3a1b1596e6c1f79f95a961dd5c8a953b98a29ab3d5cdb4c144b2804940f245aa

Sharing

Copy URL Twitter E-mail

General

Target

3a1b1596e6c1f79f95a961dd5c8a953b98a29ab3d5cdb4c144b2804940f245aa
Size

7.2MB
MD5

e3616adc244da2d816810b584b8353dc
SHA1

e73c5dd276bd4f0bc12bf794394fbac043a36a0a
SHA256

3a1b1596e6c1f79f95a961dd5c8a953b98a29ab3d5cdb4c144b2804940f245aa
SHA512

8d2cb1ee4dcae096aa097e3f1059baf5f34f3ea1e81c6058160a0bb2e9186a22d952887d4fcdfcb7df4260e1a55545aff5b8bf216748971c0da1cbbda8aff5f4
SSDEEP

196608:QrZir5qJ+lgRvbpfjVBYjRAweBUwMJbfrHVsFkCimFH:QrZS0dRJBYju3UNJbT1YkC1F

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
3a1b1596e6c1f79f95a961dd5c8a953b98a29ab3d5cdb4c144b2804940f245aa

Files

3a1b1596e6c1f79f95a961dd5c8a953b98a29ab3d5cdb4c144b2804940f245aa
.exe windows:6 windows x64

98e674ce20c9d7295f0fba0ceed0e343

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mfc140u

ord5083
ord5339
ord9041
ord5552
ord5363
ord5080
ord2358
ord2212
ord2231
ord6250
ord2187
ord1091
ord2222
ord4658
ord491
ord1122
ord5382
ord5385
ord7888
ord2802
ord4561
ord4578
ord3071
ord3307
ord3308
ord10163
ord11085
ord10704
ord8731
ord1089
ord8901
ord2697
ord13397
ord6000
ord11813
ord11817
ord11757
ord6724
ord4726
ord11850
ord3172
ord3278
ord3279
ord3812
ord11806
ord2629
ord5723
ord13354
ord13761
ord13864
ord11406
ord8043
ord4335
ord6631
ord8449
ord14217
ord5229
ord14211
ord12610
ord2967
ord4352
ord9384
ord5582
ord4360
ord4828
ord4767
ord4752
ord4814
ord4859
ord4782
ord4837
ord4853
ord4794
ord4800
ord4806
ord4788
ord4843
ord4776
ord1755
ord1734
ord1748
ord1722
ord1700
ord11940
ord11944
ord13513
ord3173
ord10691
ord6729
ord8656
ord14209
ord11625
ord3718
ord7460
ord8830
ord11415
ord11414
ord5451
ord9979
ord9975
ord1491
ord1489
ord266
ord265
ord4656
ord9977
ord9978
ord9976
ord14360
ord7913
ord9946
ord3230
ord3209
ord7651
ord5062
ord3212
ord320
ord6850
ord450
ord11855
ord8926
ord7235
ord4510
ord8417
ord4513
ord12241
ord4949
ord11673
ord533
ord13407
ord11677
ord5498
ord1153
ord12785
ord11996
ord11999
ord3728
ord1034
ord310
ord300
ord6718
ord2415
ord2270
ord2909
ord8058
ord12600
ord8452
ord14033
ord14039
ord8409
ord8416
ord4511
ord13986
ord2903
ord1670
ord1667
ord1505
ord1504
ord1503
ord1501
ord280
ord7461
ord7450
ord5227
ord7893
ord7922
ord2357
ord3756
ord6320
ord4947
ord2418
ord2417
ord316
ord1508
ord1511
ord2414
ord8059
ord1641
ord5709
ord285
ord12240
ord1671
ord3731
ord5706
ord2921
ord11921
ord7920
ord11933
ord11901
ord8167
ord7393
ord1450
ord8084
ord11929
ord10124
ord12606
ord12544
ord2340
ord4445
ord7716
ord8023
ord5183
ord10070
ord2182
ord2439
ord12222
ord12223
ord14210
ord7650
ord2346
ord2350
ord2344
ord14216
ord9089
ord962
ord4011
ord3949
ord12625
ord7668
ord2011
ord11664
ord11665
ord14088
ord12212
ord7719
ord13597
ord12932
ord14288
ord6121
ord14290
ord6123
ord14289
ord6122
ord13545
ord983
ord6614
ord2178
ord1428
ord6505
ord5555
ord9941
ord12030
ord8900
ord14225
ord11771
ord12087
ord14278
ord12443
ord1033
ord286
ord296
ord6717
ord2370

kernel32

GetModuleHandleA
ResetEvent
GetTickCount
VirtualFreeEx
GetPrivateProfileIntW
TerminateProcess
CreateThread
VirtualFree
VirtualAlloc
SetFilePointer
WritePrivateProfileStringW
GetModuleHandleW
DefineDosDeviceW
LoadLibraryW
GetDriveTypeW
VerSetConditionMask
VerifyVersionInfoW
DeleteFileW
WaitForSingleObject
GetExitCodeThread
CreateRemoteThread
GetCurrentProcessId
ReadProcessMemory
GetFileSize
LocalFree
VirtualAllocEx
GetProcAddress
VirtualProtectEx
CloseHandle
Process32FirstW
Process32NextW
GetFileAttributesW
MultiByteToWideChar
WideCharToMultiByte
GetFullPathNameA
CreateFileA
InitializeCriticalSection
GetLocalTime
SetLocalTime
CreateDirectoryW
GetCommandLineW
CreateMutexW
CreateMutexA
OpenMutexA
LockResource
LoadResource
FindResourceW
CreateToolhelp32Snapshot
CreateProcessW
OpenMutexW
GetComputerNameA
OpenProcess
CreateFileW
GetModuleFileNameW
DeviceIoControl
GetCurrentProcess
WriteProcessMemory
ReadFile
CopyFileW
GetPrivateProfileStringW
DeleteCriticalSection
OutputDebugStringW
GetLastError
EnterCriticalSection
LeaveCriticalSection
Sleep
GetShortPathNameW
InitializeCriticalSectionEx
SetEvent
WaitForSingleObjectEx
CreateEventW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
QueryPerformanceCounter
GetStartupInfoW
IsDebuggerPresent
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
FlsSetValue
GetSystemTimeAsFileTime
GetModuleHandleA
CreateEventA
GetModuleFileNameW
LoadLibraryA
TerminateProcess
GetCurrentProcess
CreateToolhelp32Snapshot
Thread32First
GetCurrentProcessId
GetCurrentThreadId
OpenThread
Thread32Next
CloseHandle
SuspendThread
ResumeThread
WriteProcessMemory
GetSystemInfo
VirtualAlloc
VirtualProtect
VirtualFree
GetProcessAffinityMask
SetProcessAffinityMask
GetCurrentThread
SetThreadAffinityMask
Sleep
FreeLibrary
GetTickCount
GlobalFree
GetProcAddress
LocalAlloc
LocalFree
ExitProcess
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
GetModuleHandleW
LoadResource
MultiByteToWideChar
FindResourceExW
FindResourceExA
WideCharToMultiByte
GetThreadLocale
GetUserDefaultLCID
GetSystemDefaultLCID
EnumResourceNamesA
EnumResourceNamesW
EnumResourceLanguagesA
EnumResourceLanguagesW
EnumResourceTypesA
EnumResourceTypesW
CreateFileW
LoadLibraryW
GetLastError
FlushFileBuffers
CreateFileA
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
SetStdHandle
GetCommandLineA
RaiseException
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlUnwindEx
HeapFree
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
DecodePointer
FlsGetValue
FlsFree
SetLastError
FlsAlloc
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlCaptureContext
HeapAlloc
LCMapStringA
LCMapStringW
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapSetInformation
HeapCreate
HeapDestroy
QueryPerformanceCounter
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
HeapSize
WriteFile
SetFilePointer
GetConsoleCP
GetConsoleMode
HeapReAlloc
InitializeCriticalSectionAndSpinCount
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

SetActiveWindow
GetActiveWindow
SetWindowTextA
IsWindowEnabled
GetDesktopWindow
GetWindowTextA
GetWindowThreadProcessId
MessageBoxW
SendMessageW
IsWindow
RegisterWindowMessageA
FindWindowW
SendMessageA
wsprintfW
EnableWindow
GetProcessWindowStation
GetUserObjectInformationW
CharUpperBuffW
MessageBoxW
GetProcessWindowStation
GetUserObjectInformationW

advapi32

GetTokenInformation
FreeSid
OpenProcessToken
AllocateAndInitializeSid
EqualSid
OpenServiceW
StartServiceW
OpenSCManagerW
CloseServiceHandle
QueryServiceStatus
OpenServiceA
ChangeServiceConfigA
OpenSCManagerA
CreateServiceA

shell32

SHGetPathFromIDListW
ShellExecuteW
SHGetSpecialFolderLocation

comctl32

InitCommonControlsEx

shlwapi

ord217

ole32

CoInitializeSecurity
CoSetProxyBlanket
CoCreateInstance

oleaut32

VariantInit
VariantTimeToSystemTime
SystemTimeToVariantTime
SafeArrayGetElement
VariantClear
SysFreeString
SysAllocString

msvcp140

?_Xlength_error@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ

wintrust

WTHelperGetProvCertFromChain
WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain
WinVerifyTrust

crypt32

CertGetNameStringW

setupapi

SetupDiGetClassDevsW
CM_Get_Device_IDW
SetupDiEnumDeviceInfo

iphlpapi

GetAdaptersInfo

vcruntime140

memcmp
_CxxThrowException
__vcrt_InitializeCriticalSectionEx
__CxxFrameHandler3
memcpy
__std_terminate
memmove
wcsstr
strstr
wcsrchr
__std_exception_destroy
__std_exception_copy
memchr
memset
__C_specific_handler

api-ms-win-crt-heap-l1-1-0

_set_new_mode
free
malloc

api-ms-win-crt-runtime-l1-1-0

_invalid_parameter_noinfo_noreturn
_invalid_parameter_noinfo
_errno
terminate
_crt_atexit
_register_onexit_function
_initialize_onexit_table
exit
_register_thread_local_exe_atexit_callback
_c_exit
_cexit
_beginthreadex
_exit
_initterm_e
_initterm
_get_wide_winmain_command_line
_initialize_wide_environment
_configure_wide_argv
_set_app_type
_seh_filter_exe

api-ms-win-crt-stdio-l1-1-0

_set_fmode
__stdio_common_vsnwprintf_s
__p__commode
__stdio_common_vsscanf
__stdio_common_vsprintf
fflush
_wfopen_s
fclose
__stdio_common_vfwprintf
__stdio_common_vfprintf
__acrt_iob_func
__stdio_common_vswprintf

api-ms-win-crt-filesystem-l1-1-0

_wsplitpath
_wmkdir
_waccess
_wsplitpath_s

api-ms-win-crt-string-l1-1-0

wcscat_s
strncpy_s
wcscpy_s
strcpy_s
_wcsicmp

api-ms-win-crt-convert-l1-1-0

_wtoi
_wtof
_wtoi64
wcstol
_itow
atof

api-ms-win-crt-time-l1-1-0

_localtime64
_localtime64_s
_ftime64
_time64

api-ms-win-crt-utility-l1-1-0

qsort
rand
srand

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-math-l1-1-0

sqrtf
ceil
floor
__setusermatherr

wtsapi32

WTSSendMessageW

Exports

Exports

�<�װ_��o� j��Iug�0W �ͣBz��G8�JH,�e;��p�<�u��RO��6, ��C<o ��Q�t �Ð�<!� j��1��}$��Т�&ԏ�wI>�C�c0b�m/{۴(�̏,G�"�`r�`��ړt��/ �O3h>.L'0��Q@5?)�R ��u��e0�ҫ�+�e��evFxa�ip�H�H�(�`��7��É��e&!$��T�^٤��b�K�*}��^�ޚwJ��p��Hm�d�9"�:�|h�$��{��2��W��C��/��P򄅺��A��Ƽ`H3o��b�1��R�b1��C'��s`�ɵ�/��)[�3�H��ע�R8�;�9��?��ֻ�N��@*�pyd��}�5y�F�Tn� B�ާXj1��@M~� ��Ȟ:#�2ٛ��lQ��+>IP�3n��d��?M��}yX��f-�5b��h�7L��%Y~�� ץM�c�i��X��ߨĶP�[� �n��K ��E��7d-�� #��sc�|6��v�q]b��N|Y��%E� ��x��V��1�7��{Tv�[H��6�.\��Ҹ4��|7+�v�O��곫��#��G��ݡ%~s|W�N�!vk�Ϊ�~!;D�n��M��ZG�ꡥ��qq5��I��G?�l8�Z� ��M��R��5ٗ�~�wNQWd��gG��e䬎��9��D��s�DJ\��s3V��<�͢b��lV��stw�7�P[��2��n{��~�-��gB�ٕA�5[��ҒSkR�lL�ce ��x�!�D��g��}�PF1�͕��*`�eb8�l?V��̇�̔�R�g�yv�9��s�:]�h ��f� �h�w(��["��szx]�)�::�UV(��Ʈ��P��g�a��M�P~�4�� k��̌& �x��s"��+0�/fN�<�{שū��ag\ .��_��E�+�� 8/AL��V7��,Α�Fl59e�� >�ʯ ��T`��?�1��!�Y:-�s_�%�E��L��0� ��4��Q��q��1�6ICiyɅ�hɼ�EǖN�˲ �\��?��PF!��o�.υ��t� �X��&��7׶�{e>Cp�S��2W��8S��gl��9��q�`#P��瓱�Qr�f�D�i�"��$��Ф�2X�9ɓ��ME:��ŏʖ��E�i��=�k�N�D�!�djժy1��R��$|,�ǳE�:��()��!�]�B��#B:��]�Pɝ�&�i��>��|Y��<'1T��b�疐��&�S3D��\�׃��%+;RdV"�,�[p��c1�k;uĩ��c��7�E�Ƚ��T�p�*�%O�E��_��h�:�ؚ��JUww�i��N ��T��*�Kv9��r��j/�Ƞ��[-ԙ��,�ڌ�� *n��E��ٌ��Ć+P�L�`��&Ӡ�Os�Xo3Q��H٭LHg�bt��ߗ(<�^��B'�G[��:��t.�c�� q�x�@qr�~�/��T�ा�K��[�T�"_G܌1�w]Yt�F{�1�|YaSi�훽ɵD��X�wI��T��/��B,��\��9��0kJ��?�M}��[��a.�o��q9��w�Ml�S�}��7r��&/�>��s��(��H�I��r�R+3�n�؛+4곻>^]��d��Z��U��(��R.*��͒��舼�:�=C{�D��ĳȎ��,��Ai��Lt�� V��2��w_�cY��$4�d{V��Қ� �;'P%(�]�7��%�^2�T��*/��f0m�?򋁗��\��1��T]1��o�9W�'��wɁ{q݆��4�Ѝ�8=ID\�2%�F7�7Y��:Q)v=�,6zb�?�)��{M��BB��:D�`)e��v�!�+��>T#��d�|��߲��ke��0�%�g��̃�O�� *��eh��NQ�} �� #�t�乗�L��!5by�"> �4C��/b$*��T��p!�8�U�^>/�� ] ,EZ��˸��i�9��n��m��(�� ;`�q��Ǥ�:�u@n]�� 5^�@�l��`�R��o��V�*��R%��P��t��ca�);Ǔ��e��b+Z��3 �[>�F�f��N�deB �mH+قso��7�K+�em�l��f��D�$�� L��q��2�L�!J&�O��#H�F��Y=+ ��}!Wiu[�I��p]�j��ߦ�ŀ �ęw>�2�9��Y�y�[t6R��V�2?[�+��t4�~�x��f�˼T�e�㔅dƩ��{��0M]зr <i؃�m5�4 �,��8��T�Z~��N��I"~�eg��֎;m�D��!}z � ��|ƓBhC�r0B��ޕQ �yJ��W(��C(�N.�)Jf��f�E��R�A(��{} =�`�� 2w��9n4��E�j�l�'� k6��A�D��q��b��a��t#!��?��B�M*DCFt��D"�@�W�TP _�_.sT��_��|�I��d��ʾKQT�}z��g�W��R�P|B�C�4�WT��\+�j�BSy�E)��ܰ ��Rb��V��e��N�{7�3��j#��$�bЭ�Pe��|a�/R��k�.��=��3��8��l*�2-A�Y>s|3]��xrT�ޜ��g<!\��Vv��Alp��/ ��f��E�>��xcT6G� 0��33{�=XP]U�d}��+*�F{��d�z��N0w��B�Ό��BV�ڡ�м�T=�A�.k16

Sections

.text
Size: - Virtual size: 468KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 138KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 75KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: - Virtual size: 52B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: - Virtual size: 5.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 7.1MB - Virtual size: 7.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 200B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 48KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

98e674ce20c9d7295f0fba0ceed0e343

Headers

DLL Characteristics

File Characteristics

Imports

mfc140u

kernel32

user32

advapi32

shell32

comctl32

shlwapi

ole32

oleaut32

msvcp140

wintrust

crypt32

setupapi

iphlpapi

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

wtsapi32

Exports

Exports

Sections

.text Size: - Virtual size: 468KB

.rdata Size: - Virtual size: 138KB

.data Size: - Virtual size: 75KB

.pdata Size: - Virtual size: 14KB

.gfids Size: - Virtual size: 52B

.tls Size: - Virtual size: 9B

.vmp0 Size: - Virtual size: 5.6MB

.vmp1 Size: 7.1MB - Virtual size: 7.1MB

.reloc Size: 512B - Virtual size: 200B

.rsrc Size: 48KB - Virtual size: 48KB

.text
Size: - Virtual size: 468KB

.rdata
Size: - Virtual size: 138KB

.data
Size: - Virtual size: 75KB

.pdata
Size: - Virtual size: 14KB

.gfids
Size: - Virtual size: 52B

.tls
Size: - Virtual size: 9B

.vmp0
Size: - Virtual size: 5.6MB

.vmp1
Size: 7.1MB - Virtual size: 7.1MB

.reloc
Size: 512B - Virtual size: 200B

.rsrc
Size: 48KB - Virtual size: 48KB