unpacked_z32denox4s[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

unpacked_z32denox4s.exe
Size

37.7MB
MD5

775c429471986830d018582c574ba8d5
SHA1

13b8d331f29b21834af245bddde69edb477d8559
SHA256

3f1d5a2fbc8b7e3db55519333ca22cae56e4e632fc0d4942a997f568d3154778
SHA512

86235f9d2e2e3bc47e5d35b07b7c175d54fac77087942235be430cb3014bb99258c4adffb44e8ccf34180d595e7117451913bbd77975245ac5c6c92413be185a
SSDEEP

786432:O19MbtdZWjmb2IQjvG7pnKKSkhGAqqyxWcAr:O1ObtPW82IQjMpnKKSkXqqh

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
sample	themida

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpacked_z32denox4s.exe

Files

unpacked_z32denox4s.exe
.exe windows:6 windows x64

c9d039c79a822a22e636d28b8c638960

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

RegQueryValueExA
ReportEventW
RegisterEventSourceW
DeregisterEventSource
GetUserNameW
SetNamedSecurityInfoW
SetEntriesInAclW
RegEnumValueW
RegDeleteValueW
FreeSid
AllocateAndInitializeSid
RegDeleteKeyA
RegCreateKeyA
InitiateShutdownW
RegCreateKeyExW
LookupPrivilegeValueW
GetTokenInformation
AdjustTokenPrivileges
OpenProcessToken
RegSetValueExW
RegSetValueExA
RegQueryValueExW
RegOpenKeyExW
RegOpenKeyExA
RegDeleteValueA
RegCloseKey

comctl32

InitCommonControls

gdi32

CreateDCW
CreateCompatibleDC
CreateCompatibleBitmap
DeleteObject
SetTextColor
SetBkMode
GetStockObject
CreateFontA
BitBlt
SelectObject

iphlpapi

GetIfEntry2
FreeMibTable
GetIfTable2Ex

kernel32

GetShortPathNameW
SetFileAttributesA
GetTempPathA
DeviceIoControl
CreateProcessW
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
LocalFree
lstrcpyW
lstrcatW
GetLogicalDriveStringsA
SetLastError
GetSystemTime
SystemTimeToFileTime
GetModuleHandleExW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
GetCurrentThreadId
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SwitchToFiber
DeleteFiber
CreateFiber
FindFirstFileW
MultiByteToWideChar
WideCharToMultiByte
GetFileType
WriteFile
DeleteFileA
VirtualProtect
QueryPerformanceCounter
GetSystemTimeAsFileTime
RtlVirtualUnwind
FreeLibrary
LoadLibraryW
TerminateProcess
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
GetModuleHandleW
GetProcAddress
ConvertThreadToFiber
InitializeSListHead
GetStartupInfoW
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
CreateEventW
WaitForSingleObjectEx
ResetEvent
SetEvent
InitOnceComplete
InitOnceBeginInitialize
GetFileAttributesA
FindNextFileW
FindClose
CreateFileA
GetEnvironmentVariableW
CloseHandle
WaitForSingleObject
CreateProcessA
GetSystemDirectoryA
LoadLibraryA
CreateFileW
GetDriveTypeA
GetLastError
Sleep
GetCurrentProcess
GlobalAlloc
GlobalUnlock
SetConsoleTitleA
SetConsoleTextAttribute
AttachConsole
FreeConsole
AllocConsole
GetStdHandle
GetExitCodeProcess
Process32NextW
Process32FirstW
ConvertFiberToThread
CreateToolhelp32Snapshot
GetThreadId
CreateThread
GetCurrentProcessId
GlobalLock
CheckRemoteDebuggerPresent
IsDebuggerPresent
RtlCompareMemory
RtlLookupFunctionEntry
GlobalFree

msvcp140

_Query_perf_counter
_Query_perf_frequency
_Thrd_sleep
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV?$basic_ios@DU?$char_traits@D@std@@@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?_Incref@facet@locale@std@@UEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
_Xtime_get_ticks
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?id@?$numpunct@D@std@@2V0locale@2@A
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Random_device@std@@YAIXZ
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_K@Z
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?_Xbad_alloc@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
?_Xout_of_range@std@@YAXPEBD@Z
?__ExceptionPtrCreate@@YAXPEAX@Z
?__ExceptionPtrDestroy@@YAXPEAX@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
?__ExceptionPtrToBool@@YA_NPEBX@Z
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
_Mtx_init_in_situ
_Mtx_destroy_in_situ
_Mtx_lock
_Mtx_unlock
_Cnd_init_in_situ
?is@?$ctype@G@std@@QEBA_NFG@Z
_Cnd_wait
_Cnd_broadcast
_Cnd_register_at_thread_exit
_Cnd_unregister_at_thread_exit
?_Throw_C_error@std@@YAXH@Z
?_Syserror_map@std@@YAPEBDH@Z
?_Xbad_function_call@std@@YAXXZ
?_Schedule_chore@details@Concurrency@@YAHPEAU_Threadpool_chore@12@@Z
?_Release_chore@details@Concurrency@@YAXPEAU_Threadpool_chore@12@@Z
?_ReportUnobservedException@details@Concurrency@@YAXXZ
?GetCurrentThreadId@platform@details@Concurrency@@YAJXZ
?_CallInContext@_ContextCallback@details@Concurrency@@QEBAXV?$function@$$A6AXXZ@std@@_N@Z
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
??0?$_Yarn@D@std@@QEAA@XZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?_Throw_future_error@std@@YAXAEBVerror_code@1@@Z
?_Rethrow_future_exception@std@@YAXVexception_ptr@1@@Z
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
?uncaught_exceptions@std@@YAHXZ
??0_Locinfo@std@@QEAA@PEBD@Z
??1_Locinfo@std@@QEAA@XZ
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
?_C_str@?$_Yarn@D@std@@QEBAPEBDXZ
??Bid@locale@std@@QEAA_KXZ
??0facet@locale@std@@IEAA@_K@Z
??1?$codecvt@DDU_Mbstatet@@@std@@MEAA@XZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
??4?$_Iosb@H@std@@QEAAAEAV01@$$QEAV01@@Z

oleaut32

SysFreeString
SysAllocString
VariantInit
VariantClear

shell32

ShellExecuteW

user32

ReleaseDC
GetSystemMetrics
LoadIconW
LoadCursorW
GetParent
GetWindowTextA
SetWindowTextA
UpdateWindow
PeekMessageW
DefWindowProcW
PostQuitMessage
RegisterClassExW
CreateWindowExW
ShowWindow
CheckDlgButton
IsDlgButtonChecked
SendMessageA
CreateWindowExA
GetUserObjectInformationW
SetFocus
EmptyClipboard
SetClipboardData
CloseClipboard
OpenClipboard
GetNextDlgTabItem
MessageBoxA
TranslateMessage
DispatchMessageW
MessageBoxW
GetProcessWindowStation

vcruntime140

__std_terminate
memcmp
__C_specific_handler
strchr
strrchr
wcsstr
strstr
__current_exception
__std_exception_copy
__std_exception_destroy
memchr
_CxxThrowException
memcpy
memcpy
memset
__current_exception_context
_purecall

vcruntime140_1

__CxxFrameHandler4

ws2_32

WSASetLastError
getaddrinfo
WSACleanup
socket
send
recv
connect
closesocket
WSAGetLastError
WSAStartup

ucrtbase

strtoul
atoi
strtol
getenv
_unlock_file
_stat64i32
_lock_file
calloc
realloc
_callnewh
malloc
_set_new_mode
free
_configthreadlocale
localeconv
_dclass
__setusermatherr
_fdsign
_dsign
_fdclass
_dclass
_dsign
_get_narrow_winmain_command_line
_c_exit
_invalid_parameter_noinfo_noreturn
exit
_Exit
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
strerror_s
_register_onexit_function
_crt_atexit
_initterm_e
_initterm
_set_app_type
_register_thread_local_exe_atexit_callback
terminate
_errno
_cexit
_seh_filter_exe
raise
abort
signal
feof
ferror
fgets
_fileno
_flushall
fopen
__acrt_iob_func
ftell
__stdio_common_vfprintf
_close
_lseek
_read
_setmode
_write
_sopen_dispatch
freopen_s
__p__commode
__stdio_common_vsprintf_s
clearerr
__stdio_common_vswprintf
_getcwd
__stdio_common_vsprintf
ungetc
setvbuf
fwrite
_fseeki64
fsetpos
fread
fputc
fgetpos
fgetc
__stdio_common_vsscanf
fflush
fclose
_wfopen
_get_stream_buffer_pointers
_set_fmode
fputs
fseek
strspn
strcspn
strcmp
isalpha
_strnicmp
_stricmp
isupper
strncmp
isdigit
strncpy
islower
isspace
toupper
_mktime64
_gmtime64_s
_time64
rand
qsort
srand

bcrypt

BCryptGenRandom

gdiplus

GdipFree
GdipGetImageEncoders
GdipAlloc
GdiplusShutdown
GdipCloneImage
GdipDisposeImage
GdipSaveImageToFile
GdipGetImageEncodersSize
GdipCreateBitmapFromHBITMAP
GdiplusStartup

ntdll

NtClose
RtlInitUnicodeString
RtlCaptureContext
NtWaitForSingleObject

combase

CoInitializeSecurity
CoSetProxyBlanket
CoCreateInstance
CoCreateGuid

urlmon

URLDownloadToFileA

Exports

Exports

OPENSSL_Applink

Sections

.text
Size: 1.7MB - Virtual size: 1.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 705KB - Virtual size: 720KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 28KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 70KB - Virtual size: 72KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 196KB - Virtual size: 200KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.edata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 196KB - Virtual size: 200KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: 22.5MB - Virtual size: 22.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 12.3MB - Virtual size: 12.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ

.SCY
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

c9d039c79a822a22e636d28b8c638960

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

comctl32

gdi32

iphlpapi

kernel32

msvcp140

oleaut32

shell32

user32

vcruntime140

vcruntime140_1

ws2_32

ucrtbase

bcrypt

gdiplus

ntdll

combase

urlmon

Exports

Exports

Sections

.text Size: 1.7MB - Virtual size: 1.8MB

Size: 705KB - Virtual size: 720KB

Size: 28KB - Virtual size: 44KB

Size: 70KB - Virtual size: 72KB

Size: 196KB - Virtual size: 200KB

Size: 24KB - Virtual size: 24KB

.edata Size: 512B - Virtual size: 4KB

.idata Size: 2KB - Virtual size: 4KB

.tls Size: 512B - Virtual size: 4KB

.rsrc Size: 196KB - Virtual size: 200KB

.themida Size: 22.5MB - Virtual size: 22.5MB

.boot Size: 12.3MB - Virtual size: 12.3MB

.reloc Size: 512B - Virtual size: 4KB

.SCY Size: 16KB - Virtual size: 16KB

.text
Size: 1.7MB - Virtual size: 1.8MB

.edata
Size: 512B - Virtual size: 4KB

.idata
Size: 2KB - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 4KB

.rsrc
Size: 196KB - Virtual size: 200KB

.themida
Size: 22.5MB - Virtual size: 22.5MB

.boot
Size: 12.3MB - Virtual size: 12.3MB

.reloc
Size: 512B - Virtual size: 4KB

.SCY
Size: 16KB - Virtual size: 16KB