644bc49915b74471625a8e331de9850a

Sharing

Copy URL Twitter E-mail

General

Target

644bc49915b74471625a8e331de9850a
Size

198KB
MD5

644bc49915b74471625a8e331de9850a
SHA1

727f3e4cfb04730cca493a8b9aa0a63f884d22b8
SHA256

c14247711e2cf747929b8b2c9198a8a56c347b0c5cc2ea85bf0ef25214fc94a8
SHA512

989830760aaf9b51a2dcb64e536ef15b8b61cefb3a49bee799a9507ab345cc3977eb40196839383574d85f806412f50ed277448d46e461c6bf7674f0ae9d7c88
SSDEEP

6144:6KaqWpU5saSPMzYwi8fF2qDH3WC+AgsrmuaOILNuo:gzpxaSuYE8qDHmSgsiu3ILN

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
644bc49915b74471625a8e331de9850a

Files

644bc49915b74471625a8e331de9850a
.dll windows:4 windows x86 arch:x86

52a669b075bad23a34ac992fd1664276

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

shlwapi

SHDeleteKeyW

msvcrt

memset
??2@YAPAXI@Z
??3@YAXPAX@Z
memcpy
__CxxFrameHandler
memmove
ceil
_ftol
strlen
strstr
strcpy
memcmp
_CxxThrowException
realloc
malloc
_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
calloc
_beginthreadex
wcsncat
wcscat
_wcsnicmp
wcschr
_wcsupr
_snprintf
_errno
strcat
sprintf
strcmp
strncpy
strncmp
fopen
fputs
fclose
wcsncpy
wcsrchr
_except_handler3
free
mbstowcs
wcscpy
wcsstr
wcstombs
strchr
atoi
_strnicmp

kernel32

SetEvent
ResumeThread
CreateThread
InitializeCriticalSection
DeleteCriticalSection
VirtualFree
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
ResetEvent
InterlockedExchange
CancelIo
Sleep
lstrlenW
MultiByteToWideChar
WaitForSingleObject
lstrcpyW
GetVersionExW
lstrcmpiA
DeleteFileW
DeleteFileA
ReadFile
GetFileSize
CreateFileW
lstrcatW
GetSystemDirectoryW
ReleaseMutex
OpenEventW
SetErrorMode
CreateMutexA
GetTickCount
SetUnhandledExceptionFilter
ExitProcess
FreeConsole
CopyFileW
GetProcAddress
LoadLibraryW
TerminateThread
MapViewOfFile
CreateFileMappingW
GetLastError
CreateDirectoryW
GetFileAttributesW
CreateProcessW
GetDriveTypeA
GetDiskFreeSpaceExA
GetVolumeInformationA
GetLogicalDriveStringsA
FindClose
LocalFree
FindNextFileW
lstrcmpW
LocalReAlloc
FindFirstFileW
LocalAlloc
RemoveDirectoryW
SetFilePointer
WriteFile
MoveFileW
GetModuleFileNameW
SetLastError
GetLocalTime
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
HeapFree
HeapAlloc
GetProcessHeap
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
LocalSize
TerminateProcess
OpenProcess
GetCurrentProcess
lstrcmpiW
GetCurrentThreadId
CloseHandle
CreateEventW
UnmapViewOfFile
OutputDebugStringW
VirtualProtect
GetModuleFileNameA
ExitProcess

user32

IsWindow
CloseWindow
CreateWindowExW
OpenDesktopW
GetThreadDesktop
GetUserObjectInformationW
OpenInputDesktop
SetThreadDesktop
CloseDesktop
EnumWindows
IsWindowVisible
GetWindowThreadProcessId
GetCursorInfo
GetCursorPos
ReleaseDC
GetDC
SetRect
GetSystemMetrics
GetClipboardData
OpenClipboard
EmptyClipboard
SetClipboardData
CloseClipboard
SetCursorPos
WindowFromPoint
SetCapture
mouse_event
keybd_event
SystemParametersInfoW
SendMessageW
BlockInput
DestroyCursor
LoadCursorW
MessageBoxW
DispatchMessageW
TranslateMessage
GetMessageW
wsprintfW
GetWindowTextA
GetClassNameA
GetWindow
PostMessageW
GetTopWindow
GetDesktopWindow
SetProcessWindowStation
OpenWindowStationW
GetProcessWindowStation
CharNextW
GetWindowTextW
GetForegroundWindow
GetAsyncKeyState
GetKeyState
ExitWindowsEx
MapVirtualKeyW
MessageBoxA

gdi32

SelectObject
CreateDIBSection
CreateCompatibleDC
DeleteObject
DeleteDC
CreateCompatibleBitmap
GetDIBits
BitBlt

advapi32

ControlService
DeleteService
CloseServiceHandle
RegOpenKeyExW
RegQueryValueW
RegisterServiceCtrlHandlerW
SetServiceStatus
RegOpenKeyW
RegQueryValueExW
RegCloseKey
RegDeleteValueW
RegEnumKeyExW
RegEnumValueW
GetTokenInformation
LookupAccountSidW
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
QueryServiceStatus
OpenServiceW
OpenSCManagerW
RegSetValueExW
RegCreateKeyW
SetNamedSecurityInfoW
BuildExplicitAccessWithNameW
GetNamedSecurityInfoW
SetEntriesInAclW
CloseEventLog
ClearEventLogW
OpenEventLogW
RegCreateKeyExW
StartServiceW
FreeSid
RegSetKeySecurity
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
AddAccessAllowedAce
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
RegDeleteKeyW

shell32

ShellExecuteW
SHGetFileInfoA

winmm

waveInPrepareHeader
waveInOpen
waveInGetNumDevs
waveInAddBuffer
waveOutOpen
waveOutGetNumDevs
waveInStart
waveOutWrite
waveInStop
waveInReset
waveInUnprepareHeader
waveInClose
waveOutPrepareHeader
waveOutUnprepareHeader
waveOutClose
waveOutReset

ws2_32

WSASocketW
ioctlsocket
__WSAFDIsSet
setsockopt
recvfrom
sendto
listen
accept
getpeername
WSACleanup
WSAStartup
bind
inet_addr
getsockname
inet_ntoa
gethostname
send
select
closesocket
recv
ntohs
socket
gethostbyname
htons
WSAIoctl
connect

iphlpapi

GetAdaptersInfo

wininet

InternetOpenUrlA
InternetReadFile
InternetOpenA
InternetGetConnectedState
InternetOpenUrlW
InternetOpenW
InternetCloseHandle

avicap32

capCreateCaptureWindowW
capGetDriverDescriptionW

msvfw32

ICSeqCompressFrameEnd
ICCompressorFree
ICClose
ICOpen
ICSendMessage
ICSeqCompressFrame
ICSeqCompressFrameStart

msvcp60

??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z
??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z

psapi

EnumProcessModules
GetModuleFileNameExW

wtsapi32

WTSFreeMemory
WTSQuerySessionInformationW

Exports

Exports

End_DDDInfo
Get_DDDInfo
Run_DDDInfo
ServiceMain
aaa_DDDInfo
aaaa_DDDInfo
bbb_DDDInfo
bbbb_DDDInfo
ccc_DDDInfo
cccc_DDDInfo
eee_DDDInfo
fff_DDDInfo
ggg_DDDInfo
hhh_DDDInfo
iii_DDDInfo
kkk_DDDInfo
lll_DDDInfo
zzz_DDDInfo

Sections

.text
Size: - Virtual size: 90KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.trhtrh0
Size: - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: - Virtual size: 91KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp2
Size: 195KB - Virtual size: 195KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

52a669b075bad23a34ac992fd1664276

Headers

File Characteristics

Imports

shlwapi

msvcrt

kernel32

user32

gdi32

advapi32

shell32

winmm

ws2_32

iphlpapi

wininet

avicap32

msvfw32

msvcp60

psapi

wtsapi32

Exports

Exports

Sections

.text Size: - Virtual size: 90KB

.rdata Size: - Virtual size: 14KB

.data Size: - Virtual size: 24KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: - Virtual size: 5KB

.trhtrh0 Size: - Virtual size: 30KB

.vmp0 Size: - Virtual size: 4KB

.vmp1 Size: - Virtual size: 91KB

.vmp2 Size: 195KB - Virtual size: 195KB

.reloc Size: 512B - Virtual size: 104B

.text
Size: - Virtual size: 90KB

.rdata
Size: - Virtual size: 14KB

.data
Size: - Virtual size: 24KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: - Virtual size: 5KB

.trhtrh0
Size: - Virtual size: 30KB

.vmp0
Size: - Virtual size: 4KB

.vmp1
Size: - Virtual size: 91KB

.vmp2
Size: 195KB - Virtual size: 195KB

.reloc
Size: 512B - Virtual size: 104B