888653EA7BB2AF44314F89012FEC896B605C33456C1CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 021A540E, Relevance: 2.6, Strings: 2, Instructions: 140COMMON

Download Yara Rule

Strings

+#M, xrefs: 021A5648
[#\, xrefs: 021A5614

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: +#M$[#\
API String ID: 0-1999591645
Opcode ID: 7fe84f5e52c76f9773faf60a2e0ec132792fad58f7e965683f79bee704549cf8
Instruction ID: 0fe5f65cf4373c921bd2fd3966083375ff7918c2f3ddea7b18fb541660eb26f3
Opcode Fuzzy Hash: 7fe84f5e52c76f9773faf60a2e0ec132792fad58f7e965683f79bee704549cf8
Instruction Fuzzy Hash: 6141077A8843499FCB30CE6698913E67BE3AF44214F68412FDC0E6E605C334A6828795

Uniqueness

Uniqueness Score: -1.00%

Function 021A53A7, Relevance: 2.6, Strings: 2, Instructions: 125COMMON

Download Yara Rule

Strings

+#M, xrefs: 021A5648
[#\, xrefs: 021A5614

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: +#M$[#\
API String ID: 0-1999591645
Opcode ID: d8b787f498c6f5be5f4fd46bf0fbb3338f5ccc3fb104887fceb518353941993c
Instruction ID: 3b6bf7a8612476491a077654c6bb733b01117912ffc0870b8855fdd6cf904ada
Opcode Fuzzy Hash: d8b787f498c6f5be5f4fd46bf0fbb3338f5ccc3fb104887fceb518353941993c
Instruction Fuzzy Hash: 3951F675998704EFCB74CE1AD8A07EB76F3AF88344F94452EC90E9B604D330AA42CB55

Uniqueness

Uniqueness Score: -1.00%

Function 021A54AC, Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

+#M, xrefs: 021A5648
[#\, xrefs: 021A5614

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: +#M$[#\
API String ID: 0-1999591645
Opcode ID: a6562d5f70494c4ec28213c2ef70edd7ddda0fc600c6ece289d67596753c3efa
Instruction ID: cbd4709fc3bd9d50db349e8c7525c5f8637dee80c8d136dc3baefe6a0f04ce3d
Opcode Fuzzy Hash: a6562d5f70494c4ec28213c2ef70edd7ddda0fc600c6ece289d67596753c3efa
Instruction Fuzzy Hash: D031F376994748EFCB74CE2688A07E677F3FF88204F58412EC90E9B614D730A942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 021AB3C6, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

~V|M, xrefs: 021AB494

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ~V|M
API String ID: 0-1232228710
Opcode ID: f48cc18812bb5bb792857f5a88e3126cf94f31e321d4b8f8c29c41d623a85533
Instruction ID: 67f21d0b95305c2ccfa6890b1f640880efe8b6fe2b7d15ab0f364ef1167d9703
Opcode Fuzzy Hash: f48cc18812bb5bb792857f5a88e3126cf94f31e321d4b8f8c29c41d623a85533
Instruction Fuzzy Hash: CE518A758482C58BCB358E7898A43EA7B935B62224F59412FDC576F246C7708282C796

Uniqueness

Uniqueness Score: -1.00%

Function 021A1991, Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

cLB, xrefs: 021A1B28

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: cLB
API String ID: 0-721842453
Opcode ID: eea1efd7402764b53691972de3727f947dbef1a7f6cb236dfc372c8891be8107
Instruction ID: 72d8506f71dcfd0b75a4d680091dada9ea4bfb426e864bfba1f0e5786a4b2ce6
Opcode Fuzzy Hash: eea1efd7402764b53691972de3727f947dbef1a7f6cb236dfc372c8891be8107
Instruction Fuzzy Hash: 8141EF3A85938ADFC329CFB4C8252DABBB5BF16320F09492DC9A95B515D3305507CB80

Uniqueness

Uniqueness Score: -1.00%

Function 021A76B0, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

jYtw, xrefs: 021A76D6

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: jYtw
API String ID: 0-2474673449
Opcode ID: da46b07a508fcc2338d470d273570b8e9e4b5a14199ad95676d22928a8e69e3f
Instruction ID: 9c7c0735f43f8df2523445fe7c3ca4e5b2aeb7dec750dcdad515ed780bd4ffb3
Opcode Fuzzy Hash: da46b07a508fcc2338d470d273570b8e9e4b5a14199ad95676d22928a8e69e3f
Instruction Fuzzy Hash: B8313676601348CFCBA89E35C895BDF7BE1AF88710F46441DDC8ADB246C3314A86CB46

Uniqueness

Uniqueness Score: -1.00%

Function 021AAD64, Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659ade5d58c8050121bc66679927aecac608f1b5fa8590293732b2f182f6bc11
Instruction ID: 36583eeac680ad74013531a4f11ef5e6a83bb7683421b55db0571cada58a76d5
Opcode Fuzzy Hash: 659ade5d58c8050121bc66679927aecac608f1b5fa8590293732b2f182f6bc11
Instruction Fuzzy Hash: FAC1F5215483C58EDB368F3888A97D6BFE26F12320F59C2AAC8994F6D7D3758245C316

Uniqueness

Uniqueness Score: -1.00%

Function 021A7DA7, Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c24e6dd8b4c8c9c712a68853329e4265f8abededb1890922d3cd090f6fdb63
Instruction ID: 4fd98be7bd5f570f7e842ca032e14e8f3b77161efe30f300dead353960b86a96
Opcode Fuzzy Hash: d7c24e6dd8b4c8c9c712a68853329e4265f8abededb1890922d3cd090f6fdb63
Instruction Fuzzy Hash: 1BD1AA7468438ADFDF34DF24CD64BEE37A2AF59340F45852ADC49AB254E7308A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 021AAE3D, Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a9440de076a413e753644c6a9bb2c75e4356706e67abbdfac3f5cc4de73b250
Instruction ID: 64ea09e18256f674a28bca359f8075a25001c2b346ce368a2db63b251002700f
Opcode Fuzzy Hash: 0a9440de076a413e753644c6a9bb2c75e4356706e67abbdfac3f5cc4de73b250
Instruction Fuzzy Hash: 1CB14A355883C58ECB368F3488A87D6BFD26F12220F5982AFCC998F597D3758245C356

Uniqueness

Uniqueness Score: -1.00%

Function 021A50D1, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3beb58882ad6c10947dc610e391a0a3b8a557be20e878d7abb3a904ed2a6ab1
Instruction ID: fb6c1394ab40cf0c45e0d7404b24c5deeecc9f3b1f3fb32638cf1e34f1a3476d
Opcode Fuzzy Hash: c3beb58882ad6c10947dc610e391a0a3b8a557be20e878d7abb3a904ed2a6ab1
Instruction Fuzzy Hash: 0A7179754883869FC722CFB88C946D6BFA2AF02330F58429ED8918E583D7648546CB92

Uniqueness

Uniqueness Score: -1.00%

Function 021AAF36, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0092b12c01ad6ec3214aedd96c6d344fa06217bd2290babd46c087b5ce3abcf
Instruction ID: 2209f75e68824df1b66547448934330371b6fea8136cd348ce50f640fdcd9c77
Opcode Fuzzy Hash: b0092b12c01ad6ec3214aedd96c6d344fa06217bd2290babd46c087b5ce3abcf
Instruction Fuzzy Hash: 4C8157755883C58BCF35CE349CA47EABBE26F21320F5881AFDC9A8E646D7348241C756

Uniqueness

Uniqueness Score: -1.00%

Function 021A7E6A, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850f54fec8cbbd24dfbc6fd5205737123d2d88496d185888b11435555e30b179
Instruction ID: b5666e652de3be4b0d15d82861c66a84b37cfdfe412a8b301cde0f02d7dd8bdd
Opcode Fuzzy Hash: 850f54fec8cbbd24dfbc6fd5205737123d2d88496d185888b11435555e30b179
Instruction Fuzzy Hash: DF81247568439ADFDF34CE74CD517EB3BA6AF45310F45802ADC49AB611E7308A82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 021A8362, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65601cecb3be72249d37bb09b6557062ac9eab19ee5c9f2888e399d65d4ed0b3
Instruction ID: 10dba2da0a8872b084a2803e2ebd31ead2af102adf231bb4bb3ffee398d1ae7f
Opcode Fuzzy Hash: 65601cecb3be72249d37bb09b6557062ac9eab19ee5c9f2888e399d65d4ed0b3
Instruction Fuzzy Hash: 9C91DF756443CADFDF749E24CD60BEF37A2AF59340F45812ADC4AAB260E7308A45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 021AB056, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 316748ec054c4457727fbaf55881b50972b78cee02175d5dd571de68ba223635
Instruction ID: 1b24c99cc4158fd92320c3561fe4f3ddaa38a05c958c2e7f34bf6ff9fe1f2e40
Opcode Fuzzy Hash: 316748ec054c4457727fbaf55881b50972b78cee02175d5dd571de68ba223635
Instruction Fuzzy Hash: 045179354883C58BCF36CE749C993EABFA26F51220F1981AFDC569E646C3348282C756

Uniqueness

Uniqueness Score: -1.00%

Function 021A7F90, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3885e29eeb12ab36583ceffecf3dd6e3424caee861e6427ffaad3b54c8fc296b
Instruction ID: 59daaed82fb786583289e5817072f89ee6b4a14e53e699979087b3c521153ab9
Opcode Fuzzy Hash: 3885e29eeb12ab36583ceffecf3dd6e3424caee861e6427ffaad3b54c8fc296b
Instruction Fuzzy Hash: C55104756843CADFEF34CE61CD517EB7BA6AF44310F55802ADC49AB611E7308A82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 021AA7FA, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da17075229c2291ffdda4d34d67ebaba28232e7d57b08428c1254e2e6cc02ca
Instruction ID: 58564039dd1c8d483788fbcd846a3190c9679a361a237bff6231a3103cad1326
Opcode Fuzzy Hash: 1da17075229c2291ffdda4d34d67ebaba28232e7d57b08428c1254e2e6cc02ca
Instruction Fuzzy Hash: F851EF756483899FDF34AE74CDA97EE37A1BF58320F95442AE94E9B205C7308A81CB01

Uniqueness

Uniqueness Score: -1.00%

Function 021AB148, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25ea8b662007a3ea7deb2076cedef7d04203b77dd5a874553a246be3178e6aba
Instruction ID: febc8e67b3fa21907b1ea885165319a8167e4319a4165567ce80093a72440adf
Opcode Fuzzy Hash: 25ea8b662007a3ea7deb2076cedef7d04203b77dd5a874553a246be3178e6aba
Instruction Fuzzy Hash: 00418B761883C58FDF35CE7098953EA7BE2AF54220F69806FDC4A9E606C3758382C756

Uniqueness

Uniqueness Score: -1.00%

Function 021AB68E, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e9857910d623494fbc2d64bc63ea57f4d5ada30da621fddddfdf68643f9c11
Instruction ID: 0c27dd7a64d068b0440d92edfbc519fb333bddfc3e35d129129d3830c77eb24c
Opcode Fuzzy Hash: c1e9857910d623494fbc2d64bc63ea57f4d5ada30da621fddddfdf68643f9c11
Instruction Fuzzy Hash: 3D41DE76C4C3C58BCB299E3898B13EA7F56AF21268F09415FD88B9B287E7614704C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 021AB0D4, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e177fd2f6a90ddb498064bf4a00aa573bb735afb28952f745500e208971a3d3b
Instruction ID: 268612e0fb20fda6f5ff8dfe2bdda37c1a8b22024ba0ea532dfe1fd50658bfbc
Opcode Fuzzy Hash: e177fd2f6a90ddb498064bf4a00aa573bb735afb28952f745500e208971a3d3b
Instruction Fuzzy Hash: 1B5107759483C48FDF75CF3898A87EABBA2AF65210F45816FCC8A8F249D3354641C726

Uniqueness

Uniqueness Score: -1.00%

Function 021A809A, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0ed8b61a8a2fdb1fcfed1c4e1a7e99d5d97b7a34dc7b47ba07a82f7ec4a547
Instruction ID: 22a24b2b06cfdb2b4a5f6a4ea2b72470ff59340b9c7f46182cfce0a0b5ef94db
Opcode Fuzzy Hash: 4b0ed8b61a8a2fdb1fcfed1c4e1a7e99d5d97b7a34dc7b47ba07a82f7ec4a547
Instruction Fuzzy Hash: AB4103752803CADFDB35CE60DD517EA7BA6AF00360F54413BED195EA12E7308682C795

Uniqueness

Uniqueness Score: -1.00%

Function 021A51EB, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e6bb2ad57a2c55bd91acf94936fd42312d3cb7d602437f34e381e6bba41695
Instruction ID: 7449b28db0c6ab1fdb78f840292f929e0de654a2e15f4edb8d56015283a461ae
Opcode Fuzzy Hash: 25e6bb2ad57a2c55bd91acf94936fd42312d3cb7d602437f34e381e6bba41695
Instruction Fuzzy Hash: BF3117356487819BCF39CE78CCD4BD57B92AF46324F48C2ADC9994A2CBE7759502CB01

Uniqueness

Uniqueness Score: -1.00%

Function 021A9FE0, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eedf91001135a6467ea7b123416491abd966f6f687a62f27386b184d0979bc55
Instruction ID: e7941a47bfc82c47b7fab4f8ccd8d1fa489e8835bb58b44f46d2866cd62991f6
Opcode Fuzzy Hash: eedf91001135a6467ea7b123416491abd966f6f687a62f27386b184d0979bc55
Instruction Fuzzy Hash: D121C339244748CFCB24CE28C9D4A8ABBB5BF58720F55885AD919CB352D770EA80CB10

Uniqueness

Uniqueness Score: -1.00%

Function 021A9A96, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbaf740bf12913b652e17553aba868090d9d3539c19c0d90ffef65c6ad920533
Instruction ID: 925d0de9933ad24347e934d327866ad21dcd5776eef1c98ad1461857f8be3108
Opcode Fuzzy Hash: bbaf740bf12913b652e17553aba868090d9d3539c19c0d90ffef65c6ad920533
Instruction Fuzzy Hash: F3F04F6A4C02AA9EC713C5F1B8462E1BF9A2B0117177C01ABFC617DE13D499D2C6C3DA

Uniqueness

Uniqueness Score: -1.00%

Function 021A6FB7, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7fd55a237db9f4da844de117962d105f1d3bbf84b04c9d1a6910f99b21dc83e
Instruction ID: 28f6077530f2dac2f54157063c1144bb39ea0b9b36a91de1bdd965a40e78cc47
Opcode Fuzzy Hash: b7fd55a237db9f4da844de117962d105f1d3bbf84b04c9d1a6910f99b21dc83e
Instruction Fuzzy Hash: C7C08CB3210081CFEB07CF08F761B90B360AF259A4B4301A0E822CF321C319ED01CB00

Uniqueness

Uniqueness Score: -1.00%

Function 021A9A94, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28b1c5f5c153a03686a4f72a152268cc56ef5194a41258164af628c8cf138ea
Instruction ID: 9ee967d9e364db13bc775690f37e543efa6d99cbd326c6a68dc26718a7656ca1
Opcode Fuzzy Hash: b28b1c5f5c153a03686a4f72a152268cc56ef5194a41258164af628c8cf138ea
Instruction Fuzzy Hash: 95B092393926408FCA66CE28C2E0F8073A4BF59A80F034480EC138BB91D364E800CA00

Uniqueness

Uniqueness Score: -1.00%

Function 021A7514, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction ID: f1647c15dfe5582e2114d8b48c9dc7a79c4e1b76aa7bcc19d5d00c5bce2ac4c7
Opcode Fuzzy Hash: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00413960, Relevance: 105.4, APIs: 54, Strings: 6, Instructions: 379COMMON

Download Yara Rule

APIs

__vbaInStr.MSVBVM60(00000000,004112AC,ABC,00000002), ref: 00413A01
__vbaNew2.MSVBVM60(004112D0,0041A5E4), ref: 00413A22
__vbaHresultCheckObj.MSVBVM60(00000000,022A004C,004112C0,00000014), ref: 00413A4D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112E0,000000E8), ref: 00413A7B
__vbaStrMove.MSVBVM60 ref: 00413A86
__vbaFreeObj.MSVBVM60 ref: 00413A8F
__vbaNew2.MSVBVM60(004112D0,0041A5E4), ref: 00413AA7
__vbaHresultCheckObj.MSVBVM60(00000000,022A004C,004112C0,00000014), ref: 00413ACC
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112E0,00000140), ref: 00413AF5
__vbaFreeObj.MSVBVM60 ref: 00413AFA
__vbaVarDup.MSVBVM60 ref: 00413B1D
#600.MSVBVM60(?,00000002), ref: 00413B29
__vbaFreeVar.MSVBVM60 ref: 00413B34
__vbaHresultCheckObj.MSVBVM60(00000000,004011D8,00410C14,000000B0), ref: 00413B67
#703.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00413B96
__vbaStrMove.MSVBVM60 ref: 00413BA1
__vbaFreeVar.MSVBVM60 ref: 00413BAA
#546.MSVBVM60(00000002), ref: 00413BB4
__vbaVarMove.MSVBVM60 ref: 00413BC0
#531.MSVBVM60(Skovrider), ref: 00413BCB
#598.MSVBVM60 ref: 00413BD1
__vbaVarDup.MSVBVM60 ref: 00413BF4
#663.MSVBVM60(?,00411324,?,00000001,00000001), ref: 00413C0B
__vbaVarTstNe.MSVBVM60(?,?), ref: 00413C31
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00413C4A
#703.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00413C72
__vbaStrMove.MSVBVM60 ref: 00413C7D
__vbaFreeVar.MSVBVM60 ref: 00413C86
#554.MSVBVM60 ref: 00413C92
__vbaVarDup.MSVBVM60 ref: 00413CF8
#596.MSVBVM60(00000002,?,?,?,?,?,?), ref: 00413D29
__vbaStrMove.MSVBVM60 ref: 00413D34
__vbaFreeVarList.MSVBVM60(00000007,00000002,?,?,?,?,?,?), ref: 00413D67
#554.MSVBVM60 ref: 00413D74
#614.MSVBVM60(00000000,40220000), ref: 00413D7D
__vbaFpR8.MSVBVM60 ref: 00413D83
#554.MSVBVM60 ref: 00413D96
#598.MSVBVM60 ref: 00413D98
__vbaFpI4.MSVBVM60 ref: 00413DA9
__vbaHresultCheckObj.MSVBVM60(00000000,004011D8,00410C14,000002C8), ref: 00413DDF
__vbaHresultCheckObj.MSVBVM60(00000000,004011D8,00410C14,000000B0), ref: 00413E0C
#703.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00413E3F
__vbaStrMove.MSVBVM60 ref: 00413E4A
__vbaFreeVar.MSVBVM60 ref: 00413E53
#546.MSVBVM60(00000002), ref: 00413E5D
__vbaVarMove.MSVBVM60 ref: 00413E69
#531.MSVBVM60(Nazard4), ref: 00413E74
__vbaFreeStr.MSVBVM60(00413F02), ref: 00413EDB
__vbaFreeVar.MSVBVM60 ref: 00413EE6
__vbaFreeStr.MSVBVM60 ref: 00413EEB
__vbaFreeStr.MSVBVM60 ref: 00413EF0
__vbaFreeStr.MSVBVM60 ref: 00413EF5
__vbaFreeStr.MSVBVM60 ref: 00413EFA
__vbaFreeVar.MSVBVM60 ref: 00413EFF

Strings

higgins, xrefs: 00413CE4
Skovrider, xrefs: 00413BC6
LEBRANCHO, xrefs: 00413B09
Nazard4, xrefs: 00413E6F
10/10/10, xrefs: 00413BE0
ABC, xrefs: 0041399C

Memory Dump Source

Source File: 00000000.00000002.809239359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.809234539.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.809263581.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.809269696.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#554#703$#531#546#598ListNew2$#596#600#614#663
String ID: 10/10/10$ABC$LEBRANCHO$Nazard4$Skovrider$higgins
API String ID: 1007972871-2729675800
Opcode ID: 5ce7ebca162a3209d3f4135d028bc467d2cf848221d398d674e5819f5d5904d5
Instruction ID: b90574d13b565cd7f864b919cefa5a4a2ff541a5980e822e6af11f455f8d61ba
Opcode Fuzzy Hash: 5ce7ebca162a3209d3f4135d028bc467d2cf848221d398d674e5819f5d5904d5
Instruction Fuzzy Hash: 26F13870900229AFDB14CFA4DD88BEDBBB9FF58301F10425AE14AB71A1DB741A85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00416330, Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 268COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,?,00410C14,00000114), ref: 0041639C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410C14,00000110), ref: 004163C1
#705.MSVBVM60(?,00000000), ref: 004163E4
__vbaStrMove.MSVBVM60 ref: 004163F5
__vbaFreeVar.MSVBVM60 ref: 00416400
__vbaNew2.MSVBVM60(004112D0,0041A5E4), ref: 00416415
__vbaHresultCheckObj.MSVBVM60(00000000,022A004C,004112C0,00000014), ref: 0041643A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112E0,000000F8), ref: 00416464
__vbaStrMove.MSVBVM60 ref: 00416477
__vbaFreeObj.MSVBVM60 ref: 0041647C
#716.MSVBVM60(00000002,Undisagreeable3,00000000), ref: 0041648D
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 004164B5
__vbaFreeVar.MSVBVM60 ref: 004164BE
#572.MSVBVM60(?), ref: 004164E0
__vbaStrMove.MSVBVM60 ref: 004164EB
__vbaStrCmp.MSVBVM60(004115B8,00000000), ref: 004164F3
__vbaFreeStr.MSVBVM60 ref: 00416506
__vbaFreeVar.MSVBVM60 ref: 0041650F
#611.MSVBVM60 ref: 0041651A
__vbaStrMove.MSVBVM60 ref: 00416525
__vbaNew2.MSVBVM60(004112D0,0041A5E4), ref: 0041653A
__vbaHresultCheckObj.MSVBVM60(00000000,022A004C,004112C0,00000014), ref: 00416565
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112E0,000000F0), ref: 00416593
__vbaStrMove.MSVBVM60 ref: 004165A2
__vbaFreeObj.MSVBVM60 ref: 004165A7
__vbaNew2.MSVBVM60(004112D0,0041A5E4), ref: 004165C0
__vbaHresultCheckObj.MSVBVM60(00000000,022A004C,004112C0,0000001C), ref: 004165E5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410FDC,0000005C), ref: 00416625
__vbaStrMove.MSVBVM60 ref: 00416638
__vbaFreeObj.MSVBVM60 ref: 00416641
__vbaFreeStr.MSVBVM60(00416693), ref: 00416673
__vbaFreeStr.MSVBVM60 ref: 00416678
__vbaFreeObj.MSVBVM60 ref: 0041667D
__vbaFreeStr.MSVBVM60 ref: 00416686
__vbaFreeStr.MSVBVM60 ref: 0041668B
__vbaFreeStr.MSVBVM60 ref: 00416690

Strings

K, xrefs: 004164D1
Undisagreeable3, xrefs: 00416487

Memory Dump Source

Source File: 00000000.00000002.809239359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.809234539.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.809263581.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.809269696.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$#572#611#705#716Late
String ID: K$Undisagreeable3
API String ID: 608027661-3188433082
Opcode ID: 27a10a298024179ddaa673059ce20779ec2fe27c5c714fede52f9971c516a32f
Instruction ID: 8b380e17d1c792917e7f446102ade2c9b742cd12221fe4a882acb5163b7e06b1
Opcode Fuzzy Hash: 27a10a298024179ddaa673059ce20779ec2fe27c5c714fede52f9971c516a32f
Instruction Fuzzy Hash: FFA17070A00218AFCB04DFA5DD85EDEBBB9FF48704F10412AE505B72A1D774A945CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004166B0, Relevance: 59.7, APIs: 32, Strings: 2, Instructions: 242COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000000), ref: 0041670C
__vbaVarDup.MSVBVM60 ref: 00416726
#553.MSVBVM60(?,?), ref: 00416734
__vbaVarTstNe.MSVBVM60(00008002,?), ref: 00416756
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00416769
__vbaNew2.MSVBVM60(004112D0,0041A5E4), ref: 0041678D
__vbaHresultCheckObj.MSVBVM60(00000000,022A004C,004112C0,00000014), ref: 004167B8
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112E0,00000108), ref: 004167E9
__vbaFreeObj.MSVBVM60 ref: 004167EE
__vbaNew2.MSVBVM60(004112D0,0041A5E4), ref: 00416806
__vbaHresultCheckObj.MSVBVM60(00000000,022A004C,004112C0,00000014), ref: 0041682B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112E0,00000060), ref: 0041684B
__vbaStrMove.MSVBVM60 ref: 00416856
__vbaFreeObj.MSVBVM60 ref: 0041685F
__vbaFpI4.MSVBVM60 ref: 00416870
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410C14,000002C8), ref: 004168A8
#584.MSVBVM60(00000000,00000000), ref: 004168B4
__vbaFpR8.MSVBVM60 ref: 004168BA
#702.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 004168EB
__vbaStrMove.MSVBVM60 ref: 004168F6
__vbaFreeVar.MSVBVM60 ref: 00416905
__vbaNew2.MSVBVM60(004112D0,0041A5E4), ref: 0041691A
__vbaHresultCheckObj.MSVBVM60(00000000,022A004C,004112C0,00000014), ref: 0041693F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004112E0,00000108), ref: 00416968
__vbaFreeObj.MSVBVM60 ref: 0041696D
__vbaVarDup.MSVBVM60 ref: 00416987
#667.MSVBVM60(00000002), ref: 00416991
__vbaStrMove.MSVBVM60 ref: 0041699C
__vbaFreeVar.MSVBVM60 ref: 004169A5
__vbaFreeStr.MSVBVM60(004169EF), ref: 004169E2
__vbaFreeStr.MSVBVM60 ref: 004169E7
__vbaFreeStr.MSVBVM60 ref: 004169EC

Strings

stereotyprernes, xrefs: 00416973
01/01/01, xrefs: 00416712

Memory Dump Source

Source File: 00000000.00000002.809239359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.809234539.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.809263581.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.809269696.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#553#584#667#702ErrorList
String ID: 01/01/01$stereotyprernes
API String ID: 3778086413-1334917049
Opcode ID: 34af193c71c2b545ce5e0f46cc3490a8c75ad6d3b1023d46a6b23f110ed6adb5
Instruction ID: d054d4d94695c5e4bb4fb505bd9a61bfab29f478192072e2d468429b2f7bf60a
Opcode Fuzzy Hash: 34af193c71c2b545ce5e0f46cc3490a8c75ad6d3b1023d46a6b23f110ed6adb5
Instruction Fuzzy Hash: AF915D70901208AFCB14DF95DE88EDEBBB9FB08744F20412AF545B72A0DB786945CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00418D30, Relevance: 16.6, APIs: 11, Instructions: 89COMMON

Download Yara Rule

APIs

#632.MSVBVM60(?,?,00000000,?), ref: 00418D90
__vbaStrVarVal.MSVBVM60(?,?), ref: 00418D9E
#516.MSVBVM60(00000000), ref: 00418DA5
__vbaFreeStr.MSVBVM60 ref: 00418DB9
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00418DC9
#617.MSVBVM60(00000002,?,000000FF), ref: 00418DEA
#617.MSVBVM60(00000002,?,00000000), ref: 00418E08
__vbaStrVarMove.MSVBVM60(00000002), ref: 00418E12
__vbaStrMove.MSVBVM60 ref: 00418E1D
__vbaFreeVar.MSVBVM60 ref: 00418E26
__vbaFreeStr.MSVBVM60(00418E5A), ref: 00418E53

Memory Dump Source

Source File: 00000000.00000002.809239359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.809234539.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.809263581.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.809269696.000000000041B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#617Move$#516#632List
String ID:
API String ID: 3155365896-0
Opcode ID: 5ddd4211284cdd2d61603b44decfa1eb92a6fcd76af73006a96bc0ff7295efea
Instruction ID: 0121da5bf0d636832048bc9dea9f1dbf48eef3237e8947b4289e6adbf56ba5dd
Opcode Fuzzy Hash: 5ddd4211284cdd2d61603b44decfa1eb92a6fcd76af73006a96bc0ff7295efea
Instruction Fuzzy Hash: D331E4B5800219EFCB04DF94DD89EEEBBB8FF58701F14462AE602B6164E774154ACBA4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report FACTURA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: FACTURA.exe PID: 4840 Parent PID: 4928

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: FACTURA.exe PID: 4840 Parent PID: 4928 FACTURA.exeCOMMON

Executed Functions

Function 021ABD75, Relevance: 16.7, APIs: 1, Strings: 8, Instructions: 902COMMON

Function 021A78BE, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 246memorynativeCOMMON

Function 021ABDAA, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 210COMMON