249c5999fed16005d30c9a19d31bfedbe87fdada2d8b5a8bd6774544a0872d21[.]exe[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

249c5999fed16005d30c9a19d31bfedbe87fdada2d8b5a8bd6774544a0872d21.exe.zip
Size

5.9MB
MD5

ffbe79bfa5b3bb5f37c98e8c47dc2e04
SHA1

bc2299d43d9d91f1f3047f94c2a3e60ea767ebda
SHA256

71f519971ebbb82288ae9023f9825220c5d2aaa47963de6fe1767ba4f873e02b
SHA512

8595a7dacb653b4023f721c22781cdfcb90cf0b1e1801e7a27dc0c93ef13f020902b3cdd8e46e72d09e2e8ce13a9f13c86b61dad03407aa6b416a8d926c3db0f
SSDEEP

98304:10h8iypwxHOB4qrCtuEcmlOsgh4D1TNkWlrrentdfvwLSBS0o6dkywyPHqng6kTg:12+BXrCtu9mlOiFGsPotdfvwjNRdyfqF

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
static1/unpack001/249c5999fed16005d30c9a19d31bfedbe87fdada2d8b5a8bd6774544a0872d21.exe	themida

Files

249c5999fed16005d30c9a19d31bfedbe87fdada2d8b5a8bd6774544a0872d21.exe.zip
.zip

Password: infected
249c5999fed16005d30c9a19d31bfedbe87fdada2d8b5a8bd6774544a0872d21.exe
.exe windows:6 windows x64

a4308f82c6f6f467c58289d16d7acab2

Code Sign

7a:09:f4:ab:3a:2d:ff:a8:40:0e:d7:4a:6d:fa:2c:26
Certificate

Issuer

CN=HP EliteDesk 800 G6 TWR 272Y1EA

Not Before

10/09/2023, 12:59

Not After

11/09/2033, 12:59

Subject

CN=HP EliteDesk 800 G6 TWR 272Y1EA

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

Issuer

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

03/05/2023, 00:00

Not After

02/08/2034, 23:59

Subject

CN=Sectigo RSA Time Stamping Signer #4,O=Sectigo Limited,ST=Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/05/2019, 00:00

Not After

18/01/2038, 23:59

Subject

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

4d:bf:af:cc:1c:81:ac:6d:8d:4b:16:58:1d:88:8b:8c:13:08:72:33:a0:90:fb:96:93:b3:c1:d7:bb:2e:ca:aa
Signer

Actual PE Digest

4d:bf:af:cc:1c:81:ac:6d:8d:4b:16:58:1d:88:8b:8c:13:08:72:33:a0:90:fb:96:93:b3:c1:d7:bb:2e:ca:aa

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetModuleHandleA
LocalAlloc
LocalFree
GetModuleFileNameW
ExitProcess
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

CharNextA

advapi32

RegCloseKey

shell32

ShellExecuteA

ole32

CoCreateInstance

Sections

Size: - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: - Virtual size: 240KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: - Virtual size: 73KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: - Virtual size: 85KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: - Virtual size: 252B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.zip0
Size: - Virtual size: 156KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.themida
Size: - Virtual size: 3.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.zip1
Size: - Virtual size: 1.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.zip2
Size: 1024B - Virtual size: 944B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.zip3
Size: 6.2MB - Virtual size: 6.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 184B

IMAGE_SCN_MEM_READ

.rsrc
Size: 78KB - Virtual size: 157KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

a4308f82c6f6f467c58289d16d7acab2

Code Sign

7a:09:f4:ab:3a:2d:ff:a8:40:0e:d7:4a:6d:fa:2c:26Certificate

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4Certificate

Extended Key Usages

Key Usages

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9Certificate

Extended Key Usages

Key Usages

4d:bf:af:cc:1c:81:ac:6d:8d:4b:16:58:1d:88:8b:8c:13:08:72:33:a0:90:fb:96:93:b3:c1:d7:bb:2e:ca:aaSigner

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

Sections

Size: - Virtual size: 3.1MB

Size: - Virtual size: 240KB

Size: - Virtual size: 73KB

Size: - Virtual size: 85KB

Size: - Virtual size: 252B

.zip0 Size: - Virtual size: 156KB

Size: - Virtual size: 9KB

.idata Size: - Virtual size: 4KB

.tls Size: - Virtual size: 4KB

.themida Size: - Virtual size: 3.9MB

.zip1 Size: - Virtual size: 1.3MB

.zip2 Size: 1024B - Virtual size: 944B

.zip3 Size: 6.2MB - Virtual size: 6.2MB

.reloc Size: 512B - Virtual size: 184B

.rsrc Size: 78KB - Virtual size: 157KB

7a:09:f4:ab:3a:2d:ff:a8:40:0e:d7:4a:6d:fa:2c:26
Certificate

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

4d:bf:af:cc:1c:81:ac:6d:8d:4b:16:58:1d:88:8b:8c:13:08:72:33:a0:90:fb:96:93:b3:c1:d7:bb:2e:ca:aa
Signer

.zip0
Size: - Virtual size: 156KB

.idata
Size: - Virtual size: 4KB

.tls
Size: - Virtual size: 4KB

.themida
Size: - Virtual size: 3.9MB

.zip1
Size: - Virtual size: 1.3MB

.zip2
Size: 1024B - Virtual size: 944B

.zip3
Size: 6.2MB - Virtual size: 6.2MB

.reloc
Size: 512B - Virtual size: 184B

.rsrc
Size: 78KB - Virtual size: 157KB