demoo[.]dll | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

demoo.dll
Size

3.3MB
MD5

1af9024e05e21428386247905f59a7ab
SHA1

1802f64add91791808262bb60984424f95f28e2e
SHA256

3d2ced1b815c6aa31457030af8e4255dfb1b06d6b583a747e15272530824a6fa
SHA512

3171177b8aa8c7cc7354231f512879ef86c8c81c3784a38837852c1f80efa45a560ba2ddafb17fc5002bb8bfdb1b1ed3cb1de5cd933e5e167a0c7a1727c39cb4
SSDEEP

49152:tddVTzDbWcYqqQuSFm1wiIl6u8Qnh4pHQ3dZsUMMKM0rY1quaj8P9QerV3i5wOpg:TTbWnjQJFdi86ubKHQ3EUMMKM0KWeFNj

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Files

demoo.dll
.dll windows x86

9895dafc8af4ba6549dff55dc23599c0

Code Sign

4b:36:ad:fe:bc:72:82:90:41:f0:d9:7a:62:4f:9f:14
Certificate

Issuer

CN=IBM Inc.,ST=Berlin,C=Germany,1.2.840.113549.1.9.1=#0c126e6574737570704075732e69626d2e636f6d

Not Before

04-12-2021 14:14

Not After

30-12-2031 16:00

Subject

CN=IBM Inc.,ST=Berlin,C=Germany,1.2.840.113549.1.9.1=#0c126e6574737570704075732e69626d2e636f6d

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01-01-2021 00:00

Not After

06-01-2031 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07-01-2016 12:00

Not After

07-01-2031 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

01:8e:9a:d2:ed:18:e6:81:e7:d4:84:72:cf:f9:e9:9e:c7:03:04:ba
Signer

Actual PE Digest

01:8e:9a:d2:ed:18:e6:81:e7:d4:84:72:cf:f9:e9:9e:c7:03:04:ba

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=IBM Inc.,ST=Berlin,C=Germany,1.2.840.113549.1.9.1=#0c126e6574737570704075732e69626d2e636f6d

30-01-2022 13:06
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

QueryFullProcessImageNameW
GetCurrentProcess
LocalFree
GetLastError
GetCommandLineW
CreateProcessA
CloseHandle
WriteConsoleW
SetFilePointerEx
GetModuleHandleA
ExitProcess
GetProcAddress
SetStdHandle
GetConsoleMode
GetConsoleCP
FlushFileBuffers
HeapSize
LCMapStringW
GetStringTypeW
HeapReAlloc
RtlUnwind
OutputDebugStringW
LoadLibraryExW
HeapAlloc
GetCommandLineA
GetCurrentThreadId
IsDebuggerPresent
IsProcessorFeaturePresent
EncodePointer
DecodePointer
GetModuleHandleExW
MultiByteToWideChar
WideCharToMultiByte
GetStdHandle
WriteFile
GetModuleFileNameW
GetProcessHeap
SetLastError
GetFileType
DeleteCriticalSection
GetStartupInfoW
GetModuleFileNameA
HeapFree
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
InitializeCriticalSectionAndSpinCount
Sleep
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
EnterCriticalSection
LeaveCriticalSection
CreateFileW
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

ShowWindow
GetForegroundWindow
GetProcessWindowStation
GetUserObjectInformationW

advapi32

OpenProcessToken
GetTokenInformation

shell32

CommandLineToArgvW
ShellExecuteW
ord680

shlwapi

PathFileExistsA

ws2_32

connect
htons
closesocket
WSACleanup
recv
send
WSAStartup
socket
gethostbyname

Exports

Exports

cYreenQillm

Sections

.text
Size: - Virtual size: 47KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 3.3MB - Virtual size: 3.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 233B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9895dafc8af4ba6549dff55dc23599c0

Code Sign

4b:36:ad:fe:bc:72:82:90:41:f0:d9:7a:62:4f:9f:14Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

01:8e:9a:d2:ed:18:e6:81:e7:d4:84:72:cf:f9:e9:9e:c7:03:04:baSigner

Signature Validations

Verification

30-01-2022 13:06 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

shlwapi

ws2_32

Exports

Exports

Sections

.text Size: - Virtual size: 47KB

.rdata Size: - Virtual size: 18KB

.data Size: - Virtual size: 11KB

.vmp0 Size: - Virtual size: 1.6MB

.vmp1 Size: 3.3MB - Virtual size: 3.3MB

.reloc Size: 1KB - Virtual size: 1KB

.rsrc Size: 512B - Virtual size: 233B

4b:36:ad:fe:bc:72:82:90:41:f0:d9:7a:62:4f:9f:14
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

01:8e:9a:d2:ed:18:e6:81:e7:d4:84:72:cf:f9:e9:9e:c7:03:04:ba
Signer

30-01-2022 13:06
Valid: false

.text
Size: - Virtual size: 47KB

.rdata
Size: - Virtual size: 18KB

.data
Size: - Virtual size: 11KB

.vmp0
Size: - Virtual size: 1.6MB

.vmp1
Size: 3.3MB - Virtual size: 3.3MB

.reloc
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 512B - Virtual size: 233B