GuLoader/CloudEye | Files
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: -
Threat Names:
Trojan.GenericKD.33970835
Trojan.GenericKD.43289240
Gen:Variant.Razy.679603
...
Filename Category Type Severity
C:\Users\FD1HVy\Desktop\xeuovifzzc.exe Sample File Binary Malicious
Mime Type application/vnd.microsoft.portable-executable
File Size 108.00 KB
MD5 4d361636994eb14917467808fd94cad0
SHA1 b83834a176fcb3eae08d6c1d34ac1c9acac81228
SHA256 b240e52ea8a55a50760de6017d644d2d0fcc43fd8918abdf99964efb464c37b6
SSDeep 3072:Erdhvrr4E7jSkjuZjlWxBpUza52zXu6UVSLoYRLfPK:ELIGvuUwJ6
ImpHash f838f5f3d768134274b21cb017be38ad
PE Information
Image Base 0x400000
Entry Point 0x4014d4
Size Of Code 0x17000
Size Of Initialized Data 0x3000
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2014-04-18 22:46:08+00:00
Version Information (7)
FileVersion 2.04
InternalName Blkrenskriftw
LegalCopyright Internal
LegalTrademarks Internal
OriginalFilename Blkrenskriftw.exe
ProductName inter
ProductVersion 2.04
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x16ae4 0x17000 0x1000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.72
.data 0x418000 0xe58 0x1000 0x18000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
.rsrc 0x419000 0x1598 0x2000 0x19000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.09
Imports (1)
MSVBVM60.DLL (99)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
(by ordinal) 0x247 0x401000 0x1758c 0x1758c -
_CIcos 0x0 0x401004 0x17590 0x17590 0x53
_adj_fptan 0x0 0x401008 0x17594 0x17594 0x1b3
__vbaVarMove 0x0 0x40100c 0x17598 0x17598 0x178
(by ordinal) 0x2b4 0x401010 0x1759c 0x1759c -
(by ordinal) 0x249 0x401014 0x175a0 0x175a0 -
__vbaFreeVar 0x0 0x401018 0x175a4 0x175a4 0xb1
__vbaLenBstr 0x0 0x40101c 0x175a8 0x175a8 0xe9
(by ordinal) 0x2b8 0x401020 0x175ac 0x175ac -
__vbaFreeVarList 0x0 0x401024 0x175b0 0x175b0 0xb2
_adj_fdiv_m64 0x0 0x401028 0x175b4 0x175b4 0x1aa
_adj_fprem1 0x0 0x40102c 0x175b8 0x175b8 0x1b2
(by ordinal) 0x206 0x401030 0x175bc 0x175bc -
(by ordinal) 0x207 0x401034 0x175c0 0x175c0 -
__vbaStrCat 0x0 0x401038 0x175c4 0x175c4 0x133
(by ordinal) 0x229 0x40103c 0x175c8 0x175c8 -
__vbaHresultCheckObj 0x0 0x401040 0x175cc 0x175cc 0xc0
__vbaLenBstrB 0x0 0x401044 0x175d0 0x175d0 0xea
(by ordinal) 0x22c 0x401048 0x175d4 0x175d4 -
(by ordinal) 0x22d 0x40104c 0x175d8 0x175d8 -
_adj_fdiv_m32 0x0 0x401050 0x175dc 0x175dc 0x1a8
__vbaAryDestruct 0x0 0x401054 0x175e0 0x175e0 0x5d
__vbaLateMemSt 0x0 0x401058 0x175e4 0x175e4 0xe5
(by ordinal) 0x24f 0x40105c 0x175e8 0x175e8 -
(by ordinal) 0x252 0x401060 0x175ec 0x175ec -
__vbaObjSet 0x0 0x401064 0x175f0 0x175f0 0xff
(by ordinal) 0x253 0x401068 0x175f4 0x175f4 -
_adj_fdiv_m16i 0x0 0x40106c 0x175f8 0x175f8 0x1a7
__vbaObjSetAddref 0x0 0x401070 0x175fc 0x175fc 0x100
_adj_fdivr_m16i 0x0 0x401074 0x17600 0x17600 0x1ac
(by ordinal) 0x2bf 0x401078 0x17604 0x17604 -
(by ordinal) 0x208 0x40107c 0x17608 0x17608 -
(by ordinal) 0x2c2 0x401080 0x1760c 0x1760c -
__vbaFpR8 0x0 0x401084 0x17610 0x17610 0xab
_CIsin 0x0 0x401088 0x17614 0x17614 0x56
(by ordinal) 0x277 0x40108c 0x17618 0x17618 -
(by ordinal) 0x20c 0x401090 0x1761c 0x1761c -
__vbaChkstk 0x0 0x401094 0x17620 0x17620 0x6f
EVENT_SINK_AddRef 0x0 0x401098 0x17624 0x17624 0x11
__vbaGenerateBoundsError 0x0 0x40109c 0x17628 0x17628 0xb4
__vbaStrCmp 0x0 0x4010a0 0x1762c 0x1762c 0x134
__vbaVarTstEq 0x0 0x4010a4 0x17630 0x17630 0x193
__vbaAryConstruct2 0x0 0x4010a8 0x17634 0x17634 0x5b
__vbaObjVar 0x0 0x4010ac 0x17638 0x17638 0x101
(by ordinal) 0x231 0x4010b0 0x1763c 0x1763c -
(by ordinal) 0x2a0 0x4010b4 0x17640 0x17640 -
_adj_fpatan 0x0 0x4010b8 0x17644 0x17644 0x1b0
(by ordinal) 0x2a3 0x4010bc 0x17648 0x17648 -
__vbaRedim 0x0 0x4010c0 0x1764c 0x1764c 0x123
(by ordinal) 0x2a6 0x4010c4 0x17650 0x17650 -
EVENT_SINK_Release 0x0 0x4010c8 0x17654 0x17654 0x15
__vbaUI1I2 0x0 0x4010cc 0x17658 0x17658 0x14c
_CIsqrt 0x0 0x4010d0 0x1765c 0x1765c 0x57
EVENT_SINK_QueryInterface 0x0 0x4010d4 0x17660 0x17660 0x14
(by ordinal) 0x2c6 0x4010d8 0x17664 0x17664 -
__vbaExceptHandler 0x0 0x4010dc 0x17668 0x17668 0x8e
(by ordinal) 0x25e 0x4010e0 0x1766c 0x1766c -
_adj_fprem 0x0 0x4010e4 0x17670 0x17670 0x1b1
_adj_fdivr_m64 0x0 0x4010e8 0x17674 0x17674 0x1af
__vbaFPException 0x0 0x4010ec 0x17678 0x17678 0x93
(by ordinal) 0x2cd 0x4010f0 0x1767c 0x1767c -
__vbaStrVarVal 0x0 0x4010f4 0x17680 0x17680 0x149
(by ordinal) 0x217 0x4010f8 0x17684 0x17684 -
(by ordinal) 0x218 0x4010fc 0x17688 0x17688 -
_CIlog 0x0 0x401100 0x1768c 0x1768c 0x55
__vbaNew2 0x0 0x401104 0x17690 0x17690 0xf7
_adj_fdiv_m32i 0x0 0x401108 0x17694 0x17694 0x1a9
_adj_fdivr_m32i 0x0 0x40110c 0x17698 0x17698 0x1ae
__vbaStrCopy 0x0 0x401110 0x1769c 0x1769c 0x137
(by ordinal) 0x23d 0x401114 0x176a0 0x176a0 -
__vbaI4Str 0x0 0x401118 0x176a4 0x176a4 0xce
(by ordinal) 0x23e 0x40111c 0x176a8 0x176a8 -
__vbaFreeStrList 0x0 0x401120 0x176ac 0x176ac 0xb0
(by ordinal) 0x2aa 0x401124 0x176b0 0x176b0 -
(by ordinal) 0x2ab 0x401128 0x176b4 0x176b4 -
_adj_fdivr_m32 0x0 0x40112c 0x176b8 0x176b8 0x1ad
_adj_fdiv_r 0x0 0x401130 0x176bc 0x176bc 0x1ab
(by ordinal) 0x2ad 0x401134 0x176c0 0x176c0 -
(by ordinal) 0x64 0x401138 0x176c4 0x176c4 -
(by ordinal) 0x262 0x40113c 0x176c8 0x176c8 -
__vbaInStrB 0x0 0x401140 0x176cc 0x176cc 0xd1
(by ordinal) 0x263 0x401144 0x176d0 0x176d0 -
__vbaVarDup 0x0 0x401148 0x176d4 0x176d4 0x162
__vbaStrComp 0x0 0x40114c 0x176d8 0x176d8 0x135
(by ordinal) 0x266 0x401150 0x176dc 0x176dc -
__vbaLateMemCallLd 0x0 0x401154 0x176e0 0x176e0 0xdf
(by ordinal) 0x269 0x401158 0x176e4 0x176e4 -
_CIatan 0x0 0x40115c 0x176e8 0x176e8 0x52
__vbaStrMove 0x0 0x401160 0x176ec 0x176ec 0x13f
(by ordinal) 0x21c 0x401164 0x176f0 0x176f0 -
_allmul 0x0 0x401168 0x176f4 0x176f4 0x1b4
(by ordinal) 0x28b 0x40116c 0x176f8 0x176f8 -
_CItan 0x0 0x401170 0x176fc 0x176fc 0x58
(by ordinal) 0x222 0x401174 0x17700 0x17700 -
__vbaFPInt 0x0 0x401178 0x17704 0x17704 0x95
_CIexp 0x0 0x40117c 0x17708 0x17708 0x54
__vbaFreeObj 0x0 0x401180 0x1770c 0x1770c 0xad
__vbaFreeStr 0x0 0x401184 0x17710 0x17710 0xaf
(by ordinal) 0x244 0x401188 0x17714 0x17714 -
Icons (1)
Memory Dumps (32)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
xeuovifzzc.exe 1 0x00400000 0x0041AFFF Relevant Image False 32-bit 0x004014D4 True False
buffer 1 0x00430000 0x0043FFFF Marked Executable False 32-bit - False False
buffer 1 0x00430000 0x0043FFFF First Execution False 32-bit 0x00436788 False False
buffer 1 0x001C0000 0x001C7FFF First Execution False 32-bit 0x001C0000 False False
ntdll.dll 1 0x77970000 0x77AFDFFF First Execution True 32-bit 0x779E2210 False False
buffer 1 0x001C0000 0x001C7FFF Content Changed False 32-bit 0x001C2253 False False
buffer 2 0x00560000 0x0065FFFF First Execution False 32-bit 0x00560000 False False
buffer 1 0x001C0000 0x001C7FFF Content Changed False 32-bit 0x001C1252 False False
xeuovifzzc.exe 1 0x00400000 0x0041AFFF Process Termination True 32-bit - True False
ntdll.dll 2 0x77970000 0x77AFDFFF First Execution True 32-bit 0x779E2210 False False
msvbvm60.dll 2 0x00400000 0x00552FFF First Execution True 32-bit 0x0041E310 False False
buffer 2 0x00560000 0x0065FFFF Content Changed False 32-bit 0x00561448 False False
buffer 2 0x1EED0000 0x1F1EFFFF First Execution True 32-bit 0x1EF42070 False False
buffer 2 0x00560000 0x0065FFFF Content Changed False 32-bit 0x0056148E False False
buffer 2 0x00560000 0x0065FFFF Content Changed False 32-bit 0x00562526 False False
buffer 2 0x00560000 0x0065FFFF Content Changed False 32-bit 0x00561448 False False
buffer 2 0x00560000 0x0065FFFF Content Changed False 32-bit 0x00562526 False False
buffer 2 0x00560000 0x0065FFFF Content Changed False 32-bit 0x0056148E False False
buffer 2 0x00560000 0x0065FFFF Content Changed False 32-bit 0x00561514 False False
buffer 2 0x00560000 0x0065FFFF Content Changed False 32-bit 0x00562526 False False
msvbvm60.dll 2 0x00400000 0x00552FFF Content Changed True 32-bit 0x0041AFF0 False False
buffer 2 0x1EE40000 0x1EE53FFF First Execution False 32-bit 0x1EE40000 False False
buffer 2 0x1ED00000 0x1EE13FFF Marked Executable False 32-bit - False False
buffer 3 0x06120000 0x06233FFF Content Changed False 64-bit 0x0618FC52 False False
buffer 2 0x00560000 0x0065FFFF Content Changed False 32-bit 0x00561448 False False
buffer 2 0x1EE60000 0x1EE75FFF Image In Buffer True 32-bit - False False
buffer 2 0x001C0000 0x001ECFFF Marked Executable False 32-bit - False False
buffer 2 0x1ECD0000 0x1ECFCFFF Marked Executable False 32-bit - False False
buffer 2 0x1EE20000 0x1EE33FFF Marked Executable False 32-bit - False False
buffer 4 0x01270000 0x01285FFF First Execution True 32-bit 0x01281370 False False
buffer 4 0x006F0000 0x0071CFFF Content Changed False 32-bit 0x006F82A0 False False
buffer 4 0x006F0000 0x0071CFFF Content Changed False 32-bit 0x006FCBB0 False False
Local AV Matches (1)
Threat Name Severity
Trojan.GenericKD.33970835 Malicious
c:\users\fd1hvy\appdata\local\microsoft\windows\inetcache\counters2.dat Modified File Stream Not Queried
Mime Type application/octet-stream
File Size 128 Bytes
MD5 f3344e084c76cf0e0a3ad5bacde88678
SHA1 7609c6b4fe4da79d21ddea0cbc56b9e0ce5822a7
SHA256 67a2c36c1223e17b98b6114a85c345a63696aabb2d8225e7c3423762f7109ed7
SSDeep 3:iu/B:i
ImpHash -
c:\users\fd1hvy\appdata\local\temp\~dfb2071bb696631c1a.tmp Dropped File OLE Compound Not Queried
Mime Type application/CDFV2
File Size 16.00 KB
MD5 88d950c2cc09df5dc7cb67686350af63
SHA1 dd0ee149de98e95ee907954bd54ccaed95f8f51f
SHA256 8a4fb9961deeb6da4a46add778f09ca73b6db766632e61a495e08859bb3ab7c7
SSDeep 48:rgNpSKr46b73xsM/m/vQ6KETIRciYZSVPBTzZleZ3zGXhqe3j+jglrhitfW:+9nhs/o6SRcimWd1leZmke3SErhitfW
ImpHash -
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.
Screenshot