Setup[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Setup.exe
Size

4.6MB
MD5

862c7e9cf539af2260d1104a9873d228
SHA1

851ec5e5bce6458f36756b2250c5573bd97927fc
SHA256

a631ccfd88b9daa48e6d1a70fc6bed57caed44e415caa52f8d329d61221a4b9d
SHA512

735d9f7890fbc30e08ddf1b9d2c883eefe0931fdcc8b54c3f6e9b717fd07557fc3bb4499a3fae97aa63464e8d6e16f8d4c374c29e05006d58e9e8b85307f27c3
SSDEEP

98304:tCbg3U71Ca89eJn3Ka8fVRT4i0CAv7KYAAxst1c9l5PuF4qNe:gbKU7S03gLul7K6xsvcHgqV

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
sample	themida

Files

Setup.exe
.exe windows:5 windows x86 arch:x86

da4e91b3a297ec0bc536dd4d8016af1b

Code Sign

1b:97:95:8a:61:90:30:4e:a6:f0:83:46:8c:0d:0b:a0
Certificate

Issuer

CN=ActiveReports RDF document API,OU=Active,O=GrapeCity Inc. All rights reserved,L=%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%,ST=CH,C=CH

Not Before

10-12-2023 16:10

Not After

26-09-2025 00:00

Subject

CN=ActiveReports RDF document API,OU=Active,O=GrapeCity Inc. All rights reserved,L=%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%%-±×-%,ST=CH,C=CH

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

Issuer

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

03-05-2023 00:00

Not After

02-08-2034 23:59

Subject

CN=Sectigo RSA Time Stamping Signer #4,O=Sectigo Limited,ST=Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02-05-2019 00:00

Not After

18-01-2038 23:59

Subject

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

49:7b:3d:6d:24:09:b5:56:f0:d9:64:7f:52:84:70:a0:40:59:4a:7f:1f:cc:65:98:b4:28:d7:5d:93:55:f1:c7
Signer

Actual PE Digest

49:7b:3d:6d:24:09:b5:56:f0:d9:64:7f:52:84:70:a0:40:59:4a:7f:1f:cc:65:98:b4:28:d7:5d:93:55:f1:c7

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetModuleHandleA
HeapAlloc
HeapFree
ExitProcess
LoadLibraryA
GetModuleHandleA
GetProcAddress

msvcrt

__CxxFrameHandler3

user32

CharToOemA

advapi32

RegGetValueA

ole32

CoInitializeSecurity

oleaut32

VariantClear

shlwapi

ord155

Sections

Size: - Virtual size: 94KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: - Virtual size: 2.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.EXEæ§
Size: - Virtual size: 210KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.themida
Size: - Virtual size: 3.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: - Virtual size: 2.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.EXEæ§
Size: - Virtual size: 775KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.EXEæ§
Size: 512B - Virtual size: 476B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.EXEæ§
Size: 4.4MB - Virtual size: 4.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 154KB - Virtual size: 210KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

da4e91b3a297ec0bc536dd4d8016af1b

Code Sign

1b:97:95:8a:61:90:30:4e:a6:f0:83:46:8c:0d:0b:a0Certificate

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4Certificate

Extended Key Usages

Key Usages

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9Certificate

Extended Key Usages

Key Usages

49:7b:3d:6d:24:09:b5:56:f0:d9:64:7f:52:84:70:a0:40:59:4a:7f:1f:cc:65:98:b4:28:d7:5d:93:55:f1:c7Signer

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

msvcrt

user32

advapi32

ole32

oleaut32

shlwapi

Sections

Size: - Virtual size: 94KB

Size: - Virtual size: 36KB

Size: - Virtual size: 2.1MB

.EXEæ§ Size: - Virtual size: 210KB

Size: - Virtual size: 17KB

.idata Size: - Virtual size: 4KB

.themida Size: - Virtual size: 3.9MB

.boot Size: - Virtual size: 2.1MB

.EXEæ§ Size: - Virtual size: 775KB

.EXEæ§ Size: 512B - Virtual size: 476B

.EXEæ§ Size: 4.4MB - Virtual size: 4.4MB

.reloc Size: 7KB - Virtual size: 6KB

.rsrc Size: 154KB - Virtual size: 210KB

1b:97:95:8a:61:90:30:4e:a6:f0:83:46:8c:0d:0b:a0
Certificate

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

49:7b:3d:6d:24:09:b5:56:f0:d9:64:7f:52:84:70:a0:40:59:4a:7f:1f:cc:65:98:b4:28:d7:5d:93:55:f1:c7
Signer

.EXEæ§
Size: - Virtual size: 210KB

.idata
Size: - Virtual size: 4KB

.themida
Size: - Virtual size: 3.9MB

.boot
Size: - Virtual size: 2.1MB

.EXEæ§
Size: - Virtual size: 775KB

.EXEæ§
Size: 512B - Virtual size: 476B

.EXEæ§
Size: 4.4MB - Virtual size: 4.4MB

.reloc
Size: 7KB - Virtual size: 6KB

.rsrc
Size: 154KB - Virtual size: 210KB