PDB path: G:\Office15Main\65_VC8\VBA\R7W32ND\presplit\vbarunjt\obj\expsrv.pdb
Static task
static1
Behavioral task
behavioral1
Sample
70bf432cf6602de7e78014fc5be5c79aea126095516cb7bab91af901f7c78063.dll
Resource
win7-20240221-en
General
-
Target
70bf432cf6602de7e78014fc5be5c79aea126095516cb7bab91af901f7c78063
-
Size
523KB
-
MD5
244100b644502f191dc82cc785e3a5f1
-
SHA1
39db0d24155143bc9abe7e6712ceb3f217b81932
-
SHA256
70bf432cf6602de7e78014fc5be5c79aea126095516cb7bab91af901f7c78063
-
SHA512
0449153db4900438ecde6c34574fbe15534179e1c0e041f4ba00ece9a6ea5494771d5f944acdbdcd9753dae0ff6f33d3ed6437a3a4b34ae11496b7a79d4670df
-
SSDEEP
12288:X5fsecYdzYo3kU2yjU+oRAvLh2oKTWk7DhrAJHZLKQecStT:XRxdEo3kAjZE0GTWk7D+1KXl
Malware Config
Signatures
-
Unsigned PE (1 IoC)
Checks for a missing Authenticode signature; this sample has none.
resource 70bf432cf6602de7e78014fc5be5c79aea126095516cb7bab91af901f7c78063
Files
-
70bf432cf6602de7e78014fc5be5c79aea126095516cb7bab91af901f7c78063.dll windows:5 windows x86 arch:x86
c61cb466c27a2128eb37aac1934fcc85
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
PDB Paths
Imports
ole32
CoDisconnectObject
CoGetClassObject
CreateBindCtx
MkParseDisplayName
BindMoniker
CoCreateInstance
CoGetMalloc
oleaut32
VarBstrFromR4
SafeArrayAllocDescriptor
SafeArrayCreate
SafeArrayDestroyData
SafeArrayDestroy
SafeArrayPutElement
VariantClear
VariantCopy
VariantChangeTypeEx
SetErrorInfo
SysAllocStringLen
SysStringLen
SysStringByteLen
SysAllocStringByteLen
GetErrorInfo
CreateErrorInfo
LoadTypeLi
RevokeActiveObject
SafeArrayAllocData
SafeArrayDestroyDescriptor
SafeArrayUnlock
SafeArrayCopy
SafeArrayRedim
SysAllocString
SafeArrayLock
GetActiveObject
VariantCopyInd
SysReAllocString
SysReAllocStringLen
VarI2FromStr
VarI4FromR8
VarI4FromStr
VarR4FromStr
VarR8FromStr
VarDateFromStr
LHashValOfNameSysA
LoadRegTypeLi
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayGetLBound
SafeArrayGetUBound
VariantInit
VariantChangeType
SafeArrayGetElement
SafeArrayGetDim
VarBstrFromDate
VarBstrFromCy
VarBstrFromR8
VarCyFromI4
VarBstrFromI4
VarBstrFromI2
VarCyFromStr
SysFreeString
user32
LoadStringA
GetSystemMetrics
CharUpperBuffA
CharUpperBuffW
CharLowerBuffA
CharLowerBuffW
FindWindowA
FindWindowW
GetKeyboardLayout
SendMessageA
AttachThreadInput
IsWindowVisible
CharToOemA
OemToCharBuffA
SetFocus
GetFocus
IsWindowEnabled
SetForegroundWindow
GetWindowTextA
MessageBeep
GetDesktopWindow
GetWindowThreadProcessId
GetWindow
WaitForInputIdle
GetAsyncKeyState
GetKeyboardState
SetKeyboardState
VkKeyScanA
VkKeyScanW
keybd_event
GetForegroundWindow
SetWindowsHookExA
SetWindowsHookExW
UnhookWindowsHookEx
CallNextHookEx
msvcr100
_ismbblead
wcsncpy_s
_errno
atoi
wcscat_s
wcschr
wcscpy_s
_ltoa_s
_mbscat_s
strcpy_s
strcat_s
_wcsicmp
_findclose
_finite
_CIpow
floor
memchr
memcmp
free
malloc
realloc
__doserrno
_commit
toupper
_fullpath
remove
rename
_close
_isatty
_locking
_lseek
_read
_write
_findfirst64i32
_findnext64i32
_sopen_s
_getdcwd
_CItan
_mkdir
_rmdir
_chdrive
_getdrive
_mbspbrk
_mbsrchr
getenv_s
_mbsnicmp
_CIatan
_CIexp
_CIlog
_CIsqrt
_environ
_itoa_s
modf
wcsncmp
iswdigit
iswspace
_splitpath_s
longjmp
_stricmp
bsearch
qsort
_malloc_crt
_encoded_null
_initterm
_initterm_e
_amsg_exit
__CppXcptFilter
_unlock
__dllonexit
_lock
_onexit
_except_handler4_common
__clean_type_info_names_internal
_crt_debugger_hook
?terminate@@YAXXZ
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_resetstkoflw
memcpy
_setjmp3
memmove
memset
wcsrchr
_CIcos
_CIsin
_chdir
kernel32
GetVersion
InterlockedIncrement
GetProcAddress
IsProcessorFeaturePresent
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
QueryPerformanceCounter
InterlockedCompareExchange
InterlockedExchange
DecodePointer
EncodePointer
RtlUnwind
GetUserDefaultLCID
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
GetPrivateProfileIntA
CreateProcessW
CreateProcessA
lstrcatA
SetLocalTime
GetCurrentProcess
GetLocalTime
GetVolumeInformationA
FindFirstFileA
GetFileAttributesA
SetFileAttributesA
FileTimeToSystemTime
FileTimeToLocalFileTime
CloseHandle
SetFileTime
GetFileTime
FindClose
lstrcmpiA
IsValidCodePage
IsBadReadPtr
RaiseException
GetComputerNameA
GetSystemDirectoryA
GetTickCount
Sleep
SetErrorMode
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
FreeLibrary
FormatMessageW
GetModuleFileNameW
GetLocaleInfoA
LCMapStringW
CompareStringW
CreateFileA
LoadLibraryA
OpenFile
SetLastError
LCMapStringA
GetUserDefaultLangID
GetSystemDefaultLangID
IsDBCSLeadByte
DisableThreadLibraryCalls
InterlockedDecrement
GetModuleHandleA
GetModuleFileNameA
VirtualQuery
VirtualProtect
GetLastError
MultiByteToWideChar
CompareStringA
WideCharToMultiByte
advapi32
RegQueryValueExA
RegCreateKeyW
RegDeleteKeyA
RegQueryInfoKeyA
RegCloseKey
LookupPrivilegeValueA
AdjustTokenPrivileges
OpenProcessToken
RegSetValueExW
RegSetValueExA
RegQueryValueExW
RegCreateKeyA
RegOpenKeyW
RegOpenKeyA
RegEnumValueW
RegEnumValueA
RegEnumKeyW
RegEnumKeyA
RegDeleteValueW
RegDeleteValueA
RegDeleteKeyW
Exports
BASIC_CLASS_AddRef
BASIC_CLASS_GetIDsOfNames
BASIC_CLASS_Invoke
BASIC_CLASS_QueryInterface
BASIC_CLASS_Release
BASIC_DISPINTERFACE_GetTICount
BASIC_DISPINTERFACE_GetTypeInfo
CopyRecord
CreateIExprSrvObj
DllFunctionCall
EVENT_SINK2_AddRef
EVENT_SINK2_Release
EVENT_SINK_AddRef
EVENT_SINK_GetIDsOfNames
EVENT_SINK_Invoke
EVENT_SINK_QueryInterface
EVENT_SINK_Release
EbCreateContext
EbDestroyContext
EbGetErrorInfo
EbGetHandleOfExecutingProject
EbGetObjConnectionCounts
EbGetVBAObject
EbIsProjectOnStack
EbLibraryLoad
EbLibraryUnload
EbLoadRunTime
EbResetProject
EbResetProjectNormal
EbSetContextWorkerThread
GetMem1
GetMem2
GetMem4
GetMem8
GetMemEvent
GetMemNewObj
GetMemObj
GetMemStr
GetMemVar
IID_IVbaHost
MethCallEngine
ProcCallEngine
PutMem1
PutMem2
PutMem4
PutMem8
PutMemEvent
PutMemNewObj
PutMemObj
PutMemStr
PutMemVar
SetMemEvent
SetMemNewObj
SetMemObj
SetMemVar
TipCreateInstanceEx
TipCreateInstanceProject2
TipGetAddressOfPredeclaredInstance
TipInvokeMethod
TipInvokeMethod2
TipSetOption
TipUnloadInstance
TipUnloadProject
VarPtr
Zombie_AddRef
Zombie_GetIDsOfNames
Zombie_GetTypeInfo
Zombie_GetTypeInfoCount
Zombie_Invoke
Zombie_QueryInterface
Zombie_Release
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
__vbaAryConstruct
__vbaAryConstruct2
__vbaAryCopy
__vbaAryDestruct
__vbaAryLock
__vbaAryMove
__vbaAryRebase1Var
__vbaAryRecCopy
__vbaAryRecMove
__vbaAryUnlock
__vbaAryVar
__vbaAryVarVarg
__vbaBoolErrVar
__vbaBoolStr
__vbaBoolVar
__vbaBoolVarNull
__vbaCVarAryUdt
__vbaCastObj
__vbaCastObjVar
__vbaCheckType
__vbaCheckTypeVar
__vbaChkstk
__vbaCopyBytes
__vbaCopyBytesZero
__vbaCyAbs
__vbaCyAdd
__vbaCyErrVar
__vbaCyFix
__vbaCyForInit
__vbaCyForNext
__vbaCyI2
__vbaCyI4
__vbaCyInt
__vbaCyMul
__vbaCyMulI2
__vbaCySgn
__vbaCyStr
__vbaCySub
__vbaCyUI1
__vbaCyVar
__vbaDateR4
__vbaDateR8
__vbaDateStr
__vbaDateVar
__vbaDerefAry
__vbaDerefAry1
__vbaEnd
__vbaErase
__vbaEraseKeepData
__vbaEraseNoPop
__vbaError
__vbaErrorOverflow
__vbaExceptHandler
__vbaExitEachAry
__vbaExitEachColl
__vbaExitEachVar
__vbaExitProc
__vbaFPException
__vbaFPFix
__vbaFPInt
__vbaFailedFriend
__vbaFileClose
__vbaFileCloseAll
__vbaFileLock
__vbaFileOpen
__vbaFileSeek
__vbaFixstrConstruct
__vbaForEachAry
__vbaForEachCollAd
__vbaForEachCollObj
__vbaForEachCollVar
__vbaForEachVar
__vbaFpCDblR4
__vbaFpCDblR8
__vbaFpCSngR4
__vbaFpCSngR8
__vbaFpCmpCy
__vbaFpCy
__vbaFpI2
__vbaFpI4
__vbaFpR4
__vbaFpR8
__vbaFpUI1
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaFreeVarg
__vbaGenerateBoundsError
__vbaGet3
__vbaGet4
__vbaGetFxStr3
__vbaGetFxStr4
__vbaGetOwner3
__vbaGetOwner4
__vbaGosub
__vbaGosubFree
__vbaGosubReturn
__vbaHresultCheck
__vbaHresultCheckNonvirt
__vbaHresultCheckObj
__vbaI2Abs
__vbaI2Cy
__vbaI2ErrVar
__vbaI2ForNextCheck
__vbaI2I4
__vbaI2Sgn
__vbaI2Str
__vbaI2Var
__vbaI4Abs
__vbaI4Cy
__vbaI4ErrVar
__vbaI4ForNextCheck
__vbaI4Sgn
__vbaI4Str
__vbaI4Var
__vbaInStr
__vbaInStrB
__vbaInStrVar
__vbaInStrVarB
__vbaInputFile
__vbaLateIdCall
__vbaLateIdCallLd
__vbaLateIdCallSt
__vbaLateIdNamedCall
__vbaLateIdNamedCallLd
__vbaLateIdNamedCallSt
__vbaLateIdNamedStAd
__vbaLateIdSt
__vbaLateIdStAd
__vbaLateMemCall
__vbaLateMemCallLd
__vbaLateMemCallSt
__vbaLateMemNamedCall
__vbaLateMemNamedCallLd
__vbaLateMemNamedCallSt
__vbaLateMemNamedStAd
__vbaLateMemSt
__vbaLateMemStAd
__vbaLbound
__vbaLdZeroAry
__vbaLenBstr
__vbaLenBstrB
__vbaLenVar
__vbaLenVarB
__vbaLineInputStr
__vbaLineInputVar
__vbaLsetFixstr
__vbaLsetFixstrFree
__vbaMidStmtBstr
__vbaMidStmtBstrB
__vbaMidStmtVar
__vbaMidStmtVarB
__vbaNameFile
__vbaNew
__vbaNew2
__vbaNextEachAry
__vbaNextEachCollAd
__vbaNextEachCollObj
__vbaNextEachCollVar
__vbaNextEachVar
__vbaObjAddref
__vbaObjIs
__vbaObjSet
__vbaObjSetAddref
__vbaObjVar
__vbaOnError
__vbaOnGoCheck
__vbaPowerR8
__vbaPrintFile
__vbaPrintObj
__vbaPut3
__vbaPut4
__vbaPutFxStr3
__vbaPutFxStr4
__vbaPutOwner3
__vbaPutOwner4
__vbaR4Cy
__vbaR4ErrVar
__vbaR4ForNextCheck
__vbaR4Sgn
__vbaR4Str
__vbaR4Var
__vbaR8Cy
__vbaR8ErrVar
__vbaR8FixI2
__vbaR8FixI4
__vbaR8ForNextCheck
__vbaR8IntI2
__vbaR8IntI4
__vbaR8Sgn
__vbaR8Str
__vbaR8Var
__vbaRaiseEvent
__vbaRecAnsiToUni
__vbaRecAssign
__vbaRecDestruct
__vbaRecDestructAnsi
__vbaRecUniToAnsi
__vbaRedim
__vbaRedimPreserve
__vbaRedimPreserveVar
__vbaRedimPreserveVar2
__vbaRedimVar
__vbaRedimVar2
__vbaRefVarAry
__vbaResume
__vbaRsetFixstr
__vbaRsetFixstrFree
__vbaSetSystemError
__vbaStopExe
__vbaStr2Vec
__vbaStrAryToAnsi
__vbaStrAryToUnicode
__vbaStrBool
__vbaStrCat
__vbaStrCmp
__vbaStrComp
__vbaStrCompVar
__vbaStrCopy
__vbaStrCy
__vbaStrDate
__vbaStrErrVarCopy
__vbaStrFixstr
__vbaStrI2
__vbaStrI4
__vbaStrLike
__vbaStrMove
__vbaStrR4
__vbaStrR8
__vbaStrTextCmp
__vbaStrTextLike
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrUI1
__vbaStrVarCopy
__vbaStrVarMove
__vbaStrVarVal
__vbaUI1Cy
__vbaUI1ErrVar
__vbaUI1I2
__vbaUI1I4
__vbaUI1Sgn
__vbaUI1Str
__vbaUI1Var
__vbaUbound
__vbaUdtVar
__vbaUnkVar
__vbaVar2Vec
__vbaVarAbs
__vbaVarAdd
__vbaVarAnd
__vbaVarCat
__vbaVarCmpEq
__vbaVarCmpGe
__vbaVarCmpGt
__vbaVarCmpLe
__vbaVarCmpLt
__vbaVarCmpNe
__vbaVarCopy
__vbaVarDateVar
__vbaVarDiv
__vbaVarDup
__vbaVarEqv
__vbaVarErrI4
__vbaVarFix
__vbaVarForInit
__vbaVarForNext
__vbaVarIdiv
__vbaVarImp
__vbaVarIndexLoad
__vbaVarIndexLoadRef
__vbaVarIndexLoadRefLock
__vbaVarIndexStore
__vbaVarIndexStoreObj
__vbaVarInt
__vbaVarLateMemCallLd
__vbaVarLateMemCallLdRf
__vbaVarLateMemCallSt
__vbaVarLateMemSt
__vbaVarLateMemStAd
__vbaVarLike
__vbaVarLikeVar
__vbaVarMod
__vbaVarMove
__vbaVarMul
__vbaVarNeg
__vbaVarNot
__vbaVarOr
__vbaVarPow
__vbaVarSetObj
__vbaVarSetObjAddref
__vbaVarSetUnk
__vbaVarSetUnkAddref
__vbaVarSetVar
__vbaVarSetVarAddref
__vbaVarSub
__vbaVarTextCmpEq
__vbaVarTextCmpGe
__vbaVarTextCmpGt
__vbaVarTextCmpLe
__vbaVarTextCmpLt
__vbaVarTextCmpNe
__vbaVarTextLike
__vbaVarTextLikeVar
__vbaVarTextTstEq
__vbaVarTextTstGe
__vbaVarTextTstGt
__vbaVarTextTstLe
__vbaVarTextTstLt
__vbaVarTextTstNe
__vbaVarTstEq
__vbaVarTstGe
__vbaVarTstGt
__vbaVarTstLe
__vbaVarTstLt
__vbaVarTstNe
__vbaVarVargNofree
__vbaVarXor
__vbaVarZero
__vbaVargObj
__vbaVargObjAddref
__vbaVargParmRef
__vbaVargUnk
__vbaVargUnkAddref
__vbaVargVar
__vbaVargVarCopy
__vbaVargVarMove
__vbaVargVarRef
__vbaVerifyVarObj
__vbaWriteFile
_allmul
rtBoolFromErrVar
rtBstrFromErrVar
rtCyFromErrVar
rtDecFromVar
rtI2FromErrVar
rtI4FromErrVar
rtR4FromErrVar
rtR8FromErrVar
rtUI1FromErrVar
rtcAbsVar
rtcAnsiValueBstr
rtcAppActivate
rtcAppleScript
rtcArray
rtcAtn
rtcBeep
rtcBstrFromAnsi
rtcBstrFromByte
rtcBstrFromChar
rtcBstrFromError
rtcBstrFromFormatVar
rtcByteValueBstr
rtcCVErrFromVar
rtcCallByName
rtcChangeDir
rtcChangeDrive
rtcCharValueBstr
rtcChoose
rtcCommandBstr
rtcCommandVar
rtcCompareBstr
rtcCos
rtcCreateObject
rtcCreateObject2
rtcCurrentDir
rtcCurrentDirBstr
rtcDDB
rtcDateAdd
rtcDateDiff
rtcDateFromVar
rtcDatePart
rtcDeleteSetting
rtcDir
rtcDoEvents
rtcEndOfFile
rtcEnvironBstr
rtcEnvironVar
rtcErrObj
rtcExp
rtcFV
rtcFileAttributes
rtcFileCopy
rtcFileDateTime
rtcFileLen
rtcFileLength
rtcFileLocation
rtcFileReset
rtcFileSeek
rtcFileWidth
rtcFilter
rtcFixVar
rtcFormatCurrency
rtcFormatDateTime
rtcFormatNumber
rtcFormatPercent
rtcFreeFile
rtcGetAllSettings
rtcGetCurrentCalendar
rtcGetDateBstr
rtcGetDateValue
rtcGetDateVar
rtcGetDayOfMonth
rtcGetDayOfWeek
rtcGetErl
rtcGetFileAttr
rtcGetHostLCID
rtcGetHourOfDay
rtcGetMinuteOfHour
rtcGetMonthOfYear
rtcGetObject
rtcGetPresentDate
rtcGetSecondOfMinute
rtcGetSetting
rtcGetTimeBstr
rtcGetTimeValue
rtcGetTimeVar
rtcGetTimer
rtcGetYear
Sections
.text Size: 165KB - Virtual size: 165KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
ENGINE Size: 53KB - Virtual size: 52KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 36KB - Virtual size: 36KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 2KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 43KB - Virtual size: 42KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 222KB - Virtual size: 224KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ