e85415477ce6fa5f5af429bae00413ebf24f6143c429bc63cbdd56bbc92da054

Sharing

Copy URL Twitter E-mail

General

Target

e85415477ce6fa5f5af429bae00413ebf24f6143c429bc63cbdd56bbc92da054
Size

838KB
MD5

665e55bc31e33f62118b78badda83770
SHA1

8489f2b0ca98db067c9e052c566bf64a517a706a
SHA256

e85415477ce6fa5f5af429bae00413ebf24f6143c429bc63cbdd56bbc92da054
SHA512

77a0b69ca89cbd0efcc6deee90fac790c7a8118922f476b455bd76e45eff891a2c05fda0933049b77b20b9093aadc26759bbf65ffb1e33e009d5f8b0a5f2247d
SSDEEP

24576:QOHJERcGT0X5u2lOqr5pKp2sVdpk38Vj4:QOkcGT0XxC5V838R4

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Files

e85415477ce6fa5f5af429bae00413ebf24f6143c429bc63cbdd56bbc92da054
.dll regsvr32 windows x86

0023981adddba34dcb9761ec343b9047

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

01/05/2012, 00:00

Not After

31/12/2012, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G3,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

16/07/2036, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

55:ec:cb:22:74:bc:f4:87:7b:86:4f:67:ed:1d:1b:49
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

01/08/2012, 00:00

Not After

31/10/2015, 23:59

Subject

CN=Changsha Spring Culture Communications Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Changsha Spring Culture Communications Ltd.,L=Changsha,ST=Hunan,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

65:82:4c:7e:69:36:f8:17:16:bc:25:9b:b9:f5:54:11:bb:a7:05:5c
Signer

Actual PE Digest

65:82:4c:7e:69:36:f8:17:16:bc:25:9b:b9:f5:54:11:bb:a7:05:5c

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Changsha Spring Culture Communications Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Changsha Spring Culture Communications Ltd.,L=Changsha,ST=Hunan,C=CN

10/12/2012, 09:17
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

HeapAlloc
HeapReAlloc
HeapFree
GetModuleFileNameW
lstrlenW
lstrcatW
GetModuleHandleW
GetProcAddress
lstrcpynW
CreateDirectoryW
GetTempPathW
GetTempFileNameW
GetWindowsDirectoryW
GetLogicalDriveStringsW
lstrcpyW
GetDriveTypeW
FindFirstFileW
FindClose
CreateFileW
GetFileTime
FileTimeToLocalFileTime
FileTimeToSystemTime
CloseHandle
WriteFile
OpenProcess
ExpandEnvironmentStringsW
DeleteFileW
GetLastError
SetFileAttributesW
FindNextFileW
GetSystemDirectoryW
LoadLibraryW
FreeLibrary
GetFileSize
SetFilePointer
GetLocalTime
SetEndOfFile
lstrlenA
VirtualAllocEx
WriteProcessMemory
CreateRemoteThread
WaitForSingleObject
VirtualFreeEx
MultiByteToWideChar
ResumeThread
GetTickCount
CreateToolhelp32Snapshot
GetCurrentProcessId
Module32FirstW
Module32NextW
GetCommandLineW
FreeResource
FindResourceW
LoadResource
GetPrivateProfileStringW
WaitNamedPipeW
InitializeCriticalSection
WideCharToMultiByte
TerminateThread
CopyFileW
SizeofResource
HeapDestroy
HeapCreate
ReadFile
GetLongPathNameW
MoveFileW
LockResource
SetNamedPipeHandleState
DeleteCriticalSection
GetVersion
GetVolumeInformationW
lstrcmpiA
lstrcpynA
LocalAlloc
LocalFree
ReadProcessMemory
CreateThread
OpenThread
SetLastError
lstrcatA
lstrcpyA
CreateDirectoryA
SetFileAttributesA
DeleteFileA
GetModuleFileNameA
GetExitCodeThread
GetCurrentThreadId
TerminateProcess
EnterCriticalSection
LeaveCriticalSection
InterlockedIncrement
InterlockedDecrement
DeviceIoControl
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
VirtualQuery
VirtualProtect
lstrcmpA
SystemTimeToFileTime
LocalFileTimeToFileTime
SetFileTime
InterlockedExchange
LoadLibraryA
RaiseException
GetCommandLineA
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
Sleep
ExitProcess
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
VirtualFree
QueryPerformanceCounter
GetSystemTimeAsFileTime
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
VirtualAlloc
InitializeCriticalSectionAndSpinCount
RtlUnwind
HeapSize
GetConsoleCP
GetConsoleMode
CreateFileA
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
FlushFileBuffers
GetProcessHeap

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllGetVersion
DllRegisterServer

Sections

.text
Size: 169KB - Virtual size: 168KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 40KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.sdata
Size: 1024B - Virtual size: 600B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 449KB - Virtual size: 449KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 140KB - Virtual size: 140KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0023981adddba34dcb9761ec343b9047

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:edCertificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4aCertificate

Key Usages

55:ec:cb:22:74:bc:f4:87:7b:86:4f:67:ed:1d:1b:49Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

65:82:4c:7e:69:36:f8:17:16:bc:25:9b:b9:f5:54:11:bb:a7:05:5cSigner

Signature Validations

Verification

10/12/2012, 09:17 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

Exports

Exports

Sections

.text Size: 169KB - Virtual size: 168KB

.rdata Size: 40KB - Virtual size: 40KB

.data Size: 7KB - Virtual size: 15KB

.sdata Size: 1024B - Virtual size: 600B

.rsrc Size: 449KB - Virtual size: 449KB

.vmp0 Size: 13KB - Virtual size: 13KB

.vmp1 Size: 140KB - Virtual size: 140KB

.reloc Size: 9KB - Virtual size: 8KB

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
Certificate

55:ec:cb:22:74:bc:f4:87:7b:86:4f:67:ed:1d:1b:49
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

65:82:4c:7e:69:36:f8:17:16:bc:25:9b:b9:f5:54:11:bb:a7:05:5c
Signer

10/12/2012, 09:17
Valid: false

.text
Size: 169KB - Virtual size: 168KB

.rdata
Size: 40KB - Virtual size: 40KB

.data
Size: 7KB - Virtual size: 15KB

.sdata
Size: 1024B - Virtual size: 600B

.rsrc
Size: 449KB - Virtual size: 449KB

.vmp0
Size: 13KB - Virtual size: 13KB

.vmp1
Size: 140KB - Virtual size: 140KB

.reloc
Size: 9KB - Virtual size: 8KB