Notepad++[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

Notepad++.exe
Size

9.3MB
MD5

72d3de3eea3c1a7039395f2914c3307c
SHA1

ca62f58c31e3332cfe7a89840bc2e2f27b03fca0
SHA256

ff9b36255a9b8bfe5e2a87bcb3b964005731b9789200168ab65d4352bcc20d1f
SHA512

086d96ea04086d4377383f8bed62de30aab513b628903130d2c184e2b2f6ffcac6214fdd2784f4fc45cd3c368027052b443a61bed3ea4b7754d6f55261adbae1
SSDEEP

196608:lGg6ivJJOI/uCSV7nhJXkzpVmUTt58g3VYfNKBTqGr87u:wgHvmrVzh22Ur3VOKnr7

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
sample	themida

Files

Notepad++.exe
.exe windows x86

dd2789256df2289a07a7ff7f35161563

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

Issuer

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

25/05/2021, 00:00

Not After

31/12/2028, 23:59

Subject

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

01:39:dd:e1:19:bb:32:0d:fb:9f:5d:ef:e3:f7:12:45
Certificate

Issuer

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

Not Before

10/11/2021, 00:00

Not After

09/11/2024, 23:59

Subject

CN=Hangil IT Co.\, Ltd,O=Hangil IT Co.\, Ltd,ST=Seoul,C=KR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0a
Certificate

Issuer

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Not Before

22/03/2021, 00:00

Not After

21/03/2036, 23:59

Subject

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

9a:d0:55:32:8c:9e:e8:5f:ff:1b:46:e3:fd:74:d6:8f:a0:3b:cf:4f
Signer

Actual PE Digest

9a:d0:55:32:8c:9e:e8:5f:ff:1b:46:e3:fd:74:d6:8f:a0:3b:cf:4f

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

true

Verification

Signing Certificate

CN=Hangil IT Co.\, Ltd,O=Hangil IT Co.\, Ltd,ST=Seoul,C=KR

30/03/2023, 11:01
Valid: true

Chain 1

CN=Hangil IT Co.\, Ltd,O=Hangil IT Co.\, Ltd,ST=Seoul,C=KR

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetModuleHandleA
GetSystemTimeAsFileTime
LocalAlloc
LocalFree
GetModuleFileNameW
ExitProcess
LoadLibraryA
GetModuleHandleA
GetProcAddress

mscoree

_CorExeMain

user32

CharUpperBuffW

Sections

Size: - Virtual size: 2.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: - Virtual size: 89KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.imports
Size: - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.äüö0
Size: - Virtual size: 90KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: - Virtual size: 5.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: - Virtual size: 2.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.taggant
Size: - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.äüö1
Size: - Virtual size: 2.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.äüö2
Size: 1024B - Virtual size: 856B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.äüö3
Size: 9.2MB - Virtual size: 9.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 90KB - Virtual size: 89KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

dd2789256df2289a07a7ff7f35161563

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16Certificate

Extended Key Usages

Key Usages

01:39:dd:e1:19:bb:32:0d:fb:9f:5d:ef:e3:f7:12:45Certificate

Extended Key Usages

Key Usages

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0aCertificate

Extended Key Usages

Key Usages

9a:d0:55:32:8c:9e:e8:5f:ff:1b:46:e3:fd:74:d6:8f:a0:3b:cf:4fSigner

Signature Validations

Verification

30/03/2023, 11:01 Valid: true

Chain 1

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

mscoree

user32

Sections

Size: - Virtual size: 2.2MB

Size: - Virtual size: 89KB

Size: - Virtual size: 12B

.imports Size: - Virtual size: 8KB

.äüö0 Size: - Virtual size: 90KB

.themida Size: - Virtual size: 5.1MB

.boot Size: - Virtual size: 2.9MB

.taggant Size: - Virtual size: 8KB

.äüö1 Size: - Virtual size: 2.2MB

.äüö2 Size: 1024B - Virtual size: 856B

.äüö3 Size: 9.2MB - Virtual size: 9.2MB

.rsrc Size: 90KB - Virtual size: 89KB

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

01:39:dd:e1:19:bb:32:0d:fb:9f:5d:ef:e3:f7:12:45
Certificate

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0a
Certificate

9a:d0:55:32:8c:9e:e8:5f:ff:1b:46:e3:fd:74:d6:8f:a0:3b:cf:4f
Signer

30/03/2023, 11:01
Valid: true

.imports
Size: - Virtual size: 8KB

.äüö0
Size: - Virtual size: 90KB

.themida
Size: - Virtual size: 5.1MB

.boot
Size: - Virtual size: 2.9MB

.taggant
Size: - Virtual size: 8KB

.äüö1
Size: - Virtual size: 2.2MB

.äüö2
Size: 1024B - Virtual size: 856B

.äüö3
Size: 9.2MB - Virtual size: 9.2MB

.rsrc
Size: 90KB - Virtual size: 89KB