Play interactive tour

Edit tour

Windows Analysis Report FACTURA.exe

Overview

General Information

Sample Name:	FACTURA.exe
Analysis ID:	502111
MD5:	d9b54bd175163eae11715a5b89b32aba
SHA1:	8a926c701db271e1f2edfec8890a865248e52d24
SHA256:	3e123fbdc89e8c9c59a0c5a3a1c2d8fda13f5d8551da654bef2f17f34f578075
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected GuLoader

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Contains functionality to call native functions

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Program does not show much activity (idle)

Uses code obfuscation techniques (call, push, ret)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Detected potential crypto function

Classification

Process Tree

System is w10x64

FACTURA.exe (PID: 6816 cmdline: 'C:\Users\user\Desktop\FACTURA.exe' MD5: D9B54BD175163EAE11715A5B89B32ABA)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1AoRiyDm8nMjHX"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1AoRiyDm8nMjHX"}

Source: FACTURA.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1AoRiyDm8nMjHX

Source: FACTURA.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D7298 NtAllocateVirtualMemory,	0_2_021D7298
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D7614 NtAllocateVirtualMemory,	0_2_021D7614
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D763B NtAllocateVirtualMemory,	0_2_021D763B
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D727C NtAllocateVirtualMemory,	0_2_021D727C
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D72B5 NtAllocateVirtualMemory,	0_2_021D72B5
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D775D NtAllocateVirtualMemory,	0_2_021D775D

Source: FACTURA.exe, 00000000.00000000.676817252.0000000000416000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameHippa6.exe vs FACTURA.exe
Source: FACTURA.exe	Binary or memory string: OriginalFilenameHippa6.exe vs FACTURA.exe

Source: C:\Users\user\Desktop\FACTURA.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_00401440	0_2_00401440
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_0040167C	0_2_0040167C
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_0040162F	0_2_0040162F
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_00404D2C	0_2_00404D2C
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D7298	0_2_021D7298
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DB9D6	0_2_021DB9D6
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D7614	0_2_021D7614
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DBA08	0_2_021DBA08
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D5207	0_2_021D5207
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D763B	0_2_021D763B
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DAA32	0_2_021DAA32
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DAE44	0_2_021DAE44
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D727C	0_2_021D727C
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DA26F	0_2_021DA26F
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D566A	0_2_021D566A
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DBA65	0_2_021DBA65
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DAABB	0_2_021DAABB
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D72B5	0_2_021D72B5
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DBAD8	0_2_021DBAD8
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D5AE0	0_2_021D5AE0
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D5F15	0_2_021D5F15
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D5B2B	0_2_021D5B2B
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D7B4E	0_2_021D7B4E
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D9F4A	0_2_021D9F4A
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DBB47	0_2_021DBB47
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D5F40	0_2_021D5F40
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D9F6A	0_2_021D9F6A
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DAB61	0_2_021DAB61
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DB386	0_2_021DB386
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D57B4	0_2_021D57B4
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D7BB3	0_2_021D7BB3
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DBBAF	0_2_021DBBAF
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D8FDA	0_2_021D8FDA
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DA013	0_2_021DA013
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D8400	0_2_021D8400
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DAC2D	0_2_021DAC2D
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D742B	0_2_021D742B
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D5C51	0_2_021D5C51
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DBC4D	0_2_021DBC4D
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D6066	0_2_021D6066
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D58A1	0_2_021D58A1
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D7CC5	0_2_021D7CC5
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D54EB	0_2_021D54EB
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DA11F	0_2_021DA11F
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DAD09	0_2_021DAD09
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DB138	0_2_021DB138
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D5557	0_2_021D5557
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D516C	0_2_021D516C
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D5D9D	0_2_021D5D9D
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DBDBA	0_2_021DBDBA
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D59DD	0_2_021D59DD
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D09C5	0_2_021D09C5
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D7DF4	0_2_021D7DF4
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D99F0	0_2_021D99F0
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D61E9	0_2_021D61E9

Source: C:\Users\user\Desktop\FACTURA.exe

File created: C:\Users\user\AppData\Local\Temp\~DF6F8D286EA7402917.TMP

Jump to behavior

Source: FACTURA.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\FACTURA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\FACTURA.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: classification engine

Classification label: mal68.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_00403F79 push ss; iretd	0_2_00403F85
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_00404B0F push cs; retf	0_2_00404B2B
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D338C pushad ; iretd	0_2_021D34D5
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D3457 pushad ; iretd	0_2_021D34D5
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D348A pushad ; iretd	0_2_021D34D5
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D9900 push edi; ret	0_2_021D9956

Source: C:\Users\user\Desktop\FACTURA.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\FACTURA.exe	RDTSC instruction interceptor: First address: 000000000040F124 second address: 000000000040F124 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 wait 0x00000006 popad 0x00000007 pushfd 0x00000008 popfd 0x00000009 wait 0x0000000a dec edi 0x0000000b lfence 0x0000000e pushfd 0x0000000f popfd 0x00000010 cmp edi, 00000000h 0x00000013 jne 00007F2F4096AF93h 0x00000015 nop 0x00000016 pushfd 0x00000017 popfd 0x00000018 pushad 0x00000019 lfence 0x0000001c cmp eax, 4Ch 0x0000001f rdtsc
Source: C:\Users\user\Desktop\FACTURA.exe	RDTSC instruction interceptor: First address: 00000000021D6F4D second address: 00000000021D6F4D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 4344BD4Eh 0x00000007 xor eax, 9523C638h 0x0000000c xor eax, 8C421A1Dh 0x00000011 sub eax, 5A25616Ah 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F2F4096DCB8h 0x0000001e lfence 0x00000021 mov edx, FAD6A590h 0x00000026 xor edx, B228D1B3h 0x0000002c xor edx, 57AF33B0h 0x00000032 xor edx, 60AF4787h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 mov dword ptr [ebp+00000182h], ebx 0x0000004b mov ebx, F34FAB69h 0x00000050 add ebx, D3E79685h 0x00000056 xor ebx, 85E85CE5h 0x0000005c sub ebx, 42DF1D0Bh 0x00000062 cmp ecx, ebx 0x00000064 mov ebx, dword ptr [ebp+00000182h] 0x0000006a jne 00007F2F4096DC70h 0x0000006c mov dword ptr [ebp+00000168h], edi 0x00000072 cmp dx, bx 0x00000075 mov edi, ecx 0x00000077 push edi 0x00000078 mov edi, dword ptr [ebp+00000168h] 0x0000007e call 00007F2F4096DD18h 0x00000083 call 00007F2F4096DCD9h 0x00000088 lfence 0x0000008b mov edx, FAD6A590h 0x00000090 xor edx, B228D1B3h 0x00000096 xor edx, 57AF33B0h 0x0000009c xor edx, 60AF4787h 0x000000a2 mov edx, dword ptr [edx] 0x000000a4 lfence 0x000000a7 ret 0x000000a8 mov esi, edx 0x000000aa pushad 0x000000ab rdtsc

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\FACTURA.exe

Code function: 0_2_021D726A rdtsc

0_2_021D726A

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\FACTURA.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DAA32 mov eax, dword ptr fs:[00000030h]	0_2_021DAA32
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DAABB mov eax, dword ptr fs:[00000030h]	0_2_021DAABB
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D4794 mov eax, dword ptr fs:[00000030h]	0_2_021D4794
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D4383 mov eax, dword ptr fs:[00000030h]	0_2_021D4383
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D97FC mov eax, dword ptr fs:[00000030h]	0_2_021D97FC
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D97FE mov eax, dword ptr fs:[00000030h]	0_2_021D97FE
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D98B3 mov eax, dword ptr fs:[00000030h]	0_2_021D98B3
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D6DDC mov eax, dword ptr fs:[00000030h]	0_2_021D6DDC
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021D9DE9 mov eax, dword ptr fs:[00000030h]	0_2_021D9DE9

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\FACTURA.exe

Code function: 0_2_021D726A rdtsc

0_2_021D726A

Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DB9D6 RtlAddVectoredExceptionHandler,	0_2_021DB9D6
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DBA08 RtlAddVectoredExceptionHandler,	0_2_021DBA08
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DBE7C RtlAddVectoredExceptionHandler,	0_2_021DBE7C
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DBA65 RtlAddVectoredExceptionHandler,	0_2_021DBA65
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DBAD8 RtlAddVectoredExceptionHandler,	0_2_021DBAD8
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DBEF5 RtlAddVectoredExceptionHandler,	0_2_021DBEF5
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DBB47 RtlAddVectoredExceptionHandler,	0_2_021DBB47
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DBBAF RtlAddVectoredExceptionHandler,	0_2_021DBBAF
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DBC4D RtlAddVectoredExceptionHandler,	0_2_021DBC4D
Source: C:\Users\user\Desktop\FACTURA.exe	Code function: 0_2_021DBDBA RtlAddVectoredExceptionHandler,	0_2_021DBDBA

Source: FACTURA.exe, 00000000.00000002.1202275518.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: FACTURA.exe, 00000000.00000002.1202275518.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: FACTURA.exe, 00000000.00000002.1202275518.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: FACTURA.exe, 00000000.00000002.1202275518.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery21	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery11	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	502111
Start date:	13.10.2021
Start time:	16:06:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	FACTURA.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 39.8% (good quality ratio 29.4%) Quality average: 42.1% Quality standard deviation: 32.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 95.100.218.79, 20.82.210.154, 209.197.3.8, 20.54.110.249, 40.112.88.60, 2.20.178.24, 2.20.178.33 Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, cds.d2s7q6s2.hwcdn.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.770492551220603
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FACTURA.exe
File size:	98304
MD5:	d9b54bd175163eae11715a5b89b32aba
SHA1:	8a926c701db271e1f2edfec8890a865248e52d24
SHA256:	3e123fbdc89e8c9c59a0c5a3a1c2d8fda13f5d8551da654bef2f17f34f578075
SHA512:	315c96c4109d3cdcede665b6550b9c55799581a6c193efbb50a0185bf492cc2dde75597b3a8635924f17c43b2f887b10aa88636f4ae97051fb173435a8f1e925
SSDEEP:	1536:t1DeOJvAoJDsEzYRwBVRCFu3oCZTaQFus94kbbnLK3KKPD:t1zhAoJDNzYDQZ7cWLTK6KP
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L...v.uQ.................@...0...............P....@........

File Icon


Icon Hash:	69e1c892f664c884

Static PE Info

General
Entrypoint:	0x4012b4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5175DA76 [Tue Apr 23 00:48:54 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3d3cd1bd8dcc611a5734bf41f4e1a6a6

Entrypoint Preview

Instruction
push 0041044Ch
call 00007F2F407AB273h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx-4F77326Ch], al
in eax, FAh
inc ebp
mov ecx, 1EE07E99h
push esp
pop edi
mov ah, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [edx+00h], al
push es
push eax
add dword ptr [ecx], 42h
jc 00007F2F407AB2F7h
insd
insd
imul ebp, dword ptr [edi+72h], 73h
xor eax, 00AE3400h
add eax, dword ptr [eax]
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
cmp byte ptr [CCCB72A4h], ch
les eax, fword ptr [1B56A145h]
or bl, byte ptr [esi+esi*4-27h]
cdq
or al, 6Dh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14024	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x1c1a	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xf0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13418	0x14000	False	0.508483886719	data	6.22648163803	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x15000	0xcc4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x16000	0x1c1a	0x2000	False	0.344970703125	data	3.68013439536	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
CUSTOM	0x1791c	0x2fe	MS Windows icon resource - 1 icon, 32x32, 16 colors	English	United States
CUSTOM	0x1705e	0x8be	MS Windows icon resource - 1 icon, 32x32, 8 bits/pixel	English	United States
CUSTOM	0x16d60	0x2fe	MS Windows icon resource - 1 icon, 32x32, 16 colors, 4 bits/pixel	English	United States
RT_ICON	0x164b8	0x8a8	data
RT_GROUP_ICON	0x164a4	0x14	data
RT_VERSION	0x161a0	0x304	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarAdd, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	ExpressVPN
InternalName	Hippa6
FileVersion	4.00
CompanyName	ExpressVPN
LegalTrademarks	ExpressVPN
Comments	ExpressVPN
ProductName	ExpressVPN
ProductVersion	4.00
FileDescription	ExpressVPN
OriginalFilename	Hippa6.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: FACTURA.exe PID: 6816 Parent PID: 5280

General

Start time:	16:07:27
Start date:	13/10/2021
Path:	C:\Users\user\Desktop\FACTURA.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\FACTURA.exe'
Imagebase:	0x400000
File size:	98304 bytes
MD5 hash:	D9B54BD175163EAE11715A5B89B32ABA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: FACTURA.exe PID: 6816 Parent PID: 5280 FACTURA.exeCOMMON

Executed Functions

Function 021DB9D6, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 214COMMON

Download Yara Rule

Strings

#v)p, xrefs: 021DBDEE
Y!f9, xrefs: 021DBD48
~0., xrefs: 021DBD1B

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #v)p$Y!f9$~0.
API String ID: 0-164987819
Opcode ID: 27824d52b41fe66a2c0d946c0d793f21921103905475f5671b69a203c7388046
Instruction ID: 62eb96fc87c56b47e1fe481450bbccf3c21a1f872f2483a4581639b732b3ae87
Opcode Fuzzy Hash: 27824d52b41fe66a2c0d946c0d793f21921103905475f5671b69a203c7388046
Instruction Fuzzy Hash: ED811272588688CFDF39CE38CDA57EA77A2BF94314F56412ADC0A9F254D7319B41CA40

Uniqueness

Uniqueness Score: -1.00%

Function 021DBA65, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 202COMMON

Download Yara Rule

Strings

#v)p, xrefs: 021DBDEE
Y!f9, xrefs: 021DBD48
~0., xrefs: 021DBD1B

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #v)p$Y!f9$~0.
API String ID: 0-164987819
Opcode ID: f96703030d95f3edd431104fe23fb2068c719d1887b2d13a098e08219397ed51
Instruction ID: 22eb8a417b44442c9ad5f280ed223a131d8c7083482c2b155cf06967a88af6e7
Opcode Fuzzy Hash: f96703030d95f3edd431104fe23fb2068c719d1887b2d13a098e08219397ed51
Instruction Fuzzy Hash: EC813532448688CFCF359E3889A57EA3BB3BF5A314F56009ACC8A9F255C7319B45CB05

Uniqueness

Uniqueness Score: -1.00%

Function 021DBA08, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 197COMMON

Download Yara Rule

Strings

#v)p, xrefs: 021DBDEE
Y!f9, xrefs: 021DBD48
~0., xrefs: 021DBD1B

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #v)p$Y!f9$~0.
API String ID: 0-164987819
Opcode ID: 93b648939b8c481295d0689c787a943a82452458ac14587b195ce0b7b8c29bde
Instruction ID: a6b74ec117eaba776a86323257c023494e3bae1d161949486671ba451e988291
Opcode Fuzzy Hash: 93b648939b8c481295d0689c787a943a82452458ac14587b195ce0b7b8c29bde
Instruction Fuzzy Hash: EB712372448688CFCF359E3889A57EA3BB3BF59314F56009ACC4A9F254C7319B41CB05

Uniqueness

Uniqueness Score: -1.00%

Function 021DBAD8, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 197COMMON

Download Yara Rule

Strings

#v)p, xrefs: 021DBDEE
Y!f9, xrefs: 021DBD48
~0., xrefs: 021DBD1B

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #v)p$Y!f9$~0.
API String ID: 0-164987819
Opcode ID: 9572d953d134deb75aacd55caedd2008f4dea80b5a00702a4e7405a3bc29d50b
Instruction ID: 2622c04e442ef141fa82127c45bb195d735aab49adb63f7f3f2eeb2702928702
Opcode Fuzzy Hash: 9572d953d134deb75aacd55caedd2008f4dea80b5a00702a4e7405a3bc29d50b
Instruction Fuzzy Hash: 9D712532448688CFCF359E3889A57EA3BB3BF5A314F56009AC88A9F255C7319B45CB05

Uniqueness

Uniqueness Score: -1.00%

Function 021DBB47, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 188COMMON

Download Yara Rule

Strings

#v)p, xrefs: 021DBDEE
Y!f9, xrefs: 021DBD48
~0., xrefs: 021DBD1B

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #v)p$Y!f9$~0.
API String ID: 0-164987819
Opcode ID: ea37d55ae2846dc02c17632b25ad1f154716d1ad9788a32f1de7946611314924
Instruction ID: 77730be8150b00a72a191fc5c385b46ddac4b252a6bbbbbf5388682408e910da
Opcode Fuzzy Hash: ea37d55ae2846dc02c17632b25ad1f154716d1ad9788a32f1de7946611314924
Instruction Fuzzy Hash: E8712232448688CFCF359E3889A5BEA3BB3BF5A314F56409ACC4A9F255C7319B45CB05

Uniqueness

Uniqueness Score: -1.00%

Function 021DBBAF, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 178COMMON

Download Yara Rule

Strings

#v)p, xrefs: 021DBDEE
Y!f9, xrefs: 021DBD48
~0., xrefs: 021DBD1B

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #v)p$Y!f9$~0.
API String ID: 0-164987819
Opcode ID: 95db39bcd627b9fd13a021cbf5679a85bf0ed01185168fbe367fbc3bad1920cf
Instruction ID: 7c32fa5e2584855d40502d284c206d8f5528b286bcc7076c313296ee30e0bc72
Opcode Fuzzy Hash: 95db39bcd627b9fd13a021cbf5679a85bf0ed01185168fbe367fbc3bad1920cf
Instruction Fuzzy Hash: EF711132448688CFCF359E3889A57EA3BB2BF5A310F56009ACC4A9F255C7319B45CB44

Uniqueness

Uniqueness Score: -1.00%

Function 021DBC4D, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 160COMMON

Download Yara Rule

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 021DBF5C

Strings

#v)p, xrefs: 021DBDEE
Y!f9, xrefs: 021DBD48
~0., xrefs: 021DBD1B

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID: #v)p$Y!f9$~0.
API String ID: 3310709589-164987819
Opcode ID: 52b16717670e2d6cc527dfc7604b13e87045a9d3228d1b001b0fd20fcc6ad718
Instruction ID: 4f3f6db534d401b9c78acd314466a9a5d27a2246a6086f6458ae3fe99a22a47b
Opcode Fuzzy Hash: 52b16717670e2d6cc527dfc7604b13e87045a9d3228d1b001b0fd20fcc6ad718
Instruction Fuzzy Hash: 2C513631048688CFCF359E7889A57EA3F73BF5A310F564089CC8A9B265C7319B45CB45

Uniqueness

Uniqueness Score: -1.00%

Function 021DBDBA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 021DBF5C

Strings

#v)p, xrefs: 021DBDEE

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID: #v)p
API String ID: 3310709589-3623626233
Opcode ID: 15e2f7f0e77853c262f1777514d8ffdf1b50401357df3061b41f262b53edd4e7
Instruction ID: 9bb6274737f2ce7dac9730c79d8c3ed69326b9f97121d689ce59df1190d60731
Opcode Fuzzy Hash: 15e2f7f0e77853c262f1777514d8ffdf1b50401357df3061b41f262b53edd4e7
Instruction Fuzzy Hash: 51314636548698CFDF75DE68C999BDE77A2AF88310F12005AD80A9B264C7309B808F55

Uniqueness

Uniqueness Score: -1.00%

Function 021D7298, Relevance: 1.8, APIs: 1, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: efee3442a406fc64bbdb59aa278c28ca50b1611d0a7cbaa904153b1cb4150fd8
Instruction ID: e7d5bde2d530b6ba0862145c9c40b20330df1c98cfa388faf3f218c41e3ec329
Opcode Fuzzy Hash: efee3442a406fc64bbdb59aa278c28ca50b1611d0a7cbaa904153b1cb4150fd8
Instruction Fuzzy Hash: DBA177325442A9CFCB21AF748D547EABBB2EF0B310F494469DC89AB252D3319A46C741

Uniqueness

Uniqueness Score: -1.00%

Function 021D72B5, Relevance: 1.8, APIs: 1, Instructions: 269memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 021D7834

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: d53d6dd546cdde9c0be8eaf939e41d4af3cd6fffc27ab944af29b44cb7d86ce0
Instruction ID: 18937e4417c42b1ba8823a4cc857c1f2e0ecc0942a8a0adcd4e8f3ba944463eb
Opcode Fuzzy Hash: d53d6dd546cdde9c0be8eaf939e41d4af3cd6fffc27ab944af29b44cb7d86ce0
Instruction Fuzzy Hash: C39176315442E88FCB216F748E253E53F72EB0B314F5A4499CCC86B656D3329A4AC746

Uniqueness

Uniqueness Score: -1.00%

Function 021D727C, Relevance: 1.7, APIs: 1, Instructions: 201memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 021D7834

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 6b6482dc82c63c197ea8c3f9a23b375fb69bc9faa026fde636df9d7540224c76
Instruction ID: 6aadee9b0beb26d72f795d43265f1bc12ac1b54d3d411ce0da14b0753bc0da58
Opcode Fuzzy Hash: 6b6482dc82c63c197ea8c3f9a23b375fb69bc9faa026fde636df9d7540224c76
Instruction Fuzzy Hash: C4618831544298CFCF215F748D257EA7FB2EF0B314F4944A9CC88AB656D3318A4AC746

Uniqueness

Uniqueness Score: -1.00%

Function 021D763B, Relevance: 1.7, APIs: 1, Instructions: 152memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 021D7834

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: fc54ffd6064b1a8303bd0354ace59ab1710bd3d9198afd56fb0dd1af3bd5c8d8
Instruction ID: e65d6fb75a8dc34605419479991249c6dd374050f4d5843f4ea5354ca9f8e9b2
Opcode Fuzzy Hash: fc54ffd6064b1a8303bd0354ace59ab1710bd3d9198afd56fb0dd1af3bd5c8d8
Instruction Fuzzy Hash: CE5165316442A8CFCF219FB49D657EA3FB2AF4F300F4544A9DC88AB351D3319A068B45

Uniqueness

Uniqueness Score: -1.00%

Function 021D7614, Relevance: 1.6, APIs: 1, Instructions: 131memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 021D7834

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 071c4e9f625515ec53d5c2ade1fa7fb44526549dcacd7b54baa462cf0c8d71b9
Instruction ID: 6fc5a83b873150b91e99ba73495bc9ea0ff4350874ed1f46f5f115ea3b7f9345
Opcode Fuzzy Hash: 071c4e9f625515ec53d5c2ade1fa7fb44526549dcacd7b54baa462cf0c8d71b9
Instruction Fuzzy Hash: 3C412076A40259CFDB349F68DC95BEA77A2AF49300F454129EC4DEB390C3309A418B81

Uniqueness

Uniqueness Score: -1.00%

Function 021D775D, Relevance: 1.6, APIs: 1, Instructions: 108memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 021D7834

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b26819b5a0a27aca5c9768c6b9dd06dfa097bc35e16bb7f7181c5a961fe5238a
Instruction ID: 0ecb446c4ab41fbf4bfea9ee68b0ec798fa395b0d2140177a1458f1687b71af5
Opcode Fuzzy Hash: b26819b5a0a27aca5c9768c6b9dd06dfa097bc35e16bb7f7181c5a961fe5238a
Instruction Fuzzy Hash: C6311234104698CECB216F748A657FA3F72BB4F704F594899D8C86B226C632960ACB05

Uniqueness

Uniqueness Score: -1.00%

Function 021DBE7C, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 021DBF5C

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 578bb7002aa6042270188a1e2170f6f7c337c5a4b90372cdf64c64ecd70c5193
Instruction ID: f050634d24e82b1a24da325cc926280037d4465a3289d0a5f0fe7933f389fa8f
Opcode Fuzzy Hash: 578bb7002aa6042270188a1e2170f6f7c337c5a4b90372cdf64c64ecd70c5193
Instruction Fuzzy Hash: 5C2121301485D4CECF22AF748A687E87F33BB8B614F5A40C5C8985F662C732A786CB01

Uniqueness

Uniqueness Score: -1.00%

Function 021DBEF5, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 021DBF5C

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: aa924f7ab5e99c6bc0e5cea263650b9baf1fc12c117985fe6de7a369038d8c1e
Instruction ID: 1f9ae8b948aa19e5b5bfe1e2a14454ddbaf6e32a4779a2e8558c0b382ba55e77
Opcode Fuzzy Hash: aa924f7ab5e99c6bc0e5cea263650b9baf1fc12c117985fe6de7a369038d8c1e
Instruction Fuzzy Hash: EC0175310485D5CDCB537AB44A387E93F33BB9B614F6B44C4C4D41E62AD632974AC605

Uniqueness

Uniqueness Score: -1.00%

Function 00413960, Relevance: 112.5, APIs: 59, Strings: 5, Instructions: 479COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00410F60,0n), ref: 004139F9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413A18
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410D98,000000F8), ref: 00413A3E
__vbaNew2.MSVBVM60(00410F60,0n), ref: 00413A57
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413A70
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410D98,000001B4), ref: 00413B20
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00413B30
#606.MSVBVM60(00000001,?), ref: 00413B4D
__vbaStrMove.MSVBVM60 ref: 00413B58
__vbaStrCmp.MSVBVM60(00410DCC,00000000), ref: 00413B6A
__vbaFreeStr.MSVBVM60 ref: 00413B79
__vbaFreeVar.MSVBVM60 ref: 00413B88
#706.MSVBVM60(00000001,00000000,00000000), ref: 00413B99
__vbaStrMove.MSVBVM60 ref: 00413BA4
__vbaNew2.MSVBVM60(00410D78,00415590), ref: 00413BBD
__vbaHresultCheckObj.MSVBVM60(00000000,0223004C,00410D68,00000014), ref: 00413BE2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410D88,00000070), ref: 00413C09
__vbaFreeObj.MSVBVM60 ref: 00413C12
#580.MSVBVM60(Stalakitter,00000001), ref: 00413C1F
#574.MSVBVM60(00000002), ref: 00413C37
__vbaStrMove.MSVBVM60 ref: 00413C42
__vbaStrCmp.MSVBVM60(00410DF0,00000000), ref: 00413C4E
__vbaFreeStr.MSVBVM60 ref: 00413C5D
__vbaFreeVar.MSVBVM60 ref: 00413C66
#594.MSVBVM60(00000002), ref: 00413C81
__vbaFreeVar.MSVBVM60 ref: 00413C8A
#648.MSVBVM60(00000002), ref: 00413C96
__vbaFreeVar.MSVBVM60 ref: 00413C9F
__vbaVarDup.MSVBVM60 ref: 00413CBB
#666.MSVBVM60(?,00000002), ref: 00413CC9
__vbaVarMove.MSVBVM60 ref: 00413CD5
__vbaFreeVar.MSVBVM60 ref: 00413CDE
__vbaNew2.MSVBVM60(00410F60,0n), ref: 00413D1A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413D33
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410D98,000000F8), ref: 00413D5D
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,004109AC,000006F8), ref: 00413D94
__vbaFreeObj.MSVBVM60 ref: 00413D9D
__vbaNew2.MSVBVM60(00410F60,0n), ref: 00413DB6
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413DCF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410D98,00000130), ref: 00413DF6
__vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 00413E08
__vbaStrVarMove.MSVBVM60(00000000), ref: 00413E12
__vbaStrMove.MSVBVM60 ref: 00413E1D
__vbaFreeStr.MSVBVM60 ref: 00413E44
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00413E54
__vbaFreeVar.MSVBVM60 ref: 00413E60
__vbaNew2.MSVBVM60(00410F60,0n), ref: 00413E75
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413E8E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410D98,00000078), ref: 00413EB8
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,004109AC,000006FC), ref: 00413F09
__vbaFreeObj.MSVBVM60 ref: 00413F0E
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,0041097C,000002B4), ref: 00413F2F
__vbaVarAdd.MSVBVM60(00000002,?,?), ref: 00413F5D
__vbaVarMove.MSVBVM60 ref: 00413F64
#598.MSVBVM60 ref: 00413F6A
__vbaVarTstLt.MSVBVM60(00000002,?), ref: 00413F88
__vbaFreeVar.MSVBVM60(00413FF2), ref: 00413FE1
__vbaFreeStr.MSVBVM60 ref: 00413FE6
__vbaFreeVar.MSVBVM60 ref: 00413FEF

Strings

Stalakitter, xrefs: 00413C1A
Mallorcinerens, xrefs: 00413CAA
, xrefs: 00413B3C
0n, xrefs: 004139A2, 004139EF, 004139FF, 00413A44, 00413A4D, 00413A5D, 00413D07, 00413D10, 00413D20, 00413DA3, 00413DAC, 00413DBC, 00413E62, 00413E6B, 00413E7B
zk:K&6, xrefs: 00413E96, 00413E9C

Memory Dump Source

Source File: 00000000.00000002.1202090282.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1202082395.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1202104393.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1202110116.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$List$#574#580#594#598#606#648#666#706CallLate
String ID: $0n$Mallorcinerens$Stalakitter$zk:K&6
API String ID: 1003127262-4162119061
Opcode ID: bb90664c0487d9a779c6487a961d76e188d3d30cd431f59afa7af14c20f57c6f
Instruction ID: 937789cae48c46156ab7b725fc86c85e1c32e107243e17b1d695e945e4b9526d
Opcode Fuzzy Hash: bb90664c0487d9a779c6487a961d76e188d3d30cd431f59afa7af14c20f57c6f
Instruction Fuzzy Hash: FE125B70A00219DFDB10DFA4DD88BDEBBB8FF48705F10816AE549A7260DB746A85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004012B4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6"*), ref: 004012B9

Strings

VB5!6"*, xrefs: 004012B4

Memory Dump Source

Source File: 00000000.00000002.1202090282.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1202082395.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1202104393.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1202110116.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6"*
API String ID: 1341478452-2992194029
Opcode ID: 3840d449ec1ddc23fdaf9bae2caad7b453dc487ed87417911bed8979949778d5
Instruction ID: 79355dc4bffd6cf1265348a2a2bfcb79cc83b055984265e36e24f2c9158d0841
Opcode Fuzzy Hash: 3840d449ec1ddc23fdaf9bae2caad7b453dc487ed87417911bed8979949778d5
Instruction Fuzzy Hash: E331C6A644E7C04FD34397749C296A17FB4AE13229B1A06DBC4D1CB4F3E668680AD726

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 021D9F4A, Relevance: 4.7, Strings: 3, Instructions: 954COMMON

Download Yara Rule

Strings

f6, xrefs: 021DA08F
%ec, xrefs: 021DA1F2
H, xrefs: 021D64AF

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: %ec$H$f6
API String ID: 0-816099147
Opcode ID: 01ecbfdff2fbca5e5a2bf8f442a3c742792fa22b1b804e844e2b6972d94ce6d1
Instruction ID: 6e41c750d0bdd8aa108bce7e1cb44f496e4ea37853182317a80f8ece39c13864
Opcode Fuzzy Hash: 01ecbfdff2fbca5e5a2bf8f442a3c742792fa22b1b804e844e2b6972d94ce6d1
Instruction Fuzzy Hash: B09202B2A44389DFDB749F28CC957DA7BB2FF55310F55812ADC899B250D3309A81CB82

Uniqueness

Uniqueness Score: -1.00%

Function 021D8FDA, Relevance: 4.6, Strings: 3, Instructions: 871COMMON

Download Yara Rule

Strings

Yc, xrefs: 021D9072
H, xrefs: 021D64AF
{, xrefs: 021D9968

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: H$Yc${
API String ID: 0-514028436
Opcode ID: 31cb1c7560c6dbedaa24b5edf2313bdac645e5656d775678b292254b1c8c43e9
Instruction ID: efd356759094e816f96a4d408ef93e1061529c596abd7d44812bf704a4291764
Opcode Fuzzy Hash: 31cb1c7560c6dbedaa24b5edf2313bdac645e5656d775678b292254b1c8c43e9
Instruction Fuzzy Hash: 1682EDB6644389DFDB749F28DC857DA7BB2FF55310F56812AEC899B210D3309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021D6066, Relevance: 2.8, Strings: 2, Instructions: 263COMMON

Download Yara Rule

Strings

6fX, xrefs: 021D60D8
H, xrefs: 021D64AF

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 6fX$H
API String ID: 0-632209851
Opcode ID: 54fcbfae9695d61c3b887c7d67b1c2c68f0594201a299e45042cb51ea37bb64e
Instruction ID: 8454a314633a7a9f1b3460ef0aea600b29899681b69f581ebd043271ff43ebde
Opcode Fuzzy Hash: 54fcbfae9695d61c3b887c7d67b1c2c68f0594201a299e45042cb51ea37bb64e
Instruction Fuzzy Hash: 33B1DC75644288CFCF759E74DDA47DA3BB2FF5A700F594069DC88AB210D3319A86CB81

Uniqueness

Uniqueness Score: -1.00%

Function 021D9F6A, Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

f6, xrefs: 021DA08F
%ec, xrefs: 021DA1F2

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: %ec$f6
API String ID: 0-120985187
Opcode ID: 4938eeedc6c61d4f81b1c5b14c9d80c51263edb5c3a738da88c73a77ecbee866
Instruction ID: 5b704dc2f59e22462723ea451fc5b9b73cabf727058c77796e712c651b2c7816
Opcode Fuzzy Hash: 4938eeedc6c61d4f81b1c5b14c9d80c51263edb5c3a738da88c73a77ecbee866
Instruction Fuzzy Hash: AE616872944299DFCB718E388A653E63BB3BF5B310F5A415BCC88EB654D330AB458742

Uniqueness

Uniqueness Score: -1.00%

Function 021DA013, Relevance: 2.7, Strings: 2, Instructions: 170COMMON

Download Yara Rule

Strings

f6, xrefs: 021DA08F
%ec, xrefs: 021DA1F2

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: %ec$f6
API String ID: 0-120985187
Opcode ID: e6bb32729251126dc9db83580e21dee9d84409a383705fb042c1c4e0f47d6294
Instruction ID: 329b6bf4ac19de46e09baee4076158eedaa4e90b1bed06ac6166770b7d68aa96
Opcode Fuzzy Hash: e6bb32729251126dc9db83580e21dee9d84409a383705fb042c1c4e0f47d6294
Instruction Fuzzy Hash: C5516672948289DFCB718E388A653E63BF3BF4A310F1A415ACC88DB604D331A7458742

Uniqueness

Uniqueness Score: -1.00%

Function 021DA26F, Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

f6, xrefs: 021DA08F
%ec, xrefs: 021DA1F2

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: %ec$f6
API String ID: 0-120985187
Opcode ID: b6e5005a4bad07914a0deebad2286dfd0466fbf9bbeb66edb8cef6e43b062a6d
Instruction ID: 61ddb06b619e2efd9c20dcf5d23d11e86dc36dc1950018760eea0a04bef3847c
Opcode Fuzzy Hash: b6e5005a4bad07914a0deebad2286dfd0466fbf9bbeb66edb8cef6e43b062a6d
Instruction Fuzzy Hash: 0F516672948289DFCB718E3889653E63BF3BF4B310F5A415ACC88DB604D331AB458742

Uniqueness

Uniqueness Score: -1.00%

Function 021DA11F, Relevance: 2.7, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

f6, xrefs: 021DA08F
%ec, xrefs: 021DA1F2

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: %ec$f6
API String ID: 0-120985187
Opcode ID: a7dce4a7689cc25ab86c63821ad0fd1ed6118b437412a30e52f7c346e6135212
Instruction ID: f61ca95d114251073faa83ea202f18212448e0e83976f336227e888837cb64fb
Opcode Fuzzy Hash: a7dce4a7689cc25ab86c63821ad0fd1ed6118b437412a30e52f7c346e6135212
Instruction Fuzzy Hash: 66515672948289DFCB758E388A653E63BF3BF4A310F1A415BCC88DB614D331AB458742

Uniqueness

Uniqueness Score: -1.00%

Function 021D8400, Relevance: 1.9, Strings: 1, Instructions: 692COMMON

Download Yara Rule

Strings

H, xrefs: 021D64AF

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: H
API String ID: 2167126740-2852464175
Opcode ID: c31b46736f85026e25d014dab0603f1f77cd89e3661a99b1c529058419da90fa
Instruction ID: de5b21dff4151e3b2a10603a5b20c89df06ee184ac775b62929de970be51b5cd
Opcode Fuzzy Hash: c31b46736f85026e25d014dab0603f1f77cd89e3661a99b1c529058419da90fa
Instruction Fuzzy Hash: ED52DCB2A44349DFDB749F29C9857DABBB2FF54310F568529DC899B210D3309A81CF82

Uniqueness

Uniqueness Score: -1.00%

Function 021D5557, Relevance: 1.9, Strings: 1, Instructions: 679COMMON

Download Yara Rule

Strings

H, xrefs: 021D64AF

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: caba29269570ced2f5db972acbe52d50fab4ed18e77506de176a26a4aa78bfba
Instruction ID: 76bfb53b9fa1e023aa10c31e52132ab031746da6e1109c4bd09785b1a44a6c35
Opcode Fuzzy Hash: caba29269570ced2f5db972acbe52d50fab4ed18e77506de176a26a4aa78bfba
Instruction Fuzzy Hash: 4B52DAB2644389DFDB749F38C9957DABBB2FF55300F568129DC899B210D3309A81CB82

Uniqueness

Uniqueness Score: -1.00%

Function 021D566A, Relevance: 1.9, Strings: 1, Instructions: 632COMMON

Download Yara Rule

Strings

H, xrefs: 021D64AF

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 36b4eb5579e18a1c6a793b0dba62bee647f532fc9b478f5f192381a0f8dadd96
Instruction ID: 18d5f02cfa9f1133749df5240a5cc7f8efd083f87172cd1ec1a6f5d4d17814a2
Opcode Fuzzy Hash: 36b4eb5579e18a1c6a793b0dba62bee647f532fc9b478f5f192381a0f8dadd96
Instruction Fuzzy Hash: 7842CAB2644389DFDB749F38CD95BDABBB2FF55310F568129D8899B210D3309A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 021D57B4, Relevance: 1.8, Strings: 1, Instructions: 568COMMON

Download Yara Rule

Strings

H, xrefs: 021D64AF

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 733950d61195de1271f8155f3684dccd99f0a0c177e9ff62028c3c55a568f0aa
Instruction ID: f5f898b406d800f6a4b10409159fcc4d73838cab8a327b6b41b5e0946fdddf1b
Opcode Fuzzy Hash: 733950d61195de1271f8155f3684dccd99f0a0c177e9ff62028c3c55a568f0aa
Instruction Fuzzy Hash: 8B32CCB2644389DFDB749F28DD857DABBB2FF54310F558129EC899B210D3309A81CB92

Uniqueness

Uniqueness Score: -1.00%

Function 021D58A1, Relevance: 1.8, Strings: 1, Instructions: 550COMMON

Download Yara Rule

Strings

H, xrefs: 021D64AF

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 77dea3861173d3f81a21f06e93c9d307f10334ded2e96e79e60d76f0a25f8747
Instruction ID: 951a5f8f47d8e8dd4c1f1c294b09442c826650b75daa051cdd93b8d0926501bc
Opcode Fuzzy Hash: 77dea3861173d3f81a21f06e93c9d307f10334ded2e96e79e60d76f0a25f8747
Instruction Fuzzy Hash: 3932EBB2644389DFCB749F38C9957DABBB2FF55300F568129DC899B210D3309A85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 021D59DD, Relevance: 1.8, Strings: 1, Instructions: 503COMMON

Download Yara Rule

Strings

H, xrefs: 021D64AF

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 1ab2adb9537bd5f83052f943e4e16b09c463c0133f2dabb041f1bf29f32f841d
Instruction ID: b5c95c0885cb6ad5888b57a32bd77dd2323f4a5bc5afa6e194084adc09a8c33f
Opcode Fuzzy Hash: 1ab2adb9537bd5f83052f943e4e16b09c463c0133f2dabb041f1bf29f32f841d
Instruction Fuzzy Hash: 1522FBB2644388DFCB749F34D995BEA7BB2FF55300F564529DC899B210D3309A85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 021DAA32, Relevance: 1.7, Strings: 1, Instructions: 477COMMON

Download Yara Rule

Strings

vF4, xrefs: 021DB504

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: vF4
API String ID: 0-2345348757
Opcode ID: 3e1642e9fe001ced0c96167365aebcc5af88793d75334351b52c84726409bb21
Instruction ID: dde4e3eea29f070e0391ef506690c27194a8c3b4f74ce32141868294d0e6f978
Opcode Fuzzy Hash: 3e1642e9fe001ced0c96167365aebcc5af88793d75334351b52c84726409bb21
Instruction Fuzzy Hash: 3622E6715483C5CFDB35CF38C8987DA7BA2AF52314F49829ACC9A8F296D3749641C712

Uniqueness

Uniqueness Score: -1.00%

Function 021D5B2B, Relevance: 1.7, Strings: 1, Instructions: 449COMMON

Download Yara Rule

Strings

H, xrefs: 021D64AF

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 108791601a6b62d0a3936abe0b190f0538d10cf45fadce80e9d0b4d3c726090a
Instruction ID: 118d41082df34a28b1c4fad876639ddda566f9aa088a5efb7714c3bbd2aef49c
Opcode Fuzzy Hash: 108791601a6b62d0a3936abe0b190f0538d10cf45fadce80e9d0b4d3c726090a
Instruction Fuzzy Hash: 7612EC76644288DFCF749E38DD95BEA7BB2FF59300F56402ADC899B210D3309A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021D5AE0, Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

H, xrefs: 021D64AF

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: aa1058ad073274352afae12b386445c9c066329b24754d25e70d76478cbaea69
Instruction ID: 2a8aaefd46a7b7743144036031e97f25ad522df40ef55b4c84a905ae457aa346
Opcode Fuzzy Hash: aa1058ad073274352afae12b386445c9c066329b24754d25e70d76478cbaea69
Instruction Fuzzy Hash: 4302EBB6644288DFDB749E38DC85BDA7BB2FF55300F56402AEC899B210D3309A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 021D5C51, Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

H, xrefs: 021D64AF

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 87566dc84a9ba2d14583ab7105110ef3b72ef8fdb12f408af4609e19fdc230e1
Instruction ID: 620c941bda0bf258f54c08b7deb6b437f6daf0950f94f3c73deab0e221c656b5
Opcode Fuzzy Hash: 87566dc84a9ba2d14583ab7105110ef3b72ef8fdb12f408af4609e19fdc230e1
Instruction Fuzzy Hash: E5F11E76644288DFCF759E34DD95BDA7BB2FF56300F5A402ADC899B210D3309A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021D5D9D, Relevance: 1.6, Strings: 1, Instructions: 351COMMON

Download Yara Rule

Strings

H, xrefs: 021D64AF

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 87c3f26aaebe6b89b77a31495647f816bf7889e61fd4dc49586395e3b2c5aff7
Instruction ID: e1162643a5cf72258fd692813a0bba015ada3a563c11c823a3414062681117eb
Opcode Fuzzy Hash: 87c3f26aaebe6b89b77a31495647f816bf7889e61fd4dc49586395e3b2c5aff7
Instruction Fuzzy Hash: 7DE1FC76644288DFCF759E34DD95BDA3BB2FF5A700F5A406ADC889B220D3309A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 021D5F40, Relevance: 1.6, Strings: 1, Instructions: 304COMMON

Download Yara Rule

Strings

H, xrefs: 021D64AF

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 1526aa291f8e356c5f27739029b035a2e792a7b0e28c6b98e74ec1d360b8c6b2
Instruction ID: e2c5639ff0fb9122e2ddca8e0ca475d77ac4903d1c2e8e6647454cebace59b47
Opcode Fuzzy Hash: 1526aa291f8e356c5f27739029b035a2e792a7b0e28c6b98e74ec1d360b8c6b2
Instruction Fuzzy Hash: 96D1FA75684288DFCF759E34DD95BDA3BB2FF1A700F55406ADC88AB220D3709A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 021D5F15, Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

H, xrefs: 021D64AF

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 0149941c9898a33473fe7ace8765a52fd0dc563576a2b52c085e75b778c5d93a
Instruction ID: f54c477cd98e1b1e629b21e49b3f472b84b04e09add4b58f77a60ec02a3ef6ab
Opcode Fuzzy Hash: 0149941c9898a33473fe7ace8765a52fd0dc563576a2b52c085e75b778c5d93a
Instruction Fuzzy Hash: 49C1EB76684288DFCF788F34DC95BDA3BA2FF55300F55412AEC899B210D3709A85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 021D7B4E, Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

{, xrefs: 021D9968

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: {
API String ID: 0-366298937
Opcode ID: 39e458431cef32dc7427709db85bdf01f7072093f29c039392c47952f35f033c
Instruction ID: 38aae74c8aca3e35f107aca204c015b27d605c9d963602a64a36fbf7a70132f7
Opcode Fuzzy Hash: 39e458431cef32dc7427709db85bdf01f7072093f29c039392c47952f35f033c
Instruction Fuzzy Hash: CAC1CB75684289CFDF789F69CC44BEE77A2AF45354F41452AEC4EAB210D3309A81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 021D61E9, Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

H, xrefs: 021D64AF

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 6a35e2aaa7935f1c87570186306f08ff32d09ae7b4be87df70ca0b52732d4a12
Instruction ID: 2b5efff60564dc14a4b7bb51097fdf27447f963d0001a42e2b5c1aab4d75e04a
Opcode Fuzzy Hash: 6a35e2aaa7935f1c87570186306f08ff32d09ae7b4be87df70ca0b52732d4a12
Instruction Fuzzy Hash: FF81ED71640289DFCF759E38DD94BDA3B72FF5A300F558069DC889B224D7319A89CB40

Uniqueness

Uniqueness Score: -1.00%

Function 021DB386, Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

vF4, xrefs: 021DB504

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: vF4
API String ID: 0-2345348757
Opcode ID: 188019488205feb3e44a61fd2a01fbc1c90ffad5a94d5723ff18ee577a7ecd6a
Instruction ID: 68b5a3913277e33b2f6c4c08008ab952bad6e3b7af92744a3db6939b6380336c
Opcode Fuzzy Hash: 188019488205feb3e44a61fd2a01fbc1c90ffad5a94d5723ff18ee577a7ecd6a
Instruction Fuzzy Hash: 314123300487C5CECB62AE748A697E73F72AF5B308F09C499CCD55A45AE732930AC706

Uniqueness

Uniqueness Score: -1.00%

Function 021DAABB, Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996c7830db34415483c266c08314b2d996187894173fbe4e6f18369c07ad9b42
Instruction ID: 32e99cb703b7fab34eb2baf095a80463830cb4bf68af743f70eb0474c8dc5991
Opcode Fuzzy Hash: 996c7830db34415483c266c08314b2d996187894173fbe4e6f18369c07ad9b42
Instruction Fuzzy Hash: B4C194715487C58FDB35CF38C898BD6BBE1AF56320F09829AC8A98F2E6D3758541C712

Uniqueness

Uniqueness Score: -1.00%

Function 021DAB61, Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d296ee7de50b0c61a2badf2ef17a347a87732392298fc4f078d2adff7339b5ae
Instruction ID: e1552ecb1430fe45f2cf18504af5b49429d1396535be187dd49936f3d379a000
Opcode Fuzzy Hash: d296ee7de50b0c61a2badf2ef17a347a87732392298fc4f078d2adff7339b5ae
Instruction Fuzzy Hash: C5B1C5214487C58EDB268F3889A87D67FA2AF13224F0D82DAC8E94F1E7D3754605C712

Uniqueness

Uniqueness Score: -1.00%

Function 021DAC2D, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e9761b48a9d3d19b297927794dd86ab67dd8d4ddd9adf6a21de1327f26de6e2
Instruction ID: 1b93aad86b4a7715cf90ab3c87d7c808aa5bf98b3ee05ffd3382f3731e93a5af
Opcode Fuzzy Hash: 4e9761b48a9d3d19b297927794dd86ab67dd8d4ddd9adf6a21de1327f26de6e2
Instruction Fuzzy Hash: 6A91F6715487C58FDF35CF3889A87E97FA2AF13224F0982DAC8A95F296D3718241C712

Uniqueness

Uniqueness Score: -1.00%

Function 021D99F0, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e41de83deba3450a497b97e287e3ab336fc3af6a4ff96572c068e26f83cf72c
Instruction ID: 17921e8eaa68a1db92727bec2ba120805f5131264bb05134b375aa1aa4df227c
Opcode Fuzzy Hash: 2e41de83deba3450a497b97e287e3ab336fc3af6a4ff96572c068e26f83cf72c
Instruction Fuzzy Hash: 81716576948399CFCB25DF28C8906D97BF1FF0A320F55489AD9899B312D331E902CB45

Uniqueness

Uniqueness Score: -1.00%

Function 021D7BB3, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b846b38c08cac3d43c87ce5715ac4b6c443431d0ea79e2c9dace35e695ccf34a
Instruction ID: cec9901a51637f734941d5c1c1636e73b3b5757dec40df7ea5c3107ebc1d7de5
Opcode Fuzzy Hash: b846b38c08cac3d43c87ce5715ac4b6c443431d0ea79e2c9dace35e695ccf34a
Instruction Fuzzy Hash: 69810E7158828ACFDB749F34CD15BEA7BB2BF06714F46491DCC89AB620D3319A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 021DAD09, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc8286755911ee05cceba7868dc53ee18e505dce2dd55f1a080da75cdf772dd
Instruction ID: 86de430d04647bc5ba9b1dec4e9270160096f0f89fef7569e4a9ab97055e7aba
Opcode Fuzzy Hash: 4cc8286755911ee05cceba7868dc53ee18e505dce2dd55f1a080da75cdf772dd
Instruction Fuzzy Hash: 767116314487D5CECF36DF3489A47F97FA2AF57214F4981EAC8995E29AD3324202C712

Uniqueness

Uniqueness Score: -1.00%

Function 021D7CC5, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16e35866020759a1de1230630db5dd3834f531bb9fc254354b8c8f95fadf1e1a
Instruction ID: 8643faaf93fbf69bfac1133d820b4780b42c648961e25e9cab9149beac27ed82
Opcode Fuzzy Hash: 16e35866020759a1de1230630db5dd3834f531bb9fc254354b8c8f95fadf1e1a
Instruction Fuzzy Hash: 3C611E7108428ACFDF755F308E14BF93BB2FF0A714F864559CC99AB661E3318A468B06

Uniqueness

Uniqueness Score: -1.00%

Function 021D09C5, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 416a40da7c226893afadd3f1e6dbc703ff03f778f4731d74df765b844fa70592
Instruction ID: d9d58e106cfd0f2265b645448ef7af2cb092feb114bbf83b0eb0859b2a2a8bc8
Opcode Fuzzy Hash: 416a40da7c226893afadd3f1e6dbc703ff03f778f4731d74df765b844fa70592
Instruction Fuzzy Hash: 325188B6588749DFD728CF28CC946CAB7A2FF4A360F15496AD659CF752D7308602CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00401440, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202090282.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1202082395.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1202104393.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1202110116.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
Instruction ID: d394a65342a6a254380257ba0734a19f866dc21ad068f5b1ddaac111a7468d93
Opcode Fuzzy Hash: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
Instruction Fuzzy Hash: F641279025E2D4EFC71B47B64CBA2813FE1AE07108B1A88EFD6D54B8A3E555241FC727

Uniqueness

Uniqueness Score: -1.00%

Function 021D54EB, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40bde0a9fb84dafc9c7a5f212901466d27e35e73b4b2c42a5c812c7c3cd1d97d
Instruction ID: 97494e43cbb47747aee327183c887ff1297ac1cf13bd777ec40be8864b35f278
Opcode Fuzzy Hash: 40bde0a9fb84dafc9c7a5f212901466d27e35e73b4b2c42a5c812c7c3cd1d97d
Instruction Fuzzy Hash: 4B51FBB1A48344DFDB648F29C845BDABBE2BF88314F568209DC9997664D3344A818F82

Uniqueness

Uniqueness Score: -1.00%

Function 021D516C, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2276c79f5a4d8e28d1d2e3350b61b23f81ea0c22a3b6c8e883d17ea26af4525b
Instruction ID: c6c5cdebc605579150c72b13e74e39e143778536d7ab9d11c34784f5e035bde3
Opcode Fuzzy Hash: 2276c79f5a4d8e28d1d2e3350b61b23f81ea0c22a3b6c8e883d17ea26af4525b
Instruction Fuzzy Hash: B1512372680749EFDB70CE29C9D53D733E3AF58319F88462A895D9BA44D330AA41CB06

Uniqueness

Uniqueness Score: -1.00%

Function 00404D2C, Relevance: .1, Instructions: 130
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E00404D2C() {
				signed int _t95;
				signed int* _t101;
				signed int _t104;
				signed int* _t105;
				signed int* _t109;
				signed char _t112;
				signed int _t113;
				signed char _t114;
				signed int _t115;
				signed int _t119;
				signed char _t121;
				signed char _t123;
				signed char _t124;
				void* _t125;
				signed char _t129;
				signed int _t130;
				signed int _t131;
				void* _t132;
				signed int* _t134;
				signed int _t139;
				signed int _t141;
				void* _t145;
				signed int* _t146;
				signed int* _t147;
				signed char _t148;
				signed int* _t152;

				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t115 + _t145) =  *(_t115 + _t145) | _t115;
				 *(_t125 - 0x37884566) =  *(_t125 - 0x37884566) | _t115;
				asm("cmpsd");
				 *0x9409cefb =  *0x9409cefb | _t112;
				_pop(_t113);
				_t146 = _t145 - 1;
				 *[fs:ecx] =  *[fs:ecx] - 0xffffffbb;
				asm("scasb");
				_t134 = _t132 + 2;
				_t95 = 0x3347519d;
				_t119 = (0x00000008 ^  *0xFFFFFFFFB0009010) - 1;
				asm("adc [esi+0x33], eax");
				do {
					asm("loopne 0xffffffdc");
					 *_t113 =  *_t113 ^ 0x0000007c;
					 *0x940a78c3 =  *0x940a78c3 | _t113;
					_t134 =  &(_t134[0]);
					_push(cs);
					asm("rcr dh, 0xa3");
					_t95 =  *((intOrPtr*)(_t130 + 0xb82fa1f)) - 1;
					asm("sbb [ebp-0xd], al");
					asm("adc al, 0xeb");
					_push(es);
					_push(ds);
					asm("insb");
					asm("stosd");
				} while (_t95 >= 0);
				 *_t119 =  *_t119 ^ 0x81e958cf;
				_t131 = _t130 ^  *(_t146 - 0x7f);
				_t129 = 0x14;
				_t101 = _t146;
				_t147 = _t134;
				_t152 = _t101;
				_pop(_t104);
				asm("enter 0xc3db, 0xa0");
				_t139 = (_t95 | 0xcd940831) + 4;
				_t121 = _t119 ^  *_t101 ^ _t131;
				asm("adc [edx+esi+0x33469408], esp");
				do {
					asm("movsb");
					_t105 = _t152;
					_t141 = _t139 + 2;
					_t114 = _t113 & _t141;
					asm("cmc");
					 *( *(_t105 + 0x15 + _t131 * 8) * 0xb55425dd) =  *( *(_t105 + 0x15 + _t131 * 8) * 0xb55425dd) & _t114;
					_t113 =  *((intOrPtr*)(_t141 + 0x25));
					_t123 = _t129;
					_t129 = _t121 ^  *_t104;
					_t109 = _t147;
					_t148 = _t114;
					_t139 = _t141 + 0x00000001 ^  *(_t148 + 0x3b);
					_push(_t148);
					_t124 = _t123 + 1;
					 *_t124 = _t131;
					asm("movsb");
					_t121 = _t124 ^  *_t109;
					_t104 = 0x95ea86c7 ^  *(_t105 - 0x3bcbec68);
					_t152 = _t109;
					asm("fisubr dword [ebp-0x79753659]");
					asm("sbb [esi+0x7dbef749], ebx");
					asm("sbb [ecx], dl");
					_t147 = 0xc6cf7c7c;
					asm("std");
				} while (_t121 >= 0);
				goto ( *((intOrPtr*)(_t129 + 0x3d90dd68)));
			}

0x00404d34
0x00404d37
0x00404d3a
0x00404d3d
0x00404d40
0x00404d43
0x00404d46
0x00404d49
0x00404d4c
0x00404d4f
0x00404d52
0x00404d55
0x00404d58
0x00404d5b
0x00404d5e
0x00404d61
0x00404d64
0x00404d67
0x00404d6a
0x00404d6d
0x00404d70
0x00404d73
0x00404d76
0x00404d79
0x00404d7c
0x00404d7f
0x00404d82
0x00404d85
0x00404d88
0x00404d8b
0x00404d8e
0x00404d99
0x00404da1
0x00404dad
0x00404dae
0x00404db4
0x00404dbb
0x00404dc3
0x00404dc6
0x00404dc7
0x00404dca
0x00404dcd
0x00404dcd
0x00404dcf
0x00404dd1
0x00404dd7
0x00404ded
0x00404dee
0x00404df1
0x00404df2
0x00404df5
0x00404df7
0x00404df8
0x00404df9
0x00404dfa
0x00404dfa
0x00404dfd
0x00404e08
0x00404e0c
0x00404e0e
0x00404e0e
0x00404e12
0x00404e1c
0x00404e1f
0x00404e23
0x00404e24
0x00404e26
0x00404e27
0x00404e27
0x00404e2a
0x00404e33
0x00404e3a
0x00404e3c
0x00404e45
0x00404e4a
0x00404e4c
0x00404e4c
0x00404e4e
0x00404e4e
0x00404e50
0x00404e53
0x00404e54
0x00404e55
0x00404e57
0x00404e58
0x00404e5a
0x00404e5a
0x00404e5b
0x00404e61
0x00404e67
0x00404e69
0x00404e6e
0x00404e6e
0x00404e7c

Memory Dump Source

Source File: 00000000.00000002.1202090282.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1202082395.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1202104393.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1202110116.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 870d35c48bee2099da5c69f9cc0cf0982c60936687ed066cfcabcd21101ec3fc
Instruction ID: e33f2aefceeb9f582bc5411938994d836cdb629a568c729493db18bc5475b075
Opcode Fuzzy Hash: 870d35c48bee2099da5c69f9cc0cf0982c60936687ed066cfcabcd21101ec3fc
Instruction Fuzzy Hash: E43107B25095AA9FD7229E38C851397BFA0EB47714354419EC8928F5A3C765A503CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 021DAE44, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0fc7714e8fd5959b064a06aec57026a15fe790d0bdff71ceb78d36dc58767aa
Instruction ID: 92f6e1f4e024ec1042cd29019436466982ae5bcaa5530007252e98436b980dcf
Opcode Fuzzy Hash: b0fc7714e8fd5959b064a06aec57026a15fe790d0bdff71ceb78d36dc58767aa
Instruction Fuzzy Hash: 2651C671548785CFDF39CF3488E87E97BA2AF65310F4941AEC85A8F285D3754241CB21

Uniqueness

Uniqueness Score: -1.00%

Function 021D7DF4, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed90a0df4eff8bbb0de2c687946a5475dcc8e843fc418d82ff1d28c5f563b9e8
Instruction ID: 6186cf976903226fc6160c5136b93aed62da4b0822e20e648a6557e1b1cec31c
Opcode Fuzzy Hash: ed90a0df4eff8bbb0de2c687946a5475dcc8e843fc418d82ff1d28c5f563b9e8
Instruction Fuzzy Hash: A441D3701842C6CFDB75AF308A21BF93F71FF0A714F854559CC995A556E3325646CB02

Uniqueness

Uniqueness Score: -1.00%

Function 021D5207, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4badee6f1e5d61707962d065b756c15b09d44b354dce9e134712667fd56dd30
Instruction ID: 64ef2ccf92bebd0e2cb3dac311949ec910834bf2a4c796fd34849be8f5daf1af
Opcode Fuzzy Hash: d4badee6f1e5d61707962d065b756c15b09d44b354dce9e134712667fd56dd30
Instruction Fuzzy Hash: 85413631184784DFDB70CE348AA53D33BF3BF4E218F88455989989AA59E331AA02C706

Uniqueness

Uniqueness Score: -1.00%

Function 021DB138, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701e46f3d8dc3a72e7b2518c37e40aedc69037bddf2931a0a5dbb79a7036b233
Instruction ID: 2e1b612872a7a6a5f40551cac83b9ad7f89ad4436927faa53e40200d3c9d1535
Opcode Fuzzy Hash: 701e46f3d8dc3a72e7b2518c37e40aedc69037bddf2931a0a5dbb79a7036b233
Instruction Fuzzy Hash: BC415E319486C5CFCF21AE7489B87ED7F73BB07214F95859AC8D68A685D3309386C706

Uniqueness

Uniqueness Score: -1.00%

Function 021D742B, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7dffe39c9ebe36e8f4b3953e7e4be1452e1e2b9e1e05f58543a431a51e690c3
Instruction ID: 74f0035a4d6b3fdd39c40c13dccef8d74c88f2a733b35d038930334dcabd91f3
Opcode Fuzzy Hash: d7dffe39c9ebe36e8f4b3953e7e4be1452e1e2b9e1e05f58543a431a51e690c3
Instruction Fuzzy Hash: 59212032208301DFDB189E75C8416AEFBE6AF91360F570A1ED8C68BA20C7345582CB07

Uniqueness

Uniqueness Score: -1.00%

Function 021D9DE9, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54693e5de87dee3fdabc965ceaff2dbe9ab91bbfe8c1cf7238619c7fceb2019f
Instruction ID: 82f41a6125515f12132d89d6c914a151d168e73ff93ee094cbb4ebdd9f50ec9e
Opcode Fuzzy Hash: 54693e5de87dee3fdabc965ceaff2dbe9ab91bbfe8c1cf7238619c7fceb2019f
Instruction Fuzzy Hash: 7721BBB5608385CFCB28CF28C9C8A9D73A2BB48710F52416AE8098F751EB31AA40CB05

Uniqueness

Uniqueness Score: -1.00%

Function 0040167C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202090282.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1202082395.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1202104393.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1202110116.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
Instruction ID: 0ef76ab4ed2bcdf07a831812e9108315abc5032b0251afc9fc56c28be75d868b
Opcode Fuzzy Hash: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
Instruction Fuzzy Hash: 5E11DAB150E3E59FCB174B748CB52527FB0AF1B20070A44EBD4819F8A7E268281ED727

Uniqueness

Uniqueness Score: -1.00%

Function 021D4383, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f715496810169980274df32888969d18d1d1089afaa68abbb5287a29da3b0a6e
Instruction ID: df4802bc55e8fb9a7d21622fe0b1c045a5d5981f23f838d5f419051442961193
Opcode Fuzzy Hash: f715496810169980274df32888969d18d1d1089afaa68abbb5287a29da3b0a6e
Instruction Fuzzy Hash: D2F02839192869EFC316DB28C5A9788B3B5FF45310F0989B8D6D687A12CB309413CEC1

Uniqueness

Uniqueness Score: -1.00%

Function 021D97FE, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 884422d8ae8e791d8828fdd63fb0a67e36bdcbf0b86fb253be6d04939500002d
Instruction ID: 442200cba19d5cccc26975d59551f5f3196a638b4bcd887aaaf081aa09ab01bb
Opcode Fuzzy Hash: 884422d8ae8e791d8828fdd63fb0a67e36bdcbf0b86fb253be6d04939500002d
Instruction Fuzzy Hash: AEF0E6300589D58DCA436AB45739BF13F33B75F91479A88C585E41995BE502D74B8205

Uniqueness

Uniqueness Score: -1.00%

Function 0040162F, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202090282.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1202082395.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1202104393.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1202110116.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction ID: 3a4f40afd7daac755765d0dbc513794409bb1d663c47dbf88c845af7c1cdfe86
Opcode Fuzzy Hash: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction Fuzzy Hash: CBF07A70124154EFCB06CF74D8A5A063BE1AF5B3407451CDAD9108F475D736B865EB12

Uniqueness

Uniqueness Score: -1.00%

Function 021D4794, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb31ce445e767ec7ab8e4f51fabd9ba33dbb36842b9b6260588a1ee75b72319d
Instruction ID: 73ce62fefd0c06020a3539e0e499c8a6beb67df392b13bcbdf5ee895308c813e
Opcode Fuzzy Hash: bb31ce445e767ec7ab8e4f51fabd9ba33dbb36842b9b6260588a1ee75b72319d
Instruction Fuzzy Hash: 54E0863D1A586A8BC352CA08C999B98B3B5F748732B09C978D5C58B753C734D407CF80

Uniqueness

Uniqueness Score: -1.00%

Function 021D98B3, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5062b499c32aa0554fec1072c425c4a84ff5f6e641e18049a2b7f6b665542cf6
Instruction ID: 4520222ef57d6d4b7ddadd1039a8b9ab366761b3268e42725815f8a42f0cc339
Opcode Fuzzy Hash: 5062b499c32aa0554fec1072c425c4a84ff5f6e641e18049a2b7f6b665542cf6
Instruction Fuzzy Hash: FAD0A730351A958FCB12CE5D8084B81B791FF15920B9682E8E8008B5A6E315DC428742

Uniqueness

Uniqueness Score: -1.00%

Function 021D97FC, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c35c022f87c74f8d7e8467e4c2afb0493f57f78abb8347f193cd2786f53b32
Instruction ID: 68ce301a3c237086fa5e74a5d0edb9f01fec0e52c1123e11e1f0f3ca7fec60a6
Opcode Fuzzy Hash: f0c35c022f87c74f8d7e8467e4c2afb0493f57f78abb8347f193cd2786f53b32
Instruction Fuzzy Hash: 91C09230390640CFCE96CF9EC2D4F81B3A8BF28A00FC344A8E8128BA55C364E849CE04

Uniqueness

Uniqueness Score: -1.00%

Function 021D726A, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction ID: f1647c15dfe5582e2114d8b48c9dc7a79c4e1b76aa7bcc19d5d00c5bce2ac4c7
Opcode Fuzzy Hash: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 021D6DDC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 004134F0, Relevance: 49.3, APIs: 27, Strings: 1, Instructions: 282COMMON

Download Yara Rule

APIs

#685.MSVBVM60 ref: 00413542
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413553
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410DA8,0000001C), ref: 00413570
__vbaFreeObj.MSVBVM60 ref: 00413588
__vbaNew2.MSVBVM60(00410D78,00415590), ref: 004135A9
__vbaHresultCheckObj.MSVBVM60(00000000,0223004C,00410D68,00000014), ref: 004135CE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410D88,000000D0), ref: 004135F8
__vbaStrMove.MSVBVM60 ref: 0041360D
__vbaFreeObj.MSVBVM60 ref: 00413612
#539.MSVBVM60(?,00000001,00000001,00000001), ref: 00413622
__vbaStrVarMove.MSVBVM60(?), ref: 0041362C
__vbaStrMove.MSVBVM60 ref: 00413637
__vbaFreeVar.MSVBVM60 ref: 0041363C
#568.MSVBVM60(00000063), ref: 00413644
__vbaNew2.MSVBVM60(00410F60,0n), ref: 0041365D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413676
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410DB8,00000178), ref: 004136F7
__vbaFreeObj.MSVBVM60 ref: 00413700
__vbaNew2.MSVBVM60(00410F60,0n), ref: 00413719
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413738
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410D98,000000F8), ref: 0041375B
__vbaNew2.MSVBVM60(00410F60,0n), ref: 00413774
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041378D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410D98,000001B4), ref: 00413828
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00413838
__vbaFreeStr.MSVBVM60(00413880), ref: 00413878
__vbaFreeStr.MSVBVM60 ref: 0041387D

Strings

0n, xrefs: 0041364A, 00413653, 00413663, 00413706, 0041370F, 0041371F, 00413761, 0041376A, 0041377A

Memory Dump Source

Source File: 00000000.00000002.1202090282.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1202082395.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1202104393.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1202110116.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$Move$#539#568#685List
String ID: 0n
API String ID: 342513763-3699129202
Opcode ID: 005292e21a0ce41c29a5bb3cb97197b24b793ff3069bbfee0da40d7d0bf9945b
Instruction ID: 957cf409eef2b5308f5b95b73d67bc481dc35a9c2e97e3c76976a0eac120ec5c
Opcode Fuzzy Hash: 005292e21a0ce41c29a5bb3cb97197b24b793ff3069bbfee0da40d7d0bf9945b
Instruction Fuzzy Hash: C3B15D70A00204EFCB10DFA9D989ADDBBF9FF48701F14816AE509E72A1D774A981CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00413180, Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 192COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00410F60,0n), ref: 004131D3
__vbaObjSet.MSVBVM60(?,00000000), ref: 004131F2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410D98,000001B0), ref: 00413231
__vbaFreeObj.MSVBVM60 ref: 0041323A
__vbaNew2.MSVBVM60(00410F60,0n), ref: 00413253
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041326C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410D98,00000098), ref: 0041328F
__vbaNew2.MSVBVM60(00410F60,0n), ref: 004132A8
__vbaObjSet.MSVBVM60(?,00000000), ref: 004132C1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410D98,000001B4), ref: 00413350
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00413360
__vbaNew2.MSVBVM60(00410F60,0n), ref: 0041337C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413395
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410D98,000001A8), ref: 004133B8
__vbaFreeObj.MSVBVM60 ref: 004133C1

Strings

0n, xrefs: 004131B7, 004131C9, 004131D9, 00413240, 00413249, 00413259, 00413295, 0041329E, 004132AE, 00413366, 00413372, 00413382

Memory Dump Source

Source File: 00000000.00000002.1202090282.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1202082395.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1202104393.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1202110116.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresultNew2$Free$List
String ID: 0n
API String ID: 191279167-3699129202
Opcode ID: 0189e076c9d5efc262ce43fbb6262319fadebe0c9ff8324ecd6c323a47128e77
Instruction ID: 8e33eca083ede9e9d7927b3d1082c978fd96161aa7538c3649da3d66af5b129e
Opcode Fuzzy Hash: 0189e076c9d5efc262ce43fbb6262319fadebe0c9ff8324ecd6c323a47128e77
Instruction Fuzzy Hash: 62711A74A10204EFCB10DFA8D989ADABBF8FF4C701F10856AE949E7351D77498418BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00412F60, Relevance: 22.7, APIs: 15, Instructions: 154COMMON

Download Yara Rule

APIs

#714.MSVBVM60(?,?,00000000), ref: 00412FB8
__vbaVarTstNe.MSVBVM60(?,?), ref: 00412FD4
__vbaFreeVarList.MSVBVM60(00000002,00000005,?), ref: 00412FE7
__vbaNew2.MSVBVM60(00410D78,00415590), ref: 0041300B
__vbaHresultCheckObj.MSVBVM60(00000000,0223004C,00410D68,00000014), ref: 00413036
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410D88,000000C0), ref: 00413064
__vbaFreeObj.MSVBVM60 ref: 0041306F
__vbaNew2.MSVBVM60(00410D78,00415590), ref: 00413084
__vbaHresultCheckObj.MSVBVM60(00000000,0223004C,00410D68,00000014), ref: 004130A9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410D88,000000B8), ref: 004130CF
__vbaFreeObj.MSVBVM60 ref: 004130D4
__vbaNew2.MSVBVM60(00410D78,00415590), ref: 004130E9
__vbaObjSetAddref.MSVBVM60(?,?), ref: 004130FF
__vbaHresultCheckObj.MSVBVM60(00000000,0223004C,00410D68,00000010), ref: 00413119
__vbaFreeObj.MSVBVM60 ref: 0041311E

Memory Dump Source

Source File: 00000000.00000002.1202090282.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1202082395.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1202104393.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1202110116.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$#714AddrefList
String ID:
API String ID: 169271594-0
Opcode ID: b3b80b92ec15d8333eb9b3c3246bade008a2082bf285649861c3ab5ef5f36ef1
Instruction ID: 4a98f85b5f2451cffa3c5305a820f52c5b030b6f886d997e5b8dc69c5189b2a8
Opcode Fuzzy Hash: b3b80b92ec15d8333eb9b3c3246bade008a2082bf285649861c3ab5ef5f36ef1
Instruction Fuzzy Hash: 47519F70940208ABDB10DFA5DD85BDEBBB8FF08701F20452AF505B32A5D7786A84CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00413410, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00410F60,0n), ref: 00413453
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041346C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410D98,000001B0), ref: 004134AF
__vbaFreeObj.MSVBVM60 ref: 004134B8

Strings

0n, xrefs: 00413439, 00413449, 00413459

Memory Dump Source

Source File: 00000000.00000002.1202090282.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1202082395.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1202104393.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1202110116.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: 0n
API String ID: 1645334062-3699129202
Opcode ID: 9b0b8f43b972313a3dcf03e168d4af77cfb9f6113aba227b4e60536bc9fa8f8b
Instruction ID: 3d4c43bdfab32484a5b8e1ad1c15971ec860270725315644385596aebc0ccda6
Opcode Fuzzy Hash: 9b0b8f43b972313a3dcf03e168d4af77cfb9f6113aba227b4e60536bc9fa8f8b
Instruction Fuzzy Hash: 80116070A00305EBC711DFA8CA49BDABBB8FB4C701F108529F545E7790D778A9418BA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report FACTURA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: FACTURA.exe PID: 6816 Parent PID: 5280

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: FACTURA.exe PID: 6816 Parent PID: 5280 FACTURA.exeCOMMON

Executed Functions

Function 021DB9D6, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 214COMMON

Function 021DBA65, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 202COMMON

Function 021DBA08, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 197COMMON

Function 00404D2C, Relevance: .1, Instructions: 130
COMMONCrypto