VMX_Public[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

VMX_Public.zip
Size

5.8MB
MD5

dec7bfbe3ea1a75abda3e2393570a69c
SHA1

b9c2b11c66e28cc88abfab0d462a3df6117ba47d
SHA256

24e71915869e28fcd54d1e02de8ad7ebec1c06205dc69de347e96c693bf795a0
SHA512

d9d6df20ce52bdeaa04e701792cf29dccce513d41ed5edb2dd9daaf0ba3792d8ccaac1704e119a4479c8c57b27352f89044bb8ea587b71a6eb8b7ed2efb792e6
SSDEEP

98304:IJoIPRDAM1++AIYdnD3VVamS4qamtL8fznyBAwgMA9hCrWHOhgOBOOQ4Mwh9jmEf:IJoIPRTrUTamS4XTCzXWpOBOOQ69H8Wn

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
static1/unpack001/VMX Public/Open me after.exe	themida

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/VMX Public/Open me after.exe
unpack001/VMX Public/run me before.exe

Files

VMX_Public.zip
.zip
VMX Public/Instructions.txt
VMX Public/Open me after.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Size: 395KB - Virtual size: 836KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 70KB - Virtual size: 166KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 1.8MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 18KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 194B - Virtual size: 464B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 275B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 1KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.imports
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: - Virtual size: 5.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 3.3MB - Virtual size: 3.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 16B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
VMX Public/run me before.exe
.exe windows:6 windows x64 arch:x64

3e5b3d81e870b56cf04c6b01bd03265e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

LeaveCriticalSection
EnterCriticalSection
SleepEx
QueryPerformanceFrequency
GetSystemDirectoryA
FreeLibrary
GetProcAddress
LoadLibraryA
VerifyVersionInfoA
QueryPerformanceCounter
GetTickCount
MoveFileExA
FormatMessageA
MultiByteToWideChar
GetEnvironmentVariableA
GetFileType
PeekNamedPipe
WaitForMultipleObjects
CreateFileA
GetFileSizeEx
WideCharToMultiByte
GetLocaleInfoEx
HeapDestroy
FindFirstFileW
GetFileAttributesExW
LocalFree
SetLastError
QueryFullProcessImageNameW
GetModuleHandleW
GetModuleFileNameA
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
CreateThread
DeleteCriticalSection
InitializeCriticalSectionEx
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
WaitForSingleObjectEx
HeapAlloc
AreFileApisANSI
GetFileInformationByHandleEx
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
VirtualQuery
GetFileSize
CloseHandle
DeleteFileA
GetLastError
ReadFile
GlobalAddAtomA
Sleep
GetModuleHandleA
CreateFileW
TerminateProcess
WriteFile
GetStdHandle
GetCurrentProcess
SetConsoleTextAttribute
VirtualProtect
FindClose
OutputDebugStringW

user32

MessageBoxA
BlockInput

msvcp140

??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?_Xbad_function_call@std@@YAXXZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??Bid@locale@std@@QEAA_KXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?good@ios_base@std@@QEBA_NXZ
?fail@ios_base@std@@QEBA_NXZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?_Throw_Cpp_error@std@@YAXH@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
_Xtime_get_ticks
_Thrd_detach
_Query_perf_counter
_Thrd_sleep
_Cnd_do_broadcast_at_thread_exit
?_Syserror_map@std@@YAPEBDH@Z
?_Xlength_error@std@@YAXPEBD@Z
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?id@?$ctype@D@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Winerror_map@std@@YAHH@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Xout_of_range@std@@YAXPEBD@Z

ntdll

RtlLookupFunctionEntry
RtlVirtualUnwind
VerSetConditionMask
RtlCaptureContext
NtLoadDriver
NtUnmapViewOfSection
RtlAdjustPrivilege
NtDeviceIoControlFile
NtCreateSection
RtlInitUnicodeString
RtlCreateRegistryKey
NtUnloadDriver
NtQuerySystemInformation
RtlAllocateHeap
RtlWriteRegistryValue
NtMapViewOfSection
NtCreateFile
RtlFreeHeap
NtClose
RtlReleaseRelativeName
RtlDosPathNameToRelativeNtPathName_U_WithStatus
RtlGetFullPathName_UEx

urlmon

URLDownloadToFileA

psapi

GetModuleInformation

normaliz

IdnToAscii

wldap32

ord143
ord217
ord46
ord301
ord200
ord60
ord30
ord35
ord33
ord211
ord32
ord45
ord50
ord41
ord22
ord26
ord79
ord27

crypt32

CertOpenStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
PFXImportCertStore
CryptDecodeObjectEx
CertAddCertificateContextToStore
CertFindExtension
CertGetNameStringA
CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CertCloseStore

ws2_32

WSASetLastError
WSAIoctl
WSAStartup
setsockopt
accept
htonl
listen
ioctlsocket
__WSAFDIsSet
select
getaddrinfo
freeaddrinfo
recvfrom
ntohs
sendto
gethostname
ntohl
htons
getsockopt
getsockname
getpeername
connect
bind
WSAGetLastError
send
recv
closesocket
socket
WSACleanup

shlwapi

SHDeleteKeyW

rpcrt4

UuidToStringA
RpcStringFreeA
UuidCreate

userenv

UnloadUserProfile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_exception_destroy
strstr
__std_terminate
_CxxThrowException
memcmp
__std_exception_copy
memcpy
memmove
memset
strchr
strrchr
__C_specific_handler
__current_exception_context
__current_exception
memchr

api-ms-win-crt-stdio-l1-1-0

_lseeki64
fclose
__stdio_common_vswprintf
fgetc
ftell
fseek
feof
_write
__stdio_common_vsscanf
fputs
fopen
_set_fmode
fwrite
fgetpos
__acrt_iob_func
__stdio_common_vfprintf
setvbuf
fflush
__p__commode
fputc
_popen
__stdio_common_vsprintf
_read
_pclose
fgets
ungetc
fsetpos
_open
_get_stream_buffer_pointers
_close
_fseeki64
fread

api-ms-win-crt-string-l1-1-0

_strdup
strncpy
wcscpy_s
isupper
strspn
strncmp
_stricmp
strpbrk
wcscat_s
tolower
strcmp
strcspn

api-ms-win-crt-runtime-l1-1-0

_errno
_invalid_parameter_noinfo_noreturn
terminate
strerror
_exit
_initterm_e
__p___argc
system
__sys_nerr
_beginthreadex
_invalid_parameter_noinfo
_initterm
_get_initial_narrow_environment
exit
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
_register_thread_local_exe_atexit_callback
abort
_c_exit
__p___argv
_resetstkoflw
_getpid

api-ms-win-crt-time-l1-1-0

_localtime64_s
_gmtime64
_time64
_mktime64
_difftime64

api-ms-win-crt-heap-l1-1-0

malloc
_callnewh
realloc
_set_new_mode
calloc
free

api-ms-win-crt-utility-l1-1-0

rand
qsort

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_unlock_file
_fstat64
_stat64
_access
_unlink

api-ms-win-crt-convert-l1-1-0

strtol
atoi
strtoul
strtoull
strtoll
strtod

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
_configthreadlocale
localeconv

api-ms-win-crt-math-l1-1-0

_dclass
__setusermatherr

advapi32

CryptGenRandom
AddAccessAllowedAce
GetLengthSid
GetTokenInformation
InitializeAcl
IsValidSid
SetSecurityInfo
CopySid
ConvertSidToStringSidA
CryptAcquireContextA
CryptReleaseContext
CryptGetHashParam
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptDestroyKey
CryptImportKey
CryptEncrypt
OpenProcessToken

shell32

ShellExecuteA

Sections

.text
Size: 482KB - Virtual size: 482KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 113KB - Virtual size: 112KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 28KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Headers

DLL Characteristics

File Characteristics

Sections

Size: 395KB - Virtual size: 836KB

Size: 70KB - Virtual size: 166KB

Size: 1.8MB - Virtual size: 1.9MB

Size: 18KB - Virtual size: 30KB

Size: 194B - Virtual size: 464B

Size: 275B - Virtual size: 488B

Size: 1KB - Virtual size: 2KB

.imports Size: 2KB - Virtual size: 4KB

.tls Size: 512B - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 4KB

.themida Size: - Virtual size: 5.7MB

.boot Size: 3.3MB - Virtual size: 3.3MB

.reloc Size: 16B - Virtual size: 4KB

3e5b3d81e870b56cf04c6b01bd03265e

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

msvcp140

ntdll

urlmon

psapi

normaliz

wldap32

crypt32

ws2_32

shlwapi

rpcrt4

userenv

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

advapi32

shell32

Sections

.text Size: 482KB - Virtual size: 482KB

.rdata Size: 113KB - Virtual size: 112KB

.data Size: 28KB - Virtual size: 32KB

.pdata Size: 19KB - Virtual size: 19KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 1KB - Virtual size: 1KB

.imports
Size: 2KB - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 4KB

.themida
Size: - Virtual size: 5.7MB

.boot
Size: 3.3MB - Virtual size: 3.3MB

.reloc
Size: 16B - Virtual size: 4KB

.text
Size: 482KB - Virtual size: 482KB

.rdata
Size: 113KB - Virtual size: 112KB

.data
Size: 28KB - Virtual size: 32KB

.pdata
Size: 19KB - Virtual size: 19KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 1KB - Virtual size: 1KB