Summary

aabb6000d5d762939a948b81d3ced9999f704f432befb7a148b537088527aa4e

File aabb6000d5d762939a948b81d3ced9999f704f432befb7a148b537088527aa4e

Summary
Download Resubmit sample

Size 468.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 2e5f06102dc47cbd6b1221e61f9c7ada
SHA1 2862e12286f2e87bace0b757ac2831ea71ea5a27
SHA256 aabb6000d5d762939a948b81d3ced9999f704f432befb7a148b537088527aa4e
SHA512
989f3837ab549e2f735012b1880a68cb9e4d5264c4be524106a44e40c66c6c5c4c991cf17d46913f80a6d94f0f24b556a58767e66484100e7b2c56c286f36a2b
CRC32 AB4E81F4
ssdeep None
Yara
  • SEH__vba - (no description)

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Autosubmit

6631139

6631140

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis
Category Started Completed Duration Routing Logs
FILE June 24, 2025, 9:20 p.m. June 24, 2025, 9:27 p.m. 409 seconds internet Show Analyzer Log
Show Cuckoo Log

Analyzer Log

2025-06-21 09:34:03,030 [analyzer] DEBUG: Starting analyzer from: C:\tmpt1gcja
2025-06-21 09:34:03,030 [analyzer] DEBUG: Pipe server name: \??\PIPE\wosnGvHGPxWWMWTPfuTZ
2025-06-21 09:34:03,030 [analyzer] DEBUG: Log pipe server name: \??\PIPE\leOdNrODgAEKBvByoohrkxFeqHWu
2025-06-21 09:34:03,375 [analyzer] DEBUG: Started auxiliary module Curtain
2025-06-21 09:34:03,375 [analyzer] DEBUG: Started auxiliary module DbgView
2025-06-21 09:34:03,905 [analyzer] DEBUG: Started auxiliary module Disguise
2025-06-21 09:34:04,125 [analyzer] DEBUG: Loaded monitor into process with pid 508
2025-06-21 09:34:04,125 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-06-21 09:34:04,125 [analyzer] DEBUG: Started auxiliary module Human
2025-06-21 09:34:04,140 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-06-21 09:34:04,140 [analyzer] DEBUG: Started auxiliary module Reboot
2025-06-21 09:34:04,217 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-06-21 09:34:04,217 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-06-21 09:34:04,217 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-06-21 09:34:04,217 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-06-21 09:34:04,390 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\aabb6000d5d762939a948b81d3ced9999f704f432befb7a148b537088527aa4e.exe' with arguments '' and pid 1164
2025-06-21 09:34:04,578 [analyzer] DEBUG: Loaded monitor into process with pid 1164
2025-06-21 09:34:07,655 [analyzer] INFO: Added new file to list with pid 1164 and path C:\Users\Administrator\AppData\Local\Temp\Unicorn-33257.exe
2025-06-21 09:34:07,733 [analyzer] INFO: Injected into process with pid 2876 and name u'Unicorn-33257.exe'
2025-06-21 09:34:07,890 [analyzer] DEBUG: Loaded monitor into process with pid 2876
2025-06-21 09:34:10,967 [analyzer] INFO: Added new file to list with pid 2876 and path C:\Users\Administrator\AppData\Local\Temp\Unicorn-6744.exe
2025-06-21 09:34:11,062 [analyzer] INFO: Injected into process with pid 2916 and name u'Unicorn-6744.exe'
2025-06-21 09:34:11,233 [analyzer] DEBUG: Loaded monitor into process with pid 2916
2025-06-21 09:34:14,312 [analyzer] INFO: Added new file to list with pid 2916 and path C:\Users\Administrator\AppData\Local\Temp\Unicorn-51041.exe
2025-06-21 09:34:14,390 [analyzer] INFO: Injected into process with pid 2664 and name u'Unicorn-51041.exe'
2025-06-21 09:34:14,546 [analyzer] DEBUG: Loaded monitor into process with pid 2664
2025-06-21 09:34:17,608 [analyzer] INFO: Added new file to list with pid 2664 and path C:\Users\Administrator\AppData\Local\Temp\Unicorn-36781.exe
2025-06-21 09:34:17,780 [analyzer] INFO: Injected into process with pid 1532 and name u'Unicorn-36781.exe'
2025-06-21 09:34:17,953 [analyzer] DEBUG: Loaded monitor into process with pid 1532
2025-06-21 09:34:21,030 [analyzer] INFO: Added new file to list with pid 1532 and path C:\Users\Administrator\AppData\Local\Temp\Unicorn-52489.exe
2025-06-21 09:34:21,092 [analyzer] INFO: Injected into process with pid 3068 and name u'Unicorn-52489.exe'
2025-06-21 09:34:21,265 [analyzer] DEBUG: Loaded monitor into process with pid 3068
2025-06-21 09:34:24,328 [analyzer] INFO: Added new file to list with pid 3068 and path C:\Users\Administrator\AppData\Local\Temp\Unicorn-38229.exe
2025-06-21 09:34:24,405 [analyzer] INFO: Injected into process with pid 2568 and name u'Unicorn-38229.exe'
2025-06-21 09:34:24,578 [analyzer] DEBUG: Loaded monitor into process with pid 2568
2025-06-21 09:34:27,640 [analyzer] INFO: Added new file to list with pid 2568 and path C:\Users\Administrator\AppData\Local\Temp\Unicorn-24005.exe
2025-06-21 09:34:27,733 [analyzer] INFO: Injected into process with pid 1680 and name u'Unicorn-24005.exe'
2025-06-21 09:34:27,890 [analyzer] DEBUG: Loaded monitor into process with pid 1680
2025-06-21 09:34:30,967 [analyzer] INFO: Added new file to list with pid 1680 and path C:\Users\Administrator\AppData\Local\Temp\Unicorn-63065.exe
2025-06-21 09:34:31,046 [analyzer] INFO: Injected into process with pid 2976 and name u'Unicorn-63065.exe'
2025-06-21 09:34:31,217 [analyzer] DEBUG: Loaded monitor into process with pid 2976
2025-06-21 09:34:33,437 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-06-21 09:34:34,062 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-06-21 09:34:34,062 [lib.api.process] INFO: Successfully terminated process with pid 1164.
2025-06-21 09:34:34,078 [lib.api.process] INFO: Successfully terminated process with pid 2876.
2025-06-21 09:34:34,078 [lib.api.process] INFO: Successfully terminated process with pid 2916.
2025-06-21 09:34:34,078 [lib.api.process] INFO: Successfully terminated process with pid 2664.
2025-06-21 09:34:34,078 [lib.api.process] INFO: Successfully terminated process with pid 1532.
2025-06-21 09:34:34,078 [lib.api.process] INFO: Successfully terminated process with pid 3068.
2025-06-21 09:34:34,078 [lib.api.process] INFO: Successfully terminated process with pid 2568.
2025-06-21 09:34:34,078 [lib.api.process] INFO: Successfully terminated process with pid 1680.
2025-06-21 09:34:34,078 [lib.api.process] INFO: Successfully terminated process with pid 2976.
2025-06-21 09:34:34,187 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-06-24 21:20:57,106 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:20:58,327 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:20:59,352 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:00,532 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:01,567 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:02,602 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:03,635 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:04,670 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:05,708 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:06,753 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:07,786 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:09,103 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:10,159 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:11,223 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:12,273 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:13,318 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:14,574 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:15,721 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:17,006 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:18,136 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:19,251 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:20,344 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:21,563 [cuckoo.core.scheduler] DEBUG: Task #6585859: no machine available yet
2025-06-24 21:21:22,639 [cuckoo.core.scheduler] INFO: Task #6585859: acquired machine win7x642 (label=win7x642)
2025-06-24 21:21:22,644 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.202 for task #6585859
2025-06-24 21:21:23,162 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 2786797 (interface=vboxnet0, host=192.168.168.202)
2025-06-24 21:21:23,688 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x642
2025-06-24 21:21:31,118 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x642 to vmcloak
2025-06-24 21:24:31,738 [cuckoo.core.guest] INFO: Starting analysis #6585859 on guest (id=win7x642, ip=192.168.168.202)
2025-06-24 21:24:32,743 [cuckoo.core.guest] DEBUG: win7x642: not ready yet
2025-06-24 21:24:37,765 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x642, ip=192.168.168.202)
2025-06-24 21:24:38,164 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x642, ip=192.168.168.202, monitor=latest, size=6660546)
2025-06-24 21:24:40,651 [cuckoo.core.resultserver] DEBUG: Task #6585859: live log analysis.log initialized.
2025-06-24 21:24:40,692 [cuckoo.core.resultserver] DEBUG: Task #6585859 is sending a BSON stream
2025-06-24 21:24:41,980 [cuckoo.core.resultserver] DEBUG: Task #6585859 is sending a BSON stream
2025-06-24 21:24:42,008 [cuckoo.core.resultserver] DEBUG: Task #6585859: File upload for 'shots/0001.jpg'
2025-06-24 21:24:42,026 [cuckoo.core.resultserver] DEBUG: Task #6585859 uploaded file length: 133573
2025-06-24 21:24:44,507 [cuckoo.core.resultserver] DEBUG: Task #6585859 is sending a BSON stream
2025-06-24 21:24:47,232 [cuckoo.core.resultserver] DEBUG: Task #6585859: File upload for 'shots/0002.jpg'
2025-06-24 21:24:47,244 [cuckoo.core.resultserver] DEBUG: Task #6585859 uploaded file length: 137114
2025-06-24 21:24:47,762 [cuckoo.core.resultserver] DEBUG: Task #6585859 is sending a BSON stream
2025-06-24 21:24:50,393 [cuckoo.core.resultserver] DEBUG: Task #6585859: File upload for 'shots/0003.jpg'
2025-06-24 21:24:50,405 [cuckoo.core.resultserver] DEBUG: Task #6585859 uploaded file length: 126996
2025-06-24 21:24:51,071 [cuckoo.core.resultserver] DEBUG: Task #6585859 is sending a BSON stream
2025-06-24 21:24:52,509 [cuckoo.core.resultserver] DEBUG: Task #6585859: File upload for 'shots/0004.jpg'
2025-06-24 21:24:52,520 [cuckoo.core.resultserver] DEBUG: Task #6585859 uploaded file length: 126912
2025-06-24 21:24:54,372 [cuckoo.core.guest] DEBUG: win7x642: analysis #6585859 still processing
2025-06-24 21:24:54,478 [cuckoo.core.resultserver] DEBUG: Task #6585859 is sending a BSON stream
2025-06-24 21:24:55,680 [cuckoo.core.resultserver] DEBUG: Task #6585859: File upload for 'shots/0005.jpg'
2025-06-24 21:24:55,690 [cuckoo.core.resultserver] DEBUG: Task #6585859 uploaded file length: 128142
2025-06-24 21:24:57,791 [cuckoo.core.resultserver] DEBUG: Task #6585859 is sending a BSON stream
2025-06-24 21:25:01,103 [cuckoo.core.resultserver] DEBUG: Task #6585859 is sending a BSON stream
2025-06-24 21:25:01,892 [cuckoo.core.resultserver] DEBUG: Task #6585859: File upload for 'shots/0006.jpg'
2025-06-24 21:25:01,904 [cuckoo.core.resultserver] DEBUG: Task #6585859 uploaded file length: 129261
2025-06-24 21:25:04,417 [cuckoo.core.resultserver] DEBUG: Task #6585859 is sending a BSON stream
2025-06-24 21:25:06,041 [cuckoo.core.resultserver] DEBUG: Task #6585859: File upload for 'shots/0007.jpg'
2025-06-24 21:25:06,055 [cuckoo.core.resultserver] DEBUG: Task #6585859 uploaded file length: 130532
2025-06-24 21:25:07,758 [cuckoo.core.resultserver] DEBUG: Task #6585859 is sending a BSON stream
2025-06-24 21:25:09,200 [cuckoo.core.resultserver] DEBUG: Task #6585859: File upload for 'shots/0008.jpg'
2025-06-24 21:25:09,208 [cuckoo.core.resultserver] DEBUG: Task #6585859 uploaded file length: 130936
2025-06-24 21:25:09,452 [cuckoo.core.guest] DEBUG: win7x642: analysis #6585859 still processing
2025-06-24 21:25:10,381 [cuckoo.core.resultserver] DEBUG: Task #6585859: File upload for 'curtain/1750491273.61.curtain.log'
2025-06-24 21:25:10,389 [cuckoo.core.resultserver] DEBUG: Task #6585859 uploaded file length: 36
2025-06-24 21:25:10,633 [cuckoo.core.resultserver] DEBUG: Task #6585859: File upload for 'sysmon/1750491273.8.sysmon.xml'
2025-06-24 21:25:10,676 [cuckoo.core.resultserver] DEBUG: Task #6585859 uploaded file length: 1542224
2025-06-24 21:25:10,692 [cuckoo.core.resultserver] DEBUG: Task #6585859: File upload for 'files/de8c69e6b0eda4a7_unicorn-6744.exe'
2025-06-24 21:25:10,697 [cuckoo.core.resultserver] DEBUG: Task #6585859 uploaded file length: 479237
2025-06-24 21:25:10,703 [cuckoo.core.resultserver] DEBUG: Task #6585859: File upload for 'files/3edb27daf6f653f5_unicorn-24005.exe'
2025-06-24 21:25:10,912 [cuckoo.core.resultserver] DEBUG: Task #6585859 uploaded file length: 479242
2025-06-24 21:25:11,255 [cuckoo.core.resultserver] DEBUG: Task #6585859 had connection reset for <Context for LOG>
2025-06-24 21:25:11,294 [cuckoo.core.resultserver] DEBUG: Task #6585859: File upload for 'files/02852039fd46378a_unicorn-38229.exe'
2025-06-24 21:25:11,807 [cuckoo.core.resultserver] DEBUG: Task #6585859 uploaded file length: 479241
2025-06-24 21:25:11,825 [cuckoo.core.resultserver] DEBUG: Task #6585859: File upload for 'files/680a9e3c266015c4_unicorn-63065.exe'
2025-06-24 21:25:11,838 [cuckoo.core.resultserver] DEBUG: Task #6585859 uploaded file length: 479243
2025-06-24 21:25:11,840 [cuckoo.core.resultserver] DEBUG: Task #6585859: File upload for 'files/919683b3d144cde6_unicorn-51041.exe'
2025-06-24 21:25:11,842 [cuckoo.core.resultserver] DEBUG: Task #6585859: File upload for 'files/9b3bb42f0d89ee05_unicorn-33257.exe'
2025-06-24 21:25:11,845 [cuckoo.core.resultserver] DEBUG: Task #6585859: File upload for 'files/98fe9ee167dcc1d1_unicorn-52489.exe'
2025-06-24 21:25:11,848 [cuckoo.core.resultserver] DEBUG: Task #6585859: File upload for 'files/350b645ddd74e230_unicorn-36781.exe'
2025-06-24 21:25:11,854 [cuckoo.core.resultserver] DEBUG: Task #6585859 uploaded file length: 479239
2025-06-24 21:25:11,857 [cuckoo.core.resultserver] DEBUG: Task #6585859 uploaded file length: 479240
2025-06-24 21:25:11,860 [cuckoo.core.resultserver] DEBUG: Task #6585859 uploaded file length: 479238
2025-06-24 21:25:11,866 [cuckoo.core.resultserver] DEBUG: Task #6585859 uploaded file length: 479236
2025-06-24 21:25:12,465 [cuckoo.core.guest] INFO: win7x642: analysis completed successfully
2025-06-24 21:25:12,481 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-06-24 21:25:12,528 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-06-24 21:25:13,725 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x642 to path /srv/cuckoo/cwd/storage/analyses/6585859/memory.dmp
2025-06-24 21:25:13,744 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x642
2025-06-24 21:27:46,265 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.202 for task #6585859
2025-06-24 21:27:46,910 [cuckoo.core.scheduler] DEBUG: Released database task #6585859
2025-06-24 21:27:46,925 [cuckoo.core.scheduler] INFO: Task #6585859: analysis procedure completed

Signatures

Yara rule detected for file (1 event)
description (no description) rule SEH__vba
One or more processes crashed (8 events)
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33
aabb6000d5d762939a948b81d3ced9999f704f432befb7a148b537088527aa4e+0x297de @ 0x4297de
IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034
IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b
IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667
DllCanUnloadNow+0x1c1d9 DllRegisterServer-0xa1b8 msvbvm60+0xbbe8b @ 0x729fbe8b
IID_IVbaHost+0x2e809 UserDllMain-0x36aae msvbvm60+0x5ce49 @ 0x7299ce49
IID_IVbaHost+0x3133d UserDllMain-0x33f7a msvbvm60+0x5f97d @ 0x7299f97d
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x75d062fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75d06d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x75d077c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75d07bca
__vbaStrToAnsi+0x2f1 EbGetObjConnectionCounts-0x479 msvbvm60+0xa6c8 @ 0x7294a6c8
__vbaStrToAnsi+0x268 EbGetObjConnectionCounts-0x502 msvbvm60+0xa63f @ 0x7294a63f
__vbaStrToAnsi+0x146 EbGetObjConnectionCounts-0x624 msvbvm60+0xa51d @ 0x7294a51d

exception.instruction_r: ff 15 d0 10 4b 00 83 c4 0c 8d 4d c0 51 8d 55 c4
exception.symbol: aabb6000d5d762939a948b81d3ced9999f704f432befb7a148b537088527aa4e+0x2ab99
exception.instruction: call dword ptr [0x4b10d0]
exception.module: aabb6000d5d762939a948b81d3ced9999f704f432befb7a148b537088527aa4e.exe
exception.exception_code: 0xc0000005
exception.offset: 175001
exception.address: 0x42ab99
registers.esp: 1636932
registers.edi: 1637180
registers.eax: 1637116
registers.ebp: 1637168
registers.edx: 1637112
registers.ebx: 1
registers.esi: 1637388
registers.ecx: 5640048
1 0 0

__exception__

 stacktrace: 
IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33
unicorn-33257+0x297de @ 0x4297de
IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034
IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b
IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667
DllCanUnloadNow+0x1c1d9 DllRegisterServer-0xa1b8 msvbvm60+0xbbe8b @ 0x729fbe8b
IID_IVbaHost+0x2e809 UserDllMain-0x36aae msvbvm60+0x5ce49 @ 0x7299ce49
IID_IVbaHost+0x3133d UserDllMain-0x33f7a msvbvm60+0x5f97d @ 0x7299f97d
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x75d062fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75d06d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x75d077c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75d07bca
__vbaStrToAnsi+0x2f1 EbGetObjConnectionCounts-0x479 msvbvm60+0xa6c8 @ 0x7294a6c8
__vbaStrToAnsi+0x268 EbGetObjConnectionCounts-0x502 msvbvm60+0xa63f @ 0x7294a63f
__vbaStrToAnsi+0x146 EbGetObjConnectionCounts-0x624 msvbvm60+0xa51d @ 0x7294a51d

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.esp: 1636928
registers.edi: 1637180
registers.eax: 1637116
registers.ebp: 1637168
registers.edx: 1637112
registers.ebx: 1
registers.esi: 1637388
registers.ecx: 6364456
1 0 0

__exception__

 stacktrace: 
IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33
unicorn-6744+0x297de @ 0x4297de
IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034
IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b
IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667
DllCanUnloadNow+0x1c1d9 DllRegisterServer-0xa1b8 msvbvm60+0xbbe8b @ 0x729fbe8b
IID_IVbaHost+0x2e809 UserDllMain-0x36aae msvbvm60+0x5ce49 @ 0x7299ce49
IID_IVbaHost+0x3133d UserDllMain-0x33f7a msvbvm60+0x5f97d @ 0x7299f97d
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x75d062fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75d06d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x75d077c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75d07bca
__vbaStrToAnsi+0x2f1 EbGetObjConnectionCounts-0x479 msvbvm60+0xa6c8 @ 0x7294a6c8
__vbaStrToAnsi+0x268 EbGetObjConnectionCounts-0x502 msvbvm60+0xa63f @ 0x7294a63f
__vbaStrToAnsi+0x146 EbGetObjConnectionCounts-0x624 msvbvm60+0xa51d @ 0x7294a51d

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.esp: 1636928
registers.edi: 1637180
registers.eax: 1637116
registers.ebp: 1637168
registers.edx: 1637112
registers.ebx: 1
registers.esi: 1637388
registers.ecx: 5709096
1 0 0

__exception__

 stacktrace: 
IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33
unicorn-51041+0x297de @ 0x4297de
IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034
IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b
IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667
DllCanUnloadNow+0x1c1d9 DllRegisterServer-0xa1b8 msvbvm60+0xbbe8b @ 0x729fbe8b
IID_IVbaHost+0x2e809 UserDllMain-0x36aae msvbvm60+0x5ce49 @ 0x7299ce49
IID_IVbaHost+0x3133d UserDllMain-0x33f7a msvbvm60+0x5f97d @ 0x7299f97d
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x75d062fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75d06d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x75d077c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75d07bca
__vbaStrToAnsi+0x2f1 EbGetObjConnectionCounts-0x479 msvbvm60+0xa6c8 @ 0x7294a6c8
__vbaStrToAnsi+0x268 EbGetObjConnectionCounts-0x502 msvbvm60+0xa63f @ 0x7294a63f
__vbaStrToAnsi+0x146 EbGetObjConnectionCounts-0x624 msvbvm60+0xa51d @ 0x7294a51d

exception.instruction_r: ff 15 d0 10 4b 00 83 c4 0c 8d 4d c0 51 8d 55 c4
exception.symbol: unicorn-51041+0x2ab99
exception.instruction: call dword ptr [0x4b10d0]
exception.module: Unicorn-51041.exe
exception.exception_code: 0xc0000005
exception.offset: 175001
exception.address: 0x42ab99
registers.esp: 1636932
registers.edi: 1637180
registers.eax: 1637116
registers.ebp: 1637168
registers.edx: 1637112
registers.ebx: 1
registers.esi: 1637388
registers.ecx: 8985896
1 0 0

__exception__

 stacktrace: 
IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33
unicorn-36781+0x297de @ 0x4297de
IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034
IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b
IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667
DllCanUnloadNow+0x1c1d9 DllRegisterServer-0xa1b8 msvbvm60+0xbbe8b @ 0x729fbe8b
IID_IVbaHost+0x2e809 UserDllMain-0x36aae msvbvm60+0x5ce49 @ 0x7299ce49
IID_IVbaHost+0x3133d UserDllMain-0x33f7a msvbvm60+0x5f97d @ 0x7299f97d
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x75d062fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75d06d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x75d077c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75d07bca
__vbaStrToAnsi+0x2f1 EbGetObjConnectionCounts-0x479 msvbvm60+0xa6c8 @ 0x7294a6c8
__vbaStrToAnsi+0x268 EbGetObjConnectionCounts-0x502 msvbvm60+0xa63f @ 0x7294a63f
__vbaStrToAnsi+0x146 EbGetObjConnectionCounts-0x624 msvbvm60+0xa51d @ 0x7294a51d

exception.instruction_r: ff 15 d0 10 4b 00 83 c4 0c 8d 4d c0 51 8d 55 c4
exception.symbol: unicorn-36781+0x2ab99
exception.instruction: call dword ptr [0x4b10d0]
exception.module: Unicorn-36781.exe
exception.exception_code: 0xc0000005
exception.offset: 175001
exception.address: 0x42ab99
registers.esp: 1636932
registers.edi: 1637180
registers.eax: 1637116
registers.ebp: 1637168
registers.edx: 1637112
registers.ebx: 1
registers.esi: 1637388
registers.ecx: 5578024
1 0 0

__exception__

 stacktrace: 
IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33
unicorn-52489+0x297de @ 0x4297de
IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034
IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b
IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667
DllCanUnloadNow+0x1c1d9 DllRegisterServer-0xa1b8 msvbvm60+0xbbe8b @ 0x729fbe8b
IID_IVbaHost+0x2e809 UserDllMain-0x36aae msvbvm60+0x5ce49 @ 0x7299ce49
IID_IVbaHost+0x3133d UserDllMain-0x33f7a msvbvm60+0x5f97d @ 0x7299f97d
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x75d062fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75d06d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x75d077c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75d07bca
__vbaStrToAnsi+0x2f1 EbGetObjConnectionCounts-0x479 msvbvm60+0xa6c8 @ 0x7294a6c8
__vbaStrToAnsi+0x268 EbGetObjConnectionCounts-0x502 msvbvm60+0xa63f @ 0x7294a63f
__vbaStrToAnsi+0x146 EbGetObjConnectionCounts-0x624 msvbvm60+0xa51d @ 0x7294a51d

exception.instruction_r: ff 15 d0 10 4b 00 83 c4 0c 8d 4d c0 51 8d 55 c4
exception.symbol: unicorn-52489+0x2ab99
exception.instruction: call dword ptr [0x4b10d0]
exception.module: Unicorn-52489.exe
exception.exception_code: 0xc0000005
exception.offset: 175001
exception.address: 0x42ab99
registers.esp: 1636932
registers.edi: 1637180
registers.eax: 1637116
registers.ebp: 1637168
registers.edx: 1637112
registers.ebx: 1
registers.esi: 1637388
registers.ecx: 5315880
1 0 0

__exception__

 stacktrace: 
IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33
unicorn-38229+0x297de @ 0x4297de
IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034
IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b
IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667
DllCanUnloadNow+0x1c1d9 DllRegisterServer-0xa1b8 msvbvm60+0xbbe8b @ 0x729fbe8b
IID_IVbaHost+0x2e809 UserDllMain-0x36aae msvbvm60+0x5ce49 @ 0x7299ce49
IID_IVbaHost+0x3133d UserDllMain-0x33f7a msvbvm60+0x5f97d @ 0x7299f97d
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x75d062fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75d06d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x75d077c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75d07bca
__vbaStrToAnsi+0x2f1 EbGetObjConnectionCounts-0x479 msvbvm60+0xa6c8 @ 0x7294a6c8
__vbaStrToAnsi+0x268 EbGetObjConnectionCounts-0x502 msvbvm60+0xa63f @ 0x7294a63f
__vbaStrToAnsi+0x146 EbGetObjConnectionCounts-0x624 msvbvm60+0xa51d @ 0x7294a51d

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x680fff
registers.esp: 1636928
registers.edi: 1637180
registers.eax: 1637116
registers.ebp: 1637168
registers.edx: 1637112
registers.ebx: 1
registers.esi: 1637388
registers.ecx: 3349800
1 0 0

__exception__

 stacktrace: 
IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33
unicorn-24005+0x297de @ 0x4297de
IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034
IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b
IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667
DllCanUnloadNow+0x1c1d9 DllRegisterServer-0xa1b8 msvbvm60+0xbbe8b @ 0x729fbe8b
IID_IVbaHost+0x2e809 UserDllMain-0x36aae msvbvm60+0x5ce49 @ 0x7299ce49
IID_IVbaHost+0x3133d UserDllMain-0x33f7a msvbvm60+0x5f97d @ 0x7299f97d
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x75d062fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75d06d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x75d077c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75d07bca
__vbaStrToAnsi+0x2f1 EbGetObjConnectionCounts-0x479 msvbvm60+0xa6c8 @ 0x7294a6c8
__vbaStrToAnsi+0x268 EbGetObjConnectionCounts-0x502 msvbvm60+0xa63f @ 0x7294a63f
__vbaStrToAnsi+0x146 EbGetObjConnectionCounts-0x624 msvbvm60+0xa51d @ 0x7294a51d

exception.instruction_r: ff 15 d0 10 4b 00 83 c4 0c 8d 4d c0 51 8d 55 c4
exception.symbol: unicorn-24005+0x2ab99
exception.instruction: call dword ptr [0x4b10d0]
exception.module: Unicorn-24005.exe
exception.exception_code: 0xc0000005
exception.offset: 175001
exception.address: 0x42ab99
registers.esp: 1636932
registers.edi: 1637180
registers.eax: 1637116
registers.ebp: 1637168
registers.edx: 1637112
registers.ebx: 1
registers.esi: 1637388
registers.ecx: 5971240
1 0 0
Foreign language identified in PE resource (1 event)
name RT_VERSION language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000747c4 size 0x00000234
Creates executable files on the filesystem (8 events)
file C:\Users\Administrator\AppData\Local\Temp\Unicorn-38229.exe
file C:\Users\Administrator\AppData\Local\Temp\Unicorn-24005.exe
file C:\Users\Administrator\AppData\Local\Temp\Unicorn-6744.exe
file C:\Users\Administrator\AppData\Local\Temp\Unicorn-63065.exe
file C:\Users\Administrator\AppData\Local\Temp\Unicorn-51041.exe
file C:\Users\Administrator\AppData\Local\Temp\Unicorn-33257.exe
file C:\Users\Administrator\AppData\Local\Temp\Unicorn-52489.exe
file C:\Users\Administrator\AppData\Local\Temp\Unicorn-36781.exe
Drops an executable to the user AppData folder (2 events)
file C:\Users\Administrator\AppData\Local\Temp\Unicorn-6744.exe
file C:\Users\Administrator\AppData\Local\Temp\Unicorn-24005.exe
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1164
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x003a0000
process_handle: 0xffffffff
1 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
section {u'size_of_data': u'0x0002b000', u'virtual_address': u'0x00001000', u'entropy': 7.57163704380617, u'name': u'.text', u'virtual_size': u'0x0002a5c4'} entropy 7.57163704381 description A section with a high entropy has been found
entropy 0.370689655172 description Overall entropy of this PE file is high
File has been identified by 13 AntiVirus engine on IRMA as malicious (13 events)
G Data Antivirus (Windows) Virus: Generic.Dacic.94CCEEA9.A.009F1AA1 (Engine A), Win32.Trojan.PSE.1FY1FUT (Engine B)
Avast Core Security (Linux) Win32:Evo-gen [Trj]
C4S ClamAV (Linux) Win.Packed.Generic-9967832-0
Trend Micro SProtect (Linux) Trojan.Win32.FAREIT.SME
WithSecure (Linux) Trojan.TR/Crypt.XPACK.Gen
eScan Antivirus (Linux) Generic.Dacic.94CCEEA9.A.009F1AA1(DB)
ESET Security (Windows) a variant of Win32/VBClone.E trojan
Sophos Anti-Virus (Linux) Troj/VB-KCP
DrWeb Antivirus (Linux) Trojan.Siggen29.56020
ClamAV (Linux) Win.Packed.Generic-9967832-0
Bitdefender Antivirus (Linux) Generic.Dacic.94CCEEA9.A.009F1AA1
Kaspersky Standard (Windows) Trojan.Win32.VB.dosq
Emsisoft Commandline Scanner (Windows) Generic.Dacic.94CCEEA9.A.009F1AA1 (B)
Screenshots
Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action VT Location
No hosts contacted.
Cuckoo

We're processing your submission... This could take a few seconds.