allcome | allcome[.]zip

Resubmissions

25-12-2022 14:22

221225-rppf7abf39 10

25-12-2022 14:22

25-12-2022 14:21

25-12-2022 14:21

25-12-2022 14:13

Sharing

Copy URL

Twitter E-mail

General

Target

allcome.zip
Size

7.4MB
MD5

853a314f529e8d0a81e1082a5fc2acd7
SHA1

0f8b76562383e4f2b4d71399e26affbd760f3466
SHA256

be1bc698d63cbfc97d75edaa1fe850772d1e082a7b9a24aa5e09ed5b3bdeedde
SHA512

cc21dc39e488c070d301a5107e92e422f8cf4a9345508b1c56206949769a2435e5f5f1b30ccdca22eb2f2f2b3a2c0e801a8aa3c418eb20192150e118a1908b4e
SSDEEP

196608:wqNG3GKMWwzq67YKTwE8Jc+0algVV+uZT63SX9DzVOosAeSE:wKG3GKMWw90KL8R0kgVV+x36PsAVE

Score

10^/10

themida allcome

Malware Config

Extracted

Family

allcome

http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/exp.php?usr=Class1c228

Wallets

D92TTxkBTyJfavHWmAJfHpZRLeUY9ReHvf

rEtKYAu1Pwa9ydAB9YfXrTgVTtwB7QAghY

0x4aab8F9FFFE07459b1365A10405a4Fe7Aa7F1f81

XeZnNrJyBV3NimCP61bnJK8EYEqe984rn8

t1Vrj6CU9hHRwiuoSWDhgwtRhmPxRu9MqXs

GBEARLBYJHWXMY7AFAGF7VGMRMRK2D5HSRADSABSPMRIW6XPDQBRQSMI

0x43B091611E359447bAC8b2aE1619424A8417De38

qqvqg5fjmjjkd6egvwxv5et63jpakdqvuq3ye335x0

bc1qrzlvgv39ynr32vzacpg8y4y4yklmr370sxwqj3

0x4aab8F9FFFE07459b1365A10405a4Fe7Aa7F1f81

ltc1qef2n5uu37e34nvtrfhnurdj9lc574h90grpa0e

380990138409

Signatures

Allcome family
allcome

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
static1/unpack002/2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02	themida

Files

allcome.zip
.zip

Password: infected
__MACOSX/allcome/._2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.zip
__MACOSX/allcome/._95de56b7b27bfdfae1c741a5f02a42d1a4f7a23286ca8b292e85132b8b87bb57.zip
__MACOSX/allcome/._ac1ee2ae3f9d02314391ea2cf5931325da346f5d40ea7cf12f4fb86e62fe1e89.zip
__MACOSX/allcome/._d62c1f65b0ad9427fa41e32951526435e372d2f09bb81e6079dabdad915f84b4.zip
allcome/2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.zip
.zip

Password: infected
2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02
.exe windows x86

Password: infected

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 489KB - Virtual size: 496KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.themida
Size: 8.6MB - Virtual size: 8.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
allcome/95de56b7b27bfdfae1c741a5f02a42d1a4f7a23286ca8b292e85132b8b87bb57.zip
.zip

Password: infected
95de56b7b27bfdfae1c741a5f02a42d1a4f7a23286ca8b292e85132b8b87bb57
.exe windows x86

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 451KB - Virtual size: 451KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 398KB - Virtual size: 397KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
allcome/ac1ee2ae3f9d02314391ea2cf5931325da346f5d40ea7cf12f4fb86e62fe1e89.zip
.zip

Password: infected
d950b50f5f6430bec1db8de9f36b9a4e.exe
.exe windows x86

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 502KB - Virtual size: 501KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 147KB - Virtual size: 146KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
allcome/d62c1f65b0ad9427fa41e32951526435e372d2f09bb81e6079dabdad915f84b4.zip
.zip

Password: infected
d62c1f65b0ad9427fa41e32951526435e372d2f09bb81e6079dabdad915f84b4.bin
.exe windows x86

Password: infected

277bb5bca79f7661398975c7af5ce7ba

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
GetModuleFileNameA
CopyFileA
SetFileAttributesA
CreateDirectoryA
CreateMutexA
WaitForSingleObject
GetModuleHandleA
Sleep
MultiByteToWideChar
CreateFileW
DecodePointer
GetConsoleMode
GetConsoleOutputCP
FlushFileBuffers
HeapReAlloc
HeapSize
SetFilePointerEx
GetProcessHeap
GetStringTypeW
SetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
WideCharToMultiByte
GetCommandLineW
GetCommandLineA
GetCPInfo
GetOEMCP
GetACP
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
QueryPerformanceFrequency
CloseHandle
WaitForSingleObjectEx
GetExitCodeThread
InitializeCriticalSectionEx
GetProcAddress
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
RtlUnwind
RaiseException
GetLastError
SetLastError
EncodePointer
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
ExitProcess
GetModuleHandleExW
CreateThread
ExitThread
FreeLibraryAndExitThread
GetStdHandle
WriteFile
GetModuleFileNameW
HeapFree
HeapAlloc
GetFileType
LCMapStringW
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
WriteConsoleW

user32

SetClipboardData
GetClipboardData
EmptyClipboard
CloseClipboard
OpenClipboard
LoadStringA
GetKeyState

shell32

SHGetFolderPathA
ShellExecuteA

wtsapi32

WTSEnumerateProcessesA
WTSFreeMemory

urlmon

IsValidURL

wininet

InternetReadFile
InternetCloseHandle
InternetOpenUrlA
InternetOpenA

shlwapi

PathFindFileNameA

Sections

.text
Size: 75KB - Virtual size: 74KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 34KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

Password: infected

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 489KB - Virtual size: 496KB

.rsrc Size: 9KB - Virtual size: 8KB

.reloc Size: 512B - Virtual size: 12B

.idata Size: 512B - Virtual size: 8KB

.themida Size: 8.6MB - Virtual size: 8.6MB

Password: infected

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 451KB - Virtual size: 451KB

.rsrc Size: 398KB - Virtual size: 397KB

.reloc Size: 512B - Virtual size: 12B

Password: infected

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 502KB - Virtual size: 501KB

.rsrc Size: 147KB - Virtual size: 146KB

.reloc Size: 512B - Virtual size: 12B

Password: infected

Password: infected

277bb5bca79f7661398975c7af5ce7ba

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

shell32

wtsapi32

urlmon

wininet

shlwapi

Sections

.text Size: 75KB - Virtual size: 74KB

.rdata Size: 34KB - Virtual size: 33KB

.data Size: 3KB - Virtual size: 6KB

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 5KB - Virtual size: 4KB

.text
Size: 489KB - Virtual size: 496KB

.rsrc
Size: 9KB - Virtual size: 8KB

.reloc
Size: 512B - Virtual size: 12B

.idata
Size: 512B - Virtual size: 8KB

.themida
Size: 8.6MB - Virtual size: 8.6MB

.text
Size: 451KB - Virtual size: 451KB

.rsrc
Size: 398KB - Virtual size: 397KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 502KB - Virtual size: 501KB

.rsrc
Size: 147KB - Virtual size: 146KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 75KB - Virtual size: 74KB

.rdata
Size: 34KB - Virtual size: 33KB

.data
Size: 3KB - Virtual size: 6KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 5KB - Virtual size: 4KB