v7_fn_chair[.]exe

Resubmissions

10/12/2023, 17:54

231210-wharnsafe5 7

10/12/2023, 17:53

231210-wgpjfaafd4 7

Sharing

Copy URL Twitter E-mail

General

Target

v7_fn_chair.exe
Size

12.9MB
MD5

4af19e4dc1cf8088cd4d1dfc33400bff
SHA1

135f612b94409598afcc6e7e4f2d39e7289811f3
SHA256

63022be17bab8bd8c9df59cbb5bb2804374999e4a98b126c848de13fe07807e0
SHA512

98c1e962aa510cc6e6dcac720330b491c19d1748bf7decb707ca9decadff042ff2310aba6bd41f9f40da058b89e4e1a6d9538eae0edd9307066c8e8910fc76d5
SSDEEP

196608:g+ILeyy+UU/9ykuQGCG2QSX64YMo6B32c6RFGHpv5rB7VhqsGy8iMt:gtefgyjVvIaFMHpvFBxwC8iMt

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
sample	themida

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
v7_fn_chair.exe

Files

v7_fn_chair.exe
.exe windows:6 windows x64 arch:x64

b6a2df11aebb090a436044a5d8ecf2e8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

RegQueryValueExA
AdjustTokenPrivileges
RegGetValueA
RegCreateKeyExA
RegSetValueExA
OpenProcessToken
RegOpenKeyExA
RegCloseKey
LookupPrivilegeValueA

concrt140

?_Acquire@_NonReentrantBlockingLock@details@Concurrency@@QEAAXXZ
?_Release@_NonReentrantBlockingLock@details@Concurrency@@QEAAXXZ
??0_NonReentrantBlockingLock@details@Concurrency@@QEAA@XZ
??1_NonReentrantBlockingLock@details@Concurrency@@QEAA@XZ

crypt32

CertVerifyCertificateChainPolicy
CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateContext
CryptUnprotectMemory

d3dcompiler_47

D3DCompile

imm32

ImmSetCompositionWindow
ImmReleaseContext
ImmGetContext

kernel32

GetFirmwareEnvironmentVariableA
GetFirmwareType
InitializeCriticalSectionEx
DeleteCriticalSection
LocalFree
FreeLibrary
VerifyVersionInfoW
SetFileCompletionNotificationModes
CloseThreadpoolIo
CancelThreadpoolIo
StartThreadpoolIo
CreateThreadpoolIo
GetOverlappedResult
WriteFile
ReadFile
CreateFileW
FormatMessageW
OutputDebugStringW
InitializeSListHead
GetSystemTimeAsFileTime
QueryPerformanceFrequency
GetCurrentProcessId
IsProcessorFeaturePresent
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetModuleHandleW
CreateEventW
WaitForSingleObjectEx
ResetEvent
SetEvent
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
InitOnceComplete
InitOnceBeginInitialize
FormatMessageA
QueryPerformanceCounter
VerSetConditionMask
WideCharToMultiByte
MultiByteToWideChar
TerminateProcess
ExitProcess
GetCurrentProcess
WaitForSingleObject
GetLastError
CloseHandle
GetFileAttributesA
FindNextFileA
FindFirstFileA
GlobalFree
GlobalLock
GlobalUnlock
GlobalAlloc
GetCurrentThread
Sleep
GetUserDefaultLocaleName
LoadLibraryA
ExpandEnvironmentStringsA
GetProcAddress
GetModuleHandleA
GetCurrentThreadId
GetFileSizeEx
FindClose

msvcp140

??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Random_device@std@@YAIXZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
_Mtx_init_in_situ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
?uncaught_exceptions@std@@YAHXZ
??Bid@locale@std@@QEAA_KXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
_Thrd_detach
_Cnd_do_broadcast_at_thread_exit
?_Throw_C_error@std@@YAXH@Z
?_Throw_Cpp_error@std@@YAXH@Z
?_Xinvalid_argument@std@@YAXPEBD@Z
?__ExceptionPtrCreate@@YAXPEAX@Z
?__ExceptionPtrDestroy@@YAXPEAX@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
?__ExceptionPtrToBool@@YA_NPEBX@Z
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z
_Mtx_lock
_Mtx_unlock
_Cnd_init_in_situ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
_Cnd_wait
_Cnd_broadcast
?_Schedule_chore@details@Concurrency@@YAHPEAU_Threadpool_chore@12@@Z
?_Release_chore@details@Concurrency@@YAXPEAU_Threadpool_chore@12@@Z
?_ReportUnobservedException@details@Concurrency@@YAXXZ
?GetCurrentThreadId@platform@details@Concurrency@@YAJXZ
?_Xbad_function_call@std@@YAXXZ
?_CallInContext@_ContextCallback@details@Concurrency@@QEBAXV?$function@$$A6AXXZ@std@@_N@Z
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?_IsCurrentOriginSTA@_ContextCallback@details@Concurrency@@CA_NXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
??0?$_Yarn@D@std@@QEAA@XZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?_Syserror_map@std@@YAPEBDH@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Winerror_map@std@@YAHH@Z
?classic@locale@std@@SAAEBV12@XZ
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEA_K@Z
?_Xout_of_range@std@@YAXPEBD@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ
??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z
??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
?__ExceptionPtrCompare@@YA_NPEBX0@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAPEAGXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?imbue@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAA?AVlocale@2@AEBV32@@Z
??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
??0?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
??1?$basic_istream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAH@Z
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
??4?$_Iosb@H@std@@QEAAAEAV01@$$QEAV01@@Z
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAGXZ
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEAG_J@Z
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEBG_J@Z
?uncaught_exception@std@@YA_NXZ
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGG@Z

shell32

ShellExecuteExA
ShellExecuteA

user32

DestroyWindow
CreateWindowExA
RegisterClassExA
UnregisterClassA
PostQuitMessage
DefWindowProcA
PeekMessageA
DispatchMessageA
TranslateMessage
LoadCursorA
ScreenToClient
ClientToScreen
GetCursorPos
UpdateWindow
SetCursorPos
GetClientRect
GetForegroundWindow
ReleaseCapture
SetCapture
GetCapture
GetKeyState
IsChild
TrackMouseEvent
EmptyClipboard
GetClipboardData
SetClipboardData
GetDesktopWindow
OpenClipboard
CloseClipboard
ShowWindow
LoadIconA
SetCursor

vcruntime140

__std_exception_copy
__std_exception_destroy
_CxxThrowException
memchr
memcmp
memcpy
memcpy
memset
strstr
__std_terminate
_purecall
__C_specific_handler
__current_exception
__current_exception_context

vcruntime140_1

__CxxFrameHandler4

winhttp

WinHttpSetStatusCallback
WinHttpQueryAuthSchemes
WinHttpSetCredentials
WinHttpSendRequest
WinHttpAddRequestHeaders
WinHttpOpenRequest
WinHttpReceiveResponse
WinHttpQueryOption
WinHttpQueryDataAvailable
WinHttpWriteData
WinHttpReadData
WinHttpConnect
WinHttpSetTimeouts
WinHttpSetOption
WinHttpCloseHandle
WinHttpOpen
WinHttpGetDefaultProxyConfiguration
WinHttpQueryHeaders
WinHttpGetProxyForUrl
WinHttpGetIEProxyConfigForCurrentUser

ucrtbase

_i64tow_s
_ui64tow_s
wcstombs_s
atoi
_wcstod_l
wcstol
_i64toa_s
_ui64toa_s
_access_s
_access
remove
_mkdir
_lock_file
_unlock_file
free
_callnewh
malloc
realloc
_set_new_mode
_create_locale
__pctype_func
_configthreadlocale
_free_locale
ceilf
acosf
sinf
fmodf
cosf
__setusermatherr
sqrtf
_get_narrow_winmain_command_line
_initterm
_seh_filter_exe
_cexit
_configure_narrow_argv
_set_app_type
_initialize_narrow_environment
_initterm_e
_crt_atexit
_invalid_parameter_noinfo_noreturn
exit
abort
_register_thread_local_exe_atexit_callback
terminate
_c_exit
_errno
_Exit
_register_onexit_function
_initialize_onexit_table
_beginthreadex
__p__commode
__acrt_iob_func
_set_fmode
ferror
__stdio_common_vsnwprintf_s
fclose
fwrite
__stdio_common_vfprintf
__stdio_common_vswprintf_s
_get_stream_buffer_pointers
fflush
fgetc
fgetpos
__stdio_common_vsscanf
__stdio_common_vsprintf
ftell
fseek
_wfopen
fputc
fread
fsetpos
_fseeki64
__stdio_common_vsprintf_s
setvbuf
ungetc
feof
strncpy_s
isalpha
strncpy
isdigit
wcsnlen
strcat_s
strcpy_s
strnlen
iswspace
strcmp
strftime
_localtime64
_localtime64_s
_time64
qsort

bcrypt

BCryptCloseAlgorithmProvider
BCryptDestroyHash
BCryptGetProperty
BCryptOpenAlgorithmProvider
BCryptHashData
BCryptCreateHash
BCryptFinishHash

d3d11

D3D11CreateDeviceAndSwapChain

dwmapi

DwmExtendFrameIntoClientArea

Sections

.text
Size: 775KB - Virtual size: 776KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 201KB - Virtual size: 216KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 440KB - Virtual size: 444KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 38KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 6KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.imports
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: 7.2MB - Virtual size: 7.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 4.2MB - Virtual size: 4.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ

.taggant
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.SCY
Size: 15KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Resubmissions

Sharing

General

Malware Config

Signatures

Files

b6a2df11aebb090a436044a5d8ecf2e8

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

concrt140

crypt32

d3dcompiler_47

imm32

kernel32

msvcp140

shell32

user32

vcruntime140

vcruntime140_1

winhttp

ucrtbase

bcrypt

d3d11

dwmapi

Sections

.text Size: 775KB - Virtual size: 776KB

Size: 201KB - Virtual size: 216KB

Size: 440KB - Virtual size: 444KB

Size: 38KB - Virtual size: 40KB

Size: 512B - Virtual size: 4KB

Size: 6KB - Virtual size: 8KB

.imports Size: 2KB - Virtual size: 4KB

.tls Size: 512B - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 4KB

.themida Size: 7.2MB - Virtual size: 7.2MB

.boot Size: 4.2MB - Virtual size: 4.2MB

.reloc Size: 512B - Virtual size: 4KB

.taggant Size: 8KB - Virtual size: 12KB

.SCY Size: 15KB - Virtual size: 16KB

.text
Size: 775KB - Virtual size: 776KB

.imports
Size: 2KB - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 4KB

.themida
Size: 7.2MB - Virtual size: 7.2MB

.boot
Size: 4.2MB - Virtual size: 4.2MB

.reloc
Size: 512B - Virtual size: 4KB

.taggant
Size: 8KB - Virtual size: 12KB

.SCY
Size: 15KB - Virtual size: 16KB