022db0f32428e80e79271f0b1fb758c513bd1b3c123a166e8e99fc2b2df860dd

Sharing

Copy URL Twitter E-mail

General

Target

022db0f32428e80e79271f0b1fb758c513bd1b3c123a166e8e99fc2b2df860dd
Size

5.1MB
MD5

7734f8e47d892258bf19ce6e6b788bbd
SHA1

b9bb57b53fee0c2c81e73982db845b249bee9991
SHA256

022db0f32428e80e79271f0b1fb758c513bd1b3c123a166e8e99fc2b2df860dd
SHA512

d216f7b866ca0ce7cfd02b6de66edcd4545a680f55d59efce477cc41c94dd1adb91f242004f0ba38f5f0f7c989c9229e611eef4af46a4bbd0d931915ea6c7c30
SSDEEP

49152:tBK1T8EbeuRFFMOJxosfpxq9A/vRfrgiGo04H323AUqlm197cmRszB4QA8HB:tsN8EPXed2/vhPLN323eQxcmRsFAm

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
sample	themida

Files

022db0f32428e80e79271f0b1fb758c513bd1b3c123a166e8e99fc2b2df860dd
.exe windows x64

Code Sign

48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0f
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

15/06/2016, 00:00

Not After

15/06/2024, 00:00

Subject

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageOCSPSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

77:00:6a:fb:54:16:03:51:95:78:42:49
Certificate

Issuer

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

Not Before

29/10/2018, 16:49

Not After

29/01/2022, 16:49

Subject

SERIALNUMBER=HRB 4920,CN=JAM Software GmbH,O=JAM Software GmbH,STREET=Am Wissenschaftspark 26,L=Trier,ST=Rheinland-Pfalz,C=DE,1.3.6.1.4.1.311.60.2.1.1=#1308576974746c696368,1.3.6.1.4.1.311.60.2.1.2=#130f526865696e6c616e642d5066616c7a,1.3.6.1.4.1.311.60.2.1.3=#13024445,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

01:a8:f7:25:76:dc:7b:14:7a:18:63:9e:8d:4d:eb:37
Certificate

Issuer

CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

Not Before

28/01/2021, 11:08

Not After

01/03/2032, 11:08

Subject

CN=Globalsign TSA for CodeSign1 - R6,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Not Before

20/06/2018, 00:00

Not After

10/12/2034, 00:00

Subject

CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Not Before

10/12/2014, 00:00

Not After

10/12/2034, 00:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

95:1a:00:f2:61:0d:aa:c9:e3:62:a6:c7:43:c3:8f:57:18:aa:62:86:37:fe:9d:c4:36:3c:7d:78:51:c7:8e:e6
Signer

Actual PE Digest

95:1a:00:f2:61:0d:aa:c9:e3:62:a6:c7:43:c3:8f:57:18:aa:62:86:37:fe:9d:c4:36:3c:7d:78:51:c7:8e:e6

Digest Algorithm

sha256

PE Digest Matches

false

Signature Validations

Trusted

true

Verification

Signing Certificate

SERIALNUMBER=HRB 4920,CN=JAM Software GmbH,O=JAM Software GmbH,STREET=Am Wissenschaftspark 26,L=Trier,ST=Rheinland-Pfalz,C=DE,1.3.6.1.4.1.311.60.2.1.1=#1308576974746c696368,1.3.6.1.4.1.311.60.2.1.2=#130f526865696e6c616e642d5066616c7a,1.3.6.1.4.1.311.60.2.1.3=#13024445,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

29/11/2021, 11:26
Valid: true

Chain 1

SERIALNUMBER=HRB 4920,CN=JAM Software GmbH,O=JAM Software GmbH,STREET=Am Wissenschaftspark 26,L=Trier,ST=Rheinland-Pfalz,C=DE,1.3.6.1.4.1.311.60.2.1.1=#1308576974746c696368,1.3.6.1.4.1.311.60.2.1.2=#130f526865696e6c616e642d5066616c7a,1.3.6.1.4.1.311.60.2.1.3=#13024445,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Size: 484KB - Virtual size: 488KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 144KB - Virtual size: 143KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.themida
Size: 4.5MB - Virtual size: 4.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

Code Sign

48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0fCertificate

Extended Key Usages

Key Usages

77:00:6a:fb:54:16:03:51:95:78:42:49Certificate

Extended Key Usages

Key Usages

01:a8:f7:25:76:dc:7b:14:7a:18:63:9e:8d:4d:eb:37Certificate

Extended Key Usages

Key Usages

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74Certificate

Key Usages

45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51Certificate

Key Usages

95:1a:00:f2:61:0d:aa:c9:e3:62:a6:c7:43:c3:8f:57:18:aa:62:86:37:fe:9d:c4:36:3c:7d:78:51:c7:8e:e6Signer

Signature Validations

Verification

29/11/2021, 11:26 Valid: true

Chain 1

Headers

DLL Characteristics

File Characteristics

Sections

Size: 484KB - Virtual size: 488KB

.rsrc Size: 144KB - Virtual size: 143KB

.idata Size: 512B - Virtual size: 8KB

.themida Size: 4.5MB - Virtual size: 4.5MB

48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0f
Certificate

77:00:6a:fb:54:16:03:51:95:78:42:49
Certificate

01:a8:f7:25:76:dc:7b:14:7a:18:63:9e:8d:4d:eb:37
Certificate

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74
Certificate

45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51
Certificate

95:1a:00:f2:61:0d:aa:c9:e3:62:a6:c7:43:c3:8f:57:18:aa:62:86:37:fe:9d:c4:36:3c:7d:78:51:c7:8e:e6
Signer

29/11/2021, 11:26
Valid: true

.rsrc
Size: 144KB - Virtual size: 143KB

.idata
Size: 512B - Virtual size: 8KB

.themida
Size: 4.5MB - Virtual size: 4.5MB