4e361d0c964f035aa07e9b92f0726eeb6da809004a3a0110a14882d377e2ff29

Sharing

Copy URL Twitter E-mail

General

Target

4e361d0c964f035aa07e9b92f0726eeb6da809004a3a0110a14882d377e2ff29
Size

2.2MB
MD5

e51fa2b85f0bcf79c3641935df164648
SHA1

0805d4eec3a08d3e5b26cdcd9d6c1766902dc8a7
SHA256

4e361d0c964f035aa07e9b92f0726eeb6da809004a3a0110a14882d377e2ff29
SHA512

61bd10ae2508abebd8b9b47d022851e1a96d6df72e68beab3b1f80e0bfd025e132630640cd16d20acf095c898ba98473a586ed633b6118f833aecdc892bb32b7
SSDEEP

49152:q9v4YC7svXseUem93hPGI2ISfRGDNavL5JMQizKXtofc:q9v4YwsvXjUx93huIG53vhec

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Files

4e361d0c964f035aa07e9b92f0726eeb6da809004a3a0110a14882d377e2ff29
.exe windows x64

34dc4ded407e0ae64b408fd6ed966776

Code Sign

72:3f:42:40:15:b5:66:58:b0:88:23:75:3d:e0:b2:64
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

06/09/2018, 00:00

Not After

06/09/2019, 23:59

Subject

CN=浙江振创网络科技有限公司,O=浙江振创网络科技有限公司,L=金华市,ST=浙江省,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0a:f0:48:6b:eb:72:4d:59:d1:22:94:29:3f:56:dd:48:3c:9f:df:81
Signer

Actual PE Digest

0a:f0:48:6b:eb:72:4d:59:d1:22:94:29:3f:56:dd:48:3c:9f:df:81

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

fltmgr.sys

FltSetCallbackDataDirty
FltDoCompletionProcessingWhenSafe
FltRegisterFilter
FltUnregisterFilter
FltStartFiltering
FltLockUserBuffer
FltGetRequestorProcessIdEx
FltEnumerateFilters
FltObjectDereference
FltGetFileNameInformation
FltReleaseFileNameInformation
FltGetVolumeName
FltCreateFileEx
FltReadFile
FltQueryInformationFile
FltSetInformationFile
FltClose
FltGetVolumeInstanceFromName
FltGetVolumeFromFileObject
FltGetRequestorProcess

fwpkclnt.sys

FwpmBfeStateGet0
FwpmBfeStateSubscribeChanges0
FwpmBfeStateUnsubscribeChanges0
FwpmEngineOpen0
FwpmEngineClose0
FwpmTransactionBegin0
FwpmTransactionCommit0
FwpmTransactionAbort0
FwpmCalloutAdd0
FwpmCalloutDeleteById0
FwpmFilterAdd0
FwpmFilterDeleteById0
FwpmFilterGetById0
FwpsCalloutRegister1
FwpsCalloutUnregisterById0

ntoskrnl.exe

ZwClose
ZwOpenKeyEx
ZwQueryValueKey
RtlRandomEx
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
ExInitializeLookasideListEx
ExDeleteLookasideListEx
ExFlushLookasideListEx
RtlCopyUnicodeString
MmIsAddressValid
KeQueryTimeIncrement
ObReferenceObjectByHandle
PsGetCurrentProcessId
ExEventObjectType
RtlAppendUnicodeStringToString
RtlAppendUnicodeToString
DbgPrint
ExAllocatePoolWithTag
ExFreePoolWithTag
MmMapLockedPagesSpecifyCache
__C_specific_handler
KeInitializeEvent
KeSetEvent
KeWaitForSingleObject
PsTerminateSystemThread
IoGetTopLevelIrp
IoSetTopLevelIrp
ObfDereferenceObject
FsRtlIsPagingFile
sprintf_s
strlen
KeClearEvent
IoCreateFile
ZwQueryInformationFile
ZwSetInformationFile
ZwWriteFile
_vsnprintf
wcslen
ObRegisterCallbacks
ObUnRegisterCallbacks
ObGetFilterVersion
PsGetProcessId
_vsnwprintf
PsProcessType
PsThreadType
_wcsnicmp
RtlUnicodeStringToInteger
PsSetCreateProcessNotifyRoutine
ZwTerminateProcess
ZwOpenProcess
PsLookupProcessByProcessId
PsSuspendProcess
IoThreadToProcess
CmRegisterCallback
CmUnRegisterCallback
strcat_s
wcsncpy
RtlUnicodeStringToAnsiString
IoCreateSynchronizationEvent
strncpy
DbgSetDebugFilterState
ExAllocatePool
RtlFreeAnsiString
IoCreateSymbolicLink
IoCreateDevice
RtlAssert
PsGetProcessPeb
_strnicmp
PsSetLoadImageNotifyRoutine
wcsnlen
PsSetCreateThreadNotifyRoutine
KeReleaseSpinLock
RtlInitUnicodeString
RtlRandom
PsRemoveLoadImageNotifyRoutine
PsGetVersion
ZwAllocateVirtualMemory
KeAcquireSpinLockRaiseToDpc
strncat
wcsncat
wcsncmp
KeInitializeMutex
RtlEqualUnicodeString
KeReleaseMutex
RtlCompareMemory
IofCallDriver
IoDriverObjectType
ObReferenceObjectByName
strncmp
RtlAnsiStringToUnicodeString
MmGetSystemRoutineAddress
RtlInitAnsiString
KeDelayExecutionThread
RtlFreeUnicodeString
ObOpenObjectByPointer
IoDeleteDevice
IoGetDeviceObjectPointer
IoAttachDeviceToDeviceStack
ZwReadFile
IoFreeMdl
ZwCreateFile
IoAllocateMdl
IoBuildDeviceIoControlRequest
ZwQuerySymbolicLinkObject
ZwQuerySystemInformation
ZwOpenSymbolicLinkObject
wcscpy_s
KeInitializeApc
ZwMapViewOfSection
KeInsertQueueApc
ZwUnmapViewOfSection
ZwCreateSection
_wcsicmp
RtlTimeToTimeFields
RtlGetVersion
ExSystemTimeToLocalTime
ExAcquireSpinLockSharedAtDpcLevel
ExAcquireSpinLockShared
ExReleaseSpinLockSharedFromDpcLevel
ExReleaseSpinLockShared
ExAcquireSpinLockExclusiveAtDpcLevel
ExAcquireSpinLockExclusive
ExReleaseSpinLockExclusiveFromDpcLevel
ExReleaseSpinLockExclusive
MmProbeAndLockPages
MmUnlockPages
IoDeleteSymbolicLink
PsGetProcessInheritedFromUniqueProcessId
ZwQueryInformationProcess
PsRemoveCreateThreadNotifyRoutine
ObQueryNameString
KeBugCheckEx
IofCompleteRequest
PsCreateSystemThread
_stricmp
NtQuerySystemInformation
ZwClose
ZwWaitForSingleObject
ZwDeviceIoControlFile
ZwOpenFile
_wcsnicmp
ZwEnumerateKey
ZwOpenKey
RtlInitUnicodeString
ZwCreateEvent
ZwQueryValueKey
KeRevertToUserAffinityThread
KeSetSystemAffinityThread
ExFreePoolWithTag
MmGetSystemRoutineAddress
ZwCreateFile
KeQueryTimeIncrement
RtlTimeToTimeFields
ExSystemTimeToLocalTime
DbgBreakPointWithStatus
IoAllocateMdl
IoFreeMdl
MmUnlockPages
MmMapLockedPagesSpecifyCache
MmProbeAndLockPages
KeWaitForSingleObject
KeReleaseMutex
KeInitializeMutex
ExAllocatePool
__C_specific_handler
KeQueryActiveProcessors
DbgPrint
ExAllocatePool
NtQuerySystemInformation
ExFreePoolWithTag
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
KeQueryActiveProcessors
KeSetSystemAffinityThread
KeRevertToUserAffinityThread
DbgPrint

tdi.sys

TdiMapUserRequest

hal

KeQueryPerformanceCounter
KeQueryPerformanceCounter

Sections

.text
Size: 155KB - Virtual size: 154KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: 1.7MB - Virtual size: 1.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp1
Size: 295KB - Virtual size: 295KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 192B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 856B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

34dc4ded407e0ae64b408fd6ed966776

Code Sign

72:3f:42:40:15:b5:66:58:b0:88:23:75:3d:e0:b2:64Certificate

Extended Key Usages

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

0a:f0:48:6b:eb:72:4d:59:d1:22:94:29:3f:56:dd:48:3c:9f:df:81Signer

Headers

DLL Characteristics

File Characteristics

Imports

fltmgr.sys

fwpkclnt.sys

ntoskrnl.exe

tdi.sys

hal

Sections

.text Size: 155KB - Virtual size: 154KB

.rdata Size: 11KB - Virtual size: 11KB

.data Size: 1024B - Virtual size: 7KB

.pdata Size: 6KB - Virtual size: 5KB

INIT Size: 5KB - Virtual size: 5KB

.vmp0 Size: 1.7MB - Virtual size: 1.7MB

.vmp1 Size: 295KB - Virtual size: 295KB

.reloc Size: 512B - Virtual size: 192B

.rsrc Size: 1024B - Virtual size: 856B

72:3f:42:40:15:b5:66:58:b0:88:23:75:3d:e0:b2:64
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

0a:f0:48:6b:eb:72:4d:59:d1:22:94:29:3f:56:dd:48:3c:9f:df:81
Signer

.text
Size: 155KB - Virtual size: 154KB

.rdata
Size: 11KB - Virtual size: 11KB

.data
Size: 1024B - Virtual size: 7KB

.pdata
Size: 6KB - Virtual size: 5KB

INIT
Size: 5KB - Virtual size: 5KB

.vmp0
Size: 1.7MB - Virtual size: 1.7MB

.vmp1
Size: 295KB - Virtual size: 295KB

.reloc
Size: 512B - Virtual size: 192B

.rsrc
Size: 1024B - Virtual size: 856B