Zchairs Fully patched[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

Zchairs Fully patched.exe
Size

11.0MB
MD5

b98542fb3bcb15a62b3d17c0def49329
SHA1

635eef3c1af558d461d6be3dde90622306956538
SHA256

9546700fdb4c1911a1a40b8359f2438d174d21d499887ef8cad63d39763759c1
SHA512

e6cee644feb57970c736ebd6c94e4198f44dd50be4b3bdde49522c53a0eb241973e6f30e5b7f4366db9de4e28d17c6ab5c4d890376becfa6f0bd5b911e274e4c
SSDEEP

196608:fn2/gyfWA3OnTHTTmx2aOHzKTo/lc2gg:v2/3WMOnTHTxRHz7G6

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
sample	themida

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Zchairs Fully patched.exe

Files

Zchairs Fully patched.exe
.exe windows:6 windows x64 arch:x64

a62329cee410c2105f7f01418ab34039

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

GetTokenInformation
CryptEncrypt
CryptImportKey
CryptDestroyKey
CryptDestroyHash
OpenProcessToken
IsValidSid
ConvertSidToStringSidA
CryptAcquireContextA
CryptReleaseContext
CryptGetHashParam
CryptGenRandom
CryptCreateHash
CopySid
CryptHashData
GetLengthSid

crypt32

CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CertFindExtension
CertAddCertificateContextToStore
CertGetNameStringA
CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
CryptDecodeObjectEx
PFXImportCertStore

gdi32

GetDeviceCaps

imm32

ImmReleaseContext
ImmSetCompositionWindow
ImmGetContext

kernel32

LocalFree
EnterCriticalSection
LeaveCriticalSection
SleepEx
GetSystemDirectoryA
VerifyVersionInfoA
GetTickCount
MoveFileExA
WaitForSingleObjectEx
GetEnvironmentVariableA
GetFileType
ReadFile
PeekNamedPipe
WaitForMultipleObjects
CreateFileA
DeleteCriticalSection
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GetStartupInfoW
GetModuleHandleW
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
OutputDebugStringW
InitializeCriticalSectionEx
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
GetConsoleWindow
SetConsoleTextAttribute
SetConsoleCursorPosition
GetConsoleScreenBufferInfo
GetModuleFileNameA
CreateThread
GetCurrentProcess
Sleep
SetLastError
GetLastError
CloseHandle
Beep
CheckRemoteDebuggerPresent
IsDebuggerPresent
SetFileAttributesA
GetStdHandle
VerifyVersionInfoW
LoadLibraryA
GetProcAddress
GetModuleHandleA
FreeLibrary
QueryPerformanceFrequency
QueryPerformanceCounter
VerSetConditionMask
WideCharToMultiByte
MultiByteToWideChar
GlobalFree
GlobalLock
GlobalUnlock
FormatMessageA
GlobalAlloc
GetFileSizeEx

msvcp140

?_Random_device@std@@YAIXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
?wcerr@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV?$basic_ios@DU?$char_traits@D@std@@@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Xbad_function_call@std@@YAXXZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
??4?$_Iosb@H@std@@QEAAAEAV01@$$QEAV01@@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?width@ios_base@std@@QEAA_J_J@Z
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGG@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?_Xlength_error@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?uncaught_exception@std@@YA_NXZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?good@ios_base@std@@QEBA_NXZ
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?flags@ios_base@std@@QEBAHXZ
?width@ios_base@std@@QEBA_JXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?fill@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAGXZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ

normaliz

IdnToAscii

psapi

GetModuleInformation

rpcrt4

UuidCreate
UuidToStringA
RpcStringFreeA

shell32

ShellExecuteA

user32

SetCursorPos
SetCursor
OpenClipboard
CloseClipboard
SetClipboardData
GetClipboardData
EmptyClipboard
DefWindowProcA
UnregisterClassA
RegisterClassExA
CreateWindowExA
IsChild
DestroyWindow
ShowWindow
SetLayeredWindowAttributes
SetWindowPos
IsIconic
BringWindowToTop
SetFocus
GetKeyState
GetCapture
SetCapture
ReleaseCapture
GetForegroundWindow
SetForegroundWindow
GetDC
GetCursorPos
ReleaseDC
SetWindowTextW
GetClientRect
ClientToScreen
ScreenToClient
WindowFromPoint
GetWindowLongW
SetWindowLongA
SetWindowLongW
LoadCursorA
MonitorFromWindow
GetMonitorInfoA
EnumDisplayMonitors
TranslateMessage
AdjustWindowRectEx
DispatchMessageA
PeekMessageA
BlockInput
FindWindowA
PostQuitMessage
GetSystemMetrics
UpdateWindow
GetWindowRect
MessageBoxA
GetDesktopWindow

userenv

UnloadUserProfile

vcruntime140

__std_exception_copy
__std_exception_destroy
_CxxThrowException
__C_specific_handler
__current_exception
__current_exception_context
__std_terminate
strstr
strrchr
memcmp
strchr
memset
memcpy
memcpy
memchr

vcruntime140_1

__CxxFrameHandler4

wldap32

ber_free
ldap_unbind_s
ldap_set_optionA
ldap_simple_bind_sA
ldap_bind_sA
ldap_search_sA
ldap_msgfree
ldap_err2stringA
ldap_first_entry
ldap_next_entry
ldap_first_attributeA
ldap_next_attributeA
ldap_get_values_lenA
ldap_value_freeW
ldap_get_dnA
ldap_memfreeA
ldap_initA
ldap_sslinitA

ws2_32

htonl
gethostname
sendto
FreeAddrInfoW
getaddrinfo
select
__WSAFDIsSet
ioctlsocket
listen
htonl
accept
WSACleanup
WSAStartup
WSAIoctl
WSASetLastError
socket
setsockopt
htons
htons
getsockopt
getsockname
getpeername
connect
bind
WSAGetLastError
send
recv
closesocket
recvfrom

ucrtbase

_strtoui64
strtod
_strtoi64
strtol
atoi
strtoul
_unlink
_access
_stat64
_fstat64
malloc
free
_set_new_mode
calloc
_callnewh
realloc
_configthreadlocale
localeconv
cosf
fmodf
_dclass
__setusermatherr
pow
ceilf
acosf
sqrtf
sinf
sqrt
_getpid
_invalid_parameter_noinfo_noreturn
_c_exit
exit
_wassert
system
_errno
_Exit
terminate
abort
_initterm_e
_initterm
_get_narrow_winmain_command_line
_register_thread_local_exe_atexit_callback
_set_app_type
_seh_filter_exe
_cexit
_resetstkoflw
_invalid_parameter_noinfo
_crt_atexit
__sys_nerr
strerror
_register_onexit_function
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_beginthreadex
_wfopen
_popen
_pclose
__stdio_common_vsscanf
_close
fwrite
__acrt_iob_func
ftell
_write
fseek
_read
_set_fmode
__stdio_common_vsprintf
__p__commode
_lseeki64
fgets
fread
fflush
fclose
feof
fputs
fopen
fputc
_open
strcpy_s
tolower
strpbrk
strcmp
strncpy
strcspn
_mbsdup
isupper
strspn
strncmp
_time64
_gmtime64
rand
srand
qsort

d3d9

Direct3DCreate9

Sections

.text
Size: 767KB - Virtual size: 768KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 599KB - Virtual size: 608KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 3KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 33KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: 6.1MB - Virtual size: 6.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 3.6MB - Virtual size: 3.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ

.SCY
Size: 12KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

a62329cee410c2105f7f01418ab34039

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

crypt32

gdi32

imm32

kernel32

msvcp140

normaliz

psapi

rpcrt4

shell32

user32

userenv

vcruntime140

vcruntime140_1

wldap32

ws2_32

ucrtbase

d3d9

Sections

.text Size: 767KB - Virtual size: 768KB

Size: 599KB - Virtual size: 608KB

Size: 3KB - Virtual size: 8KB

Size: 33KB - Virtual size: 36KB

Size: 512B - Virtual size: 4KB

Size: 1KB - Virtual size: 4KB

.idata Size: 2KB - Virtual size: 4KB

.tls Size: 512B - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 4KB

.themida Size: 6.1MB - Virtual size: 6.1MB

.boot Size: 3.6MB - Virtual size: 3.6MB

.reloc Size: 512B - Virtual size: 4KB

.SCY Size: 12KB - Virtual size: 16KB

.text
Size: 767KB - Virtual size: 768KB

.idata
Size: 2KB - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 4KB

.themida
Size: 6.1MB - Virtual size: 6.1MB

.boot
Size: 3.6MB - Virtual size: 3.6MB

.reloc
Size: 512B - Virtual size: 4KB

.SCY
Size: 12KB - Virtual size: 16KB