LS[.]zip | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

LS.zip
Size

87.0MB
MD5

3c43e2715a1d022102a3f48599872f0e
SHA1

3dfde25f01e2779b5534783ba5315c21213f384e
SHA256

06facc14817d842d2d67c7ecc33fe4013cd5be7aa73efaebf75806b5b42bca80
SHA512

7547b32187189ebeb04622611683a8fc907f267e07696278008d9173bed4186d25c4ae433000712eb4b10c372a4a33bdd3f475f798fcc8d8571fe1e0715ef9da
SSDEEP

1572864:tShstEZiZ94yZRBP9dsdzmAA0dZ1b2nXM6z0IoDQ5KLhtKPM:Wsqi94y/Bl0zhb2n8K0hDQ5CvKPM

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
static1/unpack001/LS/LSsys.dll	vmprotect
static1/unpack001/LS/LSsys64.dll	vmprotect

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

resource
unpack001/LS.exe
unpack001/LS/LSload.exe
unpack001/LS/LSsys.dll
unpack001/LS/LSsys64.dll

Files

LS.zip
.zip
GS/Config/MenuComponent.save
GS/Europe/AA.dll
GS/Resource/fonts/fa-regular-400.ttf
GS/Resource/fonts/notosans-bold.vfont
GS/Resource/fonts/notosanskr-bold.vfont
GS/Resource/fonts/notosanskr-regular.vfont
GS/Resource/fonts/notosanssc-bold.vfont
GS/Resource/fonts/notosanssc-regular.vfont
GS/tier3/Ezreal/module.lua
GS/tier3/example-TwistedFate/logic.lua
GS/tier3/example-TwistedFate/menu.lua
GS/tier3/example-TwistedFate/module.lua
LS.exe
.exe windows:6 windows x86 arch:x86

cc5c46eb0c8ceba0687dc2f02c708139

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

mpr

WNetEnumResourceW

winmm

timeGetTime

shlwapi

SHCreateStreamOnFileW

winspool.drv

DocumentPropertiesW

comctl32

ImageList_GetImageInfo

shell32

ExtractIconW

user32

CopyImage
GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

version

GetFileVersionInfoSizeW

oleaut32

SafeArrayPutElement

advapi32

CloseServiceHandle

netapi32

NetWkstaGetInfo

msvcrt

wcstombs

imagehlp

SymSetSearchPath

kernel32

GetVersion
GetVersionExW
VirtualQuery
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

ole32

OleRegEnumVerbs

gdi32

AddFontMemResourceEx

wtsapi32

WTSSendMessageW

Exports

Exports

TMethodImplementationIntercept
__dbk_fcall_wrapper
dbkFCallWrapperAddr

Sections

.text
Size: - Virtual size: 6.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: - Virtual size: 26KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 124KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 33KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didata
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: - Virtual size: 150B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: - Virtual size: 84B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: - Virtual size: 93B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 500KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp1
Size: - Virtual size: 5.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.debug
Size: - Virtual size: 23.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp2
Size: - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp3
Size: 14.9MB - Virtual size: 14.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 104KB - Virtual size: 5.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
LS/LS.dll
LS/LS_Process.dll
LS/LSload.exe
.exe windows:6 windows x64 arch:x64

494b10563366928c27bfe59b350083e7

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mpr

WNetEnumResourceW
WNetGetUniversalNameW
WNetCloseEnum
WNetOpenEnumW

kernel32

RtlUnwindEx
QueryDosDeviceW
GetACP
LocalFree
CloseHandle
VirtualProtect
QueryPerformanceFrequency
IsDebuggerPresent
FindNextFileW
VirtualFree
GetFullPathNameW
ExitProcess
HeapAlloc
GetCPInfoExW
WriteProcessMemory
RtlUnwind
GetCPInfo
EnumSystemLocalesW
GetStdHandle
FileTimeToLocalFileTime
GetModuleHandleW
FreeLibrary
TryEnterCriticalSection
HeapDestroy
FileTimeToDosDateTime
ReadFile
CreateRemoteThread
GetLastError
GetModuleFileNameW
SetLastError
CreateThread
CompareStringW
MapViewOfFile
LoadLibraryA
ResetEvent
GetVolumeInformationW
GetDriveTypeW
GetVersion
RaiseException
FormatMessageW
OpenProcess
SwitchToThread
GetExitCodeThread
GetCurrentThread
GetFileAttributesExW
LoadLibraryExW
GetCurrentThreadId
UnhandledExceptionFilter
VirtualQuery
VirtualQueryEx
Sleep
EnterCriticalSection
SetFilePointer
SuspendThread
GetTickCount
WritePrivateProfileStringW
GetFileSize
GetStartupInfoW
GetFileAttributesW
InitializeCriticalSection
GetThreadPriority
GetCurrentProcess
SetThreadPriority
VirtualAlloc
GetSystemInfo
GetCommandLineW
GetTempPathW
LeaveCriticalSection
GetProcAddress
ResumeThread
VirtualAllocEx
GetLogicalDriveStringsW
GetVersionExW
VerifyVersionInfoW
GetModuleHandleA
HeapCreate
LCMapStringW
GetDiskFreeSpaceW
VerSetConditionMask
FindFirstFileW
GetUserDefaultUILanguage
UnmapViewOfFile
lstrlenW
QueryPerformanceCounter
SetEndOfFile
HeapFree
WideCharToMultiByte
FindClose
MultiByteToWideChar
LoadLibraryW
SetEvent
CreateFileW
GetLocaleInfoW
DeleteFileW
GetLocalTime
WaitForSingleObject
WriteFile
CreateFileMappingW
ExitThread
DeleteCriticalSection
GetDateFormatW
TlsGetValue
SetErrorMode
IsValidLocale
TlsSetValue
VirtualFreeEx
CreateDirectoryW
GetSystemDefaultUILanguage
EnumCalendarInfoW
LocalAlloc
RemoveDirectoryW
CreateEventW
GetPrivateProfileStringW
SetThreadLocale
GetThreadLocale

ole32

CoInitialize
CoUninitialize

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

user32

CharUpperBuffW
CharNextW
MsgWaitForMultipleObjects
CharLowerBuffW
LoadStringW
CharUpperW
PeekMessageW
GetSystemMetrics
MessageBoxW

oleaut32

SysFreeString
VariantClear
VariantInit
GetErrorInfo
SysReAllocStringLen
SafeArrayCreate
SysAllocStringLen
SafeArrayPtrOfIndex
SafeArrayGetUBound
SafeArrayGetLBound
VariantCopy
VariantChangeType

netapi32

NetWkstaGetInfo
NetApiBufferFree

advapi32

RegQueryValueExW
AdjustTokenPrivileges
LookupPrivilegeValueA
RegCloseKey
OpenProcessToken
RegOpenKeyExW

Exports

Exports

TMethodImplementationIntercept
__dbk_fcall_wrapper
dbkFCallWrapperAddr

Sections

.text
Size: - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 162KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 51KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didata
Size: - Virtual size: 768B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: - Virtual size: 584B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: - Virtual size: 109B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.FLf
Size: - Virtual size: 80KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: - Virtual size: 96KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.$a}
Size: - Virtual size: 9.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.sy,
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.#B:
Size: 11.3MB - Virtual size: 11.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
LS/LSsys.dll
.dll windows:6 windows x64 arch:x64

ba67347f8194905bfc7334a2ffac5a58

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

mpr

WNetEnumResourceW
WNetGetUniversalNameW
WNetCloseEnum
WNetOpenEnumW

kernel32

RtlUnwindEx
QueryDosDeviceW
GetACP
CloseHandle
LocalFree
VirtualProtect
TlsAlloc
QueryPerformanceFrequency
IsDebuggerPresent
FindNextFileW
VirtualFree
GetFullPathNameW
ExitProcess
HeapAlloc
GetCPInfoExW
RtlUnwind
GetCPInfo
EnumSystemLocalesW
GetStdHandle
FileTimeToLocalFileTime
GetModuleHandleW
FreeLibrary
TryEnterCriticalSection
HeapDestroy
FileTimeToDosDateTime
ReadFile
GetLastError
GetModuleFileNameW
SetLastError
CreateThread
CompareStringW
MapViewOfFile
LoadLibraryA
ResetEvent
GetVolumeInformationW
GetVersion
GetDriveTypeW
RaiseException
FormatMessageW
SwitchToThread
GetExitCodeThread
GetCurrentThread
GetFileAttributesExW
LoadLibraryExW
GetCurrentThreadId
UnhandledExceptionFilter
VirtualQuery
VirtualQueryEx
Sleep
EnterCriticalSection
SetFilePointer
SuspendThread
GetTickCount
GetFileSize
GetStartupInfoW
GetFileAttributesW
InitializeCriticalSection
GetThreadPriority
GetCurrentProcess
SetThreadPriority
VirtualAlloc
GetSystemInfo
GetCommandLineW
GetTempPathW
LeaveCriticalSection
GetProcAddress
ResumeThread
GetLogicalDriveStringsW
GetVersionExW
VerifyVersionInfoW
GetModuleHandleA
FreeLibraryAndExitThread
HeapCreate
LCMapStringW
VerSetConditionMask
GetDiskFreeSpaceW
FindFirstFileW
GetUserDefaultUILanguage
TlsFree
UnmapViewOfFile
lstrlenW
SetEndOfFile
QueryPerformanceCounter
HeapFree
WideCharToMultiByte
FindClose
MultiByteToWideChar
LoadLibraryW
SetEvent
CreateFileW
GetLocaleInfoW
DeleteFileW
GetLocalTime
WaitForSingleObject
WriteFile
CreateFileMappingW
ExitThread
DeleteCriticalSection
TlsGetValue
GetDateFormatW
SetErrorMode
IsValidLocale
TlsSetValue
CreateDirectoryW
GetSystemDefaultUILanguage
EnumCalendarInfoW
LocalAlloc
RemoveDirectoryW
CreateEventW
SetThreadLocale
GetThreadLocale
GetSystemTimeAsFileTime
GetModuleHandleA
CreateEventA
GetModuleFileNameW
LoadLibraryA
TerminateProcess
GetCurrentProcess
CreateToolhelp32Snapshot
Thread32First
GetCurrentProcessId
GetCurrentThreadId
OpenThread
Thread32Next
CloseHandle
SuspendThread
ResumeThread
WriteProcessMemory
GetSystemInfo
VirtualAlloc
VirtualProtect
VirtualFree
GetProcessAffinityMask
SetProcessAffinityMask
GetCurrentThread
SetThreadAffinityMask
Sleep
FreeLibrary
GetTickCount
SystemTimeToFileTime
FileTimeToSystemTime
GlobalFree
LocalAlloc
LocalFree
GetProcAddress
ExitProcess
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
GetModuleHandleW
LoadResource
MultiByteToWideChar
FindResourceExW
FindResourceExA
WideCharToMultiByte
GetThreadLocale
GetUserDefaultLCID
GetSystemDefaultLCID
EnumResourceNamesA
EnumResourceNamesW
EnumResourceLanguagesA
EnumResourceLanguagesW
EnumResourceTypesA
EnumResourceTypesW
CreateFileW
LoadLibraryW
GetLastError
FlushFileBuffers
CreateFileA
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
SetStdHandle
FlsSetValue
GetCommandLineA
RaiseException
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlUnwindEx
HeapFree
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
DecodePointer
FlsGetValue
FlsFree
SetLastError
FlsAlloc
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlCaptureContext
HeapAlloc
LCMapStringA
LCMapStringW
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapSetInformation
HeapCreate
HeapDestroy
QueryPerformanceCounter
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
HeapSize
WriteFile
SetFilePointer
GetConsoleCP
GetConsoleMode
HeapReAlloc
InitializeCriticalSectionAndSpinCount
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

ole32

CoInitialize
CoUninitialize

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

user32

CharUpperBuffW
CharNextW
MsgWaitForMultipleObjects
CharLowerBuffW
LoadStringW
CharUpperW
PeekMessageW
GetSystemMetrics
MessageBoxW
GetUserObjectInformationW
CharUpperBuffW
MessageBoxW
GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

oleaut32

SysFreeString
VariantClear
VariantInit
GetErrorInfo
SysReAllocStringLen
SafeArrayCreate
SysAllocStringLen
SafeArrayPtrOfIndex
SafeArrayGetUBound
SafeArrayGetLBound
VariantCopy
VariantChangeType

netapi32

NetWkstaGetInfo
NetApiBufferFree

advapi32

RegQueryValueExW
RegCloseKey
RegOpenKeyExW

wtsapi32

WTSSendMessageW

Exports

Exports

TMethodImplementationIntercept
__dbk_fcall_wrapper
dbkFCallWrapperAddr

Sections

.text
Size: - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 156KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 51KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didata
Size: - Virtual size: 768B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: - Virtual size: 154B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 69B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 76KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: - Virtual size: 92KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp1
Size: - Virtual size: 2.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp2
Size: 4.5MB - Virtual size: 4.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 168B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
LS/LSsys64.dll
.dll windows:6 windows x64 arch:x64

2f04db20d311bf5cab71a6094791fd28

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

mpr

WNetEnumResourceW
WNetGetUniversalNameW
WNetCloseEnum
WNetOpenEnumW

kernel32

RtlUnwindEx
QueryDosDeviceW
GetACP
CloseHandle
LocalFree
VirtualProtect
TlsAlloc
QueryPerformanceFrequency
IsDebuggerPresent
FindNextFileW
VirtualFree
GetFullPathNameW
ExitProcess
HeapAlloc
GetCPInfoExW
RtlUnwind
GetCPInfo
EnumSystemLocalesW
GetStdHandle
FileTimeToLocalFileTime
GetModuleHandleW
FreeLibrary
TryEnterCriticalSection
HeapDestroy
FileTimeToDosDateTime
ReadFile
GetLastError
GetModuleFileNameW
SetLastError
CreateThread
CompareStringW
MapViewOfFile
LoadLibraryA
ResetEvent
GetVolumeInformationW
GetVersion
GetDriveTypeW
RaiseException
FormatMessageW
SwitchToThread
GetExitCodeThread
GetCurrentThread
GetFileAttributesExW
LoadLibraryExW
GetCurrentThreadId
UnhandledExceptionFilter
VirtualQuery
VirtualQueryEx
Sleep
EnterCriticalSection
SetFilePointer
SuspendThread
GetTickCount
WritePrivateProfileStringW
GetFileSize
GetStartupInfoW
GetFileAttributesW
InitializeCriticalSection
GetThreadPriority
GetCurrentProcess
SetThreadPriority
VirtualAlloc
GetSystemInfo
GetCommandLineW
GetTempPathW
LeaveCriticalSection
GetProcAddress
ResumeThread
GetLogicalDriveStringsW
GetVersionExW
VerifyVersionInfoW
HeapCreate
LCMapStringW
VerSetConditionMask
GetDiskFreeSpaceW
FindFirstFileW
GetUserDefaultUILanguage
TlsFree
UnmapViewOfFile
lstrlenW
QueryPerformanceCounter
SetEndOfFile
HeapFree
WideCharToMultiByte
FindClose
MultiByteToWideChar
LoadLibraryW
SetEvent
CreateFileW
GetLocaleInfoW
DeleteFileW
GetLocalTime
WaitForSingleObject
WriteFile
CreateFileMappingW
ExitThread
DeleteCriticalSection
TlsGetValue
GetDateFormatW
SetErrorMode
IsValidLocale
TlsSetValue
CreateDirectoryW
GetSystemDefaultUILanguage
EnumCalendarInfoW
LocalAlloc
RemoveDirectoryW
CreateEventW
GetPrivateProfileStringW
SetThreadLocale
GetThreadLocale
GetSystemTimeAsFileTime
GetModuleHandleA
CreateEventA
GetModuleFileNameW
LoadLibraryA
TerminateProcess
GetCurrentProcess
CreateToolhelp32Snapshot
Thread32First
GetCurrentProcessId
GetCurrentThreadId
OpenThread
Thread32Next
CloseHandle
SuspendThread
ResumeThread
WriteProcessMemory
GetSystemInfo
VirtualAlloc
VirtualProtect
VirtualFree
GetProcessAffinityMask
SetProcessAffinityMask
GetCurrentThread
SetThreadAffinityMask
Sleep
FreeLibrary
GetTickCount
SystemTimeToFileTime
FileTimeToSystemTime
GlobalFree
LocalAlloc
LocalFree
GetProcAddress
ExitProcess
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
GetModuleHandleW
LoadResource
MultiByteToWideChar
FindResourceExW
FindResourceExA
WideCharToMultiByte
GetThreadLocale
GetUserDefaultLCID
GetSystemDefaultLCID
EnumResourceNamesA
EnumResourceNamesW
EnumResourceLanguagesA
EnumResourceLanguagesW
EnumResourceTypesA
EnumResourceTypesW
CreateFileW
LoadLibraryW
GetLastError
FlushFileBuffers
CreateFileA
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
SetStdHandle
FlsSetValue
GetCommandLineA
RaiseException
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlUnwindEx
HeapFree
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
DecodePointer
FlsGetValue
FlsFree
SetLastError
FlsAlloc
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlCaptureContext
HeapAlloc
LCMapStringA
LCMapStringW
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapSetInformation
HeapCreate
HeapDestroy
QueryPerformanceCounter
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
HeapSize
WriteFile
SetFilePointer
GetConsoleCP
GetConsoleMode
HeapReAlloc
InitializeCriticalSectionAndSpinCount
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

ole32

CoInitialize
CoUninitialize

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

user32

CharUpperBuffW
MessageBoxExW
CharNextW
MsgWaitForMultipleObjects
CharLowerBuffW
LoadStringW
CharUpperW
PeekMessageW
GetSystemMetrics
MessageBoxW
GetUserObjectInformationW
CharUpperBuffW
MessageBoxW
GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

oleaut32

SysFreeString
VariantClear
VariantInit
GetErrorInfo
SysReAllocStringLen
SafeArrayCreate
SysAllocStringLen
SafeArrayPtrOfIndex
SafeArrayGetUBound
SafeArrayGetLBound
VariantCopy
VariantChangeType

netapi32

NetWkstaGetInfo
NetApiBufferFree

advapi32

RegQueryValueExW
AdjustTokenPrivileges
LookupPrivilegeValueA
RegCloseKey
OpenProcessToken
RegOpenKeyExW

wtsapi32

WTSSendMessageW

Exports

Exports

TMethodImplementationIntercept
__dbk_fcall_wrapper
dbkFCallWrapperAddr

Sections

.text
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 163KB - Virtual size: 162KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 51KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didata
Size: 1024B - Virtual size: 768B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 153B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 69B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: 80KB - Virtual size: 80KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 96KB - Virtual size: 96KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp1
Size: 2.4MB - Virtual size: 2.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp2
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 81KB - Virtual size: 81KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
LS_Settings.ini

Sharing

General

Malware Config

Signatures

Files

cc5c46eb0c8ceba0687dc2f02c708139

Headers

File Characteristics

Imports

mpr

winmm

shlwapi

winspool.drv

comctl32

shell32

user32

version

oleaut32

advapi32

netapi32

msvcrt

imagehlp

kernel32

ole32

gdi32

wtsapi32

Exports

Exports

Sections

.text Size: - Virtual size: 6.7MB

.itext Size: - Virtual size: 26KB

.data Size: - Virtual size: 124KB

.bss Size: - Virtual size: 33KB

.idata Size: - Virtual size: 17KB

.didata Size: - Virtual size: 3KB

.edata Size: - Virtual size: 150B

.tls Size: - Virtual size: 84B

.rdata Size: - Virtual size: 93B

.vmp0 Size: - Virtual size: 500KB

.vmp1 Size: - Virtual size: 5.2MB

.debug Size: - Virtual size: 23.5MB

.vmp2 Size: - Virtual size: 1.1MB

.vmp3 Size: 14.9MB - Virtual size: 14.9MB

.rsrc Size: 104KB - Virtual size: 5.2MB

494b10563366928c27bfe59b350083e7

Headers

File Characteristics

Imports

mpr

kernel32

ole32

version

user32

oleaut32

netapi32

advapi32

Exports

Exports

Sections

.text Size: - Virtual size: 1.6MB

.data Size: - Virtual size: 162KB

.bss Size: - Virtual size: 51KB

.idata Size: - Virtual size: 5KB

.didata Size: - Virtual size: 768B

.edata Size: - Virtual size: 152B

.tls Size: - Virtual size: 584B

.rdata Size: - Virtual size: 109B

.FLf Size: - Virtual size: 80KB

.pdata Size: - Virtual size: 96KB

.$a} Size: - Virtual size: 9.9MB

.sy, Size: 2KB - Virtual size: 1KB

.#B: Size: 11.3MB - Virtual size: 11.3MB

.rsrc Size: 1KB - Virtual size: 17KB

ba67347f8194905bfc7334a2ffac5a58

Headers

File Characteristics

Imports

mpr

kernel32

ole32

.text
Size: - Virtual size: 6.7MB

.itext
Size: - Virtual size: 26KB

.data
Size: - Virtual size: 124KB

.bss
Size: - Virtual size: 33KB

.idata
Size: - Virtual size: 17KB

.didata
Size: - Virtual size: 3KB

.edata
Size: - Virtual size: 150B

.tls
Size: - Virtual size: 84B

.rdata
Size: - Virtual size: 93B

.vmp0
Size: - Virtual size: 500KB

.vmp1
Size: - Virtual size: 5.2MB

.debug
Size: - Virtual size: 23.5MB

.vmp2
Size: - Virtual size: 1.1MB

.vmp3
Size: 14.9MB - Virtual size: 14.9MB

.rsrc
Size: 104KB - Virtual size: 5.2MB

.text
Size: - Virtual size: 1.6MB

.data
Size: - Virtual size: 162KB

.bss
Size: - Virtual size: 51KB

.idata
Size: - Virtual size: 5KB

.didata
Size: - Virtual size: 768B

.edata
Size: - Virtual size: 152B

.tls
Size: - Virtual size: 584B

.rdata
Size: - Virtual size: 109B

.FLf
Size: - Virtual size: 80KB

.pdata
Size: - Virtual size: 96KB

.$a}
Size: - Virtual size: 9.9MB

.sy,
Size: 2KB - Virtual size: 1KB

.#B:
Size: 11.3MB - Virtual size: 11.3MB

.rsrc
Size: 1KB - Virtual size: 17KB

.text
Size: - Virtual size: 1.6MB

.data
Size: - Virtual size: 156KB

.bss
Size: - Virtual size: 51KB

.idata
Size: - Virtual size: 5KB

.didata
Size: - Virtual size: 768B

.edata
Size: - Virtual size: 154B

.rdata
Size: - Virtual size: 69B

.vmp0
Size: - Virtual size: 76KB

.pdata
Size: - Virtual size: 92KB

.vmp1
Size: - Virtual size: 2.4MB

.vmp2
Size: 4.5MB - Virtual size: 4.5MB

.reloc
Size: 512B - Virtual size: 168B

.rsrc
Size: 3KB - Virtual size: 17KB

.text
Size: 1.6MB - Virtual size: 1.6MB

.data
Size: 163KB - Virtual size: 162KB

.bss
Size: - Virtual size: 51KB

.idata
Size: 6KB - Virtual size: 5KB

.didata
Size: 1024B - Virtual size: 768B

.edata
Size: 512B - Virtual size: 153B

.rdata
Size: 512B - Virtual size: 69B

.vmp0
Size: 80KB - Virtual size: 80KB

.pdata
Size: 96KB - Virtual size: 96KB

.vmp1
Size: 2.4MB - Virtual size: 2.4MB

.vmp2
Size: 2.1MB - Virtual size: 2.1MB

.reloc
Size: 81KB - Virtual size: 81KB

.rsrc
Size: 18KB - Virtual size: 17KB