arkei | c1072380a7f84c66069ef375aed7a1563dccb69950b9b35436712d74a6c99677

Sharing

Copy URL

Twitter E-mail

General

Target

c1072380a7f84c66069ef375aed7a1563dccb69950b9b35436712d74a6c99677
Size

1.9MB
MD5

38f88448e44f0b6b72e37200eb69a853
SHA1

ce6e058f75350f6753f8d1c16ce9573f9491515c
SHA256

c1072380a7f84c66069ef375aed7a1563dccb69950b9b35436712d74a6c99677
SHA512

99328cdab2c711517340008c538763b1352f8d08144fde9e198ceff05f0d54f0fd5ddf9bc590e447f2e635d5262aae0d7b9e9a580fdcae69c2138049a21078ec
SSDEEP

24576:xqy7O5jU5KuXB4tDnfqGpLVMs9tg3zlsjYT1QyRz2jGSdsQdoMJmA7vrAKo3v/Zz:kk8Dn/LVMsXgjliYTJMjGNQzbvhofJ

Score

10^/10

themida default arkei

Malware Config

Extracted

Family

arkei

Botnet

Default

http://45.95.235.77/6LuciSfmJZ.php

Signatures

Arkei family
arkei
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
themida

Processes:

resource yara_rule

sample themida

resource	yara_rule
sample	themida

Files

c1072380a7f84c66069ef375aed7a1563dccb69950b9b35436712d74a6c99677
.exe windows x86

Code Sign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01-01-2021 00:00

Not After

06-01-2031 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07-01-2016 12:00

Not After

07-01-2031 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a9:5b:61:11:e3:75:4f:4f:01:41:3d:0a:90:f5:38:c0
Certificate

Issuer

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

03-03-2021 00:00

Not After

01-03-2022 23:59

Subject

CN=Avira Operations GmbH & Co. KG,O=Avira Operations GmbH & Co. KG,POSTALCODE=88069,STREET=Kaplaneiweg 1,L=Tettnang,ST=Baden-Württemberg,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02-11-2018 00:00

Not After

31-12-2030 23:59

Subject

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:44:b7:3f:fc:ef:5a:cf:a2:7a:00:00:00:00:00:44
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22-07-2015 21:03

Not After

22-07-2025 21:03

Subject

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29-04-2021 00:00

Not After

28-04-2036 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:0c:f3:cc:d3:8a:d4:27:50:bb:db:62:ab:d8:d6:dd
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

24-06-2021 00:00

Not After

28-06-2022 23:59

Subject

SERIALNUMBER=HBA 722586,CN=Avira Operations GmbH & Co. KG,OU=Engineering Services,O=Avira Operations GmbH & Co. KG,L=Tettnang,ST=Baden-Württemberg,C=DE,1.3.6.1.4.1.311.60.2.1.1=#1303556c6d,1.3.6.1.4.1.311.60.2.1.2=#0c12426164656e2d57c3bc727474656d62657267,1.3.6.1.4.1.311.60.2.1.3=#13024445,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

8c:77:a0:00:8f:f4:d1:b0:c6:3d:9f:3a:48:83:8d:6b
Certificate

Issuer

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

23-10-2020 00:00

Not After

22-01-2032 23:59

Subject

CN=Sectigo RSA Time Stamping Signer #2,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02-05-2019 00:00

Not After

18-01-2038 23:59

Subject

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

d3:c6:63:84:29:43:4b:1f:e8:d7:d5:7e:50:08:69:53:71:2e:09:c9:4b:62:f4:ed:c7:88:12:57:4e:d9:22:8b
Signer

Actual PE Digest

d3:c6:63:84:29:43:4b:1f:e8:d7:d5:7e:50:08:69:53:71:2e:09:c9:4b:62:f4:ed:c7:88:12:57:4e:d9:22:8b

Digest Algorithm

sha256

PE Digest Matches

false

Signature Validations

Trusted

true

Verification

Signing Certificate

SERIALNUMBER=HBA 722586,CN=Avira Operations GmbH & Co. KG,OU=Engineering Services,O=Avira Operations GmbH & Co. KG,L=Tettnang,ST=Baden-Württemberg,C=DE,1.3.6.1.4.1.311.60.2.1.1=#1303556c6d,1.3.6.1.4.1.311.60.2.1.2=#0c12426164656e2d57c3bc727474656d62657267,1.3.6.1.4.1.311.60.2.1.3=#13024445,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

14-02-2022 17:36
Valid: true

Chain 1

SERIALNUMBER=HBA 722586,CN=Avira Operations GmbH & Co. KG,OU=Engineering Services,O=Avira Operations GmbH & Co. KG,L=Tettnang,ST=Baden-Württemberg,C=DE,1.3.6.1.4.1.311.60.2.1.1=#1303556c6d,1.3.6.1.4.1.311.60.2.1.2=#0c12426164656e2d57c3bc727474656d62657267,1.3.6.1.4.1.311.60.2.1.3=#13024445,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

0a:60:84:ae:7a:5a:a7:28:9f:ee:61:e6:10:9c:58:75:3e:8a:24:be
Signer

Actual PE Digest

0a:60:84:ae:7a:5a:a7:28:9f:ee:61:e6:10:9c:58:75:3e:8a:24:be

Digest Algorithm

sha1

PE Digest Matches

false

Signature Validations

Trusted

true

Verification

Signing Certificate

CN=Avira Operations GmbH & Co. KG,O=Avira Operations GmbH & Co. KG,POSTALCODE=88069,STREET=Kaplaneiweg 1,L=Tettnang,ST=Baden-Württemberg,C=DE

08-11-2021 15:33
Valid: true

Chain 1

CN=Avira Operations GmbH & Co. KG,O=Avira Operations GmbH & Co. KG,POSTALCODE=88069,STREET=Kaplaneiweg 1,L=Tettnang,ST=Baden-Württemberg,C=DE

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 86KB - Virtual size: 85KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.imports
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.themida
Size: - Virtual size: 2.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 1.7MB - Virtual size: 1.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.taggant
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Code Sign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

a9:5b:61:11:e3:75:4f:4f:01:41:3d:0a:90:f5:38:c0Certificate

Extended Key Usages

Key Usages

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6aCertificate

Extended Key Usages

Key Usages

33:00:00:00:44:b7:3f:fc:ef:5a:cf:a2:7a:00:00:00:00:00:44Certificate

Extended Key Usages

Key Usages

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9Certificate

Extended Key Usages

Key Usages

0e:0c:f3:cc:d3:8a:d4:27:50:bb:db:62:ab:d8:d6:ddCertificate

Extended Key Usages

Key Usages

8c:77:a0:00:8f:f4:d1:b0:c6:3d:9f:3a:48:83:8d:6bCertificate

Extended Key Usages

Key Usages

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9Certificate

Extended Key Usages

Key Usages

d3:c6:63:84:29:43:4b:1f:e8:d7:d5:7e:50:08:69:53:71:2e:09:c9:4b:62:f4:ed:c7:88:12:57:4e:d9:22:8bSigner

Signature Validations

Verification

14-02-2022 17:36 Valid: true

Chain 1

0a:60:84:ae:7a:5a:a7:28:9f:ee:61:e6:10:9c:58:75:3e:8a:24:beSigner

Signature Validations

Verification

08-11-2021 15:33 Valid: true

Chain 1

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 86KB - Virtual size: 85KB

.rdata Size: 28KB - Virtual size: 27KB

.data Size: 3KB - Virtual size: 11KB

.reloc Size: 9KB - Virtual size: 9KB

.imports Size: 512B - Virtual size: 4KB

.themida Size: - Virtual size: 2.7MB

.boot Size: 1.7MB - Virtual size: 1.7MB

.taggant Size: 8KB - Virtual size: 8KB

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

a9:5b:61:11:e3:75:4f:4f:01:41:3d:0a:90:f5:38:c0
Certificate

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

33:00:00:00:44:b7:3f:fc:ef:5a:cf:a2:7a:00:00:00:00:00:44
Certificate

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

0e:0c:f3:cc:d3:8a:d4:27:50:bb:db:62:ab:d8:d6:dd
Certificate

8c:77:a0:00:8f:f4:d1:b0:c6:3d:9f:3a:48:83:8d:6b
Certificate

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

d3:c6:63:84:29:43:4b:1f:e8:d7:d5:7e:50:08:69:53:71:2e:09:c9:4b:62:f4:ed:c7:88:12:57:4e:d9:22:8b
Signer

14-02-2022 17:36
Valid: true

0a:60:84:ae:7a:5a:a7:28:9f:ee:61:e6:10:9c:58:75:3e:8a:24:be
Signer

08-11-2021 15:33
Valid: true

.text
Size: 86KB - Virtual size: 85KB

.rdata
Size: 28KB - Virtual size: 27KB

.data
Size: 3KB - Virtual size: 11KB

.reloc
Size: 9KB - Virtual size: 9KB

.imports
Size: 512B - Virtual size: 4KB

.themida
Size: - Virtual size: 2.7MB

.boot
Size: 1.7MB - Virtual size: 1.7MB

.taggant
Size: 8KB - Virtual size: 8KB