File_pass1234[.]7z

Sharing

Copy URL Twitter E-mail

General

Target

File_pass1234.7z
Size

6.2MB
MD5

5bf114c794ba36e71d37eddf919f3d27
SHA1

691bb3110f1518566fe756b9ae9501a32eb50534
SHA256

de2b2a950a6fc58c7bf9b5f1924bdb4840d7504d889d24504f7d92d20b11e3f8
SHA512

7de3e0cfb8e41732b4399cba4ee62f7b54aa8bc01bfab2a4b919f70456571125ca269ec4c0e6f191e41ea72a24e282f14d0284ce2b675eb56bb217eea35f6ed4
SSDEEP

196608:/gB1vqVnFhlQZ2yx0SRkXZ8dy7jdiosReX4EoxWI:4zqJNe2ypR3AdioXPoT

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
static1/unpack001/Install.exe	themida

Files

File_pass1234.7z
.7z

Password: 1234
Install.exe
.exe windows x86

Password: 1234

38dcd61534bb51b3adf822611cbee22e

Code Sign

36:32:fe:ad:69:49:d3:b8:4f:cc:6e:1b:90:96:ed:6e
Certificate

Issuer

CN=MSI Pulse GL79 12UEK-088XRU Intel Core i5 12500H/ 3.3 GHz - 4.5 GHz/ 16384 Mb/ 17.3 Full HD 1920x1080/ 512 Gb SSD/ DVD nVidia GeForce RTX 3070 6144 DYS (9N7-17L314-088)

Not Before

19/04/2023, 12:10

Not After

20/04/2033, 12:10

Subject

CN=MSI Pulse GL79 12UEK-088XRU Intel Core i5 12500H/ 3.3 GHz - 4.5 GHz/ 16384 Mb/ 17.3 Full HD 1920x1080/ 512 Gb SSD/ DVD nVidia GeForce RTX 3070 6144 DYS (9N7-17L314-088)

90:39:7f:9a:d2:4a:3a:13:f2:bd:91:5f:08:38:a9:43
Certificate

Issuer

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

11/05/2022, 00:00

Not After

10/08/2033, 23:59

Subject

CN=Sectigo RSA Time Stamping Signer #3,O=Sectigo Limited,ST=Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/05/2019, 00:00

Not After

18/01/2038, 23:59

Subject

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

57:f4:a4:32:e1:11:46:b5:0f:47:35:f3:c5:67:8a:3d:b8:aa:57:8a:93:d7:2e:bf:eb:f5:39:84:29:2c:a6:52
Signer

Actual PE Digest

57:f4:a4:32:e1:11:46:b5:0f:47:35:f3:c5:67:8a:3d:b8:aa:57:8a:93:d7:2e:bf:eb:f5:39:84:29:2c:a6:52

Digest Algorithm

sha256

PE Digest Matches

false

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=MSI Pulse GL79 12UEK-088XRU Intel Core i5 12500H/ 3.3 GHz - 4.5 GHz/ 16384 Mb/ 17.3 Full HD 1920x1080/ 512 Gb SSD/ DVD nVidia GeForce RTX 3070 6144 DYS (9N7-17L314-088)

21/04/2023, 09:03
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetModuleHandleA
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

CharNextA
GetProcessWindowStation
GetUserObjectInformationW

advapi32

RegCloseKey

shell32

ShellExecuteA

ole32

CoCreateInstance

Sections

Size: - Virtual size: 2.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: - Virtual size: 168KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: - Virtual size: 120KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: - Virtual size: 1.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp2
Size: 6.1MB - Virtual size: 6.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_MEM_READ

.rsrc
Size: 120KB - Virtual size: 119KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
miutils.dll
.dll windows x86

Password: 1234

6a01bdb4f986ca85e321051fc8b67365

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

free
_i64tow_s
_purecall
_vsnwprintf
__CxxFrameHandler3
?what@exception@@UBEPBDXZ
_ui64tow_s
??1exception@@UAE@XZ
swscanf_s
fwprintf
_wcsdup
??0exception@@QAE@ABQBDH@Z
memcmp
_except_handler4_common
_onexit
wcsstr
_swprintf_c
__dllonexit
_wcsnicmp
_unlock
_lock
??1type_info@@UAE@XZ
?terminate@@YAXXZ
_initterm
getenv
malloc
_amsg_exit
_XcptFilter
_wcstoui64
memmove
memcpy
_CxxThrowException
??0exception@@QAE@ABQBD@Z
wcstod
wcschr
_wtoi
wcscpy_s
wcstoul
_wcsicmp
__iob_func
_wcstoi64
wcstol
??0exception@@QAE@ABV0@@Z
memset

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
HeapReAlloc
GetProcessHeap

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegEnumKeyExW
RegOpenKeyExW
RegGetValueW
RegCloseKey

api-ms-win-core-synch-l1-1-0

EnterCriticalSection
InitializeCriticalSection
DeleteCriticalSection
WaitForSingleObject
CreateEventW
ResetEvent
SetEvent
LeaveCriticalSection

api-ms-win-core-sysinfo-l1-1-0

GetSystemDirectoryW
GetTickCount64
GetComputerNameExW
GetSystemTimeAsFileTime
GetTickCount
GetSystemInfo

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-processthreads-l1-1-0

SwitchToThread
GetCurrentProcess
GetProcessId
TerminateProcess
GetCurrentProcessId
GetCurrentThreadId

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
LoadLibraryExW
GetModuleHandleW
LoadStringW
DisableThreadLibraryCalls
FreeLibrary

api-ms-win-core-localization-l1-2-0

GetThreadPreferredUILanguages
FormatMessageW

api-ms-win-core-com-l1-1-0

CoCreateInstance
CoCreateGuid
StringFromGUID2

api-ms-win-core-string-l1-1-0

MultiByteToWideChar

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
FileTimeToSystemTime

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventRegister
EventUnregister

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

ntdll

RtlGetCurrentProcessorNumber

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

??0CAutoSetActivityId@@QAE@XZ
??0CCritSec@@QAE@XZ
??0DynamicSchema@@QAE@XZ
??0IndicationSchema@@QAE@XZ
??0StaticSchema@@QAE@XZ
??0WMISchema@@QAE@XZ
??0WMISchema@@QAE@_N@Z
??1CAutoSetActivityId@@QAE@XZ
??1CCritSec@@QAE@XZ
??1WMISchema@@UAE@XZ
??4CAutoSetActivityId@@QAEAAV0@ABV0@@Z
??4CCritSec@@QAEAAV0@ABV0@@Z
?CreateInstance@DynamicSchema@@UAGJPBGPAUIWbemClassObject@@KPBU_MI_PropertySet@@_NAAPAU_MI_Instance@@PAUIConversionContext@@@Z
?CreateInstance@IndicationSchema@@UAGJPBGPAUIWbemClassObject@@KPBU_MI_PropertySet@@_NAAPAU_MI_Instance@@PAUIConversionContext@@@Z
?CreateInstance@StaticSchema@@UAGJPBGPAUIWbemClassObject@@KPBU_MI_PropertySet@@_NAAPAU_MI_Instance@@PAUIConversionContext@@@Z
?DeInitialize@WMISchema@@QAGJXZ
?GetFlags@MiSchema@@UBGJXZ
?GetMiClass@DynamicSchema@@UAGJPBG00PAPBU_MI_Class@@@Z
?GetMiClass@IndicationSchema@@UAGJPBG00PAPBU_MI_Class@@@Z
?GetMiClass@StaticSchema@@UAGJPBG00PAPBU_MI_Class@@@Z
?GetNoneCachedWmiClass@WMISchema@@UAGJPBGPAUIWbemServices@@AAV?$CComPtr@UIWbemClassObject@@@ATL@@PAUIConversionContext@@@Z
?GetWmiClass@WMISchema@@UAGJPBG0AAV?$CComPtr@UIWbemClassObject@@@ATL@@PAUIConversionContext@@@Z
?GetWmiIWbemServices@WMISchema@@UAGJPBGAAV?$CComPtr@UIWbemServices@@@ATL@@@Z
?Initialize@StaticSchema@@QAGJPBU_MI_Module@@@Z
?Initialize@WMISchema@@QAEX_N@Z
?SetFlags@MiSchema@@MAGJJ@Z
CimErrorFromErrorCode
CimError_Construct
CimStatusCodeFromWindowsError
ClassCache_AddClass
ClassCache_Delete
ClassCache_GetClass
ClassCache_New
Class_New
Config_GetProtocolHandlerDetails
Config_GetRegString
CreateConversionContext
GetCorrelationId
Instance_Clone
Instance_Construct
Instance_GetResourceURI
Instance_InitDynamic
Instance_IsDynamic
Instance_MatchKeys
Instance_New
Instance_SetElementArray
Instance_SetElementArrayItem
Instance_SetResourceURI
Instance_SetServerName
MI_Hash
MiErrorCategoryFromWindowsError
OSC_Batch_Destroy
OSC_Batch_Get
OSC_Batch_Strdup
OSC_StringToMiValue
OSC_Type_GetSize
PropertySet_New
PublishClientOperationInfo
PublishDebugInfo
PublishDebugMessage
PublishProviderResult
PublishProviderWriteError
PublishProviderWriteMessage
RCClass_AddClassQualifier
RCClass_AddClassQualifierArray
RCClass_AddClassQualifierArrayItem
RCClass_AddElement
RCClass_AddElementArray
RCClass_AddElementArrayItem
RCClass_AddElementQualifier
RCClass_AddElementQualifierArray
RCClass_AddElementQualifierArrayItem
RCClass_AddMethod
RCClass_AddMethodParameter
RCClass_AddMethodParameterQualifier
RCClass_AddMethodParameterQualifierArray
RCClass_AddMethodParameterQualifierArrayItem
RCClass_AddMethodQualifier
RCClass_AddMethodQualifierArray
RCClass_AddMethodQualifierArrayItem
RCClass_New
ResultFromHRESULT
ResultToHRESULT
RtlDeleteCachedFastLock
RtlInitializeCachedFastLock
RtlInterlockedCompareWait
RtlInterlockedWakeAll
RtlQueueAcquireCachedFastLockExclusive
RtlQueueAcquireCachedFastLockShared
RtlQueueAcquireFastLockExclusive
RtlQueueAcquireFastLockShared
RtlReleaseCachedFastLockExclusive
RtlReleaseCachedFastLockShared
RtlReleaseFastLockExclusive
RtlReleaseFastLockShared
RtlTryAcquireCachedFastLockShared
RtlTryAcquireFastLockExclusive
RtlTryAcquireFastLockShared
RtlpInitFastLock
RtlpReleaseIdleSlots
SetCorrelationIdToWbemContext
SetModifiedPropertyNamesToContext
WriteWBEM_MC_CLIENT_REQUEST_FAILURE
XMLDOM_Free
XMLDOM_Parse
XML_FormatError
XML_Init
XML_Next
XML_PutError
XML_RegisterNameSpace
XML_SetText
XML_StripWhitespace
_CimTypeToType@8
_CompareInstance@12
_CompareValue@12
_DestinationOptions_Create@8
_DestinationOptions_Duplicate@8
_DestinationOptions_MigrateOptions@16
_FindClassDecl@8
_FindMethodDecl@8
_FindQualifierInWMIObject@16
_GetMethodParameters@32
_GetReferenceFromWMIObjectPath@16
_InstanceToWMIEvent@16
_InstanceToWMIExtendedStatus@16
_InstanceToWMIObject@24
_IsLifeCycleIndicationQuery@12
_OperationOptions_CopyOptions@8
_OperationOptions_Create@12
_OperationOptions_MigrateOptions@8
_OptionsValueToContextValue@24
_Options_FindValue@8
_ParametersToWMIObject@40
_PropertyToVariant@20
_QualifierFlavorToWMI@4
_SetProperties@24
_SubscriptionDeliveryOptions_Create@12
_SubscriptionDeliveryOptions_MigrateOptions@8
_TypeToCimType@4
_ValueClear@8
_ValueToVariant@24
_VariantArrayToSafeArray@12
_VariantToValue@28
_WMIEventToCIMIndication@12
_WMIExtendedObjectToInstance@20
_WMIObjectToClass@20
_WMIObjectToInstance@28
_WMIQualifierFlavorToMI@8

Sections

.text
Size: 166KB - Virtual size: 166KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 131KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 84B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: 1234

Password: 1234

38dcd61534bb51b3adf822611cbee22e

Code Sign

36:32:fe:ad:69:49:d3:b8:4f:cc:6e:1b:90:96:ed:6eCertificate

90:39:7f:9a:d2:4a:3a:13:f2:bd:91:5f:08:38:a9:43Certificate

Extended Key Usages

Key Usages

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9Certificate

Extended Key Usages

Key Usages

57:f4:a4:32:e1:11:46:b5:0f:47:35:f3:c5:67:8a:3d:b8:aa:57:8a:93:d7:2e:bf:eb:f5:39:84:29:2c:a6:52Signer

Signature Validations

Verification

21/04/2023, 09:03 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

Sections

Size: - Virtual size: 2.0MB

Size: - Virtual size: 168KB

Size: - Virtual size: 34KB

Size: - Virtual size: 1.4MB

Size: - Virtual size: 41KB

.idata Size: - Virtual size: 4KB

.tls Size: - Virtual size: 4KB

.vmp0 Size: - Virtual size: 120KB

.themida Size: - Virtual size: 3.1MB

.boot Size: - Virtual size: 1.8MB

.vmp1 Size: - Virtual size: 1.4MB

.vmp2 Size: 6.1MB - Virtual size: 6.1MB

.reloc Size: 1KB - Virtual size: 1KB

.rsrc Size: 120KB - Virtual size: 119KB

Password: 1234

6a01bdb4f986ca85e321051fc8b67365

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

api-ms-win-core-heap-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

ntdll

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Exports

Exports

Sections

.text Size: 166KB - Virtual size: 166KB

.data Size: 2KB - Virtual size: 131KB

.idata Size: 4KB - Virtual size: 3KB

.didat Size: 512B - Virtual size: 84B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 10KB - Virtual size: 10KB

36:32:fe:ad:69:49:d3:b8:4f:cc:6e:1b:90:96:ed:6e
Certificate

90:39:7f:9a:d2:4a:3a:13:f2:bd:91:5f:08:38:a9:43
Certificate

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

57:f4:a4:32:e1:11:46:b5:0f:47:35:f3:c5:67:8a:3d:b8:aa:57:8a:93:d7:2e:bf:eb:f5:39:84:29:2c:a6:52
Signer

21/04/2023, 09:03
Valid: false

.idata
Size: - Virtual size: 4KB

.tls
Size: - Virtual size: 4KB

.vmp0
Size: - Virtual size: 120KB

.themida
Size: - Virtual size: 3.1MB

.boot
Size: - Virtual size: 1.8MB

.vmp1
Size: - Virtual size: 1.4MB

.vmp2
Size: 6.1MB - Virtual size: 6.1MB

.reloc
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 120KB - Virtual size: 119KB

.text
Size: 166KB - Virtual size: 166KB

.data
Size: 2KB - Virtual size: 131KB

.idata
Size: 4KB - Virtual size: 3KB

.didat
Size: 512B - Virtual size: 84B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 10KB - Virtual size: 10KB