unpacked_FlashyEfi[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

unpacked_FlashyEfi.exe
Size

12.0MB
MD5

28972538ace9976dea1cdc7d39a7f2f5
SHA1

cc83d990fc3f9508326e62c95fbe3945b4f98f49
SHA256

585162cee04b52f897d3012dd12c746eb8561ed386908bba3d291704c09a8c90
SHA512

48d0da18e4175854e89d2cb1207722787588842b2ca1076e1ac474db61987c4e2c4a0df35e22fa59dbd6cc30a587d81eb6d2f3879bc59bf312d9b74912ac7475
SSDEEP

196608:v/oMT1K/9uroQ0ZXABzD25bxNhIk32gpYUe:oMT1K1CUABzi5bxNak3/3

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
sample	themida

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpacked_FlashyEfi.exe

Files

unpacked_FlashyEfi.exe
.exe windows:6 windows x64 arch:x64

42988b329f3ef6eb33e6e86986106209

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

CryptReleaseContext
CryptGetHashParam
CryptGenRandom
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptDestroyKey
CryptImportKey
CryptEncrypt
CryptAcquireContextA

crypt32

CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFreeCertificateChain
CertFindCertificateInStore
CertGetCertificateChain
CertFreeCertificateContext
CryptStringToBinaryA
CertFreeCertificateChainEngine
PFXImportCertStore
CryptDecodeObjectEx
CertAddCertificateContextToStore
CertCreateCertificateChainEngine
CertGetNameStringA
CryptQueryObject
CertFindExtension

imm32

ImmReleaseContext
ImmSetCompositionWindow
ImmGetContext
ImmSetCandidateWindow

kernel32

GetTickCount
GetPrivateProfileStringA
GetPrivateProfileIntA
OutputDebugStringW
GetConsoleWindow
Beep
WritePrivateProfileStringA
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
GetCurrentProcess
SetPriorityClass
CreateEventA
GetProcessHeap
HeapAlloc
CloseHandle
CreateFileA
GetLastError
InitializeCriticalSectionEx
DeleteCriticalSection
MapViewOfFile
UnmapViewOfFile
GetModuleHandleW
SetLastError
FormatMessageA
EnterCriticalSection
LeaveCriticalSection
SleepEx
GetSystemDirectoryA
VerifyVersionInfoA
MoveFileExA
WaitForSingleObjectEx
GetEnvironmentVariableA
GetStdHandle
GetFileType
ReadFile
PeekNamedPipe
GetFileSizeEx
CreateFileMappingA
WaitForMultipleObjects
DeviceIoControl
HeapFree
QueryPerformanceCounter
FreeLibrary
VerSetConditionMask
QueryPerformanceFrequency
LoadLibraryA
GetModuleHandleA
GlobalUnWire
WideCharToMultiByte
GlobalLock
GlobalFree
GlobalAlloc
MultiByteToWideChar
Sleep
GetCurrentProcessId
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
GetProcAddress
LoadLibraryW
VirtualAlloc
VirtualFree

msvcp140

?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??Bid@locale@std@@QEAA_KXZ
??Bios_base@std@@QEBA_NXZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?_Xlength_error@std@@YAXPEBD@Z
_Query_perf_frequency
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
??4?$_Iosb@H@std@@QEAAAEAV01@$$QEAV01@@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
_Xtime_get_ticks
_Thrd_detach
_Query_perf_counter
_Thrd_sleep
_Cnd_do_broadcast_at_thread_exit
?id@?$ctype@D@std@@2V0locale@2@A
?_Xbad_function_call@std@@YAXXZ
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Xout_of_range@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Throw_Cpp_error@std@@YAXH@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?uncaught_exception@std@@YA_NXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z

normaliz

IdnToAscii

user32

LoadCursorW
SetCursor
GetClientRect
ClientToScreen
SetCursorPos
OpenClipboard
ScreenToClient
CloseClipboard
EmptyClipboard
GetClipboardData
SetClipboardData
GetCursorPos
GetWindow
DestroyWindow
SetWindowLongPtrW
GetSystemMetrics
ShowWindow
GetAsyncKeyState
MessageBoxA
SetMenu
SendInput
GetKeyState
GetForegroundWindow

vcruntime140

__std_terminate
__intrinsic_setjmp
__C_specific_handler
__current_exception_context
__current_exception
longjmp
strrchr
memset
memcpy
memcpy
memcmp
memchr
_CxxThrowException
strchr
strstr
__std_exception_copy
__std_exception_destroy

vcruntime140_1

__CxxFrameHandler4

wldap32

ldap_value_free_len
ldap_get_values_lenA
ldap_next_attributeA
ldap_first_attributeA
ldap_next_entry
ldap_first_entry
ldap_err2stringA
ldap_msgfree
ldap_bind_sA
ldap_simple_bind_sA
ldap_memfreeA
ber_free
ldap_set_optionA
ldap_unbind_s
ldap_sslinitA
ldap_initA
ldap_search_sA
ldap_get_dnA

ws2_32

getaddrinfo
FreeAddrInfoW
recvfrom
sendto
WSAGetLastError
send
htonl
recv
__WSAFDIsSet
closesocket
select
bind
connect
ioctlsocket
getpeername
listen
getsockname
getsockopt
htons
accept
WSACleanup
htons
htonl
setsockopt
socket
WSASetLastError
WSAIoctl
WSAStartup
gethostname

ucrtbase

strtoul
strtod
_strtoi64
strtol
atoi
atof
_strtoui64
_fstat64
_stat64
_access
_unlink
malloc
calloc
free
_set_new_mode
_callnewh
realloc
_configthreadlocale
localeconv
tanf
sinf
sqrtf
powf
pow
logf
log
fmodf
cosf
ceilf
atan2f
atan2
asin
acosf
_dclass
__setusermatherr
_invalid_parameter_noinfo_noreturn
__sys_nerr
exit
_beginthreadex
_errno
terminate
system
_getpid
_register_thread_local_exe_atexit_callback
_c_exit
__p___argv
__p___argc
_Exit
_initterm_e
_initterm
_get_initial_narrow_environment
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
strerror
_pclose
__p__commode
ftell
__acrt_iob_func
fflush
fclose
fseek
__stdio_common_vfprintf
_open
fwrite
_wfopen
__stdio_common_vsprintf_s
fread
_lseeki64
__stdio_common_vsscanf
_read
feof
fgets
fputs
fopen
_write
_close
fputc
__stdio_common_vsprintf
_set_fmode
_popen
toupper
strpbrk
strncmp
strcmp
strcspn
strspn
isupper
strncpy
tolower
_stricmp
_wcsicmp
_mbsdup
_time64
_gmtime64
rand
qsort

d3d9

Direct3DCreate9Ex

d3dx9_43

D3DXCreateTextureFromFileInMemoryEx

ntdll

NtSetSystemEnvironmentValueEx
RtlInitUnicodeString

Exports

Exports

interception_create_context
interception_destroy_context
interception_get_filter
interception_get_hardware_id
interception_get_precedence
interception_is_invalid
interception_is_keyboard
interception_is_mouse
interception_receive
interception_send
interception_set_filter
interception_set_precedence
interception_wait
interception_wait_with_timeout

Sections

.text
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 290KB - Virtual size: 300KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 810KB - Virtual size: 816KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 52KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 5KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.edata
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: 6.1MB - Virtual size: 6.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 3.6MB - Virtual size: 3.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ

.SCY
Size: 11KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

42988b329f3ef6eb33e6e86986106209

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

crypt32

imm32

kernel32

msvcp140

normaliz

user32

vcruntime140

vcruntime140_1

wldap32

ws2_32

ucrtbase

d3d9

d3dx9_43

ntdll

Exports

Exports

Sections

.text Size: 1.3MB - Virtual size: 1.3MB

Size: 290KB - Virtual size: 300KB

Size: 810KB - Virtual size: 816KB

Size: 52KB - Virtual size: 52KB

Size: 512B - Virtual size: 4KB

Size: 5KB - Virtual size: 8KB

.edata Size: 1024B - Virtual size: 4KB

.idata Size: 2KB - Virtual size: 4KB

.tls Size: 512B - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 4KB

.themida Size: 6.1MB - Virtual size: 6.1MB

.boot Size: 3.6MB - Virtual size: 3.6MB

.reloc Size: 512B - Virtual size: 4KB

.SCY Size: 11KB - Virtual size: 12KB

.text
Size: 1.3MB - Virtual size: 1.3MB

.edata
Size: 1024B - Virtual size: 4KB

.idata
Size: 2KB - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 4KB

.themida
Size: 6.1MB - Virtual size: 6.1MB

.boot
Size: 3.6MB - Virtual size: 3.6MB

.reloc
Size: 512B - Virtual size: 4KB

.SCY
Size: 11KB - Virtual size: 12KB