a324f24386cddedeaa163b98533b3b03962205bdce1a48cd6630e95aba2379ec

Sharing

Copy URL

Twitter E-mail

General

Target

a324f24386cddedeaa163b98533b3b03962205bdce1a48cd6630e95aba2379ec
Size

3.7MB
MD5

ad813c97f7cd48856a9c2847ad55b90a
SHA1

c16bc7b76e6de3998bacef08f80a6acce3c5cee2
SHA256

a324f24386cddedeaa163b98533b3b03962205bdce1a48cd6630e95aba2379ec
SHA512

4f5cb2049e03ad76910693b96a3465c9ba6e268f0bf1ba7fce7eb374241acfa08ba645829fabe8ef76606289903655480867f314c17c79efc8b242419d46fadb
SSDEEP

98304:rlC4QBL6dQNbMFd6KkEl4ucp7YY+0RJ3ZOITgkAQL:rlChB+Gb6doEl4uS7xPZOILHL

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
themida

Processes:

resource yara_rule

sample themida

resource	yara_rule
sample	themida

Files

a324f24386cddedeaa163b98533b3b03962205bdce1a48cd6630e95aba2379ec
.exe windows x86

Code Sign

33:00:00:00:3a:6a:e3:33:70:8f:da:7a:7b:00:00:00:00:00:3a
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

11-03-2020 17:31

Not After

05-03-2021 17:31

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-10-2014 20:31

Not After

15-10-2029 20:41

Subject

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

01:ee:5f:16:9d:ff:97:35:2b:64:65:d6:6a
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

19-09-2018 00:00

Not After

28-01-2028 12:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0f
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

15-06-2016 00:00

Not After

15-06-2024 00:00

Subject

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageOCSPSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:29:15:27:00:00:00:00:00:2a
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-04-2011 19:55

Not After

15-04-2021 20:05

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

23:f4:b4:91:12:3a:c4:cd:bd:68:04:2d
Certificate

Issuer

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

Not Before

29-10-2020 09:57

Not After

30-10-2023 09:57

Subject

SERIALNUMBER=CHE-354.686.492,CN=Proton Technologies AG,O=Proton Technologies AG,STREET=Route de la Galaise 32,L=Plan-les-Ouates,ST=Geneva,C=CH,1.2.840.113549.1.9.1=#0c0f61646d696e4070726f746f6e2e6d65,1.3.6.1.4.1.311.60.2.1.2=#130647656e657661,1.3.6.1.4.1.311.60.2.1.3=#13024348,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0c:a7:cf:5d:07:07:24:ac:89:e7:9a:3a
Certificate

Issuer

CN=GlobalSign Timestamping CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Not Before

19-02-2018 00:00

Not After

18-03-2029 10:00

Subject

CN=GlobalSign TSA for Advanced - G2

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:31:89:c6:50:04
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

02-08-2011 10:00

Not After

29-03-2029 10:00

Subject

CN=GlobalSign Timestamping CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

af:9d:f4:ff:d0:3a:ef:c2:05:8b:e7:a5:c8:19:af:92:8a:8b:29:06:48:58:0b:b6:f7:f2:12:56:bf:4e:4f:7f
Signer

Actual PE Digest

af:9d:f4:ff:d0:3a:ef:c2:05:8b:e7:a5:c8:19:af:92:8a:8b:29:06:48:58:0b:b6:f7:f2:12:56:bf:4e:4f:7f

Digest Algorithm

sha256

PE Digest Matches

false

Signature Validations

Trusted

true

Verification

Signing Certificate

SERIALNUMBER=CHE-354.686.492,CN=Proton Technologies AG,O=Proton Technologies AG,STREET=Route de la Galaise 32,L=Plan-les-Ouates,ST=Geneva,C=CH,1.2.840.113549.1.9.1=#0c0f61646d696e4070726f746f6e2e6d65,1.3.6.1.4.1.311.60.2.1.2=#130647656e657661,1.3.6.1.4.1.311.60.2.1.3=#13024348,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

07-12-2020 16:28
Valid: true

Chain 1

SERIALNUMBER=CHE-354.686.492,CN=Proton Technologies AG,O=Proton Technologies AG,STREET=Route de la Galaise 32,L=Plan-les-Ouates,ST=Geneva,C=CH,1.2.840.113549.1.9.1=#0c0f61646d696e4070726f746f6e2e6d65,1.3.6.1.4.1.311.60.2.1.2=#130647656e657661,1.3.6.1.4.1.311.60.2.1.3=#13024348,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Chain 2

SERIALNUMBER=CHE-354.686.492,CN=Proton Technologies AG,O=Proton Technologies AG,STREET=Route de la Galaise 32,L=Plan-les-Ouates,ST=Geneva,C=CH,1.2.840.113549.1.9.1=#0c0f61646d696e4070726f746f6e2e6d65,1.3.6.1.4.1.311.60.2.1.2=#130647656e657661,1.3.6.1.4.1.311.60.2.1.3=#13024348,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

af:9d:f4:ff:d0:3a:ef:c2:05:8b:e7:a5:c8:19:af:92:8a:8b:29:06:48:58:0b:b6:f7:f2:12:56:bf:4e:4f:7f
Signer

Actual PE Digest

af:9d:f4:ff:d0:3a:ef:c2:05:8b:e7:a5:c8:19:af:92:8a:8b:29:06:48:58:0b:b6:f7:f2:12:56:bf:4e:4f:7f

Digest Algorithm

sha256

PE Digest Matches

false

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

14-02-2022 17:36
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

Size: 100KB - Virtual size: 200KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 17KB - Virtual size: 69KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

£€^��
Size: 2KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: - Virtual size: 4.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 3.2MB - Virtual size: 3.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

£€^��
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

£€^��
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 379KB - Virtual size: 378KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Code Sign

33:00:00:00:3a:6a:e3:33:70:8f:da:7a:7b:00:00:00:00:00:3aCertificate

Extended Key Usages

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0dCertificate

Key Usages

01:ee:5f:16:9d:ff:97:35:2b:64:65:d6:6aCertificate

Key Usages

48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0fCertificate

Extended Key Usages

Key Usages

61:29:15:27:00:00:00:00:00:2aCertificate

Key Usages

23:f4:b4:91:12:3a:c4:cd:bd:68:04:2dCertificate

Extended Key Usages

Key Usages

0c:a7:cf:5d:07:07:24:ac:89:e7:9a:3aCertificate

Extended Key Usages

Key Usages

04:00:00:00:00:01:31:89:c6:50:04Certificate

Key Usages

af:9d:f4:ff:d0:3a:ef:c2:05:8b:e7:a5:c8:19:af:92:8a:8b:29:06:48:58:0b:b6:f7:f2:12:56:bf:4e:4f:7fSigner

Signature Validations

Verification

07-12-2020 16:28 Valid: true

Chain 1

Chain 2

af:9d:f4:ff:d0:3a:ef:c2:05:8b:e7:a5:c8:19:af:92:8a:8b:29:06:48:58:0b:b6:f7:f2:12:56:bf:4e:4f:7fSigner

Signature Validations

Verification

14-02-2022 17:36 Valid: false

Headers

DLL Characteristics

File Characteristics

Sections

Size: 100KB - Virtual size: 200KB

Size: 17KB - Virtual size: 69KB

Size: 512B - Virtual size: 12B

.idata Size: 512B - Virtual size: 8KB

£€^�� Size: 2KB - Virtual size: 8KB

.themida Size: - Virtual size: 4.7MB

.boot Size: 3.2MB - Virtual size: 3.2MB

£€^�� Size: 3KB - Virtual size: 3KB

£€^�� Size: 3KB - Virtual size: 3KB

.rsrc Size: 379KB - Virtual size: 378KB

33:00:00:00:3a:6a:e3:33:70:8f:da:7a:7b:00:00:00:00:00:3a
Certificate

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

01:ee:5f:16:9d:ff:97:35:2b:64:65:d6:6a
Certificate

48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0f
Certificate

61:29:15:27:00:00:00:00:00:2a
Certificate

23:f4:b4:91:12:3a:c4:cd:bd:68:04:2d
Certificate

0c:a7:cf:5d:07:07:24:ac:89:e7:9a:3a
Certificate

04:00:00:00:00:01:31:89:c6:50:04
Certificate

af:9d:f4:ff:d0:3a:ef:c2:05:8b:e7:a5:c8:19:af:92:8a:8b:29:06:48:58:0b:b6:f7:f2:12:56:bf:4e:4f:7f
Signer

07-12-2020 16:28
Valid: true

af:9d:f4:ff:d0:3a:ef:c2:05:8b:e7:a5:c8:19:af:92:8a:8b:29:06:48:58:0b:b6:f7:f2:12:56:bf:4e:4f:7f
Signer

14-02-2022 17:36
Valid: false

.idata
Size: 512B - Virtual size: 8KB

£€^��
Size: 2KB - Virtual size: 8KB

.themida
Size: - Virtual size: 4.7MB

.boot
Size: 3.2MB - Virtual size: 3.2MB

£€^��
Size: 3KB - Virtual size: 3KB

£€^��
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 379KB - Virtual size: 378KB