re1[.]txt | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

re1.txt
Size

2.7MB
MD5

a085b69bcc14708065edab46f9e276f1
SHA1

0bc8280ea18237ff27b215b6ea3a22ff091a7ca5
SHA256

61a7ffd66336813c001c6e4e1dc9ba60e01b61784c5e1402e9f799cdb963e3bc
SHA512

4ec6f2e77ad5629bef576a3147618c6253020a69a54fc704cbf55abdaaeea2170c01b325ce69aa0a0dab39288eea3bc03fb9973c966609ef2cab106bd9a8a466
SSDEEP

49152:LOgRmBo9zpxJ3Nxt4Por0++Ao7ORprPX6iD/ZZtCB37u/55blBSnktGxCniMh6+g:Kgqo9zpX+Pi9fRNPX/QwPGxCipETps

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs
Detects executables packed with VMProtect commercial packer.
vmprotect

Processes:

resource yara_rule

sample vmprotect

resource	yara_rule
sample	vmprotect

Files

re1.txt
.exe windows x64

4b451c602dabb7c135d7516e76712204

Code Sign

33:00:00:00:c4:50:21:ba:6e:d8:5a:72:ad:00:00:00:00:00:c4
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

17-06-2021 17:55

Not After

16-06-2022 17:55

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18-04-2012 23:48

Not After

18-04-2027 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e4:47:1c:9c:06:9d:c4:33:1b:3a:c9:ec:aa:da:19:86:88:94:44:48:17:0b:e3:a7:ec:a2:62:50:5f:85:3b:1a
Signer

Actual PE Digest

e4:47:1c:9c:06:9d:c4:33:1b:3a:c9:ec:aa:da:19:86:88:94:44:48:17:0b:e3:a7:ec:a2:62:50:5f:85:3b:1a

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

30-07-2022 11:07
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

KeDelayExecutionThread
ExAllocatePool
NtQuerySystemInformation
ExFreePoolWithTag
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
KeQueryActiveProcessors
KeSetSystemAffinityThread
KeRevertToUserAffinityThread
DbgPrint

hal

KeQueryPerformanceCounter
KeQueryPerformanceCounter

ndis.sys

NdisAllocateGenericObject

fwpkclnt.sys

FwpmFilterAdd0

wdfldr.sys

WdfVersionBind

Sections

.text
Size: - Virtual size: 181KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 1.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp2
Size: 2.7MB - Virtual size: 2.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 180B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4b451c602dabb7c135d7516e76712204

Code Sign

33:00:00:00:c4:50:21:ba:6e:d8:5a:72:ad:00:00:00:00:00:c4Certificate

Extended Key Usages

61:0b:aa:c1:00:00:00:00:00:09Certificate

Key Usages

e4:47:1c:9c:06:9d:c4:33:1b:3a:c9:ec:aa:da:19:86:88:94:44:48:17:0b:e3:a7:ec:a2:62:50:5f:85:3b:1aSigner

Signature Validations

Verification

30-07-2022 11:07 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

hal

ndis.sys

fwpkclnt.sys

wdfldr.sys

Sections

.text Size: - Virtual size: 181KB

.rdata Size: - Virtual size: 23KB

.data Size: - Virtual size: 60KB

.pdata Size: - Virtual size: 3KB

INIT Size: - Virtual size: 3KB

.vmp0 Size: - Virtual size: 1.3MB

.vmp1 Size: 512B - Virtual size: 8B

.vmp2 Size: 2.7MB - Virtual size: 2.7MB

.reloc Size: 512B - Virtual size: 180B

33:00:00:00:c4:50:21:ba:6e:d8:5a:72:ad:00:00:00:00:00:c4
Certificate

61:0b:aa:c1:00:00:00:00:00:09
Certificate

e4:47:1c:9c:06:9d:c4:33:1b:3a:c9:ec:aa:da:19:86:88:94:44:48:17:0b:e3:a7:ec:a2:62:50:5f:85:3b:1a
Signer

30-07-2022 11:07
Valid: false

.text
Size: - Virtual size: 181KB

.rdata
Size: - Virtual size: 23KB

.data
Size: - Virtual size: 60KB

.pdata
Size: - Virtual size: 3KB

INIT
Size: - Virtual size: 3KB

.vmp0
Size: - Virtual size: 1.3MB

.vmp1
Size: 512B - Virtual size: 8B

.vmp2
Size: 2.7MB - Virtual size: 2.7MB

.reloc
Size: 512B - Virtual size: 180B