Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe
Analysis ID:	795583
MD5:	ecad138645d6e9bb23777c2871786211
SHA1:	7c194ebd4c5f629669a8b22cba2f448b859d7e4d
SHA256:	c4878022138a1fdbf5c1ba0fb8fe739810ec31b9e83fd334ba4c2f96e675610d
Tags:	exe
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Uses 32bit PE files

Sample file is different than original file name gathered from version info

Found large amount of non-executed APIs

Program does not show much activity (idle)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Classification

×

Process Tree

System is w10x64

SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe (PID: 3312 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe MD5: ECAD138645D6E9BB23777C2871786211)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe, 00000000.00000002.515304205.0000000000413000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameYAZOKULU_2019.exe vs SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe
Source: SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe	Binary or memory string: OriginalFilenameYAZOKULU_2019.exe vs SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe

Code function: 0_2_0040CA70

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DFC0D365B42DF662A8.TMP

Jump to behavior

Source: SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: classification engine

Classification label: clean3.winEXE@1/1@0/0

Source: SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe, 00000000.00000002.515293210.0000000000411000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: <q@*\AC:\Users\Tuncay\hesaplar_yazokulu\Project1.vbp
Source: SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe	Binary or memory string: A*\AC:\Users\Tuncay\hesaplar_yazokulu\Project1.vbp

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe

Code function: 0_2_00406A30 pushad ; retf 0040h

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe

API coverage: 0.3 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Obfuscated Files or Information	OS Credential Dumping	1 System Information Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe	10%	ReversingLabs	Win32.Trojan.Symmi

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	795583
Start date and time:	2023-02-01 01:36:17 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe
Detection:	CLEAN
Classification:	clean3.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 95.1% (good quality ratio 62.7%) Quality average: 33.2% Quality standard deviation: 29.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DFC0D365B42DF662A8.TMP

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.5168694484330218
Encrypted:	false
SSDEEP:	48:rUxxn2I2GsTQ3oS5edgYiTQnKsIkx0WOhRDC39aJT:ImI975sHnK7kRTMJT
MD5:	43B68DE5EDF8DFE164E4243459B13D7E
SHA1:	8B42FEB93406FD7E86FFCF7C4C095B9555B72C80
SHA-256:	9F6A958F818CB695A118C22CEE8447B3AA99CFA85F5529FB1459FE26E438189B
SHA-512:	C86524C75AFDD81F151EE8B1C7F037687F785967A561A4E2E994FB4D716BB686D5E2B5BFE8EF80AF4A2EC3788F3DBDFC1F8840FB6BF5A2E348C8628305F6F700
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.696418687753263
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe
File size:	77824
MD5:	ecad138645d6e9bb23777c2871786211
SHA1:	7c194ebd4c5f629669a8b22cba2f448b859d7e4d
SHA256:	c4878022138a1fdbf5c1ba0fb8fe739810ec31b9e83fd334ba4c2f96e675610d
SHA512:	503ab6dcc50aba02793db4cb46ef9bb55119f6db25706eb7846c0c7962ecde83fad0b05346d9f8f99d129564f6205b95507f4faafd22dc9f9a6d8bd22df0ca90
SSDEEP:	768:xMWsiW/asd0ZA/YuOeaSuSRZOnh6MmW/asdDOeaSuSBkFNVHrQQnsWMLS92GddJp:xMWU/AA/YucSRYh6Mp/RcSWQ8sI7UG
TLSH:	56734B23DDA4B8A2EE468A721C40516845434D359915BE0BBF0D3F2CAEB66C3DDF532B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K............6......5.....t5.....Rich.*..................PE..L..../.].....................0....................@........

File Icon


Icon Hash:	ecd4e4f4e4e4fc7c

Static PE Info

General

Entrypoint:	0x4012cc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x5D1D2F85 [Wed Jul 3 22:43:17 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5770ff113a3e44536505c9eb45bc8281

Entrypoint Preview

Instruction
push 004068E8h
call 00007FB7ECBADAF3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dl, dl
nop
mov edx, 1116481Dh
dec edi
movsb
pushfd
lodsb
xor cl, byte ptr [edi]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x106b4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13000	0xca4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xe0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xfaf4	0x10000	False	0.3323974609375	data	6.217406699604862	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x11000	0x1184	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x13000	0xca4	0x1000	False	0.498779296875	data	4.802431331554205	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x133fc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_GROUP_ICON	0x133e8	0x14	data
RT_VERSION	0x130f0	0x2f8	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

__vbaVarSub, __vbaStrI2, _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, __vbaStrR8, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaVarMul, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaVarDiv, __vbaFPException, __vbaStrVarVal, __vbaVarCat, _CIlog, __vbaR8Str, __vbaNew2, __vbaVarInt, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarAdd, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, __vbaFPInt, _CIexp, __vbaFreeStr, __vbaFreeObj

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exePID: 3312, Parent PID: 3320

General

Target ID:	0
Start time:	01:37:17
Start date:	01/02/2023
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exe
Imagebase:	0x400000
File size:	77824 bytes
MD5 hash:	ECAD138645D6E9BB23777C2871786211
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.Variant.Symmi.94861.7356.1827.exePID: 3312, Parent PID: 3320COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0.6%
Signature Coverage:	25.2%
Total number of Nodes:	477
Total number of Limit Nodes:	1

Executed Functions

Function 004102A0 Relevance: 55.7, APIs: 37, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,00401160,00407260,000006FC), ref: 00410301
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 0041031B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074D0,000000F4), ref: 0041033C
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 00410345
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 00410359
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074D0,000000F4), ref: 0041037A
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 00410383
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 00410397
__vbaStrI2.MSVBVM60(00000004,?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 004103A0
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 004103AB
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074E0,000000A4), ref: 004103D0
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 004103D9
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 004103E2
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 004103F6
__vbaStrI2.MSVBVM60(0000012C,?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 00410402
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 0041040D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074F0,00000054), ref: 0041042C
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 00410435
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 0041043E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 00410452
__vbaStrR8.MSVBVM60(392189BE,3FC1B899,?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 00410463
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 0041046E
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074F0,00000054), ref: 0041048D
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 00410496
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 0041049F
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 004104B3
__vbaStrI2.MSVBVM60(00000014,?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 004104BC
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 004104C7
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074E0,000000A4), ref: 004104EC
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 004104FB
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 00410500
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 00410514
__vbaStrI2.MSVBVM60(00000005,?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 0041051C
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 00410527
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074E0,000000A4), ref: 00410547
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 00410550
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 00410555

Memory Dump Source

Source File: 00000000.00000002.515259832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.515244693.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.515293210.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.515304205.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$CheckHresult$Move
String ID:
API String ID: 1589273832-0
Opcode ID: a9a9f2d0cde0cea1997a3e5cbf9bf2c1d32576560a98d29440eee8d519e142a8
Instruction ID: 01fa24e23c7938e60703d02d94e922959e4058f226e3b6f1959942de30d8e2fe
Opcode Fuzzy Hash: a9a9f2d0cde0cea1997a3e5cbf9bf2c1d32576560a98d29440eee8d519e142a8
Instruction Fuzzy Hash: 3C914F70A00246AFDB109F65CD88EAEBBB8FF18705F104139F645E75A0DB785985CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004012CC Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			_entry_(signed int __eax, signed int __ebx, signed int __ecx, void* __edx, void* __edi, signed int* __esi) {
				signed int _t11;
				signed int _t12;
				signed char _t13;
				signed char _t20;
				signed int* _t30;

				_t30 = __esi;
				_t17 = __ebx;
				_push(0x4068e8); // executed
				L004012C4(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t11 = __eax + 1;
				 *_t11 =  *_t11 + _t11;
				 *_t11 =  *_t11 + _t11;
				 *_t11 =  *_t11 + _t11;
				asm("movsb");
				asm("pushfd");
				asm("lodsb");
				_t20 = __ecx ^  *(__edi - 1);
				asm("invalid");
				 *_t11 =  *_t11 + _t11;
				 *_t11 =  *_t11 + _t11;
				 *_t11 =  *_t11 + _t11;
				 *_t11 =  *_t11 + _t11;
				 *_t11 =  *_t11 + _t11;
				 *_t11 =  *_t11 + _t11;
				 *_t11 =  *_t11 + _t11;
				 *_t11 =  *_t11 + _t11;
				_push(_t11);
				if( *_t11 >= 0) {
					_push(0x65);
					asm("arpl [ecx+esi], si");
					 *_t11 =  *_t11 + _t11;
					 *_t11 =  *_t11 + _t11;
					 *_t11 =  *_t11 + _t11;
					 *_t11 =  *_t11 + _t11;
					 *_t11 =  *_t11 + _t11;
					asm("int3");
					 *_t11 =  *_t11 ^ _t11;
					asm("rol byte [ecx-0x77], cl");
					asm("cld");
					_t11 = (_t11 ^  *__esi) + 0x00000001 - 0x00000001 &  *(__esi - 0x7f970722);
					_t17 = __ebx + __ebx ^  *(_t20 - 0x48ee309a);
					asm("cdq");
					asm("iretw");
					asm("adc [edi+0xaa000c], esi");
					asm("pushad");
					asm("rcl dword [ebx], cl");
					 *_t11 =  *_t11 + _t11;
					 *_t11 =  *_t11 + _t11;
					 *_t11 =  *_t11 + _t11;
					 *_t11 =  *_t11 + _t11;
					 *_t11 =  *_t11 + _t11;
					 *_t11 =  *_t11 + _t11;
					 *_t11 =  *_t11 + _t11;
					 *_t11 =  *_t11 + _t11;
					 *_t11 =  *_t11 + _t11;
					 *_t11 =  *_t11 + _t11;
					 *_t11 =  *_t11 + _t11;
					 *_t11 =  *_t11 + _t11;
					 *_t11 =  *_t11 + _t11;
					 *_t11 =  *_t11 + _t11;
					 *_t11 =  *_t11 + _t11;
					 *_t11 =  *_t11 + _t11;
					 *_t11 =  *_t11 + _t11;
					ds = 0x55;
				}
				 *_t11 =  *_t11 | _t11;
				 *_t11 =  *_t11 + _t11;
				_t12 = _t11 + 0x726f4600;
				asm("insd");
				 *_t12 =  *_t12 ^ _t12;
				_t13 = _t12 | 0xc0c0c003;
				 *_t20 =  *_t20 + _t17;
				 *_t13 =  *_t13 + _t13;
				 *0x23012200 =  *0x23012200 + _t17;
				asm("invalid");
				 *_t13 =  *_t13 + _t13;
				asm("insb");
				if ( *_t13 == 0) goto L4;
				_t30[2] = _t30[2] + _t17;
				 *_t20 =  *_t20 + _t13;
				 *_t20 =  *_t20 + _t13;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 & _t13;
				 *_t20 =  *_t20 + _t13;
				 *_t13 =  *_t13 + _t20;
				 *((intOrPtr*)(_t13 + 0x16000008)) =  *((intOrPtr*)(_t13 + 0x16000008)) + _t20;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 + _t20;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 | _t13;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 + _t13;
				 *_t13 =  *_t13 + _t13;
				asm("o16 add bh, bh");
				goto 0xdd;
				return _t13;
			}

0x004012cc
0x004012cc
0x004012cc
0x004012d1
0x004012d6
0x004012d8
0x004012da
0x004012dc
0x004012de
0x004012e0
0x004012e1
0x004012e3
0x004012e5
0x004012f0
0x004012f1
0x004012f2
0x004012f3
0x004012f5
0x004012f8
0x004012fa
0x004012fc
0x004012fe
0x00401300
0x00401302
0x00401304
0x00401306
0x00401308
0x00401309
0x0040130b
0x0040130d
0x00401311
0x00401313
0x00401315
0x00401317
0x00401319
0x0040131d
0x0040131e
0x00401327
0x0040132b
0x0040132f
0x00401344
0x00401345
0x00401346
0x00401348
0x0040134e
0x0040134f
0x00401355
0x00401357
0x00401359
0x0040135b
0x0040135d
0x0040135f
0x00401361
0x00401363
0x00401365
0x00401367
0x00401369
0x0040136b
0x0040136d
0x0040136f
0x00401371
0x00401373
0x00401377
0x00401379
0x00401379
0x0040137a
0x0040137c
0x0040137e
0x00401383
0x00401384
0x00401386
0x0040138b
0x0040138d
0x00401390
0x00401396
0x00401398
0x0040139a
0x0040139b
0x0040139d
0x004013a3
0x004013a5
0x004013a7
0x004013a9
0x004013ab
0x004013ad
0x004013af
0x004013b5
0x004013b7
0x004013b9
0x004013bb
0x004013bd
0x004013bf
0x004013c2
0x004013c4
0x004013c6
0x004013c8
0x004013ca
0x004013cc
0x004013ce
0x004013d0
0x004013d2
0x004013d4
0x004013d6
0x004013d8
0x004013da
0x004013dc
0x004013de
0x004013e0
0x004013e2
0x004013e4
0x004013e9
0x004013f0

APIs

#100.MSVBVM60(004068E8), ref: 004012D1

Memory Dump Source

Source File: 00000000.00000002.515259832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.515244693.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.515293210.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.515304205.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: #100
String ID:
API String ID: 1341478452-0
Opcode ID: aaa4a5cd0952de0969f6eea08c13a7b033a28e8169f4feff0301c58671faf835
Instruction ID: 2d17c5d3732dba9d6cc34c97304b9ac55b38fc5d251dc2073ca1345d9b488a27
Opcode Fuzzy Hash: aaa4a5cd0952de0969f6eea08c13a7b033a28e8169f4feff0301c58671faf835
Instruction Fuzzy Hash: 78D0488105E3C10EE303237608711866FB64D5315435B51D780C0EB4F3C05C0C6EC726

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040CA70 Relevance: 160.0, APIs: 106, Instructions: 1016
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CAF0
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074D0,000000F0), ref: 0040CB1D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CB35
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074D0,000000F0), ref: 0040CB5C
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040CB84
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CBA2
__vbaStrR8.MSVBVM60(51EB851F,40091EB8), ref: 0040CBB3
__vbaStrMove.MSVBVM60 ref: 0040CBBE
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074E0,000000A4), ref: 0040CBE9
__vbaFreeStr.MSVBVM60 ref: 0040CBF6
__vbaFreeObj.MSVBVM60 ref: 0040CBFF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CC13
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074D0,000000F0), ref: 0040CC3A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CC4A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074D0,000000F0), ref: 0040CC71
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CC81
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074D0,000000F0), ref: 0040CCA8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CCB8
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074D0,000000F0), ref: 0040CCDF
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0040CD2D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CD4B
__vbaStrR8.MSVBVM60(C28F5C29,400428F5), ref: 0040CD5C
__vbaStrMove.MSVBVM60 ref: 0040CD67
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074E0,000000A4), ref: 0040CD92
__vbaFreeStr.MSVBVM60 ref: 0040CD9F
__vbaFreeObj.MSVBVM60 ref: 0040CDA8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CDBC
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074D0,000000F0), ref: 0040CDE3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CDF3
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074D0,000000F0), ref: 0040CE1A
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040CE43
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CE61
__vbaStrR8.MSVBVM60(F5C28F5C,3FFB5C28), ref: 0040CE72
__vbaStrMove.MSVBVM60 ref: 0040CE7D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074E0,000000A4), ref: 0040CEB2
__vbaFreeStr.MSVBVM60 ref: 0040CEBF
__vbaFreeObj.MSVBVM60 ref: 0040CEC8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CEDC
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074D0,000000F0), ref: 0040CF03
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CF13
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074D0,000000F0), ref: 0040CF3A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CF4A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074D0,000000F0), ref: 0040CF71
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CF81
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074D0,000000F0), ref: 0040CFA8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CFB8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074D0,000000F0), ref: 0040CFDF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CFEF
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074D0,000000F0), ref: 0040D016
__vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 0040D087
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D0A5
__vbaStrR8.MSVBVM60(0A3D70A4,3FFCA3D7), ref: 0040D0B6
__vbaStrMove.MSVBVM60 ref: 0040D0C1
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074E0,000000A4), ref: 0040D0F6
__vbaFreeStr.MSVBVM60 ref: 0040D103
__vbaFreeObj.MSVBVM60 ref: 0040D10C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D120
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074D0,000000F0), ref: 0040D147
__vbaFreeObj.MSVBVM60 ref: 0040D15C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D177
__vbaStrR8.MSVBVM60(70A3D70A,400F0A3D), ref: 0040D188
__vbaStrMove.MSVBVM60 ref: 0040D193
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074E0,000000A4), ref: 0040D1BE
__vbaFreeStr.MSVBVM60 ref: 0040D1CB
__vbaFreeObj.MSVBVM60 ref: 0040D1D4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D1E8
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074D0,000000F0), ref: 0040D20F
__vbaFreeObj.MSVBVM60 ref: 0040D224
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D23F
__vbaStrR8.MSVBVM60(147AE148,400147AE), ref: 0040D250
__vbaStrMove.MSVBVM60 ref: 0040D25B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074E0,000000A4), ref: 0040D290
__vbaFreeStr.MSVBVM60 ref: 0040D29D
__vbaFreeObj.MSVBVM60 ref: 0040D2A6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D2BA
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074D0,000000F0), ref: 0040D2E1
__vbaFreeObj.MSVBVM60 ref: 0040D2F6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D311
__vbaStrR8.MSVBVM60(F5C28F5C,3FFF5C28), ref: 0040D322
__vbaStrMove.MSVBVM60 ref: 0040D32D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074E0,000000A4), ref: 0040D358
__vbaFreeStr.MSVBVM60 ref: 0040D365
__vbaFreeObj.MSVBVM60 ref: 0040D36E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D382
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074D0,000000F0), ref: 0040D3A9
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D3B9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074D0,000000F0), ref: 0040D3E0
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040D409
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D427
__vbaStrR8.MSVBVM60(EB851EB8,3FFEB851), ref: 0040D438
__vbaStrMove.MSVBVM60 ref: 0040D443
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074E0,000000A4), ref: 0040D478
__vbaFreeStr.MSVBVM60 ref: 0040D485
__vbaFreeObj.MSVBVM60 ref: 0040D48E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D4A2
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074D0,000000F0), ref: 0040D4C9
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D4D9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074D0,000000F0), ref: 0040D500
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040D529
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D547
__vbaStrR8.MSVBVM60(66666666,3FF66666), ref: 0040D558
__vbaStrMove.MSVBVM60 ref: 0040D563
__vbaHresultCheckObj.MSVBVM60(00000000,?,004074E0,000000A4), ref: 0040D588
__vbaFreeStr.MSVBVM60 ref: 0040D58D
__vbaFreeObj.MSVBVM60 ref: 0040D596
__vbaHresultCheckObj.MSVBVM60(00000000,004010E0,00407260,000006F8), ref: 0040D5B5

Memory Dump Source

Source File: 00000000.00000002.515259832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.515244693.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.515293210.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.515304205.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$CheckHresult$Free$Move$List
String ID:
API String ID: 2718955921-0
Opcode ID: 10535b1b9610a9968769cecacd8dd13529b5e627453465be5b680e553cfceeeb
Instruction ID: 3c5c02d7455250cd45a1fa1cbe2b702bfe16fb957843f0df2ac842a806c951f2
Opcode Fuzzy Hash: 10535b1b9610a9968769cecacd8dd13529b5e627453465be5b680e553cfceeeb
Instruction Fuzzy Hash: BA722D71E0020AAFDB14DFA5CD88EAEB7B8BF48304F108539E545E71A1DB74A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0040E240 Relevance: 54.3, APIs: 36, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401186), ref: 0040E29F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074D0,000000F0,?,?,?,?,?,?,?,?,?,?,00401186), ref: 0040E2C2
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401186), ref: 0040E2D6
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401186), ref: 0040E2EF
__vbaStrI2.MSVBVM60(0000012C,?,?,?,?,?,?,?,?,?,?,00401186), ref: 0040E2FA
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401186), ref: 0040E305
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074F0,00000054,?,?,?,?,?,?,?,?,?,?,00401186), ref: 0040E31F
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401186), ref: 0040E328
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401186), ref: 0040E331
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401186), ref: 0040E34B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074D0,000000F0,?,?,?,?,?,?,?,?,?,?,00401186), ref: 0040E36E
__vbaFreeObj.MSVBVM60 ref: 0040E383
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E39C
__vbaStrI2.MSVBVM60(000000FA), ref: 0040E3A7
__vbaStrMove.MSVBVM60 ref: 0040E3B2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074F0,00000054), ref: 0040E3CC
__vbaFreeStr.MSVBVM60 ref: 0040E3D5
__vbaFreeObj.MSVBVM60 ref: 0040E3DE
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E3F8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074D0,000000F0), ref: 0040E41B
__vbaFreeObj.MSVBVM60 ref: 0040E430
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E449
__vbaStrI2.MSVBVM60(000000C8), ref: 0040E454
__vbaStrMove.MSVBVM60 ref: 0040E45F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074F0,00000054), ref: 0040E479
__vbaFreeStr.MSVBVM60 ref: 0040E482
__vbaFreeObj.MSVBVM60 ref: 0040E48B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E4A5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074D0,000000F0), ref: 0040E4C8
__vbaFreeObj.MSVBVM60 ref: 0040E4DD
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E4F6
__vbaStrI2.MSVBVM60(000000A0), ref: 0040E501
__vbaStrMove.MSVBVM60 ref: 0040E50C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074F0,00000054), ref: 0040E526
__vbaFreeStr.MSVBVM60 ref: 0040E52F
__vbaFreeObj.MSVBVM60 ref: 0040E538

Memory Dump Source

Source File: 00000000.00000002.515259832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.515244693.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.515293210.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.515304205.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$CheckHresult$Move
String ID:
API String ID: 1589273832-0
Opcode ID: 379ea3765e5af314ad5f453610cca845d453eb75f90509deb16a7d9f19d08d56
Instruction ID: cfffcb0f6003e92d88f736ae2ad91d2e8261de0951408bb7b3057c9d87e8e5ef
Opcode Fuzzy Hash: 379ea3765e5af314ad5f453610cca845d453eb75f90509deb16a7d9f19d08d56
Instruction Fuzzy Hash: D0914F31A00245ABDB009FB5CD88EAE7BBCFF48705F108539F542E75A1DB786946CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040D620 Relevance: 9.1, APIs: 6, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E0040D620(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				void* _t23;
				void* _t29;
				void* _t30;
				char* _t31;
				intOrPtr* _t33;
				intOrPtr* _t44;
				intOrPtr* _t46;
				intOrPtr* _t47;
				void* _t48;
				void* _t50;
				intOrPtr _t51;

				_t51 = _t50 - 0xc;
				 *[fs:0x0] = _t51;
				_v16 = _t51 - 0x24;
				_v12 = 0x4010f0;
				_v8 = 0;
				_t46 = _a4;
				 *((intOrPtr*)( *_t46 + 4))(_t46, __edi, __esi, __ebx,  *[fs:0x0], 0x401186, _t48);
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_t23 =  *((intOrPtr*)( *_t46 + 0x32c))(_t46);
				_t33 = __imp____vbaObjSet;
				_t44 =  *_t33( &_v36, _t23);
				_t47 =  *_t33( &_v32,  *((intOrPtr*)( *_t46 + 0x324))(_t46));
				_t29 =  *((intOrPtr*)( *_t47 + 0xa0))(_t47,  &_v28);
				asm("fclex");
				if(_t29 < 0) {
					__imp____vbaHresultCheckObj(_t29, _t47, 0x4074e0, 0xa0);
				}
				_t30 =  *((intOrPtr*)( *_t44 + 0x54))(_t44, _v28);
				asm("fclex");
				if(_t30 < 0) {
					__imp____vbaHresultCheckObj(_t30, _t44, 0x4074f0, 0x54);
				}
				__imp____vbaFreeStr();
				_t31 =  &_v36;
				__imp____vbaFreeObjList(2,  &_v32, _t31);
				_push(0x40d70f);
				return _t31;
			}

0x0040d623
0x0040d632
0x0040d63f
0x0040d642
0x0040d64b
0x0040d64e
0x0040d654
0x0040d65a
0x0040d65d
0x0040d660
0x0040d663
0x0040d669
0x0040d676
0x0040d688
0x0040d691
0x0040d699
0x0040d69b
0x0040d6a9
0x0040d6a9
0x0040d6b6
0x0040d6bb
0x0040d6bd
0x0040d6c8
0x0040d6c8
0x0040d6d1
0x0040d6d7
0x0040d6e1
0x0040d6ea
0x00000000

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 0040D674
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 0040D686
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074E0,000000A0,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 0040D6A9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074F0,00000054,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 0040D6C8
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 0040D6D1
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,00401186), ref: 0040D6E1

Memory Dump Source

Source File: 00000000.00000002.515259832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.515244693.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.515293210.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.515304205.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$CheckFreeHresult$List
String ID:
API String ID: 2830907855-0
Opcode ID: 281f1b9a5f0ac1c1d2d7da50d7f8fa8a2d8c4047caa3dd9ca370c50370486af1
Instruction ID: fb9d06809fb7f965de9e5e6255bda1f486782a40148adf14d3c442f0134af40c
Opcode Fuzzy Hash: 281f1b9a5f0ac1c1d2d7da50d7f8fa8a2d8c4047caa3dd9ca370c50370486af1
Instruction Fuzzy Hash: 86211D70900249AFDB109FA5CD49EAFBBFCFF48704F10812AF545A31A1D7789945CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004105A0 Relevance: 9.1, APIs: 6, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaNew2.MSVBVM60(00407A20,0041133C,?,?,?,?,?,?,?,?,00401186), ref: 004105F8
__vbaObjSetAddref.MSVBVM60(?,00401170,?,?,?,?,?,?,?,?,00401186), ref: 0041060E
__vbaHresultCheckObj.MSVBVM60(00000000,02B3E9AC,00407A10,00000010,?,?,?,?,?,?,?,?,00401186), ref: 0041062B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401186), ref: 00410634
__vbaNew2.MSVBVM60(00407BB4,00411010,?,?,?,?,?,?,?,?,00401186), ref: 0041064C
__vbaHresultCheckObj.MSVBVM60(00000000,005404A0,00407230,000001BC,?,?,?,?,?,?,?,?,00401186), ref: 00410675

Memory Dump Source

Source File: 00000000.00000002.515259832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.515244693.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.515293210.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.515304205.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$CheckHresultNew2$AddrefFree
String ID:
API String ID: 4015893416-0
Opcode ID: 78ddf6b98a59f16f161818537b2fac434ea9bbf79a9db2ac722cca1ecbe8624b
Instruction ID: de10622d7d530a891a444557367db9db3dcc9e99ca436ff96b44cbd4ef364f2a
Opcode Fuzzy Hash: 78ddf6b98a59f16f161818537b2fac434ea9bbf79a9db2ac722cca1ecbe8624b
Instruction Fuzzy Hash: 0521A374A00204ABC7009F65CE45ADEBBB8FB48700B20853AF651B36E1C37858818B98

Uniqueness

Uniqueness Score: -1.00%

Function 004100E0 Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 28%

			E004100E0(signed char _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v24;
				signed char _t15;
				signed char _t16;
				intOrPtr _t18;
				void* _t20;
				intOrPtr _t21;
				void* _t22;
				signed char _t23;
				void* _t26;
				void* _t34;
				void* _t36;
				intOrPtr* _t37;
				intOrPtr* _t38;
				intOrPtr _t40;

				 *[fs:0x0] = _t40;
				_v16 = _t40 - 0x10;
				_v12 = 0x401148;
				_t15 = _a4;
				_v8 = _t15 & 0x00000001;
				_t16 = _t15 & 0x000000fe;
				_a4 = _t16;
				 *((intOrPtr*)( *_t16 + 4))(_t16, _t34, _t36, _t26,  *[fs:0x0], 0x401186);
				_t18 =  *0x411024; // 0x0
				if(_t18 == 0) {
					__imp____vbaNew2(0x406c60, 0x411024);
				}
				_t37 =  *0x411024; // 0x0
				_t20 =  *((intOrPtr*)( *_t37 + 0x1bc))(_t37, 0xffffffff);
				asm("fclex");
				if(_t20 < 0) {
					__imp____vbaHresultCheckObj(_t20, _t37, 0x4079c4, 0x1bc);
				}
				_t21 =  *0x411010; // 0x5404a0
				if(_t21 == 0) {
					__imp____vbaNew2(0x407bb4, 0x411010);
				}
				_t38 =  *0x411010; // 0x5404a0
				_t22 =  *((intOrPtr*)( *_t38 + 0x1bc))(_t38, 0);
				asm("fclex");
				if(_t22 < 0) {
					__imp____vbaHresultCheckObj(_t22, _t38, 0x407230, 0x1bc);
				}
				_v8 = 0;
				_t23 = _a4;
				 *((intOrPtr*)( *_t23 + 8))(_t23);
				 *[fs:0x0] = _v24;
				return _v8;
			}

0x004100f2
0x004100ff
0x00410102
0x00410109
0x00410111
0x00410114
0x00410117
0x0041011c
0x0041011f
0x00410126
0x00410132
0x00410132
0x00410138
0x00410143
0x0041014b
0x0041014d
0x0041015b
0x0041015b
0x00410161
0x00410168
0x00410174
0x00410174
0x0041017a
0x00410185
0x0041018d
0x0041018f
0x0041019d
0x0041019d
0x004101a3
0x004101aa
0x004101b0
0x004101bb
0x004101c6

APIs

__vbaNew2.MSVBVM60(00406C60,00411024,?,?,?,?,?,?,00401186), ref: 00410132
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004079C4,000001BC,?,?,?,?,?,?,00401186), ref: 0041015B
__vbaNew2.MSVBVM60(00407BB4,00411010,?,?,?,?,?,?,00401186), ref: 00410174
__vbaHresultCheckObj.MSVBVM60(00000000,005404A0,00407230,000001BC,?,?,?,?,?,?,00401186), ref: 0041019D

Memory Dump Source

Source File: 00000000.00000002.515259832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.515244693.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.515293210.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.515304205.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$CheckHresultNew2
String ID:
API String ID: 1998677070-0
Opcode ID: 289e525710720ce647f129ee04bde52d07fd0e9582bcd63e0d25116479a698e7
Instruction ID: ef5bc2f68a0a9d6af99f82fc43cff1bc5c7c197f985a77063a862a5cd70b0e72
Opcode Fuzzy Hash: 289e525710720ce647f129ee04bde52d07fd0e9582bcd63e0d25116479a698e7
Instruction Fuzzy Hash: A4218175B40240BBD710DF69CE49BDA7BF8FB09714F10816AF945E76A0C778A8808B98

Uniqueness

Uniqueness Score: -1.00%

Function 004101D0 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaNew2.MSVBVM60(00407A20,0041133C,?,?,?,?,?,?,?,?,00401186), ref: 00410228
__vbaObjSetAddref.MSVBVM60(?,00401150,?,?,?,?,?,?,?,?,00401186), ref: 0041023E
__vbaHresultCheckObj.MSVBVM60(00000000,02B3E9AC,00407A10,00000010,?,?,?,?,?,?,?,?,00401186), ref: 0041025B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401186), ref: 00410264

Memory Dump Source

Source File: 00000000.00000002.515259832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.515244693.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.515293210.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.515304205.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$AddrefCheckFreeHresultNew2
String ID:
API String ID: 1649212984-0
Opcode ID: 20a9c60f855d2ff761649c30d33cdf927133c8ae100917f8970f8fdea304e204
Instruction ID: 25fb5bacfb309643818aadf6102744031a4e32d005fbae359a864b7f90695bab
Opcode Fuzzy Hash: 20a9c60f855d2ff761649c30d33cdf927133c8ae100917f8970f8fdea304e204
Instruction Fuzzy Hash: 94115874900208EFDB00DF55CD49ADEBFB8FB58704F20846AF955B72A1C7745985CB98

Uniqueness

Uniqueness Score: -1.00%