181230b8707c3a39c262a55cdbab51032df42f47af88af248497ed44cb9c02eb

Sharing

Copy URL Twitter E-mail

General

Target

181230b8707c3a39c262a55cdbab51032df42f47af88af248497ed44cb9c02eb
Size

3.4MB
MD5

a1bbcc6d7fb38edbc84ed674c811de47
SHA1

8021cb9713595ddc60efbb3b8424168ae0583344
SHA256

181230b8707c3a39c262a55cdbab51032df42f47af88af248497ed44cb9c02eb
SHA512

aef205ca4879ec7afffadf53efd29d7d26b35806b8b797e9cfb9a2c4fb442bc9a74ade25adfd8d5aaea2bb8c17e6bc11a0945231c760c91fa2a61f09997921d2
SSDEEP

98304:YEfuI5ol31YcR4vzvNPqJlASWecD5wYQZnBf1017:oFYs4rFCrA6cw/9Q

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Files

181230b8707c3a39c262a55cdbab51032df42f47af88af248497ed44cb9c02eb
.exe windows x86

67fbefe3ec0d5c6448ec6769a37b6ab5

Code Sign

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:be
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

10/05/2010, 00:00

Not After

10/05/2015, 23:59

Subject

CN=COMODO Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

07/11/2021, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2c:a1:97:df:be:66:5b:60:22:3d:b9:bb:c6:80:06:42
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

02/07/2012, 00:00

Not After

02/07/2015, 23:59

Subject

CN=Yonyou Software Co.\, Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=U8 Platform,O=Yonyou Software Co.\, Ltd,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

f1:53:42:8a:94:e8:7e:75:33:db:71:45:b1:82:92:e1:79:48:41:d4
Signer

Actual PE Digest

f1:53:42:8a:94:e8:7e:75:33:db:71:45:b1:82:92:e1:79:48:41:d4

Digest Algorithm

sha1

PE Digest Matches

false

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Yonyou Software Co.\, Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=U8 Platform,O=Yonyou Software Co.\, Ltd,L=Beijing,ST=Beijing,C=CN

21/04/2014, 06:41
Valid: false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ws2_32

accept
ioctlsocket
WSACloseEvent
htons
socket
WSACleanup
closesocket
shutdown
WSAGetLastError
recv
send
WSAStartup
bind
listen
WSACreateEvent
WSAEventSelect
WSAWaitForMultipleEvents
WSAEnumNetworkEvents

rpcrt4

UuidFromStringA
UuidCreate
UuidToStringA

crypt32

CertGetNameStringA

mfc42

ord5466
ord5194
ord938
ord5216
ord5683
ord535
ord6930
ord5448
ord6407
ord532
ord665
ord1979
ord6385
ord5186
ord354
ord700
ord5632
ord398
ord5442
ord801
ord6883
ord541
ord5572
ord2915
ord823
ord1997
ord800
ord858
ord2820
ord3811
ord540
ord2818
ord860
ord539
ord5651
ord941
ord939
ord924
ord350
ord3701
ord798
ord500
ord533
ord772
ord3127
ord3616
ord4277
ord4129
ord5860
ord6877
ord537
ord6142
ord922
ord2614
ord3663
ord5606
ord4160
ord4189
ord825
ord3439
ord913
ord5710
ord4278
ord6663
ord5594
ord3337
ord920
ord3054
ord3810
ord3425
ord3880
ord5933
ord936
ord2814

msvcrt

_controlfp
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
_acmdln
exit
_XcptFilter
_exit
_onexit
__dllonexit
??1type_info@@UAE@XZ
strtok
strncmp
strncat
fwrite
_strlwr
srand
rand
time
malloc
free
fread
_ftol
strtoul
strncpy
_mbscmp
_itoa
strchr
sprintf
fopen
fclose
strstr
_open
_close
printf
_mbschr
_mbsstr
atoi
atol
_CxxThrowException
__CxxFrameHandler
__getmainargs
_filelength
_strcmpi
_stricmp
_memicmp
localtime
_mbstok

kernel32

ReleaseMutex
GetModuleHandleA
CreateMutexA
DeviceIoControl
SetLastError
WideCharToMultiByte
QueryDosDeviceA
GetStartupInfoA
GetProcessHeap
TlsFree
LocalAlloc
TlsSetValue
GetCurrentProcessId
OpenFile
CopyFileA
DeleteFileA
SetFileAttributesA
MoveFileExA
InterlockedDecrement
TlsGetValue
GetCurrentThreadId
lstrcmpiA
SetEvent
TlsAlloc
CreateEventA
GlobalAlloc
CreateNamedPipeA
ResetEvent
ConnectNamedPipe
WaitForMultipleObjects
ReadFile
DisconnectNamedPipe
GlobalFree
CreateWaitableTimerA
SetWaitableTimer
WaitForSingleObject
CancelWaitableTimer
SleepEx
SetConsoleCtrlHandler
GetModuleFileNameA
lstrcmpA
MultiByteToWideChar
GetVersionExA
GetComputerNameA
lstrcpynA
DeleteCriticalSection
InitializeCriticalSection
LoadLibraryA
GetProcAddress
FreeLibrary
GetExitCodeThread
CloseHandle
CreateThread
GetTickCount
Sleep
EnterCriticalSection
WriteFile
GetLastError
FormatMessageA
LocalFree
LeaveCriticalSection
GetSystemDirectoryA
lstrcatA
CreateFileA
SetFilePointer
lstrlenA
lstrcpyA
OutputDebugStringA
LoadLibraryA
GetProcAddress
GetLastError
FreeLibrary
InitializeCriticalSection
GetModuleFileNameW
GetModuleHandleW
TerminateProcess
GetCurrentProcess
DeleteCriticalSection
LoadLibraryW
CreateEventW
CompareStringW
SetLastError
GetModuleHandleA
VirtualProtect
GetTickCount
EnterCriticalSection
LeaveCriticalSection
VirtualFree
VirtualAlloc
WriteProcessMemory
CreateToolhelp32Snapshot
GetCurrentProcessId
GetCurrentThreadId
Thread32First
OpenThread
Thread32Next
CloseHandle
SuspendThread
ResumeThread
GetSystemInfo
LoadResource
MultiByteToWideChar
WideCharToMultiByte
FindResourceExW
FindResourceExA
GetThreadLocale
GetUserDefaultLCID
GetSystemDefaultLCID
EnumResourceNamesA
EnumResourceNamesW
EnumResourceLanguagesA
EnumResourceLanguagesW
EnumResourceTypesA
EnumResourceTypesW
HeapAlloc
HeapFree
HeapDestroy
HeapCreate
GetSystemTime
GetLocalTime
SystemTimeToFileTime
CompareFileTime
GetCommandLineA
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
LCMapStringA
LCMapStringW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
WriteFile
GetStdHandle
GetModuleFileNameA
RaiseException
Sleep
ExitProcess
SetHandleCount
GetFileType
GetStartupInfoA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
RtlUnwind
HeapSize
SetFilePointer
GetConsoleCP
GetConsoleMode
InitializeCriticalSectionAndSpinCount
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
CreateFileA
FlushFileBuffers
VirtualQuery
GetModuleFileNameW
GetModuleHandleA
LoadLibraryA
LocalAlloc
LocalFree
GetModuleFileNameA
ExitProcess

user32

wsprintfA
SendMessageA
IsWindow
CharLowerA
MessageBoxW
CharUpperBuffW

advapi32

RegOpenKeyExA
ControlService
StartServiceCtrlDispatcherA
SetServiceStatus
RegisterServiceCtrlHandlerA
CloseServiceHandle
CreateServiceA
OpenSCManagerA
DeleteService
RegCreateKeyExA
RegDeleteValueA
RegSetValueExA
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
OpenServiceA
RegQueryValueExA
RegCloseKey
QueryServiceStatus

ole32

CoInitializeEx
CoSetProxyBlanket
CoInitialize
CoUninitialize
CoCreateInstance

oleaut32

VariantClear
SysFreeString
SysAllocString
SysAllocStringByteLen
SysStringByteLen

setupapi

SetupDiGetDeviceRegistryPropertyA
SetupDiDestroyDeviceInfoList
SetupDiGetClassDevsA
SetupDiEnumDeviceInfo

Exports

Exports

�f��1vۘ�CL�N~��|�� A̺O�R�Q�Af��O��j��A�(l�*g�Qm�u��e&{�� *k��t:�Օ��L�4J�ߚ��g�ux�O��6��JWq,�)�$��!��Y^��6��T��QP'��M[_9�H�Ⱥ�<�mǟ-��V�bkΡ��wq"��/b�2>��į7#Z�^U�ד�,�d`��r-ʿ�[�v�u��.�r��ͨ�)��V42@b��-Y��G � ��C��^� ��c��:�"��ۗ 9�.��1��t^�L6A�֡�G��Z�a�%O�#iUܶ}}��y ��\זe]{�\a� #��3�ݎS��<�œf�\��V �C��"�*x��5�$��׻ � ��(��@��C��K�D�5y��3�ȱ#&a^�ao�+M��7��5P�L�硕�5j8�bq�r�biKC�� Y�i��g��G��f}�4�E��HQ��b�E�� \�W��q^��M�*�:�D��٢Kî��@�}"xn~�h��)�6�}L��"��d�Ѳ�o��$Qyp��[�<(.�_��Dg��Q�X��(��6 ��7:Z��b\р;{��Eh��5X1��,��.ے��r��٢�n,��y��])x�pS-:/L^�/�P�:��j��e��@�w]�!W�s��Z=p6��3 4�?�f��,�\�U�N\$6�=A�F�1��qY�VƳKR�Q V��f�5<i=o-D�y��)k�= ��iZ�.]iM�'&��j~�x�;�*�t��맷OW�[�d^��kv�M��΋��rx��$-�O�^Y��@��WlC8�+ �s�EeMJ�E1l<E��q_S8��u&�RC�?P�oѱ��*�RIc�đ@pQ�$�P:�z�^�<��:��x�%��@��a��)g:��9mE��2��{�2��r��ਓ�5��@�4^\f ��ިGߟev�_ݓ�ӴȠP�*�p��h�:��>[��3��5��Y�>k ��TmA@�|��F�i�l2~;XV�Й��X}H��)��E��w~��G��i�,QLc*�+kN��Dbj㑁v0��5��NF��4$��`>��7��Ӏ��N{<Q�N .��Hy�fT�7�|k�'��l_6H� Š��a,��P��k>ϑ��M��69�r��|>.�]��O��o��.Fp��_�B��)=��f :Q��a�|��xÎ(Q�|H�!e��c=��q39�Tis�gr��{^�@��a�t��x��Ь��1'�A�x8# ��Щ��f� �KEl2��I��}d�&`��;��E�Wh�@i @��0��ϵ�pՂ/��˩�T�l�`��^+��䷥�u��7��6�$樄ƶx�k*p�J#��*�U�G 2�B�]��͹�zG��E1��c��Y�ڸ�� "U�si��m7�7�RU(P��z��#��ꖣ�Ȩ�>�`�$)d��H��y��;Y�S��l�|�}��,(��%u��&i{�wp�ZG�/f�E|Vr� ��(T��H~`�)8Nqne��b��C�Jo!zRz�H76Cxb8M��2�6�}�� ;�>�<�p��O�3-r��DGo$:@�hÝI�5��b�a��M��n~0\��E ��/.��PS�yĨt��"B9�n��T1��V��(�8��iȊ�T��X�=+f�R��.ۭe'��&��4��UsS!,�{_�!�_g2s��W��2k��7�s��a:> �#Ti��`N�.o��[��z(��J��ʣ��(T.?&r�r1Ǿ�s��E��]$�1D��\f�\�2��Q��Yv�_��ݨ��4o��ѭR@��&�8�ܦx�"��̼��HTw#|��ŭ��Oc�2�4/��J�v��y��$ڲz��y�0g�%��a��Gp��R��X�` �_*Jm�=��P��P(�%�"Wb�Ű�Am�d�X,��DU��o��:��3S�K��F `V�'��ZN�"X(��ܦ��P��z�|�j\p�=w��Fb ��l&O@��#�X:i��y��5H +�6$��'�k��t�"U0��τ�<�P(�Y�Ɗ5�G��)��B ᤳ˜C��Ŋ(&s{0�u�,a�ҡ��;�:B��e�4�Ú�n�:h�`n�5��z.x5knɝ��fTمçЄ��sniY��=�&t�YL�� !c`�0�D-�Jԙ+?#؞[+k=흐Ѿ��bJ��R$��9k⎂R�Y�m��|@D��hS�� m��@'��Խ��dǛ}��+ƤORQ��Һ@��R&� �6��5�o��sd��3�v��w3�@��nI��1<miɫ��9o�ܼ,�)�E��ZL��7��bYwt�3�}�Ț�3�?�ƒw�"��_q��<��5tP�U2��4 ~��G`Q��J��_�2��g2��>��)e�#�Dv:�B�=��E�jx��u߹�t�Ҡ�3�VNo��ߵ�Q||]��h�b ��g��)Ԡ�zh��M!B�y[��V�{�F��ӅQ+`x��<cK7�CY+�S$��f�h}�BS��Tcc��?3N_8�I�tE�9J��t��J�,�v�.�z�GxiQ�u� 2#��Sc%��G<��L��< �>�l"Nԉ�,!7.�;焇c.l�2|��V�ub!ժ�,�C��&�s4�Tg��2�7� ��̏��͋�(�Q�"��R?�Bu��{{ ��*��[� ��Zvl��m�^��F'�Ʌ�q�l\

Sections

.text
Size: 156KB - Virtual size: 155KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 68KB - Virtual size: 75KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: 3.0MB - Virtual size: 3.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 4KB - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp1
Size: 72KB - Virtual size: 71KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.v-lizer
Size: 93KB - Virtual size: 93KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

67fbefe3ec0d5c6448ec6769a37b6ab5

Code Sign

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:beCertificate

Extended Key Usages

Key Usages

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fdCertificate

Extended Key Usages

Key Usages

2c:a1:97:df:be:66:5b:60:22:3d:b9:bb:c6:80:06:42Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

f1:53:42:8a:94:e8:7e:75:33:db:71:45:b1:82:92:e1:79:48:41:d4Signer

Signature Validations

Verification

21/04/2014, 06:41 Valid: false

Headers

File Characteristics

Imports

ws2_32

rpcrt4

crypt32

mfc42

msvcrt

kernel32

user32

advapi32

ole32

oleaut32

setupapi

Exports

Exports

Sections

.text Size: 156KB - Virtual size: 155KB

.rdata Size: 12KB - Virtual size: 11KB

.data Size: 68KB - Virtual size: 75KB

.vmp0 Size: 3.0MB - Virtual size: 3.0MB

.tls Size: 4KB - Virtual size: 24B

.vmp1 Size: 72KB - Virtual size: 71KB

.v-lizer Size: 93KB - Virtual size: 93KB

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:be
Certificate

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

2c:a1:97:df:be:66:5b:60:22:3d:b9:bb:c6:80:06:42
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

f1:53:42:8a:94:e8:7e:75:33:db:71:45:b1:82:92:e1:79:48:41:d4
Signer

21/04/2014, 06:41
Valid: false

.text
Size: 156KB - Virtual size: 155KB

.rdata
Size: 12KB - Virtual size: 11KB

.data
Size: 68KB - Virtual size: 75KB

.vmp0
Size: 3.0MB - Virtual size: 3.0MB

.tls
Size: 4KB - Virtual size: 24B

.vmp1
Size: 72KB - Virtual size: 71KB

.v-lizer
Size: 93KB - Virtual size: 93KB