Play interactive tour

Edit tour

Windows Analysis Report Statement from QNB.exe

Overview

General Information

Sample Name:	Statement from QNB.exe
Analysis ID:	527846
MD5:	9c8b626668e14aeb4355ea39d1520e33
SHA1:	554069b1fb3a80a02840158d31c6c2826812cb40
SHA256:	d63ed0450efe28d525954d84556394f21df1c2d882e74b4891492fefab00dd79
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected GuLoader

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Contains functionality to call native functions

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Program does not show much activity (idle)

Uses code obfuscation techniques (call, push, ret)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Detected potential crypto function

Classification

Process Tree

System is w10x64

Statement from QNB.exe (PID: 6836 cmdline: "C:\Users\user\Desktop\Statement from QNB.exe" MD5: 9C8B626668E14AEB4355EA39D1520E33)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1y{\\"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1y{\\"}

Source: Statement from QNB.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1y{\

Source: Statement from QNB.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\Statement from QNB.exe

Code function: 0_2_021FDA66 NtAllocateVirtualMemory,

0_2_021FDA66

Source: Statement from QNB.exe, 00000000.00000000.341071584.0000000000421000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameEsothyropexy4.exe vs Statement from QNB.exe
Source: Statement from QNB.exe	Binary or memory string: OriginalFilenameEsothyropexy4.exe vs Statement from QNB.exe

Source: C:\Users\user\Desktop\Statement from QNB.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_00401771	0_2_00401771
Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_00401724	0_2_00401724
Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_00401535	0_2_00401535
Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_021FDA66	0_2_021FDA66
Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_0220697A	0_2_0220697A
Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_021F3E05	0_2_021F3E05
Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_02202A7B	0_2_02202A7B
Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_022030BF	0_2_022030BF
Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_021F10DE	0_2_021F10DE
Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_02204D65	0_2_02204D65
Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_021FA561	0_2_021FA561
Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_021FD382	0_2_021FD382
Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_021FE1B9	0_2_021FE1B9

Source: C:\Users\user\Desktop\Statement from QNB.exe

File created: C:\Users\user\AppData\Local\Temp\~DF9449C0319C5371E6.TMP

Jump to behavior

Source: Statement from QNB.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Statement from QNB.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Statement from QNB.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: classification engine

Classification label: mal68.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_0040BE02 push cs; ret	0_2_0040BE0F
Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_00401194 push esi; iretd	0_2_00401195
Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_004063A0 push edi; iretd	0_2_004063A1
Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_021F3C8F pushfd ; retf	0_2_021F3C96
Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_021F21DE push 81EB8925h; ret	0_2_021F21E3

Source: C:\Users\user\Desktop\Statement from QNB.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Statement from QNB.exe

RDTSC instruction interceptor: First address: 0000000002203784 second address: 0000000002203784 instructions: 0x00000000 rdtsc 0x00000002 mov eax, FE5F6E88h 0x00000007 xor eax, 68D71742h 0x0000000c xor eax, 6F594955h 0x00000011 sub eax, F9D1309Eh 0x00000016 cpuid 0x00000018 test cl, cl 0x0000001a popad 0x0000001b call 00007F40CCEAB6A1h 0x00000020 lfence 0x00000023 mov edx, 7A5E759Dh 0x00000028 sub edx, 232409FCh 0x0000002e sub edx, F258D238h 0x00000034 xor edx, 1B1F997Dh 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f jmp 00007F40CCEAB761h 0x00000044 cmp edi, A03E8551h 0x0000004a cmp al, dl 0x0000004c cmp cl, 00000060h 0x0000004f cmp ebx, edx 0x00000051 ret 0x00000052 test ecx, AB9039E8h 0x00000058 sub edx, esi 0x0000005a ret 0x0000005b add edi, edx 0x0000005d dec dword ptr [ebp+000000F8h] 0x00000063 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000006a jne 00007F40CCEAB67Ch 0x0000006c call 00007F40CCEAB7B2h 0x00000071 call 00007F40CCEAB6C4h 0x00000076 lfence 0x00000079 mov edx, 7A5E759Dh 0x0000007e sub edx, 232409FCh 0x00000084 sub edx, F258D238h 0x0000008a xor edx, 1B1F997Dh 0x00000090 mov edx, dword ptr [edx] 0x00000092 lfence 0x00000095 jmp 00007F40CCEAB761h 0x0000009a cmp edi, A03E8551h 0x000000a0 cmp al, dl 0x000000a2 cmp cl, 00000060h 0x000000a5 cmp ebx, edx 0x000000a7 ret 0x000000a8 mov esi, edx 0x000000aa pushad 0x000000ab rdtsc

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Statement from QNB.exe

Code function: 0_2_0220377C rdtsc

0_2_0220377C

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\Statement from QNB.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_021FD0BD mov eax, dword ptr fs:[00000030h]	0_2_021FD0BD
Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_02202CF6 mov eax, dword ptr fs:[00000030h]	0_2_02202CF6
Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_022020CD mov eax, dword ptr fs:[00000030h]	0_2_022020CD
Source: C:\Users\user\Desktop\Statement from QNB.exe	Code function: 0_2_02204D65 mov eax, dword ptr fs:[00000030h]	0_2_02204D65

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Statement from QNB.exe

Code function: 0_2_0220377C rdtsc

0_2_0220377C

Source: C:\Users\user\Desktop\Statement from QNB.exe

Code function: 0_2_0220697A RtlAddVectoredExceptionHandler,

0_2_0220697A

Source: Statement from QNB.exe, 00000000.00000002.865744501.0000000000D90000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Statement from QNB.exe, 00000000.00000002.865744501.0000000000D90000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Statement from QNB.exe, 00000000.00000002.865744501.0000000000D90000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: Statement from QNB.exe, 00000000.00000002.865744501.0000000000D90000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery21	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery11	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Statement from QNB.exe	7%	ReversingLabs	Win32.Worm.Wbvb

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	527846
Start date:	24.11.2021
Start time:	14:05:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Statement from QNB.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@1/1@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 29.7% (good quality ratio 21.7%) Quality average: 42% Quality standard deviation: 31.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, svchost.exe Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DF9449C0319C5371E6.TMP Download File
Process:	C:\Users\user\Desktop\Statement from QNB.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.9277305547216628
Encrypted:	false
SSDEEP:	48:rJSq2Upu8metqPrIXHimU7zdvP1vncU7pCr8P:VSKUpACLFcUVCrG
MD5:	19809EDD1FF00A1D7C105BC58A97CD02
SHA1:	26FB6D339CF2A7474DE6F785166163FA9B2ADBB1
SHA-256:	4745D04A4BB99D70866D722394D9E71F3FAE597AA84E229A1E3B40F31521594C
SHA-512:	434722936006B56B042FB5C72CAB98D8B7615A5A0E48EE6746DD6839BE029029E3BCECF7EFA49DDC8A9DB016FA472FB9EE1CE75126C13E06D66EAA12166A38F7
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.787310245899602
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Statement from QNB.exe
File size:	135168
MD5:	9c8b626668e14aeb4355ea39d1520e33
SHA1:	554069b1fb3a80a02840158d31c6c2826812cb40
SHA256:	d63ed0450efe28d525954d84556394f21df1c2d882e74b4891492fefab00dd79
SHA512:	7a6d99ab3be3a6f43eeabacc4eb70ccd7d88f0dded718edc3fbabb9522e4b3b82009a0edf95a6b4909af90fe9e682866e6459a43a709831cc93732a8e3ff69db
SSDEEP:	1536:tGDSlb6oBiIOhMk98Riy6NaXuknILxq+o7g8r8A0HiD:tGAtO198yNa/SoXIA4i
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L....f.O.....................0....................@........

File Icon


Icon Hash:	981dca909cee36b0

Static PE Info

General
Entrypoint:	0x4013b4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4FBF669F [Fri May 25 11:01:51 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d77040f4614bccfda7b8aa2e04863738

Entrypoint Preview

Instruction
push 00401FD0h
call 00007F40CCA73105h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jo 00007F40CCA730B8h
call far 894Ah : 61125376h
cwde
cli
dec esi
xor byte ptr [ebx+ecx*2], 0000005Ch
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc ecx
add byte ptr [eax], ah
or byte ptr [ecx+00h], al
push eax
push ebp
dec esp
inc edi
inc ecx
inc esp
inc ecx
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add eax, 8B0CAF8Dh
out A4h, al
fiadd word ptr [edi-5Eh]
xchg eax, esp
xor edx, ebp
mov dl, cl
jc 00007F40CCA73116h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1de14	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x21000	0xf58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x11c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1d31c	0x1e000	False	0.349731445312	data	4.97110902784	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1f000	0x141c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x21000	0xf58	0x1000	False	0.339111328125	data	3.26223123132	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
CUSTOM	0x21e1a	0x13e	MS Windows icon resource - 1 icon, 16x16, 16 colors	English	United States
CUSTOM	0x21cdc	0x13e	MS Windows icon resource - 1 icon, 16x16, 16 colors	English	United States
RT_ICON	0x21434	0x8a8	data
RT_GROUP_ICON	0x21420	0x14	data
RT_VERSION	0x21170	0x2b0	data	Turkmen	Turkmenistan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, __vbaVarIdiv, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaRecDestruct, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaInStr, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaStrToAnsi, __vbaVarDup, __vbaRecDestructAnsi, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0442 0x04b0
LegalCopyright	Lips
InternalName	Esothyropexy4
FileVersion	1.00
CompanyName	Lips
LegalTrademarks	Lips
ProductName	Lips
ProductVersion	1.00
FileDescription	Lips
OriginalFilename	Esothyropexy4.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Turkmen	Turkmenistan

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: Statement from QNB.exe PID: 6836 Parent PID: 5704

General

Start time:	14:06:10
Start date:	24/11/2021
Path:	C:\Users\user\Desktop\Statement from QNB.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Statement from QNB.exe"
Imagebase:	0x400000
File size:	135168 bytes
MD5 hash:	9C8B626668E14AEB4355EA39D1520E33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Statement from QNB.exe PID: 6836 Parent PID: 5704 Statement from QNB.exeCOMMON

Executed Functions

Function 021FDA66, Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 484memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-000000021172D3F9,?,E3DA1026), ref: 021FDE47

Strings

q!d, xrefs: 021FB9B6
)Hg, xrefs: 021FBE98

Memory Dump Source

Source File: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: )Hg$q!d
API String ID: 2167126740-3470481063
Opcode ID: 303cdd50e10ab6a21bfc457addbbaff45327540a73ebf046717a75add9e66176
Instruction ID: 91b2d281c9d79f06625159aab75914ddd97580859482b4b622ec32923d614271
Opcode Fuzzy Hash: 303cdd50e10ab6a21bfc457addbbaff45327540a73ebf046717a75add9e66176
Instruction Fuzzy Hash: 2AE1B77129825EDFCB71EE289CC16EABB94DB1A231F64836ADC359B5D6C332C509C740

Uniqueness

Uniqueness Score: -1.00%

Function 0220697A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

>Y"?, xrefs: 022074DF

Memory Dump Source

Source File: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: >Y"?
API String ID: 0-1124675244
Opcode ID: 395a6911d0ea71d7ec9e72ec80849f1d95dbdcda3624c9290b0bc74b5fcc5937
Instruction ID: 6c2210707d9303b065cb70963d59d094f065134cbc1b158ea8aff31e465eb830
Opcode Fuzzy Hash: 395a6911d0ea71d7ec9e72ec80849f1d95dbdcda3624c9290b0bc74b5fcc5937
Instruction Fuzzy Hash: 5D816972620349CFDB34DE78CDD47E9B7B2AF94350F15822ACC0A9B699C734A640CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0041C634, Relevance: 202.1, APIs: 105, Strings: 10, Instructions: 878
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0041C634(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				short _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				void* _v72;
				short _v76;
				char _v136;
				intOrPtr _v140;
				void* _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				signed int _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				signed int _v180;
				signed int _v188;
				signed int _v196;
				char _v204;
				signed int _v212;
				char _v220;
				signed int _v228;
				char _v236;
				signed int _v244;
				signed int _v252;
				void* _v304;
				char _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				char _v320;
				intOrPtr _v324;
				char _v328;
				signed int _v332;
				signed int _v336;
				void* _v340;
				signed int _v344;
				char _v404;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				intOrPtr* _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				intOrPtr* _v456;
				signed int _v460;
				signed int _v464;
				intOrPtr* _v468;
				signed int _v472;
				signed int _v476;
				intOrPtr* _v480;
				signed int _v484;
				signed int _v488;
				intOrPtr* _v492;
				signed int _v496;
				signed int _v500;
				intOrPtr* _v504;
				signed int _v508;
				signed int _v512;
				intOrPtr* _v516;
				signed int _v520;
				signed int _v524;
				intOrPtr* _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				void* _t466;
				char* _t469;
				signed int _t471;
				signed int _t475;
				signed int _t486;
				char* _t488;
				signed int _t489;
				signed int _t496;
				signed int* _t500;
				char* _t503;
				char* _t504;
				short _t511;
				char* _t513;
				signed int* _t520;
				char* _t526;
				signed int _t544;
				signed int _t549;
				signed int _t556;
				void* _t558;
				char* _t559;
				signed int _t562;
				signed int _t570;
				signed int _t575;
				signed int _t583;
				signed int _t588;
				signed int _t595;
				signed int _t600;
				signed int _t607;
				signed int _t612;
				signed int _t622;
				signed int _t627;
				signed int _t633;
				signed int _t638;
				void* _t697;
				void* _t699;
				intOrPtr _t700;

				_t700 = _t699 - 0x18;
				 *[fs:0x0] = _t700;
				L00401210();
				_v28 = _t700;
				_v24 = 0x401120;
				_v20 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_v16 = 0;
				_t466 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401216, _t697);
				_v8 = 1;
				_v8 = 2;
				_push(2);
				_push(0x403078);
				_push(0x403084);
				L0040138A();
				L00401390();
				_push(_t466);
				_push(0x403084);
				_push(0);
				L00401396();
				_v332 =  ~(0 | _t466 != 0x00000003);
				L00401384();
				if(_v332 != 0) {
					_v8 = 3;
					_push(0xffffffff);
					L0040137E();
					_v8 = 4;
					_push(0xffffffff);
					L0040137E();
					_v8 = 5;
					if( *0x41f5f0 != 0) {
						_v440 = 0x41f5f0;
					} else {
						_push(0x41f5f0);
						_push(0x4030a8);
						L00401378();
						_v440 = 0x41f5f0;
					}
					_v332 =  *_v440;
					_t633 =  *((intOrPtr*)( *_v332 + 0x4c))(_v332,  &_v168);
					asm("fclex");
					_v336 = _t633;
					if(_v336 >= 0) {
						_v444 = _v444 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x403098);
						_push(_v332);
						_push(_v336);
						L00401372();
						_v444 = _t633;
					}
					_v340 = _v168;
					_v244 = _v244 & 0x00000000;
					_v252 = 2;
					L00401210();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t638 =  *((intOrPtr*)( *_v340 + 0x2c))(_v340, 0x10);
					asm("fclex");
					_v344 = _t638;
					if(_v344 >= 0) {
						_v448 = _v448 & 0x00000000;
					} else {
						_push(0x2c);
						_push(0x4030b8);
						_push(_v340);
						_push(_v344);
						L00401372();
						_v448 = _t638;
					}
					L0040136C();
				}
				_v8 = 7;
				_v180 = 0x4b;
				_v188 = 2;
				_push( &_v188);
				_t469 =  &_v204;
				_push(_t469);
				L00401360();
				_push(0x4030cc);
				_push(0x4030d4);
				L0040138A();
				_v212 = _t469;
				_v220 = 0x8008;
				_push( &_v204);
				_t471 =  &_v220;
				_push(_t471);
				L00401366();
				_v332 = _t471;
				_push( &_v220);
				_push( &_v204);
				_push( &_v188);
				_push(3);
				L0040135A();
				_t475 = _v332;
				if(_t475 != 0) {
					_v8 = 8;
					L00401354();
					_v8 = 9;
					L0040134E();
					L00401390();
					_v8 = 0xa;
					L00401342();
					_t489 =  &_v168;
					L00401348();
					_v332 = _t489;
					_v228 = 0x80020004;
					_v236 = 0xa;
					_v212 = 0x80020004;
					_v220 = 0xa;
					_v196 = 0x80020004;
					_v204 = 0xa;
					_v180 = 0x80020004;
					_v188 = 0xa;
					_t496 =  *((intOrPtr*)( *_v332 + 0x44))(_v332, 0x291f,  &_v188,  &_v204,  &_v220,  &_v236, _t489, _t475);
					asm("fclex");
					_v336 = _t496;
					if(_v336 >= 0) {
						_v452 = _v452 & 0x00000000;
					} else {
						_push(0x44);
						_push(0x4030d8);
						_push(_v332);
						_push(_v336);
						L00401372();
						_v452 = _t496;
					}
					L0040136C();
					_push( &_v236);
					_push( &_v220);
					_push( &_v204);
					_t500 =  &_v188;
					_push(_t500);
					_push(4);
					L0040135A();
					_v8 = 0xb;
					_v308 = 0x6317b;
					L00401336();
					_push(_t500);
					_push( &_v160);
					L0040133C();
					_push( &_v308);
					_push(0x297142);
					_push(L"ANDREWARTHA");
					_t503 =  &_v164;
					_push(_t503);
					L0040133C();
					_push(_t503);
					_t504 =  &_v160;
					_push(_t504);
					E00402F1C();
					_v312 = _t504;
					L00401330();
					_v332 =  ~(0 | _v312 == 0x001b827e);
					_push( &_v164);
					_push( &_v160);
					_push( &_v156);
					_push(3);
					L0040132A();
					_t511 = _v332;
					if(_t511 != 0) {
						_v8 = 0xc;
						_push(0x40312c);
						_push("4:4");
						L0040138A();
						L00401390();
						_push(_t511);
						_push( &_v188);
						L0040131E();
						_push( &_v188);
						L00401324();
						L00401390();
						L00401384();
						L00401318();
						_v8 = 0xd;
						_v180 = 1;
						_v188 = 2;
						_push(0xfffffffe);
						_push(0xfffffffe);
						_push(0xfffffffe);
						_push(0xffffffff);
						_push( &_v188);
						L00401312();
						L00401390();
						L00401318();
						_v8 = 0xe;
						_v8 = 0xf;
						if( *0x41f5f0 != 0) {
							_v456 = 0x41f5f0;
						} else {
							_push(0x41f5f0);
							_push(0x4030a8);
							L00401378();
							_v456 = 0x41f5f0;
						}
						_v332 =  *_v456;
						_t622 =  *((intOrPtr*)( *_v332 + 0x1c))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t622;
						if(_v336 >= 0) {
							_v460 = _v460 & 0x00000000;
						} else {
							_push(0x1c);
							_push(0x403098);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v460 = _t622;
						}
						_v340 = _v168;
						_t627 =  *((intOrPtr*)( *_v340 + 0x64))(_v340, 1,  &_v304);
						asm("fclex");
						_v344 = _t627;
						if(_v344 >= 0) {
							_v464 = _v464 & 0x00000000;
						} else {
							_push(0x64);
							_push(0x403140);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v464 = _t627;
						}
						_t511 = _v304;
						_v56 = _t511;
						L0040136C();
					}
					_v8 = 0x11;
					L00401336();
					_push(_t511);
					_push( &_v160);
					L0040133C();
					_t513 =  &_v160;
					_push(_t513);
					_push(0x83bcf2);
					_push(0x2ea394);
					_push(0x59ae9b);
					_push(0x4f0673);
					E00402F70();
					_v308 = _t513;
					L00401330();
					_v332 =  ~(0 | _v308 == 0x0066f1e8);
					_push( &_v160);
					_push( &_v156);
					_push(2);
					L0040132A();
					if(_v332 != 0) {
						_v8 = 0x12;
						if( *0x41f5f0 != 0) {
							_v468 = 0x41f5f0;
						} else {
							_push(0x41f5f0);
							_push(0x4030a8);
							L00401378();
							_v468 = 0x41f5f0;
						}
						_v332 =  *_v468;
						_t595 =  *((intOrPtr*)( *_v332 + 0x14))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t595;
						if(_v336 >= 0) {
							_v472 = _v472 & 0x00000000;
						} else {
							_push(0x14);
							_push(0x403098);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v472 = _t595;
						}
						_v340 = _v168;
						_t600 =  *((intOrPtr*)( *_v340 + 0x60))(_v340,  &_v156);
						asm("fclex");
						_v344 = _t600;
						if(_v344 >= 0) {
							_v476 = _v476 & 0x00000000;
						} else {
							_push(0x60);
							_push(0x403168);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v476 = _t600;
						}
						_v428 = _v156;
						_v156 = _v156 & 0x00000000;
						L00401390();
						L0040136C();
						_v8 = 0x13;
						if( *0x41f5f0 != 0) {
							_v480 = 0x41f5f0;
						} else {
							_push(0x41f5f0);
							_push(0x4030a8);
							L00401378();
							_v480 = 0x41f5f0;
						}
						_v332 =  *_v480;
						_t607 =  *((intOrPtr*)( *_v332 + 0x14))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t607;
						if(_v336 >= 0) {
							_v484 = _v484 & 0x00000000;
						} else {
							_push(0x14);
							_push(0x403098);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v484 = _t607;
						}
						_v340 = _v168;
						_t612 =  *((intOrPtr*)( *_v340 + 0x140))(_v340,  &_v304);
						asm("fclex");
						_v344 = _t612;
						if(_v344 >= 0) {
							_v488 = _v488 & 0x00000000;
						} else {
							_push(0x140);
							_push(0x403168);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v488 = _t612;
						}
						_v76 = _v304;
						L0040136C();
						_v8 = 0x14;
						L0040130C();
					}
					_v8 = 0x16;
					_push(L"Contangoes3");
					_t520 =  &_v156;
					_push(_t520);
					L0040133C();
					_push(_t520);
					E00402FCC();
					_v308 = _t520;
					L00401330();
					_v332 =  ~(0 | _v308 == 0x003c82f5);
					L00401384();
					if(_v332 != 0) {
						_v8 = 0x17;
						if( *0x41f5f0 != 0) {
							_v492 = 0x41f5f0;
						} else {
							_push(0x41f5f0);
							_push(0x4030a8);
							L00401378();
							_v492 = 0x41f5f0;
						}
						_v332 =  *_v492;
						_t570 =  *((intOrPtr*)( *_v332 + 0x14))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t570;
						if(_v336 >= 0) {
							_v496 = _v496 & 0x00000000;
						} else {
							_push(0x14);
							_push(0x403098);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v496 = _t570;
						}
						_v340 = _v168;
						_t575 =  *((intOrPtr*)( *_v340 + 0x130))(_v340,  &_v156);
						asm("fclex");
						_v344 = _t575;
						if(_v344 >= 0) {
							_v500 = _v500 & 0x00000000;
						} else {
							_push(0x130);
							_push(0x403168);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v500 = _t575;
						}
						_v432 = _v156;
						_v156 = _v156 & 0x00000000;
						L00401390();
						L0040136C();
						_v8 = 0x18;
						_v180 = 2;
						_v188 = 2;
						_push( &_v188);
						L00401306();
						L00401390();
						L00401318();
						_v8 = 0x19;
						_v8 = 0x1a;
						if( *0x41f5f0 != 0) {
							_v504 = 0x41f5f0;
						} else {
							_push(0x41f5f0);
							_push(0x4030a8);
							L00401378();
							_v504 = 0x41f5f0;
						}
						_v332 =  *_v504;
						_t583 =  *((intOrPtr*)( *_v332 + 0x4c))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t583;
						if(_v336 >= 0) {
							_v508 = _v508 & 0x00000000;
						} else {
							_push(0x4c);
							_push(0x403098);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v508 = _t583;
						}
						_v340 = _v168;
						_t588 =  *((intOrPtr*)( *_v340 + 0x24))(_v340, L"iliau", L"Lstes8",  &_v156);
						asm("fclex");
						_v344 = _t588;
						if(_v344 >= 0) {
							_v512 = _v512 & 0x00000000;
						} else {
							_push(0x24);
							_push(0x4030b8);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v512 = _t588;
						}
						_v436 = _v156;
						_v156 = _v156 & 0x00000000;
						L00401390();
						L0040136C();
					}
					_v8 = 0x1c;
					_push( &_v136);
					_t526 =  &_v404;
					_push(_t526);
					_push(0x402e6c);
					L00401300();
					_push(_t526);
					E00403044();
					_v308 = _t526;
					L00401330();
					_push( &_v404);
					_push( &_v136);
					_push(0x402e6c);
					L004012FA();
					_v332 =  ~(0 | _v308 == 0x0028d15d);
					_push( &_v404);
					_push(0x402e6c);
					L004012F4();
					if(_v332 != 0) {
						_v8 = 0x1d;
						_v180 = 2;
						_v188 = 2;
						_push( &_v188);
						_push( &_v204);
						L004012EE();
						_push( &_v204);
						L00401324();
						L00401390();
						_push( &_v204);
						_push( &_v188);
						_push(2);
						L0040135A();
						_v8 = 0x1e;
						if( *0x41f5f0 != 0) {
							_v516 = 0x41f5f0;
						} else {
							_push(0x41f5f0);
							_push(0x4030a8);
							L00401378();
							_v516 = 0x41f5f0;
						}
						_v332 =  *_v516;
						_t544 =  *((intOrPtr*)( *_v332 + 0x14))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t544;
						if(_v336 >= 0) {
							_v520 = _v520 & 0x00000000;
						} else {
							_push(0x14);
							_push(0x403098);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v520 = _t544;
						}
						_v340 = _v168;
						_t549 =  *((intOrPtr*)( *_v340 + 0x78))(_v340,  &_v304);
						asm("fclex");
						_v344 = _t549;
						if(_v344 >= 0) {
							_v524 = _v524 & 0x00000000;
						} else {
							_push(0x78);
							_push(0x403168);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v524 = _t549;
						}
						_v40 = _v304;
						L0040136C();
						_v8 = 0x1f;
						_v8 = 0x20;
						if( *0x41f5f0 != 0) {
							_v528 = 0x41f5f0;
						} else {
							_push(0x41f5f0);
							_push(0x4030a8);
							L00401378();
							_v528 = 0x41f5f0;
						}
						_v332 =  *_v528;
						_t556 =  *((intOrPtr*)( *_v332 + 0x1c))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t556;
						if(_v336 >= 0) {
							_v532 = _v532 & 0x00000000;
						} else {
							_push(0x1c);
							_push(0x403098);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v532 = _t556;
						}
						_v340 = _v168;
						_v244 = 1;
						_v252 = 2;
						_t558 = 0x10;
						L00401210();
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						L004012E8();
						_t559 =  &_v172;
						L00401348();
						_t562 =  *((intOrPtr*)( *_v340 + 0x58))(_v340, _t559, _t559, _t558, _v140, 0x4031b8);
						asm("fclex");
						_v344 = _t562;
						if(_v344 >= 0) {
							_v536 = _v536 & 0x00000000;
						} else {
							_push(0x58);
							_push(0x403140);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v536 = _t562;
						}
						_push( &_v168);
						_push( &_v172);
						_push(2);
						L004012E2();
					}
				}
				_v8 = 0x23;
				_v320 = 0x1ee95e40;
				_v316 = 0x5b03;
				 *((intOrPtr*)( *_a4 + 0x700))(_a4, L"stretchier",  &_v320, 0x2277,  &_v328);
				_v152 = _v328;
				_v148 = _v324;
				_v8 = 0x24;
				_t486 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v188);
				_v332 = _t486;
				if(_v332 >= 0) {
					_v540 = _v540 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x402da4);
					_push(_a4);
					_push(_v332);
					L00401372();
					_v540 = _t486;
				}
				L00401318();
				_v20 = 0;
				_push(0x41d6a0);
				_push( &_v404);
				_push(0x402e6c);
				L004012F4();
				L00401384();
				L00401384();
				L00401384();
				L00401384();
				L00401384();
				L00401384();
				L00401384();
				_t488 =  &_v136;
				_push(_t488);
				_push(0x402e6c);
				L004012DC();
				L0040136C();
				L00401384();
				return _t488;
			}

0x0041c637
0x0041c646
0x0041c652
0x0041c65a
0x0041c65d
0x0041c66a
0x0041c673
0x0041c676
0x0041c685
0x0041c688
0x0041c68f
0x0041c696
0x0041c698
0x0041c69d
0x0041c6a2
0x0041c6af
0x0041c6b4
0x0041c6b5
0x0041c6ba
0x0041c6bc
0x0041c6cb
0x0041c6d8
0x0041c6e6
0x0041c6ec
0x0041c6f3
0x0041c6f5
0x0041c6fa
0x0041c701
0x0041c703
0x0041c708
0x0041c716
0x0041c733
0x0041c718
0x0041c718
0x0041c71d
0x0041c722
0x0041c727
0x0041c727
0x0041c745
0x0041c760
0x0041c763
0x0041c765
0x0041c772
0x0041c794
0x0041c774
0x0041c774
0x0041c776
0x0041c77b
0x0041c781
0x0041c787
0x0041c78c
0x0041c78c
0x0041c7a1
0x0041c7a7
0x0041c7ae
0x0041c7bb
0x0041c7c8
0x0041c7c9
0x0041c7ca
0x0041c7cb
0x0041c7da
0x0041c7dd
0x0041c7df
0x0041c7ec
0x0041c80e
0x0041c7ee
0x0041c7ee
0x0041c7f0
0x0041c7f5
0x0041c7fb
0x0041c801
0x0041c806
0x0041c806
0x0041c81b
0x0041c81b
0x0041c820
0x0041c827
0x0041c831
0x0041c841
0x0041c842
0x0041c848
0x0041c849
0x0041c84e
0x0041c853
0x0041c858
0x0041c85d
0x0041c863
0x0041c873
0x0041c874
0x0041c87a
0x0041c87b
0x0041c880
0x0041c88d
0x0041c894
0x0041c89b
0x0041c89c
0x0041c89e
0x0041c8a6
0x0041c8af
0x0041c8b5
0x0041c8bc
0x0041c8c1
0x0041c8c8
0x0041c8d2
0x0041c8d7
0x0041c8de
0x0041c8e4
0x0041c8eb
0x0041c8f0
0x0041c8f6
0x0041c900
0x0041c90a
0x0041c914
0x0041c91e
0x0041c928
0x0041c932
0x0041c93c
0x0041c975
0x0041c978
0x0041c97a
0x0041c987
0x0041c9a9
0x0041c989
0x0041c989
0x0041c98b
0x0041c990
0x0041c996
0x0041c99c
0x0041c9a1
0x0041c9a1
0x0041c9b6
0x0041c9c1
0x0041c9c8
0x0041c9cf
0x0041c9d0
0x0041c9d6
0x0041c9d7
0x0041c9d9
0x0041c9e1
0x0041c9e8
0x0041c9fd
0x0041ca02
0x0041ca09
0x0041ca0a
0x0041ca15
0x0041ca16
0x0041ca1b
0x0041ca20
0x0041ca26
0x0041ca27
0x0041ca2c
0x0041ca2d
0x0041ca33
0x0041ca34
0x0041ca39
0x0041ca3f
0x0041ca55
0x0041ca62
0x0041ca69
0x0041ca70
0x0041ca71
0x0041ca73
0x0041ca7b
0x0041ca84
0x0041ca8a
0x0041ca91
0x0041ca96
0x0041ca9b
0x0041caa8
0x0041caad
0x0041cab4
0x0041cab5
0x0041cac0
0x0041cac1
0x0041cace
0x0041cad9
0x0041cae4
0x0041cae9
0x0041caf0
0x0041cafa
0x0041cb04
0x0041cb06
0x0041cb08
0x0041cb0a
0x0041cb12
0x0041cb13
0x0041cb1d
0x0041cb28
0x0041cb2d
0x0041cb34
0x0041cb42
0x0041cb5f
0x0041cb44
0x0041cb44
0x0041cb49
0x0041cb4e
0x0041cb53
0x0041cb53
0x0041cb71
0x0041cb8c
0x0041cb8f
0x0041cb91
0x0041cb9e
0x0041cbc0
0x0041cba0
0x0041cba0
0x0041cba2
0x0041cba7
0x0041cbad
0x0041cbb3
0x0041cbb8
0x0041cbb8
0x0041cbcd
0x0041cbea
0x0041cbed
0x0041cbef
0x0041cbfc
0x0041cc1e
0x0041cbfe
0x0041cbfe
0x0041cc00
0x0041cc05
0x0041cc0b
0x0041cc11
0x0041cc16
0x0041cc16
0x0041cc25
0x0041cc2c
0x0041cc36
0x0041cc36
0x0041cc3b
0x0041cc4d
0x0041cc52
0x0041cc59
0x0041cc5a
0x0041cc5f
0x0041cc65
0x0041cc66
0x0041cc6b
0x0041cc70
0x0041cc75
0x0041cc7a
0x0041cc7f
0x0041cc85
0x0041cc9b
0x0041cca8
0x0041ccaf
0x0041ccb0
0x0041ccb2
0x0041ccc3
0x0041ccc9
0x0041ccd7
0x0041ccf4
0x0041ccd9
0x0041ccd9
0x0041ccde
0x0041cce3
0x0041cce8
0x0041cce8
0x0041cd06
0x0041cd21
0x0041cd24
0x0041cd26
0x0041cd33
0x0041cd55
0x0041cd35
0x0041cd35
0x0041cd37
0x0041cd3c
0x0041cd42
0x0041cd48
0x0041cd4d
0x0041cd4d
0x0041cd62
0x0041cd7d
0x0041cd80
0x0041cd82
0x0041cd8f
0x0041cdb1
0x0041cd91
0x0041cd91
0x0041cd93
0x0041cd98
0x0041cd9e
0x0041cda4
0x0041cda9
0x0041cda9
0x0041cdbe
0x0041cdc4
0x0041cdd4
0x0041cddf
0x0041cde4
0x0041cdf2
0x0041ce0f
0x0041cdf4
0x0041cdf4
0x0041cdf9
0x0041cdfe
0x0041ce03
0x0041ce03
0x0041ce21
0x0041ce3c
0x0041ce3f
0x0041ce41
0x0041ce4e
0x0041ce70
0x0041ce50
0x0041ce50
0x0041ce52
0x0041ce57
0x0041ce5d
0x0041ce63
0x0041ce68
0x0041ce68
0x0041ce7d
0x0041ce98
0x0041ce9e
0x0041cea0
0x0041cead
0x0041ced2
0x0041ceaf
0x0041ceaf
0x0041ceb4
0x0041ceb9
0x0041cebf
0x0041cec5
0x0041ceca
0x0041ceca
0x0041cee0
0x0041ceea
0x0041ceef
0x0041cef6
0x0041cef6
0x0041cefb
0x0041cf02
0x0041cf07
0x0041cf0d
0x0041cf0e
0x0041cf13
0x0041cf14
0x0041cf19
0x0041cf1f
0x0041cf35
0x0041cf42
0x0041cf50
0x0041cf56
0x0041cf64
0x0041cf81
0x0041cf66
0x0041cf66
0x0041cf6b
0x0041cf70
0x0041cf75
0x0041cf75
0x0041cf93
0x0041cfae
0x0041cfb1
0x0041cfb3
0x0041cfc0
0x0041cfe2
0x0041cfc2
0x0041cfc2
0x0041cfc4
0x0041cfc9
0x0041cfcf
0x0041cfd5
0x0041cfda
0x0041cfda
0x0041cfef
0x0041d00a
0x0041d010
0x0041d012
0x0041d01f
0x0041d044
0x0041d021
0x0041d021
0x0041d026
0x0041d02b
0x0041d031
0x0041d037
0x0041d03c
0x0041d03c
0x0041d051
0x0041d057
0x0041d067
0x0041d072
0x0041d077
0x0041d07e
0x0041d088
0x0041d098
0x0041d099
0x0041d0a3
0x0041d0ae
0x0041d0b3
0x0041d0ba
0x0041d0c8
0x0041d0e5
0x0041d0ca
0x0041d0ca
0x0041d0cf
0x0041d0d4
0x0041d0d9
0x0041d0d9
0x0041d0f7
0x0041d112
0x0041d115
0x0041d117
0x0041d124
0x0041d146
0x0041d126
0x0041d126
0x0041d128
0x0041d12d
0x0041d133
0x0041d139
0x0041d13e
0x0041d13e
0x0041d153
0x0041d178
0x0041d17b
0x0041d17d
0x0041d18a
0x0041d1ac
0x0041d18c
0x0041d18c
0x0041d18e
0x0041d193
0x0041d199
0x0041d19f
0x0041d1a4
0x0041d1a4
0x0041d1b9
0x0041d1bf
0x0041d1cf
0x0041d1da
0x0041d1da
0x0041d1df
0x0041d1ec
0x0041d1ed
0x0041d1f3
0x0041d1f4
0x0041d1f9
0x0041d1fe
0x0041d1ff
0x0041d204
0x0041d20a
0x0041d215
0x0041d21c
0x0041d21d
0x0041d222
0x0041d238
0x0041d245
0x0041d246
0x0041d24b
0x0041d259
0x0041d25f
0x0041d266
0x0041d270
0x0041d280
0x0041d287
0x0041d288
0x0041d293
0x0041d294
0x0041d29e
0x0041d2a9
0x0041d2b0
0x0041d2b1
0x0041d2b3
0x0041d2bb
0x0041d2c9
0x0041d2e6
0x0041d2cb
0x0041d2cb
0x0041d2d0
0x0041d2d5
0x0041d2da
0x0041d2da
0x0041d2f8
0x0041d313
0x0041d316
0x0041d318
0x0041d325
0x0041d347
0x0041d327
0x0041d327
0x0041d329
0x0041d32e
0x0041d334
0x0041d33a
0x0041d33f
0x0041d33f
0x0041d354
0x0041d36f
0x0041d372
0x0041d374
0x0041d381
0x0041d3a3
0x0041d383
0x0041d383
0x0041d385
0x0041d38a
0x0041d390
0x0041d396
0x0041d39b
0x0041d39b
0x0041d3b1
0x0041d3bb
0x0041d3c0
0x0041d3c7
0x0041d3d5
0x0041d3f2
0x0041d3d7
0x0041d3d7
0x0041d3dc
0x0041d3e1
0x0041d3e6
0x0041d3e6
0x0041d404
0x0041d41f
0x0041d422
0x0041d424
0x0041d431
0x0041d453
0x0041d433
0x0041d433
0x0041d435
0x0041d43a
0x0041d440
0x0041d446
0x0041d44b
0x0041d44b
0x0041d460
0x0041d466
0x0041d470
0x0041d47c
0x0041d47d
0x0041d48a
0x0041d48b
0x0041d48c
0x0041d48d
0x0041d499
0x0041d49f
0x0041d4a6
0x0041d4ba
0x0041d4bd
0x0041d4bf
0x0041d4cc
0x0041d4ee
0x0041d4ce
0x0041d4ce
0x0041d4d0
0x0041d4d5
0x0041d4db
0x0041d4e1
0x0041d4e6
0x0041d4e6
0x0041d4fb
0x0041d502
0x0041d503
0x0041d505
0x0041d50a
0x0041d259
0x0041d50d
0x0041d514
0x0041d51e
0x0041d548
0x0041d554
0x0041d560
0x0041d566
0x0041d57c
0x0041d582
0x0041d58f
0x0041d5b1
0x0041d591
0x0041d591
0x0041d596
0x0041d59b
0x0041d59e
0x0041d5a4
0x0041d5a9
0x0041d5a9
0x0041d5be
0x0041d5c3
0x0041d5ca
0x0041d635
0x0041d636
0x0041d63b
0x0041d643
0x0041d64b
0x0041d653
0x0041d65b
0x0041d663
0x0041d66b
0x0041d673
0x0041d678
0x0041d67e
0x0041d67f
0x0041d684
0x0041d68f
0x0041d69a
0x0041d69f

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 0041C652
__vbaStrCat.MSVBVM60(00403084,00403078,00000002,?,?,?,?,00401216), ref: 0041C6A2
__vbaStrMove.MSVBVM60(00403084,00403078,00000002,?,?,?,?,00401216), ref: 0041C6AF
__vbaInStr.MSVBVM60(00000000,00403084,00000000,00403084,00403078,00000002,?,?,?,?,00401216), ref: 0041C6BC
__vbaFreeStr.MSVBVM60(00000000,00403084,00000000,00403084,00403078,00000002,?,?,?,?,00401216), ref: 0041C6D8
__vbaOnError.MSVBVM60(000000FF,00000000,00403084,00000000,00403084,00403078,00000002,?,?,?,?,00401216), ref: 0041C6F5
__vbaOnError.MSVBVM60(000000FF,000000FF,00000000,00403084,00000000,00403084,00403078,00000002,?,?,?,?,00401216), ref: 0041C703
__vbaNew2.MSVBVM60(004030A8,0041F5F0,000000FF,000000FF,00000000,00403084,00000000,00403084,00403078,00000002,?,?,?,?,00401216), ref: 0041C722
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403098,0000004C), ref: 0041C787
__vbaChkstk.MSVBVM60(00000000,?,00403098,0000004C), ref: 0041C7BB
__vbaHresultCheckObj.MSVBVM60(00000000,?,004030B8,0000002C), ref: 0041C801
__vbaFreeObj.MSVBVM60(00000000,?,004030B8,0000002C), ref: 0041C81B
#573.MSVBVM60(?,00000002), ref: 0041C849
__vbaStrCat.MSVBVM60(004030D4,004030CC,?,00000002), ref: 0041C858
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,004030D4,004030CC,?,00000002), ref: 0041C87B
__vbaFreeVarList.MSVBVM60(00000003,00000002,?,00008008,00008008,?,?,?,?,?,004030D4,004030CC,?,00000002), ref: 0041C89E
#598.MSVBVM60(?,?,?,00401216), ref: 0041C8BC
#611.MSVBVM60(?,?,?,00401216), ref: 0041C8C8
__vbaStrMove.MSVBVM60(?,?,?,00401216), ref: 0041C8D2
#685.MSVBVM60(?,?,?,00401216), ref: 0041C8DE
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00401216), ref: 0041C8EB
__vbaHresultCheckObj.MSVBVM60(00000000,?,004030D8,00000044), ref: 0041C99C
__vbaFreeObj.MSVBVM60(00000000,?,004030D8,00000044), ref: 0041C9B6
__vbaFreeVarList.MSVBVM60(00000004,0000000A,0000000A,0000000A,0000000A), ref: 0041C9D9
__vbaStrCopy.MSVBVM60 ref: 0041C9FD
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 0041CA0A
__vbaStrToAnsi.MSVBVM60(?,ANDREWARTHA,00297142,0006317B,?,00000000), ref: 0041CA27
__vbaSetSystemError.MSVBVM60(?,00000000,?,ANDREWARTHA,00297142,0006317B,?,00000000), ref: 0041CA3F
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,00000000,?,ANDREWARTHA,00297142,0006317B,?,00000000), ref: 0041CA73
__vbaStrCat.MSVBVM60(4:4,0040312C,?,?,?,?,?,?,?,?,00000000,?,?,?,00401216), ref: 0041CA9B
__vbaStrMove.MSVBVM60(4:4,0040312C,?,?,?,?,?,?,?,?,00000000,?,?,?,00401216), ref: 0041CAA8
#541.MSVBVM60(?,00000000,4:4,0040312C,?,?,?,?,?,?,?,?,00000000), ref: 0041CAB5
__vbaStrVarMove.MSVBVM60(?,?,00000000,4:4,0040312C,?,?,?,?,?,?,?,?,00000000), ref: 0041CAC1
__vbaStrMove.MSVBVM60(?,?,00000000,4:4,0040312C,?,?,?,?,?,?,?,?,00000000), ref: 0041CACE
__vbaFreeStr.MSVBVM60(?,?,00000000,4:4,0040312C,?,?,?,?,?,?,?,?,00000000), ref: 0041CAD9
__vbaFreeVar.MSVBVM60(?,?,00000000,4:4,0040312C,?,?,?,?,?,?,?,?,00000000), ref: 0041CAE4
#703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041CB13
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041CB1D
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041CB28
__vbaNew2.MSVBVM60(004030A8,0041F5F0,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041CB4E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403098,0000001C), ref: 0041CBB3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403140,00000064), ref: 0041CC11
__vbaFreeObj.MSVBVM60(00000000,?,00403140,00000064), ref: 0041CC36
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,?,00401216), ref: 0041CC4D
__vbaStrToAnsi.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,00401216), ref: 0041CC5A
__vbaSetSystemError.MSVBVM60(004F0673,0059AE9B,002EA394,0083BCF2,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0041CC85
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041CCB2
__vbaNew2.MSVBVM60(004030A8,0041F5F0,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0041CCE3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403098,00000014), ref: 0041CD48
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403168,00000060), ref: 0041CDA4
__vbaStrMove.MSVBVM60(00000000,?,00403168,00000060), ref: 0041CDD4
__vbaFreeObj.MSVBVM60(00000000,?,00403168,00000060), ref: 0041CDDF
__vbaNew2.MSVBVM60(004030A8,0041F5F0), ref: 0041CDFE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403098,00000014), ref: 0041CE63
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403168,00000140), ref: 0041CEC5
__vbaFreeObj.MSVBVM60(00000000,?,00403168,00000140), ref: 0041CEEA
__vbaEnd.MSVBVM60(00000000,?,00403168,00000140), ref: 0041CEF6
__vbaStrToAnsi.MSVBVM60(?,Contangoes3,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0041CF0E
__vbaSetSystemError.MSVBVM60(00000000,?,Contangoes3,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0041CF1F
__vbaFreeStr.MSVBVM60(00000000,00000000,Contangoes3), ref: 0041CF42
__vbaNew2.MSVBVM60(004030A8,0041F5F0), ref: 0041CF70
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403098,00000014), ref: 0041CFD5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403168,00000130), ref: 0041D037
__vbaStrMove.MSVBVM60(00000000,?,00403168,00000130), ref: 0041D067
__vbaFreeObj.MSVBVM60(00000000,?,00403168,00000130), ref: 0041D072
#536.MSVBVM60(00000002), ref: 0041D099
__vbaStrMove.MSVBVM60(00000002), ref: 0041D0A3
__vbaFreeVar.MSVBVM60(00000002), ref: 0041D0AE
__vbaNew2.MSVBVM60(004030A8,0041F5F0,00000002), ref: 0041D0D4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403098,0000004C), ref: 0041D139
__vbaHresultCheckObj.MSVBVM60(00000000,?,004030B8,00000024), ref: 0041D19F
__vbaStrMove.MSVBVM60(00000000,?,004030B8,00000024), ref: 0041D1CF
__vbaFreeObj.MSVBVM60(00000000,?,004030B8,00000024), ref: 0041D1DA
__vbaRecUniToAnsi.MSVBVM60(00402E6C,?,?), ref: 0041D1F9
__vbaSetSystemError.MSVBVM60(00000000,00402E6C,?,?), ref: 0041D20A
__vbaRecAnsiToUni.MSVBVM60(00402E6C,?,?,00000000,00402E6C,?,?), ref: 0041D222
__vbaRecDestructAnsi.MSVBVM60(00402E6C,?,00402E6C,?,?,00000000,00402E6C,?,?), ref: 0041D24B
#613.MSVBVM60(?,00000002,00402E6C,?,00402E6C,?,?,00000000,00402E6C,?,?), ref: 0041D288
__vbaStrVarMove.MSVBVM60(?,?,00000002,00402E6C,?,00402E6C,?,?,00000000,00402E6C,?,?), ref: 0041D294
__vbaStrMove.MSVBVM60(?,?,00000002,00402E6C,?,00402E6C,?,?,00000000,00402E6C,?,?), ref: 0041D29E
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,00402E6C,?,00402E6C,?,?,00000000,00402E6C,?,?), ref: 0041D2B3
__vbaNew2.MSVBVM60(004030A8,0041F5F0,00000000,?,Contangoes3,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0041D2D5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403098,00000014), ref: 0041D33A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403168,00000078), ref: 0041D396
__vbaFreeObj.MSVBVM60(00000000,?,00403168,00000078), ref: 0041D3BB
__vbaNew2.MSVBVM60(004030A8,0041F5F0), ref: 0041D3E1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403098,0000001C), ref: 0041D446
__vbaChkstk.MSVBVM60(00000000,?,00403098,0000001C), ref: 0041D47D
__vbaCastObj.MSVBVM60(?,004031B8), ref: 0041D499
__vbaObjSet.MSVBVM60(?,00000000,?,004031B8), ref: 0041D4A6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403140,00000058), ref: 0041D4E1
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041D505
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA4,000006F8), ref: 0041D5A4
__vbaFreeVar.MSVBVM60(00000000,?,00402DA4,000006F8), ref: 0041D5BE
__vbaRecDestructAnsi.MSVBVM60(00402E6C,?,0041D6A0), ref: 0041D63B
__vbaFreeStr.MSVBVM60(00402E6C,?,0041D6A0), ref: 0041D643
__vbaFreeStr.MSVBVM60(00402E6C,?,0041D6A0), ref: 0041D64B
__vbaFreeStr.MSVBVM60(00402E6C,?,0041D6A0), ref: 0041D653
__vbaFreeStr.MSVBVM60(00402E6C,?,0041D6A0), ref: 0041D65B
__vbaFreeStr.MSVBVM60(00402E6C,?,0041D6A0), ref: 0041D663
__vbaFreeStr.MSVBVM60(00402E6C,?,0041D6A0), ref: 0041D66B
__vbaFreeStr.MSVBVM60(00402E6C,?,0041D6A0), ref: 0041D673
__vbaRecDestruct.MSVBVM60(00402E6C,?,00402E6C,?,0041D6A0), ref: 0041D684
__vbaFreeObj.MSVBVM60(00402E6C,?,00402E6C,?,0041D6A0), ref: 0041D68F
__vbaFreeStr.MSVBVM60(00402E6C,?,00402E6C,?,0041D6A0), ref: 0041D69A

Strings

stretchier, xrefs: 0041D53B
K, xrefs: 0041C827
Lstes8, xrefs: 0041D160
ANDREWARTHA, xrefs: 0041CA1B
Dorosoma5, xrefs: 0041CC42
$, xrefs: 0041D566
Contangoes3, xrefs: 0041CF02
thyroidization, xrefs: 0041C9F2
iliau, xrefs: 0041D165
4:4, xrefs: 0041CA96

Memory Dump Source

Source File: 00000000.00000002.865515020.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.865509742.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.865547329.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.865553346.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$AnsiNew2$ErrorList$System$ChkstkDestruct$Copy$#536#541#573#598#611#613#685#703Cast
String ID: $$4:4$ANDREWARTHA$Contangoes3$Dorosoma5$K$Lstes8$iliau$stretchier$thyroidization
API String ID: 1936441329-1455819464
Opcode ID: 06c46a5d765d79e45e0e0217a5762b33ac96eac676a9a8b8dd0365ab4fbd747d
Instruction ID: 58b7c90cdda32a6d3079ebd954192ab64e50e018f6d4a2c769da0ed824d22d55
Opcode Fuzzy Hash: 06c46a5d765d79e45e0e0217a5762b33ac96eac676a9a8b8dd0365ab4fbd747d
Instruction Fuzzy Hash: DA92E371940228AFDB61DF60CC49BDDB7B5AF09305F1040EAE50DBA2A1DB785BC88F59

Uniqueness

Uniqueness Score: -1.00%

Function 0041D6BF, Relevance: 54.4, APIs: 28, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0041D6BF(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				intOrPtr _v44;
				void* _v48;
				signed int _v52;
				char _v56;
				char _v60;
				void* _v64;
				intOrPtr _v72;
				char _v80;
				char* _v88;
				intOrPtr _v96;
				void* _v100;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v132;
				signed int _t74;
				signed int _t81;
				signed int _t88;
				signed int _t93;
				intOrPtr _t124;

				_push(0x401216);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t124;
				_push(0x70);
				L00401210();
				_v12 = _t124;
				_v8 = 0x4011d8;
				L00401336();
				_v72 = 1;
				_v80 = 2;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_push( &_v80); // executed
				L00401312(); // executed
				L00401390();
				L00401318();
				_v88 = L"PRESSIE";
				_v96 = 8;
				L004012CA();
				_t74 =  &_v80;
				_push(_t74);
				L004012D0();
				L00401390();
				_push(_t74);
				_push("Str");
				_push(0x4031ec);
				L0040138A();
				L00401390();
				_push(_t74);
				_push(0x4031f8);
				L0040138A();
				L00401390();
				_push(_t74);
				L004012D6();
				asm("sbb eax, eax");
				_v100 =  ~( ~( ~_t74));
				_push( &_v60);
				_push( &_v56);
				_push( &_v52);
				_push(3);
				L0040132A();
				L00401318();
				_t81 = _v100;
				if(_t81 != 0) {
					_v72 = 1;
					_v80 = 2;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v80);
					L00401312();
					L00401390();
					L00401318();
					if( *0x41f5f0 != 0) {
						_v124 = 0x41f5f0;
					} else {
						_push(0x41f5f0);
						_push(0x4030a8);
						L00401378();
						_v124 = 0x41f5f0;
					}
					_v100 =  *_v124;
					_t88 =  *((intOrPtr*)( *_v100 + 0x14))(_v100,  &_v64);
					asm("fclex");
					_v104 = _t88;
					if(_v104 >= 0) {
						_v128 = _v128 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403098);
						_push(_v100);
						_push(_v104);
						L00401372();
						_v128 = _t88;
					}
					_v108 = _v64;
					_t93 =  *((intOrPtr*)( *_v108 + 0x60))(_v108,  &_v52);
					asm("fclex");
					_v112 = _t93;
					if(_v112 >= 0) {
						_v132 = _v132 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x403168);
						_push(_v108);
						_push(_v112);
						L00401372();
						_v132 = _t93;
					}
					_t81 = _v52;
					_v120 = _t81;
					_v52 = _v52 & 0x00000000;
					L00401390();
					L0040136C();
					_push(0xe5);
					L004012C4();
					_v44 = _t81;
				}
				_v28 = 0x26222e40;
				_v24 = 0x5afd;
				_push(0x41d917);
				L00401384();
				L00401384();
				L00401384();
				L00401384();
				return _t81;
			}

0x0041d6c4
0x0041d6cf
0x0041d6d0
0x0041d6d7
0x0041d6da
0x0041d6e2
0x0041d6e5
0x0041d6f2
0x0041d6f7
0x0041d6fe
0x0041d705
0x0041d707
0x0041d709
0x0041d70b
0x0041d710
0x0041d711
0x0041d71b
0x0041d723
0x0041d728
0x0041d72f
0x0041d73c
0x0041d741
0x0041d744
0x0041d745
0x0041d74f
0x0041d754
0x0041d755
0x0041d75a
0x0041d75f
0x0041d769
0x0041d76e
0x0041d76f
0x0041d774
0x0041d77e
0x0041d783
0x0041d784
0x0041d78b
0x0041d791
0x0041d798
0x0041d79c
0x0041d7a0
0x0041d7a1
0x0041d7a3
0x0041d7ae
0x0041d7b3
0x0041d7b9
0x0041d7bf
0x0041d7c6
0x0041d7cd
0x0041d7cf
0x0041d7d1
0x0041d7d3
0x0041d7d8
0x0041d7d9
0x0041d7e3
0x0041d7eb
0x0041d7f7
0x0041d811
0x0041d7f9
0x0041d7f9
0x0041d7fe
0x0041d803
0x0041d808
0x0041d808
0x0041d81d
0x0041d82c
0x0041d82f
0x0041d831
0x0041d838
0x0041d851
0x0041d83a
0x0041d83a
0x0041d83c
0x0041d841
0x0041d844
0x0041d847
0x0041d84c
0x0041d84c
0x0041d858
0x0041d867
0x0041d86a
0x0041d86c
0x0041d873
0x0041d88c
0x0041d875
0x0041d875
0x0041d877
0x0041d87c
0x0041d87f
0x0041d882
0x0041d887
0x0041d887
0x0041d890
0x0041d893
0x0041d896
0x0041d8a0
0x0041d8a8
0x0041d8ad
0x0041d8b2
0x0041d8b7
0x0041d8b7
0x0041d8ba
0x0041d8c1
0x0041d8c8
0x0041d8f9
0x0041d901
0x0041d909
0x0041d911
0x0041d916

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 0041D6DA
__vbaStrCopy.MSVBVM60(?,?,?,?,00401216), ref: 0041D6F2
#703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D711
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D71B
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D723
__vbaVarDup.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D73C
#591.MSVBVM60(00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D745
__vbaStrMove.MSVBVM60(00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D74F
__vbaStrCat.MSVBVM60(004031EC,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D75F
__vbaStrMove.MSVBVM60(004031EC,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D769
__vbaStrCat.MSVBVM60(004031F8,00000000,004031EC,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D774
__vbaStrMove.MSVBVM60(004031F8,00000000,004031EC,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D77E
__vbaStrCmp.MSVBVM60(00000000,004031F8,00000000,004031EC,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D784
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,004031F8,00000000,004031EC,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D7A3
__vbaFreeVar.MSVBVM60 ref: 0041D7AE
#703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D7D9
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D7E3
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D7EB
__vbaNew2.MSVBVM60(004030A8,0041F5F0,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D803
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403098,00000014,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D847
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403168,00000060,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D882
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D8A0
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D8A8
#570.MSVBVM60(000000E5,?,?,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D8B2
__vbaFreeStr.MSVBVM60(0041D917,?,?,?,00401216), ref: 0041D8F9
__vbaFreeStr.MSVBVM60(0041D917,?,?,?,00401216), ref: 0041D901
__vbaFreeStr.MSVBVM60(0041D917,?,?,?,00401216), ref: 0041D909
__vbaFreeStr.MSVBVM60(0041D917,?,?,?,00401216), ref: 0041D911

Strings

Str, xrefs: 0041D755
@."&, xrefs: 0041D8BA
PRESSIE, xrefs: 0041D728

Memory Dump Source

Source File: 00000000.00000002.865515020.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.865509742.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.865547329.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.865553346.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#703CheckHresult$#570#591ChkstkCopyListNew2
String ID: @."&$PRESSIE$Str
API String ID: 4270550733-397218167
Opcode ID: 323f8385c5bd541559963ce3fb04651fe3f9c75b1170750b9f92fec495a6bac7
Instruction ID: ac755ba2acf17e9ff4ea00b6dbc6a4fde0d2c34e7b87736aeaf81ce23aa240cf
Opcode Fuzzy Hash: 323f8385c5bd541559963ce3fb04651fe3f9c75b1170750b9f92fec495a6bac7
Instruction Fuzzy Hash: 3361FA71D0020DABDF04EFA5C846ADEBBB9BF04314F20422AF425BB5E1DB785A45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041DA6E, Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0041DA6E(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				char _v72;
				signed int _v76;
				signed int _v84;
				signed int _v88;
				signed int _t50;
				signed int _t62;
				void* _t67;
				void* _t74;
				intOrPtr _t76;

				_t67 = __edx;
				 *[fs:0x0] = _t76;
				L00401210();
				_v12 = _t76;
				_v8 = 0x4011f8;
				L004012AC();
				_t50 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v72,  &_v24, _a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x401216, __ecx, __ecx, _t74);
				asm("fclex");
				_v76 = _t50;
				if(_v76 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x402d74);
					_push(_a4);
					_push(_v76);
					L00401372();
					_v84 = _t50;
				}
				_v32 = _v72;
				L004012AC();
				L004012A6();
				_v28 = E0041DBC4( &_v36);
				L0040136C();
				_v32 = E0041DBC4(_v28) + 0x2b0;
				E0041DCBD(_t67, _v32, _a8);
				_v60 = 0x80020004;
				_v68 = 0xa;
				_v44 = 0x80020004;
				_v52 = 0xa;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t62 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10,  &_v36,  &_v36, _a4);
				asm("fclex");
				_v76 = _t62;
				if(_v76 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x2b0);
					_push(0x402d74);
					_push(_a4);
					_push(_v76);
					L00401372();
					_v88 = _t62;
				}
				_push(0x41dbb1);
				L0040136C();
				return _t62;
			}

0x0041da6e
0x0041da7f
0x0041da89
0x0041da91
0x0041da94
0x0041daa2
0x0041dab3
0x0041dab6
0x0041dab8
0x0041dabf
0x0041dad8
0x0041dac1
0x0041dac1
0x0041dac3
0x0041dac8
0x0041dacb
0x0041dace
0x0041dad3
0x0041dad3
0x0041dadf
0x0041dae9
0x0041daf2
0x0041dafd
0x0041db03
0x0041db15
0x0041db1e
0x0041db23
0x0041db2a
0x0041db31
0x0041db38
0x0041db42
0x0041db4c
0x0041db4d
0x0041db4e
0x0041db4f
0x0041db53
0x0041db5d
0x0041db5e
0x0041db5f
0x0041db60
0x0041db69
0x0041db6f
0x0041db71
0x0041db78
0x0041db94
0x0041db7a
0x0041db7a
0x0041db7f
0x0041db84
0x0041db87
0x0041db8a
0x0041db8f
0x0041db8f
0x0041db98
0x0041dbab
0x0041dbb0

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 0041DA89
__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401216), ref: 0041DAA2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D74,00000058), ref: 0041DACE
__vbaObjSetAddref.MSVBVM60(?,?), ref: 0041DAE9
#644.MSVBVM60(?,?,?), ref: 0041DAF2
__vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 0041DB03
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 0041DB42
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 0041DB53
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D74,000002B0), ref: 0041DB8A
__vbaFreeObj.MSVBVM60(0041DBB1), ref: 0041DBAB

Memory Dump Source

Source File: 00000000.00000002.865515020.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.865509742.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.865547329.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.865553346.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$AddrefCheckFreeHresult$#644
String ID:
API String ID: 1032928638-0
Opcode ID: db3026a67357c8432eb3826c087588ba0628992192fb6560b8f30183e5d20366
Instruction ID: be029e28d27d6308d8f20e4f6303928863de62fc02472ecafc926870af66d1de
Opcode Fuzzy Hash: db3026a67357c8432eb3826c087588ba0628992192fb6560b8f30183e5d20366
Instruction Fuzzy Hash: 9541E6B1C40608AFDF01EFA1C846BDEBBB5FF05344F10442AF501BA1A1D7BDA9869B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041D938, Relevance: 12.1, APIs: 8, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0041D938(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				char _v72;
				char _v88;
				intOrPtr _v96;
				intOrPtr _v104;
				signed int _v108;
				signed int _v120;
				signed int _t42;
				char* _t46;
				void* _t49;
				void* _t59;
				void* _t61;
				intOrPtr _t62;

				_t62 = _t61 - 0xc;
				 *[fs:0x0] = _t62;
				L00401210();
				_v16 = _t62;
				_v12 = 0x4011e8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x60,  *[fs:0x0], 0x401216, _t59);
				 *_a8 =  *_a8 & 0x00000000;
				_t42 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
				asm("fclex");
				_v108 = _t42;
				if(_v108 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x402d74);
					_push(_a4);
					_push(_v108);
					L00401372();
					_v120 = _t42;
				}
				E0041DC2B();
				_v96 = 2;
				_v104 = 2;
				L004012BE();
				_v96 = 0x806d5a;
				_v104 = 3;
				L004012BE();
				_t46 =  &_v88;
				L004012B2();
				L004012B8();
				_t49 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, _t46, _t46, _t46,  &_v40,  &_v72);
				_push(0x41da45);
				L00401318();
				L00401318();
				return _t49;
			}

0x0041d93b
0x0041d94a
0x0041d954
0x0041d95c
0x0041d95f
0x0041d966
0x0041d975
0x0041d97b
0x0041d986
0x0041d98c
0x0041d98e
0x0041d995
0x0041d9b1
0x0041d997
0x0041d997
0x0041d99c
0x0041d9a1
0x0041d9a4
0x0041d9a7
0x0041d9ac
0x0041d9ac
0x0041d9b5
0x0041d9ba
0x0041d9c1
0x0041d9ce
0x0041d9d3
0x0041d9da
0x0041d9e7
0x0041d9f4
0x0041d9f8
0x0041d9fe
0x0041da0c
0x0041da12
0x0041da37
0x0041da3f
0x0041da44

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 0041D954
__vbaHresultCheckObj.MSVBVM60(00000000,004011E8,00402D74,000002B4), ref: 0041D9A7
__vbaVarMove.MSVBVM60(00000000,004011E8,00402D74,000002B4), ref: 0041D9CE
__vbaVarMove.MSVBVM60(00000000,004011E8,00402D74,000002B4), ref: 0041D9E7
__vbaVarIdiv.MSVBVM60(?,?,?), ref: 0041D9F8
__vbaI4Var.MSVBVM60(00000000,?,?,?), ref: 0041D9FE
__vbaFreeVar.MSVBVM60(0041DA45), ref: 0041DA37
__vbaFreeVar.MSVBVM60(0041DA45), ref: 0041DA3F

Memory Dump Source

Source File: 00000000.00000002.865515020.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.865509742.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.865547329.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.865553346.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$FreeMove$CheckChkstkHresultIdiv
String ID:
API String ID: 3577542843-0
Opcode ID: b7f5c357ca36e6d25ee7f65d5ce3839c90fcb6b6cb7fe6b21e593508e45db5d2
Instruction ID: 8d0e74c0eb43c6f6e8e0c49a9d8fa13cbe82c45ebdce5aede003ab6d4baaa3bb
Opcode Fuzzy Hash: b7f5c357ca36e6d25ee7f65d5ce3839c90fcb6b6cb7fe6b21e593508e45db5d2
Instruction Fuzzy Hash: B031B4B1900208AFDB00EFA5C989FDDBBB4AF04744F10456AF509BB1A1D779AA45CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004013B4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 004013B9

Strings

VB5!6&*, xrefs: 004013B4

Memory Dump Source

Source File: 00000000.00000002.865515020.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.865509742.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.865547329.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.865553346.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 2db6bf30035ccf2bd57268446418847ed0ae491b1e7d2731402f50a9bf1e6c1d
Instruction ID: c82bd793577bf97f490cc4b2fc066edfcddd10ba761cb3162abbcc0b2933dcf0
Opcode Fuzzy Hash: 2db6bf30035ccf2bd57268446418847ed0ae491b1e7d2731402f50a9bf1e6c1d
Instruction Fuzzy Hash: F331CCA188E3C15FE70757B49D252953FB0AF43228B0A82EBC491DF1F7D66D084AD726

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02204D65, Relevance: 5.0, Strings: 3, Instructions: 1223COMMON

Download Yara Rule

Strings

q!d, xrefs: 021FB9B6
R, xrefs: 02204F95
)Hg, xrefs: 021FBE98

Memory Dump Source

Source File: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )Hg$R$q!d
API String ID: 0-1250440267
Opcode ID: b64ece400cf7b7d64807cfe97136952db4ae4f0abfe354421a9cfe8dcfe7c5d9
Instruction ID: b248cccdd1f19607281910dd33b8bf0266809f3078f206e19939462282d205d9
Opcode Fuzzy Hash: b64ece400cf7b7d64807cfe97136952db4ae4f0abfe354421a9cfe8dcfe7c5d9
Instruction Fuzzy Hash: 58B21171608389DFDB74DF38CC987DABBA2BF56310F45815ACC998B296D3708A41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 021F3E05, Relevance: 3.3, Strings: 2, Instructions: 827COMMON

Download Yara Rule

Strings

q!d, xrefs: 021FB9B6
)Hg, xrefs: 021FBE98

Memory Dump Source

Source File: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )Hg$q!d
API String ID: 0-3470481063
Opcode ID: ec395227799e3319d63f2258f6494e20c8ff41d601cc94f8bd603d9572e15fad
Instruction ID: 56d73b44efcef8fba315fa6ba0c55f7d0588a0ae9ee6239bf1bc6db9524fd204
Opcode Fuzzy Hash: ec395227799e3319d63f2258f6494e20c8ff41d601cc94f8bd603d9572e15fad
Instruction Fuzzy Hash: 3D720E71648389DFCBB49F34CC857DABBA1FF15310F56422ADDA99B261C3308A85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02202A7B, Relevance: 3.2, Strings: 2, Instructions: 714COMMON

Download Yara Rule

Strings

q!d, xrefs: 021FB9B6
)Hg, xrefs: 021FBE98

Memory Dump Source

Source File: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )Hg$q!d
API String ID: 0-3470481063
Opcode ID: b0ed15c840d33172b946205035106aaafb13043755b19d46e394284613d1a56e
Instruction ID: 613190e985597df16f8777d0a423995a294c045002f2a4d5aa7ed89b25ff3807
Opcode Fuzzy Hash: b0ed15c840d33172b946205035106aaafb13043755b19d46e394284613d1a56e
Instruction Fuzzy Hash: E062CCB2608389DFDBB49F34CC857DABBA2FF59310F46411ADD999B250D3705A81CB82

Uniqueness

Uniqueness Score: -1.00%

Function 021FE1B9, Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

];~O, xrefs: 021FE981

Memory Dump Source

Source File: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ];~O
API String ID: 0-1740769899
Opcode ID: 986384a851451be29b19952eea5dafa4a5bc0e0f0acb55558377bcd3dc40c682
Instruction ID: ab9954c61c017f10e485257842c4a4c6316d1234140a38a54c74db8994ff3ed3
Opcode Fuzzy Hash: 986384a851451be29b19952eea5dafa4a5bc0e0f0acb55558377bcd3dc40c682
Instruction Fuzzy Hash: 6BA1BD71544389DFDBB89E64CC90BEE7BA2FF15340F02452ADD9A9B264E7314681CF12

Uniqueness

Uniqueness Score: -1.00%

Function 021FA561, Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

6<, xrefs: 021FAAD2

Memory Dump Source

Source File: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 6<
API String ID: 0-4005132889
Opcode ID: 8d1cda31f124fdd6b5e0410858ed347f8782b3729038df039665dcefbe316b72
Instruction ID: d65ddc8360e1dd2354c3534c254d86e2d083e7321da065c888b9760359f05d5d
Opcode Fuzzy Hash: 8d1cda31f124fdd6b5e0410858ed347f8782b3729038df039665dcefbe316b72
Instruction Fuzzy Hash: AC510331604745CFDBB4CE26DAE56EA76E2BF88700F55462FCE9E5B604C338AA01CB15

Uniqueness

Uniqueness Score: -1.00%

Function 022030BF, Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

8Q, xrefs: 02203194

Memory Dump Source

Source File: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 8Q
API String ID: 0-1436772169
Opcode ID: 6e01908da38246fe02a1aa732c4be2d73c6560675b12008a7d360ca69493edae
Instruction ID: 287b6934329d48ba9b04144d1d0ffbfc6889389448c2d357f5385bc673eebecd
Opcode Fuzzy Hash: 6e01908da38246fe02a1aa732c4be2d73c6560675b12008a7d360ca69493edae
Instruction Fuzzy Hash: 11214572B10384DBEB38CE669DD47DA76A3AFD9310F55806F9C0E4B2AAC77046478A05

Uniqueness

Uniqueness Score: -1.00%

Function 021F10DE, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d159c00116b4570db599f8b8df427defd3295464081aa5d785285d006e03dd3f
Instruction ID: 0068cf34deee314967f171c90bebc2d0fc23211a15457c904bdbc8c01199b030
Opcode Fuzzy Hash: d159c00116b4570db599f8b8df427defd3295464081aa5d785285d006e03dd3f
Instruction Fuzzy Hash: FF617D712D825BDFC715EE758CC15AAFFE0EE5A220B2447ADC5A19B8E7C721840BC781

Uniqueness

Uniqueness Score: -1.00%

Function 00401535, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.865515020.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.865509742.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.865547329.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.865553346.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
Instruction ID: d394a65342a6a254380257ba0734a19f866dc21ad068f5b1ddaac111a7468d93
Opcode Fuzzy Hash: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
Instruction Fuzzy Hash: F641279025E2D4EFC71B47B64CBA2813FE1AE07108B1A88EFD6D54B8A3E555241FC727

Uniqueness

Uniqueness Score: -1.00%

Function 00401771, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.865515020.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.865509742.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.865547329.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.865553346.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
Instruction ID: 0ef76ab4ed2bcdf07a831812e9108315abc5032b0251afc9fc56c28be75d868b
Opcode Fuzzy Hash: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
Instruction Fuzzy Hash: 5E11DAB150E3E59FCB174B748CB52527FB0AF1B20070A44EBD4819F8A7E268281ED727

Uniqueness

Uniqueness Score: -1.00%

Function 021FD382, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01847e38541d212605e8026ea65f99b00070c1616b8e6ad131507d161d4388b9
Instruction ID: 2773363e7e59e3a5ae4a2b3d9f2bde8883f32470fdb0b71769b1d637bc1daf86
Opcode Fuzzy Hash: 01847e38541d212605e8026ea65f99b00070c1616b8e6ad131507d161d4388b9
Instruction Fuzzy Hash: D311C27114C305DFD7A8AE78C946AAEBBF1FF14744F42491E9AEA96520C7301681CF07

Uniqueness

Uniqueness Score: -1.00%

Function 02202CF6, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbfdadc1d5f8e6130a9847ef6dcf353dfb158e8513e0f8c7f19a8788eeb98c79
Instruction ID: c2ffa31607683652f3e4d6506444d784d88ea8ca0ed0781e1921561633ac208d
Opcode Fuzzy Hash: fbfdadc1d5f8e6130a9847ef6dcf353dfb158e8513e0f8c7f19a8788eeb98c79
Instruction Fuzzy Hash: DB010075224288CFCB24CF68C8CCB9A73A0AB19200F05456AEC08CB36AD770EE44CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00401724, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.865515020.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.865509742.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.865547329.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.865553346.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction ID: 3a4f40afd7daac755765d0dbc513794409bb1d663c47dbf88c845af7c1cdfe86
Opcode Fuzzy Hash: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction Fuzzy Hash: CBF07A70124154EFCB06CF74D8A5A063BE1AF5B3407451CDAD9108F475D736B865EB12

Uniqueness

Uniqueness Score: -1.00%

Function 0220377C, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c1317dcc9fd4b6bec7c78934aa9874b59481f114a69acd0372d82046c7b738
Instruction ID: 933d5ca21ab1ad9a05ada7be5d84b339616378358e8e990d80d718d64b152d0a
Opcode Fuzzy Hash: c9c1317dcc9fd4b6bec7c78934aa9874b59481f114a69acd0372d82046c7b738
Instruction Fuzzy Hash: F2C080831243A2455779547833543DB55D70F4255073086742D254675EDBC58E4445C2

Uniqueness

Uniqueness Score: -1.00%

Function 021FD0BD, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 022020CD, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa1e8760e4468cccab5301a68a3ccb3b13af2710bfea2abf0b86437d23c2669
Instruction ID: d443c0db12622c4a5dd1f0cd2b1cbac6f4c5155c753e1d18ff0899068fd1d2a4
Opcode Fuzzy Hash: 4aa1e8760e4468cccab5301a68a3ccb3b13af2710bfea2abf0b86437d23c2669
Instruction Fuzzy Hash: C5B002792516408FC696CE19C194F8073A4BB45A51BC15594E81197B15C268E9418950

Uniqueness

Uniqueness Score: -1.00%

Function 0041DC2B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041DC2B() {
				signed int _v8;
				signed int _t8;
				char _t10;
				signed int _t13;
				intOrPtr _t15;
				intOrPtr _t17;

				_push(4);
				L00401210();
				_t8 = 1;
				_t13 = 1;
				_t15 =  *0x41f034; // 0x496f78
				_t17 =  *0x41f034; // 0x496f78
				_t10 =  *((intOrPtr*)(_t17 + _t8 * 0xffffffff));
				 *((char*)(_t15 + _t13 * 0xffffffff)) = _t10;
				_push( *0x41f034);
				L004012A6();
				 *0x41f040 = _t10;
				_v8 = _v8 | 0x0000ffff;
				 *0x41f044 = _v8;
				return _v8;
			}

0x0041dc2e
0x0041dc31
0x0041dc39
0x0041dc3f
0x0041dc43
0x0041dc49
0x0041dc4f
0x0041dc52
0x0041dc55
0x0041dc5b
0x0041dc60
0x0041dc65
0x0041dc6e
0x0041dc7a

APIs

__vbaChkstk.MSVBVM60(?,0041D9BA), ref: 0041DC31
#644.MSVBVM60(?,?,0041D9BA), ref: 0041DC5B

Strings

xoI, xrefs: 0041DC43, 0041DC49

Memory Dump Source

Source File: 00000000.00000002.865515020.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.865509742.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.865547329.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.865553346.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: #644Chkstk__vba
String ID: xoI
API String ID: 3537395942-1220964006
Opcode ID: 1fdb90ed205820644e49d482dbba69813c73be8c9f8cc2bad7bb57aaf86839db
Instruction ID: a4d76139e0849925d4540305290d299c3be9090f96f16b4af28684474d20ff8c
Opcode Fuzzy Hash: 1fdb90ed205820644e49d482dbba69813c73be8c9f8cc2bad7bb57aaf86839db
Instruction Fuzzy Hash: 40F0A03D542241AAC720AB64AE126D47F78AB4D750F1040BAFA01EF2B3D3745943D75C

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Statement from QNB.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: Statement from QNB.exe PID: 6836 Parent PID: 5704

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: Statement from QNB.exe PID: 6836 Parent PID: 5704 Statement from QNB.exeCOMMON

Executed Functions

Function 021FDA66, Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 484memorynativeCOMMON

Function 0220697A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 204COMMON

Function 0041C634, Relevance: 202.1, APIs: 105, Strings: 10, Instructions: 878COMMON

Function 0041C634, Relevance: 202.1, APIs: 105, Strings: 10, Instructions: 878
COMMON

Function 0041D6BF, Relevance: 54.4, APIs: 28, Strings: 3, Instructions: 165
COMMON

Function 0041DA6E, Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Function 0041D938, Relevance: 12.1, APIs: 8, Instructions: 70
COMMON

Function 0041DC2B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
COMMON