41584af811ae303e63ce7fe7d0cd72a5

Sharing

Copy URL Twitter E-mail

General

Target

41584af811ae303e63ce7fe7d0cd72a5
Size

71KB
MD5

41584af811ae303e63ce7fe7d0cd72a5
SHA1

f216a825bbb3ae2cd1c5d9b12e1b562f4367ed8e
SHA256

e6bbfc4fdff2f40bb8b55e47cc6fb59ea9ee42e4caa60b80ad9d5ced4399d3f7
SHA512

84575bd749983a9d6a36764ef031619a7ef1f05e95236f525e7599fb6751dcb3864064a464e6f5d6a11651412f1d4dd43263a2125caaea311fdb3111ebde9bff
SSDEEP

1536:Wt/ADw67CVr43LOLckzATn68kpswxMWp0NMftI1luQRowV:M7oEwqwkz18EFWmlEluQRPV

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
static1/unpack001/[S][M]Executive/segara.dll	vmprotect

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/[S][M]Executive/[S][M]Executive vis.exe
unpack001/[S][M]Executive/segara.dll

Files

41584af811ae303e63ce7fe7d0cd72a5
.rar
[S][M]Executive/[S][M]Executive vis.exe
.exe windows:4 windows x86 arch:x86

5c391519f09e9976ac90164f8b4ff37f

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

_CIcos
_adj_fptan
__vbaVarVargNofree
__vbaFreeVar
__vbaLenBstr
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
_adj_fprem1
__vbaRecAnsiToUni
__vbaCopyBytes
__vbaStrCat
__vbaLsetFixstr
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaExitProc
__vbaObjSet
__vbaOnError
ord595
_adj_fdiv_m16i
_adj_fdivr_m16i
__vbaStrFixstr
_CIsin
ord631
__vbaChkstk
EVENT_SINK_AddRef
__vbaGenerateBoundsError
__vbaStrCmp
DllFunctionCall
__vbaRedimPreserve
_adj_fpatan
__vbaRedim
__vbaRecUniToAnsi
EVENT_SINK_Release
__vbaUI1I2
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
__vbaStrToUnicode
_adj_fprem
_adj_fdivr_m64
__vbaFPException
__vbaInStrVar
__vbaStrVarVal
__vbaI2Var
_CIlog
__vbaErrorOverflow
__vbaR8Str
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
ord100
__vbaVarDup
__vbaStrToAnsi
__vbaFpI4
ord616
_CIatan
__vbaCastObj
__vbaStrMove
__vbaStrVarCopy
_allmul
_CItan
_CIexp
__vbaFreeObj
__vbaFreeStr

Sections

.text
Size: 52KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 16KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
[S][M]Executive/segara.dll
.dll windows:4 windows x86 arch:x86

69a86f973deda08b1926d8e9c941662f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

kernel32

AddAtomA
CreateThread
DisableThreadLibraryCalls
ExitProcess
FindAtomA
GetAtomNameA
GetCurrentProcess
GetModuleFileNameA
GetModuleHandleA
ReadProcessMemory
Sleep
VirtualProtect
LoadLibraryA
VirtualProtect
GetModuleFileNameA
ExitProcess

msvcrt

__dllonexit
_errno
_iob
abort
fflush
fprintf
free
malloc
memcpy
strstr

user32

GetAsyncKeyState
MessageBeep
MessageBoxA
MessageBoxA

Exports

Exports

�P��#aإfl}S��~�mN�mz\��gM��-��"��;� �/eCۿ��e��;��y�_9'7In��Q+O�ba�� ?J=l��O/��N"ʷ_8=�퓚N�M�(�.�Y��Ĺ��<��{��A��bz��6�=��6^:��>��3RFݳ-�{�V��s;V5��*P ��D��$��ڔO�4� ��ݴ��Gz�f��%C��+ZS�b�`�I�%� R��d��ϓVD2e|м�3g8�]�k��jK� { �I(��è��z��h��#�>��s�^c��[ /;�8*�24Jz� ��(�ۈkD�f�b��l�J��V�㦽L{��]�`ӎ�!��7),�Uֻ�0�̦Z�m�ycƘ��^��0L��D9��M>go�`�Dyb{��-*��]I��dv��Bk` _<%<�=�c�FME��7i�kb!�0��/g�$an�1uL��P|Q�F��A[�ke��p��XBD[��JD��<'��ӂP$)��7�#Q��b��t�"!��T�莪�-hq�݁<��=��}��O�Bڶv�˂^،NR=uT{YLl��m��X��4r8:��L�H,h5�n�J"�PZp�R�6Dpk{Kpק��E .b-�-39^�q��3nG�ʯ�ԡ{�-��U�HN�fJ恭�&Ob�>��\e��"�tT��״��G��P5c��)s�n!�w̄r��,��諒��C�Z��su3�}�0\��n��kK\��T��,�� Z jH�N�^�"�¯��?�O]�y��6A�2�Txp�\A.�}E��L�D8��`|�ߓ��/6�s�4�[)��i��Ϸ�^��t^o2�j�N��"UWW��ƖW`5z�+��76=��O1��to�#J�;��}�'�dkҽ��Ϫ��d��U�"�4�{)i��T03~N��N��ګ�4O��uڳ@ M�C�՜GF;�&?i�Y_� �<��|�#��:4��r��v�N5(�t��̄��4��ϋW)��k��:��b�Z}o��+�$��{wr�8��;��CM��;O��/��z�p��IJQ�r�{�֍y�/k�|\��ʔ>�Vc��J��>j'7��B��R~}�0��:��GT`%�;��o0�b|[oF��N/��57��kPʯ��o�:ǰe�ǒ�n��#TYz4t�)%�>��s�0ͯ�A�U-�q J�^�勺qE^J~��c�~��5�G��x�6:��k�cd�^�Jߥ"$KX�X��ؑx�xm��Z6�J��l�0��B� V$UbВ'9�G�r�~��0��`��4��&��n6[ ��3˼t��k�� H!R)72)�ۦ��r��9m�pzjQ)$��>��X�m�q�,}9��?��l.աd�� +{��Z��~��6��FM��NM윻|��<w��Wo�}/��T=?��R�;��i��Q�;�z�a��З��9��4�~H��K)��䦍ȡ��08]̈��?��9>�#��a��JA�4��#��H�j��xPD;@8a�>�h��ӕ�(k\��K��j�o�5��P{�ҧU*}�Z(�(*� eϴ��%UdBl�J.�;��}��i<?� }�e��G�^��av`�J�@8�� ~N�R��e� �.%��Z"�$��5��r-B��7=4�<c��:�k�h�� o��.��QF{zmMwϔ��<t��~ �=�L�"zm��P��&h�O��H�d�հ��`�pkk�jen�箬0�Ҳ~�v�ΣJ��%Y�A��t�� ]*� ��L�ئcv��b�`�2go�#��"?��D� ��(1`�x�0�pU`��^�A� ˫��5� �cI�|��4��?�ppAt�VT X�44��"��A��$�3�y��!��kp��?�\@k$�p�g��]�F��#L�G!�7i�I!��u�,zLo�[Ŏ��]��aFNbo��8A��F�F��9�F��6'��gx�;�|�g� �_��"�H�\yɻ��R*��+��A�bNWh S �"�_c�2RX��v��+͑�a��q[읥��Z��|B�R�9A�(�œm'R��Qޠ4m(�)��{:� 5��F�'��t�Y%>�0p�^\X# ��Iݿu��2�Y y�V�2��Ix;��J�ĉ�u�4�w�]Â��\�&��{� v��"S�w�j��IF�|hPiX��'K��5P��G�i��n��GZYF�歲�2W��?�¬�J*}��}�B��E��rC��[��KJ��Ju֒�J�[W-��4~!�>s�F�rFlP�c��=�r5��q黫�qH�'{%5��@�X��Z�5��OOj��[@Q�ɳ�d"�D��8�j�>, ��b7��M��9S��i*�C��-��)rr��k�_��X��z��o��w��$��H��T8χE�s��A�0�Z>a��H�%b�1�sq�c�+�@I64��o�I��c�sh��B��2̹��T��ؓ�v�弐��P��Ti?��{�oK��A�)��X_��Ce�}B��m!�N��TBYV�O��= ��te��A��T� �IՂ�y!* �l��C��5��b��GD>ߓPٳR=+�Y��8/��#��⾻�� |� �fk��*z�+6�<�EF!��}�C.�e�թGܒ�e�Y��5|�Qx9�0��^(� �%ib3-��Q�Tr�A1�s��Z��DnO��+o�D��$:�q� ]�Tl��lP��&>��Г�o!��WA��8?��.>��H

Sections

.text
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: - Virtual size: 592B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 192B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: - Virtual size: 844B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: - Virtual size: 296B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 24B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp2
Size: 59KB - Virtual size: 58KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 204B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

5c391519f09e9976ac90164f8b4ff37f

Headers

File Characteristics

Imports

msvbvm60

Sections

.text Size: 52KB - Virtual size: 51KB

.data Size: 4KB - Virtual size: 3KB

.rsrc Size: 16KB - Virtual size: 13KB

69a86f973deda08b1926d8e9c941662f

Headers

File Characteristics

Imports

kernel32

msvcrt

user32

Exports

Exports

Sections

.text Size: - Virtual size: 3KB

.data Size: - Virtual size: 48B

.rdata Size: - Virtual size: 592B

.bss Size: - Virtual size: 192B

.idata Size: - Virtual size: 844B

.vmp0 Size: - Virtual size: 296B

.vmp1 Size: - Virtual size: 16KB

.tls Size: 512B - Virtual size: 24B

.vmp2 Size: 59KB - Virtual size: 58KB

.reloc Size: 512B - Virtual size: 204B

.text
Size: 52KB - Virtual size: 51KB

.data
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 16KB - Virtual size: 13KB

.text
Size: - Virtual size: 3KB

.data
Size: - Virtual size: 48B

.rdata
Size: - Virtual size: 592B

.bss
Size: - Virtual size: 192B

.idata
Size: - Virtual size: 844B

.vmp0
Size: - Virtual size: 296B

.vmp1
Size: - Virtual size: 16KB

.tls
Size: 512B - Virtual size: 24B

.vmp2
Size: 59KB - Virtual size: 58KB

.reloc
Size: 512B - Virtual size: 204B