19X[.]rar | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

19X.rar
Size

17.7MB
MD5

703e04361ca1e3a3f50c519dc72969df
SHA1

515ec03934a9731c157367092935eed3cb22570e
SHA256

b6fbd300520e46f761b778cfc7595b43db385c79a1d7e4c4ce40e782f78a1c01
SHA512

74faa807deb7e03ad5f22244cd7556b0d7c3e22efb90bdad61590581128e6e3062b461af150bcac4ee7c638c1369ed5ea2a6a881d9c258ad76220d9c63f48ce4
SSDEEP

393216:xFYpkGpGjixj+wg6DfEqVYpFgKeZVzjJfNCVFZyxze3z8Gpmc4:TwX/Z+qDcqCngKe73DCVFoxz+zLpy

Score

7^/10

themida

Malware Config

Signatures

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
static1/unpack001/2023年11月新发布-财会人员薪资补贴调整新政策所需材料.exe.vir	themida
static1/unpack001/公司资料.exe.vir	themida
static1/unpack001/提交材料.exe.vir	themida

Unsigned PE 8 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/2023年11月新发布-财会人员薪资补贴调整新政策所需材料.exe.vir
unpack001/tools-读取浏览器敏感信息.exe.vir
unpack001/信息收集模板.scr.vir
unpack001/公司资料.exe.vir
unpack001/安全检查资产上报收集表-20231103-___xlsx.scr.vir
unpack001/提交材料.exe.vir
unpack001/李志-账号密码记录-解压密码-20231116.exe.vir
unpack001/陈力-病例.exe.vir

Files

19X.rar
.rar
2023年11月新发布-财会人员薪资补贴调整新政策所需材料.exe.vir
.exe windows:6 windows x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Size: 677KB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 214KB - Virtual size: 1.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 4KB - Virtual size: 700KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 34KB - Virtual size: 98KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 22KB - Virtual size: 169KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 7KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 169KB - Virtual size: 169KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 1.7MB - Virtual size: 1.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Due invoices Mazaya_pdf_pdf.vbe.vir
.ps1
tools-读取浏览器敏感信息.exe.vir
.exe windows:6 windows x64

67375d033e34a8ce017a42bfac07388e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

AddAtomA
AddVectoredExceptionHandler
CloseHandle
CreateDirectoryA
CreateFileA
CreateIoCompletionPort
CreateMutexA
CreateSemaphoreA
CreateThread
DeleteAtom
DeleteCriticalSection
DuplicateHandle
ExitProcess
FindAtomA
FormatMessageA
FreeEnvironmentStringsW
GetAtomNameA
GetConsoleMode
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetEnvironmentStringsW
GetEnvironmentVariableA
GetErrorMode
GetFileAttributesA
GetHandleInformation
GetLastError
GetModuleFileNameW
GetNativeSystemInfo
GetProcAddress
GetProcessAffinityMask
GetProcessId
GetQueuedCompletionStatusEx
GetStartupInfoA
GetStdHandle
GetSystemDirectoryA
GetSystemInfo
GetSystemTimeAsFileTime
GetThreadContext
GetThreadPriority
GetTickCount
IsDBCSLeadByteEx
IsDebuggerPresent
K32GetProcessMemoryInfo
LoadLibraryExW
LoadLibraryW
LocalFree
MultiByteToWideChar
OpenProcess
OutputDebugStringA
PostQueuedCompletionStatus
QueryPerformanceCounter
QueryPerformanceFrequency
RaiseException
RaiseFailFastException
ReadFile
ReleaseMutex
ReleaseSemaphore
RemoveVectoredExceptionHandler
ResetEvent
ResumeThread
SetConsoleCtrlHandler
SetErrorMode
SetLastError
SetProcessAffinityMask
SetProcessPriorityBoost
SetThreadContext
SetThreadPriority
SetUnhandledExceptionFilter
SuspendThread
SwitchToThread
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TryEnterCriticalSection
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WerGetFlags
WerSetFlags
WideCharToMultiByte
WriteConsoleW
WriteFile
__C_specific_handler

msvcrt

___lc_codepage_func
___mb_cur_max_func
__getmainargs
__initenv
__iob_func
__lconv_init
__set_app_type
__setusermatherr
_acmdln
_amsg_exit
_beginthread
_beginthreadex
_cexit
_commode
_endthreadex
_errno
_fmode
_initterm
_lock
_memccpy
_onexit
_setjmp
_strdup
_ultoa
_unlock
abort
calloc
exit
fprintf
fputc
free
fwrite
localeconv
longjmp
malloc
memcpy
memmove
memset
printf
realloc
signal
strerror
strlen
strncmp
vfprintf
wcslen

api-ms-win-core-synch-l1-2-0

CreateEventA
CreateWaitableTimerExW
EnterCriticalSection
InitializeCriticalSection
LeaveCriticalSection
SetEvent
SetWaitableTimer
Sleep
WaitForSingleObject
WaitOnAddress
WakeByAddressAll
WakeByAddressSingle

Exports

Exports

_ZN6__tsan10OnFinalizeEb
_ZN6__tsan12OnInitializeEv
_ZN6__tsan8OnReportEPKNS_10ReportDescEb
__sanitizer_acquire_crash_state
__sanitizer_free_hook
__sanitizer_get_report_path
__sanitizer_install_malloc_and_free_hooks
__sanitizer_malloc_hook
__sanitizer_print_stack_trace
__sanitizer_report_error_summary
__sanitizer_set_death_callback
__sanitizer_set_report_fd
__sanitizer_set_report_path
__tsan_default_options
__tsan_go_atomic32_compare_exchange
__tsan_go_atomic32_exchange
__tsan_go_atomic32_fetch_add
__tsan_go_atomic32_load
__tsan_go_atomic32_store
__tsan_go_atomic64_compare_exchange
__tsan_go_atomic64_exchange
__tsan_go_atomic64_fetch_add
__tsan_go_atomic64_load
__tsan_go_atomic64_store
__tsan_on_report
__tsan_test_only_on_fork
_cgo_dummy_export

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 80KB - Virtual size: 79KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 15.7MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 112B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
信息收集模板.scr.vir
.exe windows:6 windows x64

ec2908a203a9fcced1b070e8db1923a7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetModuleFileNameA
VirtualAlloc
WaitForSingleObject
GetFileAttributesA
CreateThread
GetCurrentDirectoryW
GlobalMemoryStatusEx
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetModuleHandleW
RtlCaptureContext

msvcp140

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?uncaught_exception@std@@YA_NXZ
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Xlength_error@std@@YAXPEBD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?good@ios_base@std@@QEBA_NXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__current_exception_context
__current_exception
memmove
_CxxThrowException
__C_specific_handler
__std_terminate
__std_exception_copy
__std_exception_destroy
memcpy
memset

api-ms-win-crt-stdio-l1-1-0

__acrt_iob_func
_set_fmode
__p__commode
__stdio_common_vfprintf

api-ms-win-crt-runtime-l1-1-0

_register_onexit_function
_crt_atexit
_initialize_onexit_table
_register_thread_local_exe_atexit_callback
_c_exit
_seh_filter_exe
_cexit
_exit
exit
_initterm_e
_initterm
_get_initial_narrow_environment
_initialize_narrow_environment
_configure_narrow_argv
__p___argv
_set_app_type
__p___argc
terminate
_invalid_parameter_noinfo_noreturn
system

api-ms-win-crt-heap-l1-1-0

_set_new_mode
_callnewh
malloc
free

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 15KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 768B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
公司资料.exe.vir
.exe windows:6 windows x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Size: 677KB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 214KB - Virtual size: 1.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 4KB - Virtual size: 700KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 34KB - Virtual size: 98KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 22KB - Virtual size: 169KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 7KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 169KB - Virtual size: 169KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 1.7MB - Virtual size: 1.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
安全检查资产上报收集表-20231103-___xlsx.scr.vir
.exe windows:6 windows x64

42e7514dba1f196bf70852cf303d000c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetModuleFileNameA
GetFileAttributesA
LoadLibraryW
GlobalMemoryStatusEx
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
IsProcessorFeaturePresent
GetModuleHandleW
SetUnhandledExceptionFilter

msvcp140

?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?uncaught_exception@std@@YA_NXZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memmove
memcpy
memset
__current_exception_context
__current_exception
_CxxThrowException
__C_specific_handler
__std_terminate
__std_exception_copy
__std_exception_destroy

api-ms-win-crt-stdio-l1-1-0

__p__commode
_set_fmode
__stdio_common_vfprintf
__acrt_iob_func

api-ms-win-crt-runtime-l1-1-0

_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit
__p___argc
_exit
_register_thread_local_exe_atexit_callback
__p___argv
_c_exit
_initterm_e
_initterm
_get_initial_narrow_environment
_initialize_narrow_environment
_configure_narrow_argv
terminate
_set_app_type
_seh_filter_exe
_invalid_parameter_noinfo_noreturn
system
exit

api-ms-win-crt-heap-l1-1-0

free
_callnewh
malloc
_set_new_mode

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-string-l1-1-0

strcmp

Sections

.text
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 696B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 80B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
提交材料.exe.vir
.exe windows:6 windows x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Size: 677KB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 214KB - Virtual size: 1.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 4KB - Virtual size: 700KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 34KB - Virtual size: 98KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 22KB - Virtual size: 169KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 7KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 169KB - Virtual size: 169KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 1.7MB - Virtual size: 1.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
李志-账号密码记录-解压密码-20231116.exe.vir
.exe windows:6 windows x64

3bec48b52c00f36b3f35434846086bee

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Imports

gdi32

ChoosePixelFormat
CreateBitmap
CreateDCW
CreateDIBSection
CreateRectRgn
DeleteDC
DeleteObject
DescribePixelFormat
GetDeviceCaps
GetDeviceGammaRamp
SetDeviceGammaRamp
SetPixelFormat
SwapBuffers

kernel32

AddAtomA
AddVectoredExceptionHandler
CloseHandle
CreateEventA
CreateFileA
CreateIoCompletionPort
CreateMutexA
CreateSemaphoreA
CreateThread
CreateWaitableTimerExW
DeleteAtom
DeleteCriticalSection
DuplicateHandle
EnterCriticalSection
ExitProcess
FindAtomA
FormatMessageA
FormatMessageW
FreeEnvironmentStringsW
FreeLibrary
GetAtomNameA
GetConsoleMode
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetEnvironmentStringsW
GetHandleInformation
GetLastError
GetModuleHandleExW
GetModuleHandleW
GetProcAddress
GetProcessAffinityMask
GetQueuedCompletionStatusEx
GetStartupInfoA
GetStdHandle
GetSystemDirectoryA
GetSystemInfo
GetSystemTimeAsFileTime
GetThreadContext
GetThreadPriority
GetTickCount
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
InitializeCriticalSection
IsDBCSLeadByteEx
IsDebuggerPresent
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
LocalFree
MultiByteToWideChar
OpenProcess
OutputDebugStringA
PostQueuedCompletionStatus
QueryPerformanceCounter
QueryPerformanceFrequency
RaiseException
ReleaseMutex
ReleaseSemaphore
RemoveVectoredExceptionHandler
ResetEvent
ResumeThread
SetConsoleCtrlHandler
SetErrorMode
SetEvent
SetLastError
SetProcessAffinityMask
SetProcessPriorityBoost
SetThreadContext
SetThreadExecutionState
SetThreadPriority
SetUnhandledExceptionFilter
SetWaitableTimer
Sleep
SuspendThread
SwitchToThread
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryEnterCriticalSection
VerSetConditionMask
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
WriteConsoleW
WriteFile
__C_specific_handler

msvcrt

___lc_codepage_func
___mb_cur_max_func
__getmainargs
__initenv
__iob_func
__lconv_init
__set_app_type
__setusermatherr
_acmdln
_amsg_exit
_beginthread
_beginthreadex
_cexit
_commode
_endthreadex
_errno
_fmode
_initterm
_memccpy
_onexit
_setjmp
_strdup
_ultoa
_wassert
abort
calloc
exit
fprintf
fputc
free
fwrite
getc
islower
isspace
isupper
isxdigit
localeconv
longjmp
malloc
memcpy
memmove
memset
printf
qsort
realloc
signal
strcmp
strcpy
strcspn
strerror
strlen
strncmp
strncpy
strspn
strstr
strtok
strtol
strtoul
tolower
ungetc
vfprintf
wcscmp
wcscpy
wcslen

opengl32

wglGetProcAddress

shell32

DragAcceptFiles
DragFinish
DragQueryFileW
DragQueryPoint

user32

AdjustWindowRectEx
BringWindowToTop
ChangeDisplaySettingsExW
ClientToScreen
ClipCursor
CloseClipboard
CreateIconIndirect
CreateWindowExW
DefWindowProcW
DestroyIcon
DestroyWindow
DispatchMessageW
EmptyClipboard
EnumDisplayDevicesW
EnumDisplayMonitors
EnumDisplaySettingsExW
EnumDisplaySettingsW
FlashWindow
GetActiveWindow
GetClassLongPtrW
GetClientRect
GetClipboardData
GetCursorPos
GetDC
GetKeyState
GetLayeredWindowAttributes
GetMessageTime
GetMonitorInfoW
GetPropW
GetRawInputData
GetRawInputDeviceInfoA
GetRawInputDeviceList
GetSystemMetrics
GetWindowLongW
GetWindowPlacement
GetWindowRect
IsIconic
IsWindowVisible
IsZoomed
LoadCursorW
LoadImageW
MapVirtualKeyW
MonitorFromWindow
MoveWindow
MsgWaitForMultipleObjects
OffsetRect
OpenClipboard
PeekMessageW
PostMessageW
PtInRect
RegisterClassExW
RegisterDeviceNotificationW
RegisterRawInputDevices
ReleaseCapture
ReleaseDC
RemovePropW
ScreenToClient
SendMessageW
SetCapture
SetClipboardData
SetCursor
SetCursorPos
SetFocus
SetForegroundWindow
SetLayeredWindowAttributes
SetPropW
SetRect
SetWindowLongW
SetWindowPlacement
SetWindowPos
SetWindowTextW
ShowWindow
SystemParametersInfoW
ToUnicode
TrackMouseEvent
TranslateMessage
UnregisterClassW
UnregisterDeviceNotification
WaitMessage
WindowFromPoint

Exports

Exports

_cgo_dummy_export
glowDebugCallback_glcore32
goCharCB
goCharModsCB
goCursorEnterCB
goCursorPosCB
goDropCB
goErrorCB
goFramebufferSizeCB
goJoystickCB
goKeyCB
goMonitorCB
goMouseButtonCB
goScrollCB
goWindowCloseCB
goWindowContentScaleCB
goWindowFocusCB
goWindowIconifyCB
goWindowMaximizeCB
goWindowPosCB
goWindowRefreshCB
goWindowSizeCB

Sections

.text
Size: 5.1MB - Virtual size: 5.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3.2MB - Virtual size: 3.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 4.8MB - Virtual size: 4.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 417KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 1024B - Virtual size: 605B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 112B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 68KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 94KB - Virtual size: 93KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
陈力-病例.exe.vir
.exe windows:6 windows x64

d8929aaf89748ffdb39f2949bd0f2cba

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntdll

RtlVirtualUnwind
RtlUnwindEx
NtQuerySystemInformation
RtlLookupFunctionEntry
RtlCaptureContext
NtProtectVirtualMemory
NtWriteVirtualMemory
NtAllocateVirtualMemory
NtQueryInformationProcess
RtlGetVersion
RtlPcToFileHeader

advapi32

CopySid
LookupAccountSidW
GetLengthSid
IsValidSid
SystemFunction036
OpenProcessToken
GetTokenInformation

iphlpapi

FreeMibTable
GetIfEntry2
GetAdaptersAddresses
GetIfTable2

kernel32

FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
CompareStringW
ExitProcess
Sleep
GetModuleHandleA
GetProcAddress
VirtualProtect
VirtualFree
TerminateProcess
GetCurrentProcess
K32GetModuleInformation
CreateFileA
CreateFileMappingW
MapViewOfFile
CloseHandle
FreeLibrary
TryAcquireSRWLockExclusive
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
GetCurrentProcessId
GetTickCount64
GlobalMemoryStatusEx
GetLogicalDrives
GetDiskFreeSpaceExW
GetProcessTimes
GetProcessHeap
HeapFree
GetLastError
HeapAlloc
OpenProcess
LocalFree
GetSystemTimes
GetProcessIoCounters
VirtualQueryEx
ReadProcessMemory
CreateFileW
GetSystemInfo
GetDriveTypeW
GetVolumeInformationW
DeviceIoControl
SleepConditionVariableSRW
EnumSystemGeoID
FreeEnvironmentStringsW
ReleaseMutex
FindClose
ReleaseSRWLockShared
AddVectoredExceptionHandler
SetThreadStackGuarantee
SwitchToThread
GetCurrentThread
SetLastError
GetCurrentDirectoryW
GetEnvironmentStringsW
GetEnvironmentVariableW
SetEnvironmentVariableW
GetCommandLineW
FlushFileBuffers
SetFilePointerEx
GetStdHandle
WaitForSingleObject
WakeAllConditionVariable
WakeConditionVariable
QueryPerformanceCounter
HeapReAlloc
AcquireSRWLockShared
WaitForSingleObjectEx
LoadLibraryA
CreateMutexA
FindNextFileW
GetConsoleMode
GetFileType
GetModuleHandleW
FormatMessageW
GetModuleFileNameW
GetCommandLineA
MultiByteToWideChar
WriteConsoleW
WideCharToMultiByte
CreateThread
TlsGetValue
TlsSetValue
GetSystemTimeAsFileTime
GetModuleHandleExW
WriteFile
LoadLibraryExW
TlsFree
TlsAlloc
InitializeCriticalSectionAndSpinCount
GetConsoleOutputCP
HeapSize
GetStringTypeW
SetStdHandle
GetCPInfo
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
EncodePointer
GetOEMCP
GetACP
IsValidCodePage
FindFirstFileExW
RaiseException
IsProcessorFeaturePresent
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
InitializeSListHead
GetCurrentThreadId
LCMapStringW

netapi32

NetUserEnum
NetUserGetInfo
NetUserGetLocalGroups
NetApiBufferFree

ole32

CoInitializeEx
CoInitializeSecurity
CoCreateInstance
CoSetProxyBlanket
CoUninitialize

oleaut32

SysAllocString
SysFreeString
VariantClear

pdh

PdhAddEnglishCounterW
PdhCloseQuery
PdhRemoveCounter
PdhGetFormattedCounterValue
PdhCollectQueryData
PdhOpenQueryA

powrprof

CallNtPowerInformation

psapi

GetModuleFileNameExW
GetPerformanceInfo

secur32

LsaEnumerateLogonSessions
LsaGetLogonSessionData
LsaFreeReturnBuffer

shell32

CommandLineToArgvW

user32

GetCursorPos

bcrypt

BCryptGenRandom

Sections

.text
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 54KB - Virtual size: 54KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 55KB - Virtual size: 54KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Headers

DLL Characteristics

File Characteristics

Sections

Size: 677KB - Virtual size: 1.6MB

Size: 214KB - Virtual size: 1.8MB

Size: 4KB - Virtual size: 700KB

Size: 34KB - Virtual size: 98KB

Size: 512B - Virtual size: 348B

Size: 22KB - Virtual size: 169KB

Size: 7KB - Virtual size: 35KB

.idata Size: 512B - Virtual size: 4KB

.rsrc Size: 169KB - Virtual size: 169KB

.themida Size: - Virtual size: 3.1MB

.boot Size: 1.7MB - Virtual size: 1.7MB

67375d033e34a8ce017a42bfac07388e

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

msvcrt

api-ms-win-core-synch-l1-2-0

Exports

Exports

Sections

.text Size: 1.1MB - Virtual size: 1.1MB

.data Size: 80KB - Virtual size: 79KB

.rdata Size: 1.5MB - Virtual size: 1.5MB

.pdata Size: 28KB - Virtual size: 27KB

.xdata Size: 10KB - Virtual size: 10KB

.bss Size: - Virtual size: 15.7MB

.edata Size: 1KB - Virtual size: 1KB

.idata Size: 5KB - Virtual size: 5KB

.CRT Size: 512B - Virtual size: 112B

.tls Size: 512B - Virtual size: 16B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 14KB - Virtual size: 14KB

ec2908a203a9fcced1b070e8db1923a7

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

msvcp140

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 15KB - Virtual size: 16KB

.pdata Size: 1024B - Virtual size: 768B

.idata Size: 4KB - Virtual size: 3KB

.rsrc Size: 29KB - Virtual size: 28KB

.reloc Size: 512B - Virtual size: 88B

Headers

DLL Characteristics

File Characteristics

Sections

Size: 677KB - Virtual size: 1.6MB

Size: 214KB - Virtual size: 1.8MB

Size: 4KB - Virtual size: 700KB

Size: 34KB - Virtual size: 98KB

Size: 512B - Virtual size: 348B

Size: 22KB - Virtual size: 169KB

Size: 7KB - Virtual size: 35KB

.idata Size: 512B - Virtual size: 4KB

.rsrc Size: 169KB - Virtual size: 169KB

.themida Size: - Virtual size: 3.1MB

.boot Size: 1.7MB - Virtual size: 1.7MB

42e7514dba1f196bf70852cf303d000c

Headers

.idata
Size: 512B - Virtual size: 4KB

.rsrc
Size: 169KB - Virtual size: 169KB

.themida
Size: - Virtual size: 3.1MB

.boot
Size: 1.7MB - Virtual size: 1.7MB

.text
Size: 1.1MB - Virtual size: 1.1MB

.data
Size: 80KB - Virtual size: 79KB

.rdata
Size: 1.5MB - Virtual size: 1.5MB

.pdata
Size: 28KB - Virtual size: 27KB

.xdata
Size: 10KB - Virtual size: 10KB

.bss
Size: - Virtual size: 15.7MB

.edata
Size: 1KB - Virtual size: 1KB

.idata
Size: 5KB - Virtual size: 5KB

.CRT
Size: 512B - Virtual size: 112B

.tls
Size: 512B - Virtual size: 16B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 14KB - Virtual size: 14KB

.text
Size: 15KB - Virtual size: 16KB

.pdata
Size: 1024B - Virtual size: 768B

.idata
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 29KB - Virtual size: 28KB

.reloc
Size: 512B - Virtual size: 88B

.idata
Size: 512B - Virtual size: 4KB

.rsrc
Size: 169KB - Virtual size: 169KB

.themida
Size: - Virtual size: 3.1MB

.boot
Size: 1.7MB - Virtual size: 1.7MB

.text
Size: 12KB - Virtual size: 12KB

.pdata
Size: 1024B - Virtual size: 696B

.idata
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 29KB - Virtual size: 28KB

.reloc
Size: 512B - Virtual size: 80B

.idata
Size: 512B - Virtual size: 4KB

.rsrc
Size: 169KB - Virtual size: 169KB

.themida
Size: - Virtual size: 3.1MB

.boot
Size: 1.7MB - Virtual size: 1.7MB

.text
Size: 5.1MB - Virtual size: 5.1MB

.data
Size: 3.2MB - Virtual size: 3.2MB

.rdata
Size: 4.8MB - Virtual size: 4.8MB

.pdata
Size: 25KB - Virtual size: 25KB

.xdata
Size: 15KB - Virtual size: 15KB

.bss
Size: - Virtual size: 417KB

.edata
Size: 1024B - Virtual size: 605B

.idata
Size: 10KB - Virtual size: 9KB

.CRT
Size: 512B - Virtual size: 112B

.tls
Size: 512B - Virtual size: 16B

.rsrc
Size: 68KB - Virtual size: 68KB

.reloc
Size: 94KB - Virtual size: 93KB