62397537c3d1265c3dd38c3dbb409de1fd4273b9177fa3dadac284d56c2daab4

Sharing

Copy URL Twitter E-mail

General

Target

62397537c3d1265c3dd38c3dbb409de1fd4273b9177fa3dadac284d56c2daab4
Size

163KB
MD5

62e241da57f9124b809dd09d13daa755
SHA1

4718d74df193a0153a918ad845a10e7ccf6d800f
SHA256

62397537c3d1265c3dd38c3dbb409de1fd4273b9177fa3dadac284d56c2daab4
SHA512

f6d1cecc859dde2006abc3d1d6395e7afe68096245cb0589174c9d9cf28e866f48f7a0ae87c92101229bd3fe1d78f53faa4a31e9e8b16757869d98991c4fc90b
SSDEEP

3072:kqxLyXoo8h6zVrLurpxTzWLOKFuDQr+G3bOn2TFPWSx1zpjwQKLmPYn:kq9y4niZOxTzavFuDQr+Zn2JPWW1zpja

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Files

62397537c3d1265c3dd38c3dbb409de1fd4273b9177fa3dadac284d56c2daab4
.exe windows x86

df5c28fe4d646cb24a56d50ffe1d07e9

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

PsLookupProcessByProcessId
IoDeleteDevice
IoCreateSymbolicLink
IoCreateDevice
RtlAppendUnicodeToString
memcpy
wcslen
memset
ExFreePoolWithTag
IoDeleteSymbolicLink
RtlFreeUnicodeString
RtlAppendUnicodeStringToString
RtlAnsiStringToUnicodeString
RtlInitAnsiString
_except_handler3
IofCompleteRequest
RtlAssert
KeInitializeEvent
IoAttachDeviceToDeviceStack
ObReferenceObjectByName
IoDriverObjectType
RtlInitUnicodeString
KeStackAttachProcess
KeSetPriorityThread
KeGetCurrentThread
IofCallDriver
ExAllocatePool
ZwQuerySystemInformation
RtlCompareString
strncpy
strlen
MmGetSystemRoutineAddress
ZwClose
ZwUnmapViewOfSection
ZwMapViewOfSection
ZwCreateSection
ZwCreateFile
ExAllocatePoolWithTag
strcpy
ZwReadFile
ZwQueryInformationFile
MmUnmapIoSpace
MmIsAddressValid
MmMapIoSpace
KeUnstackDetachProcess
PsGetVersion
ObfDereferenceObject
KeDelayExecutionThread
IoGetCurrentProcess
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
ExAllocatePool
ExFreePool
NtQuerySystemInformation

hal

KeGetCurrentIrql
KfLowerIrql
KfRaiseIrql
KeStallExecutionProcessor
HalMakeBeep

Sections

.text
Size: - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 372B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: - Virtual size: 914B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: - Virtual size: 119KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp2
Size: 161KB - Virtual size: 161KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

df5c28fe4d646cb24a56d50ffe1d07e9

Headers

File Characteristics

Imports

ntoskrnl.exe

hal

Sections

.text Size: - Virtual size: 16KB

.rdata Size: - Virtual size: 372B

.data Size: - Virtual size: 1KB

INIT Size: - Virtual size: 1KB

.vmp0 Size: - Virtual size: 914B

.vmp1 Size: - Virtual size: 119KB

.vmp2 Size: 161KB - Virtual size: 161KB

.reloc Size: 512B - Virtual size: 208B

.text
Size: - Virtual size: 16KB

.rdata
Size: - Virtual size: 372B

.data
Size: - Virtual size: 1KB

INIT
Size: - Virtual size: 1KB

.vmp0
Size: - Virtual size: 914B

.vmp1
Size: - Virtual size: 119KB

.vmp2
Size: 161KB - Virtual size: 161KB

.reloc
Size: 512B - Virtual size: 208B