51470fdfee0eaa1820d38e6d44a69267[.]rar

Sharing

Copy URL Twitter E-mail

General

Target

51470fdfee0eaa1820d38e6d44a69267.rar
Size

2.1MB
MD5

51470fdfee0eaa1820d38e6d44a69267
SHA1

f292a657044ab034ddd71d1eb2e46c58e62ba484
SHA256

ffa1071f9a8cab7df73c6c3bc742b303ba14f28a5e6c41c901f441cacf7bd1f9
SHA512

3eb54098b219f09a5ab108325906399dadd3800642bfade53a42ed13c53d47afd4b7d75c4f0fa97b83fdf20b4a525785d8c1e1f9f3984c180aa562638c9f850c
SSDEEP

49152:2BOMYmyHWG1QsDTVD4ML3vx4VWFFA8HQ4nAHk2LHLOb8i3mYbqj1Td:cOMoHWzIVVL3vx4Vy+4mk2LSJmgcd

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
static1/unpack001/小鬼外挂绿色版.exe	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/小鬼外挂绿色版.exe

Files

51470fdfee0eaa1820d38e6d44a69267.rar
.rar
about.url
.url
下载说明.txt
小鬼外挂绿色版.exe
.exe windows:4 windows x86 arch:x86

7ca81fbd28bdcc89c7b231a1dcd24df0

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

_strdup
_stricmp
_strnicmp
strstr
printf
malloc
free
modf
strrchr
strtod
tolower
toupper
_ftol
atoi
strncpy
sprintf
strncmp

user32

LoadStringA
GetLastActivePopup
GetWindowPlacement
IsIconic
SystemParametersInfoA
RegisterWindowMessageA
SetWindowPos
SetForegroundWindow
GetForegroundWindow
GetMessagePos
DefWindowProcA
RemovePropA
GetPropA
SetPropA
GetClassLongA
DestroyWindow
GetDlgCtrlID
GetDlgItem
GetMenuItemID
GetSubMenu
GetMenuItemCount
GetMenu
RegisterClassA
WinHelpA
UnregisterClassA
GetTopWindow
GetClientRect
AdjustWindowRectEx
GetFocus
GetSysColor
LoadIconA
ClientToScreen
GetDC
ReleaseDC
TabbedTextOutA
DrawTextA
CallNextHookEx
DestroyMenu
GetSysColorBrush
LoadCursorA
PtInRect
GetMenuCheckMarkDimensions
LoadBitmapA
GetMenuState
ModifyMenuA
SetMenuItemBitmaps
CheckMenuItem
EnableMenuItem
GetNextDlgTabItem
UnhookWindowsHookEx
CopyRect
GetCapture
GetKeyState
MessageBeep
PeekMessageA
GetMessageA
TranslateMessage
DispatchMessageA
wsprintfA
SetFocus
PostQuitMessage
GetWindowLongA
SendMessageA
CreateWindowExA
IsWindowEnabled
EnableWindow
MapWindowPoints
GetParent
GetWindowRect
GetWindowTextLengthA
IsWindow
UpdateWindow
ShowWindow
MsgWaitForMultipleObjects
ChangeDisplaySettingsA
EnumDisplaySettingsA
MoveWindow
SetWindowsHookExA
GetSystemMetrics
CharUpperA
PostMessageA
InvalidateRect
GrayStringA
GetMessageTime
SetWindowTextA
SetWindowLongA
GetWindow
GetDesktopWindow
GetAsyncKeyState
CallWindowProcA
KillTimer
SetTimer
GetWindowThreadProcessId
GetClassNameA
GetWindowTextA
IsWindowVisible
EnumWindows
FindWindowExA
MessageBoxA
GetClassInfoA
MessageBoxA

kernel32

GetVersion
lstrcatA
FileTimeToSystemTime
GetTimeZoneInformation
SetLastError
InterlockedIncrement
InterlockedDecrement
lstrlenA
WideCharToMultiByte
MultiByteToWideChar
LocalFree
GetLastError
lstrcpynA
EnterCriticalSection
lstrcpyA
LocalAlloc
InitializeCriticalSection
DeleteCriticalSection
LeaveCriticalSection
GlobalUnlock
GlobalLock
FileTimeToLocalFileTime
DuplicateHandle
ReadFile
SetFilePointer
FlushFileBuffers
LockFile
CreateToolhelp32Snapshot
Module32First
SetErrorMode
GetStdHandle
Process32First
Process32Next
OpenProcess
TerminateProcess
lstrcpyn
CreateWaitableTimerA
SetWaitableTimer
GetModuleHandleA
LoadLibraryA
GetProcAddress
CreateIoCompletionPort
CreateThread
GetQueuedCompletionStatus
SetEvent
PostQueuedCompletionStatus
CreateEventA
ResetEvent
WaitForSingleObject
RtlFillMemory
RtlMoveMemory
GetCurrentProcess
ReadProcessMemory
FreeLibrary
GetProcessHeap
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
GetModuleFileNameA
WriteConsoleA
ReadConsoleA
WriteFile
CreateFileA
CreateProcessA
GetStartupInfoA
GetTickCount
Sleep
DeleteFileA
SetFileAttributesA
GetCommandLineA
LCMapStringA
TlsGetValue
LocalReAlloc
TlsSetValue
FillConsoleOutputAttribute
SetConsoleCursorPosition
GetConsoleScreenBufferInfo
SetConsoleTextAttribute
SetConsoleCursorInfo
CloseHandle
UnlockFile
SetEndOfFile
FindClose
FindFirstFileA
GlobalDeleteAtom
GlobalFindAtomA
GlobalAddAtomA
GlobalGetAtomNameA
GlobalFlags
GetProcessVersion
GetCPInfo
GetOEMCP
GetVolumeInformationA
GetFullPathNameA
lstrcmpiA
GetFileAttributesA
GetFileSize
GetFileTime
lstrcmpA
GetCurrentThreadId
TlsAlloc
GlobalFree
GlobalHandle
TlsFree
GlobalReAlloc
SetEnvironmentVariableA
CompareStringW
CompareStringA
IsBadCodePtr
IsBadWritePtr
VirtualAlloc
SetUnhandledExceptionFilter
GetStringTypeW
GetStringTypeA
VirtualFree
HeapCreate
HeapDestroy
GetVersionExA
RtlUnwind
GetEnvironmentVariableA
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
SetHandleCount
LCMapStringW
GetFileType
SetStdHandle
HeapSize
GlobalAlloc
GetACP
GetLocalTime
GetSystemTime
RaiseException
GetConsoleCursorInfo
LoadLibraryA
VirtualProtect
GetModuleFileNameA
ExitProcess

gdi32

GetStockObject
SelectObject
RestoreDC
SaveDC
SetMapMode
SetViewportOrgEx
SetViewportExtEx
DeleteObject
CreateFontA
OffsetViewportOrgEx
GetDeviceCaps
PtVisible
ScaleViewportExtEx
SetWindowExtEx
ScaleWindowExtEx
GetClipBox
SetTextColor
SetBkColor
GetObjectA
DeleteDC
CreateBitmap
Escape
ExtTextOutA
TextOutA
RectVisible

wininet

HttpQueryInfoA
InternetReadFile
HttpSendRequestA
InternetSetOptionA
HttpOpenRequestA
InternetCloseHandle
FtpRenameFileA
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpSetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpPutFileA
InternetConnectA
InternetOpenA
FtpGetFileA
InternetFindNextFileA
FtpFindFirstFileA
InternetCrackUrlA
InternetCanonicalizeUrlA
FtpDeleteFileA

shell32

SHGetSpecialFolderLocation
ShellExecuteA
SHGetPathFromIDListA

rasapi32

RasGetEntryDialParamsA
RasEnumEntriesA
RasEnumConnectionsA
RasHangUpA
RasDialA
RasGetConnectStatusA

comdlg32

GetFileTitleA

winspool.drv

ClosePrinter
OpenPrinterA
DocumentPropertiesA

comctl32

ord17

wsock32

select
gethostname
WSACleanup
WSAStartup
closesocket
ioctlsocket
gethostbyname
WSASetLastError
socket
setsockopt
recv
send
htons
connect

Exports

Exports

��G��H�ʳ�� �4��]ы��"��%;��(��v�S=��6$�%̧Y�Ng��l5j��+=ʨ��rA��;��U�VW̮�&�&Ν�"Ǔ�oҌ��q&�a��u򬘆& ��5�.��<�di��l��N�@M!�� q��=+K�\� �e��z��//��`��4ENʛ>�fW��N� O!r�I&浣��bŕw�|��{T�?T��Rq�Bzc��~i��*�`7jm��1iRZ�M�WS��v�b�^F�U� ��i�x��R�F�_+४�65A��-H� E1��$�>~�B��~9�� +9��qT@�i�eX�$Au(� ��8��*��zP�H��+Y�`�Cc��`=��p>Hc�u�-Fteto��Em|)�E+��=��kpiD�Ic�w��hef0z��Q ��p��J��j�K��S��bz?��x>�ȃߍb��$M�2�aj��G��8Q�Ȩ��yȥ��&*��.�� Mu��>��D��8:�"��hOc�h8��iuȪG�uց�4��D�q��-ey�>�Z`]`��AEfB� ɞ�Am��V�t��u$��KK�19�`��?O��OAZ! ��x�O@Iw�#��6E��l��Ռ ZJ�JcE�z}�f"��=�6A��Ƚ}�O�l��kZ�)��<��`��TC�}s��9�!W��F��V�e�H�C�k�B�^�Ƿ�C)��|�7.��X�u5%DLTx�^ �fK�qr&o�w?�S��J��$�Va� ��S�� :�G��cN�3�36Iv�HaQ�ǹMA=U��ȃ�Y�/߆Y"��2��2Q��4I�%��M%�ֆ�`�� o �W��#x��8]9�͠�Ն�/��8�&k%i`��Xo|��4U1��M-�g��N�G��E�?�ft�&T��ًZ>DV�Ķ7�ֈ�%�� (\!בBmg�&�9��8��.�=)&�4��*�;d�T��<z��^M?�‘j0�D rN�ˮ�w�n��<��ޖ&�U��iL�ȡ� 5U�Ώ��h)�៝��o%��^4��^C��1?+e��J9�i@TQ:��i�c�?��'f��|�?�ޅ�lDTd��p`�F��O��@�R$��D��n��(��!��_Lc��<�.��Ђi� d�-I�jo �P��]<5�ȼ��b�7��@��i��y�<'��ݻ��J �u8'��e�K㣔p�/�6��5<� ��w��;��^�c�6=7K�� C��x�-�7 :l&F`��ۿ�|_�}z֗��:,��GNL��'}b�r�aR4<�1RMi� D��z]�d�-a�M��,�l�[2�ݲ��z��x,��"�+�u�a��hm��텩(!t|N@�Y��bTC!a��6#v��\r��χ��5Z�(�z� a��Yxr� �.ꫤ?��9Y(~��QD�i?j�`��ڶ�_/� ^��s��k��dTlb�u��af��p��_��2�*�M �:�α�#�3�H�5)�$-v!�Wt]�f�҂騫��?�bL�"�ߩNx#��dX��u*P*S��l��F1��8��5F��(�p��#4J\� 6��N�,��N~��{��zq��R��!�b�g=0T��a��>4<�o��I��_�A�w��N��"o�q�OA��`h��g qu��We˂~@�Ǆ~��hV끥'q�O��C�� r��)�Y��s�z�V�C��F�eئ��KnZ{<��~��"�ӫ ��=� ��1�d�M��JN��b�{�_��a��W�KViW^wz)�Z`s���U�ق�wV�~�Ф��v��fDhՂ�e^ȍ �J^ho�ޞ�W�h�C��/!S�� twi��P�g�0>��N�I�"G��ն��0�8�5Br��H^�-L�D</�~��93X��Չ��KF'��S�j6�٢Y�R�"�f�\ ��ڝ��7��l۷)�\��{?�-큲R�wi�j)D��`��z��8z`TL�-ü?��K��p��{Ȋy��#�/��H��5�B.{51��`<l�$��"i?�"aW��D��|��Ñ�֞��H��vl�;p5�48-O�N�I!?3B�(�]��ft;�7�F��^K�4&�]S��CA��Z:>�FX#�G��b�=�lɮBH�@D�� d��1w1*}'�s��I�r~��껻,/��H��6<�1�A!?�4�Jv��y7S�{�d��U�Ոј�&̅V�8��mдz��\'$�(�� ?��WqDވQ�Gh�U3��=�y�X��7��9��^>j}.��u^�ި��ԉ��"��g;~e�p٧z��c$��P��$��u'� �n��J��.k�!�;�э��,�Ot5�b��dp�^2��ͺ��^�! ժ��sfK�d�S�'G��rjm�a��5��Atq)}G\�x4-�v*$��CE��Jp�c�]�xJY��O �t,�Й��υ��D��tA�B�5%2[��'4Hh�G�W�p��d��yt�{�{��`��W7��0v�{��h2��P�c�*q��5ALՉg �ѯ�?ߴ��q��Y��J��bX��h�)�W�n�ZUw%��u�"]�G��d��@��L^-R��a�1�a��9Q�P�WKa_q��2U;y�^��|@`��xĪ��ԵF?l�E��l��ڛĩ[b��C�9��F�z�H��p��h��j�Ut�H��=i�

Sections

.text
Size: - Virtual size: 160KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 2.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE

.tls
Size: 4KB - Virtual size: 24B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp1
Size: 2.2MB - Virtual size: 2.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 136B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
新云软件.url
.url

Sharing

General

Malware Config

Signatures

Files

7ca81fbd28bdcc89c7b231a1dcd24df0

Headers

File Characteristics

Imports

msvcrt

user32

kernel32

gdi32

wininet

shell32

rasapi32

comdlg32

winspool.drv

comctl32

wsock32

Exports

Exports

Sections

.text Size: - Virtual size: 160KB

.rdata Size: - Virtual size: 28KB

.data Size: - Virtual size: 2.1MB

.rsrc Size: 8KB - Virtual size: 4KB

.vmp0 Size: - Virtual size: 12KB

.tls Size: 4KB - Virtual size: 24B

.vmp1 Size: 2.2MB - Virtual size: 2.2MB

.reloc Size: 4KB - Virtual size: 136B

.text
Size: - Virtual size: 160KB

.rdata
Size: - Virtual size: 28KB

.data
Size: - Virtual size: 2.1MB

.rsrc
Size: 8KB - Virtual size: 4KB

.vmp0
Size: - Virtual size: 12KB

.tls
Size: 4KB - Virtual size: 24B

.vmp1
Size: 2.2MB - Virtual size: 2.2MB

.reloc
Size: 4KB - Virtual size: 136B