General
Target: Main_installerz_orig.exe
Size: 760.8MB
MD5: a35d2a15af93729a75b106396d289490
SHA1: 2c036421fb7f54947fdc5178c94380008172acad
SHA256: 49013b1dd60835b12dba909737894009ee608e39f548549160f6f849fbe584c8
SHA512: 0f838b07b34e3b3b501b88e3d9bc8e242f7a2bf9628b72bb3e71a3b7c2fb6ef57f1c720b219804da474f14b856533b5f41ac47f013a25efeeaf7dafbdc0cc96e
SSDEEP: 98304:cjXMYpuLnmMYaVn6oRx675Boi3rX9KSCGz6WWJ4KRlMpgpyro:cTPuLnmB1zoi7RbzBW9DPpyE
Malware Config
Signatures
yara_rule: resource sample, rule vmprotect
Unsigned PE (1 IoCs): Checks for missing Authenticode signature.
resource: Main_installerz_orig.exe
Files
Main_installerz_orig.exe.exe windows x64 5893e69089e19900fac24ac96df96468
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
ntdll
memset
wtsapi32
WTSSendMessageW
kernel32
GetSystemTimeAsFileTime
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress
user32
GetUserObjectInformationW
GetProcessWindowStation
GetUserObjectInformationW
Exports
Sections
.text Size: - Virtual size: 2.9MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: - Virtual size: 14KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: - Virtual size: 1.1MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: - Virtual size: 47KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
[0] Size: 754.4MB - Virtual size: 754.4MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.vmp0 Size: - Virtual size: 3.1MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.vmp1 Size: 6.3MB - Virtual size: 6.3MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 105KB - Virtual size: 104KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ