unpacked_30295a4c[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

unpacked_30295a4c.exe
Size

9.5MB
MD5

d469a579506ac4338300d4fb1765a663
SHA1

0ed9dafd29d01c1268b435de0f8d5d9b14c49970
SHA256

e686c86cc9ad4ffd1c30243e60d424c1aa836739e6344009d203bbb1b3116269
SHA512

a21305b12a16af77d6d07b96299548f3387ab4b38fbf1c5b596191500721b10193a4c8cd1566d61ddb15c1c0ea74c03954d117e9a3a97ad46633ae1ff88430e7
SSDEEP

196608:7MhQc7AVYt5/twdjj0c2ZPj03DN14gIdrfN:7CQ7C5/Kj2N03pbIR

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
sample	themida

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpacked_30295a4c.exe

Files

unpacked_30295a4c.exe
.exe windows x64

845c8b9122d3397d6773dbf44ae44f3a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

GetCurrentHwProfileW

iphlpapi

GetAdaptersInfo

kernel32

GetStdHandle
DeviceIoControl
InitializeCriticalSectionEx
GetModuleHandleA
Sleep
GetLastError
GetFileAttributesA
CreateFileA
GetCurrentProcess
CloseHandle
K32GetModuleInformation
DeleteCriticalSection
CreateDirectoryA
lstrlenW
InitializeSListHead
GetSystemTimeAsFileTime
SetConsoleTextAttribute
DeleteFileA
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetProcAddress
GetModuleHandleW
CreateEventW
WaitForSingleObjectEx
ResetEvent
SetEvent
InitializeCriticalSectionAndSpinCount
LocalFree
MultiByteToWideChar
LeaveCriticalSection
EnterCriticalSection
OutputDebugStringW
IsDebuggerPresent
VirtualProtect

msvcp140

??0_Locinfo@std@@QEAA@PEBD@Z
??1_Locinfo@std@@QEAA@XZ
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
_Cnd_signal
_Thrd_hardware_concurrency
_Cnd_init_in_situ
_Strxfrm
_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Throw_Cpp_error@std@@YAXH@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Xbad_alloc@std@@YAXXZ
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?_Xbad_function_call@std@@YAXXZ
?_Throw_C_error@std@@YAXH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$ctype@D@std@@2V0locale@2@A
?_Random_device@std@@YAIXZ
?_Xlength_error@std@@YAXPEBD@Z
?id@?$collate@D@std@@2V0locale@2@A
_Mtx_destroy_in_situ
_Mtx_lock
_Mtx_init_in_situ
_Strcoll
_Cnd_do_broadcast_at_thread_exit
_Thrd_sleep
_Cnd_wait
?GetCurrentThreadId@platform@details@Concurrency@@YAJXZ
_Query_perf_counter
_Thrd_detach
_Xtime_get_ticks
_Thrd_join
_Mtx_unlock
_Cnd_broadcast
?is@?$ctype@G@std@@QEBA_NFG@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?overflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHH@Z
?overflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHH@Z
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?overflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHH@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?seekoff@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA?AV?$fpos@U_Mbstatet@@@2@_JHH@Z
?seekoff@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA?AV?$fpos@U_Mbstatet@@@2@_JHH@Z
??4?$_Iosb@H@std@@QEAAAEAV01@$$QEAV01@@Z
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV?$basic_ios@DU?$char_traits@D@std@@@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
?ignore@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@V?$fpos@U_Mbstatet@@@2@@Z
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??_D?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
?is@?$ctype@G@std@@QEBA_NFG@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
??1?$codecvt@DDU_Mbstatet@@@std@@MEAA@XZ
??0facet@locale@std@@IEAA@_K@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Incref@facet@locale@std@@UEAAXXZ
??Bid@locale@std@@QEAA_KXZ

oleaut32

SysFreeString
SysAllocString
VariantClear

vcruntime140

memcmp
memcpy
__std_exception_destroy
__std_exception_copy
__std_terminate
strchr
memcpy
memset
_CxxThrowException
__current_exception
__current_exception_context
__C_specific_handler
memchr

vcruntime140_1

__CxxFrameHandler4

ws2_32

send
WSASocketW
listen
shutdown
select
socket
closesocket
bind
WSAStartup
accept
htons
__WSAFDIsSet
connect
WSACleanup
getaddrinfo
WSAGetLastError
setsockopt
getnameinfo
ioctlsocket
getpeername
FreeAddrInfoW
getsockopt
recv

ucrtbase

strtol
strtoul
strtod
_strtoui64
_strtoi64
getenv
_unlock_file
_access_s
_lock_file
free
_set_new_mode
realloc
_callnewh
malloc
localeconv
_configthreadlocale
__setusermatherr
_dclass
_crt_atexit
_cexit
_seh_filter_exe
_set_app_type
_register_onexit_function
_get_initial_narrow_environment
_initterm
_initterm_e
_Exit
exit
__p___argc
__p___argv
_c_exit
_register_thread_local_exe_atexit_callback
_initialize_onexit_table
_invalid_parameter_noinfo_noreturn
_beginthreadex
system
terminate
_initialize_narrow_environment
_errno
_configure_narrow_argv
_set_fmode
fputc
fopen
fsetpos
__acrt_iob_func
ungetc
_fseeki64
fflush
setvbuf
fgetpos
__stdio_common_vsprintf
fclose
fwrite
_get_stream_buffer_pointers
fgets
__p__commode
fgetc
fread
__stdio_common_vfprintf
tolower
isdigit
isspace
_stricmp
strncpy
_time64

d3d9

Direct3DCreate9

ole32

CoSetProxyBlanket
CoCreateInstance
CoInitializeSecurity
CoUninitialize
CoInitializeEx

Sections

.text
Size: 243KB - Virtual size: 244KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 61KB - Virtual size: 72KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 29KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 10KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 19KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 108KB - Virtual size: 112KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.imports
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 108KB - Virtual size: 112KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: 5.7MB - Virtual size: 5.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 3.3MB - Virtual size: 3.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ

.SCY
Size: 11KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

845c8b9122d3397d6773dbf44ae44f3a

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

iphlpapi

kernel32

msvcp140

oleaut32

vcruntime140

vcruntime140_1

ws2_32

ucrtbase

d3d9

ole32

Sections

.text Size: 243KB - Virtual size: 244KB

Size: 1KB - Virtual size: 4KB

Size: 61KB - Virtual size: 72KB

Size: 29KB - Virtual size: 32KB

Size: 10KB - Virtual size: 12KB

Size: 19KB - Virtual size: 20KB

Size: 108KB - Virtual size: 112KB

Size: 1KB - Virtual size: 4KB

.imports Size: 1KB - Virtual size: 4KB

.tls Size: 512B - Virtual size: 4KB

.rsrc Size: 108KB - Virtual size: 112KB

.themida Size: 5.7MB - Virtual size: 5.7MB

.boot Size: 3.3MB - Virtual size: 3.3MB

.reloc Size: 512B - Virtual size: 4KB

.SCY Size: 11KB - Virtual size: 12KB

.text
Size: 243KB - Virtual size: 244KB

.imports
Size: 1KB - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 4KB

.rsrc
Size: 108KB - Virtual size: 112KB

.themida
Size: 5.7MB - Virtual size: 5.7MB

.boot
Size: 3.3MB - Virtual size: 3.3MB

.reloc
Size: 512B - Virtual size: 4KB

.SCY
Size: 11KB - Virtual size: 12KB