Horizon_dump_SCY[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

Horizon_dump_SCY.exe
Size

9.9MB
MD5

dddcf37878d966deb9d48097e6cbedf9
SHA1

daf7fe887e392949150b8b3abc0bf2cb67c46775
SHA256

6f6cd6ae5c3ecc8961e3ca75e404191f99b2686c4883735779880734a5d72ed4
SHA512

439a9fec72a853c3bfca3cd71f70700b68ebb4dc4e1251a7ebce9301e5aeaa894af1b7b99e0b1efbfb1808b50ceb24e70f23644ced97629412111e1b2a144966
SSDEEP

98304:sZmXtkXK/gu2cpzSgYVgG+8hRJtiV7Je0RhOpzI3eZUpO2G8lO3wB50XpKpUpykS:hkXpurzrYK8H2VVekltOinUpyHV

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
sample	themida

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Horizon_dump_SCY.exe

Files

Horizon_dump_SCY.exe
.exe windows:6 windows x64 arch:x64

078cf76bb9a934cc44956b711a376601

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

CryptGetHashParam
OpenProcessToken
CryptImportKey
CryptDestroyHash
SetSecurityInfo
IsValidSid

crypt32

CertCloseStore
CertGetCertificateChain
CertFreeCertificateChainEngine

kernel32

FindFirstFileW
GetFullPathNameW
GetTempPathW
UnhandledExceptionFilter
GetStdHandle
GetEnvironmentVariableA
WaitForSingleObjectEx
MoveFileExA
LeaveCriticalSection
EnterCriticalSection
GetModuleHandleW

msvcp140

_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?GetCurrentThreadId@platform@details@Concurrency@@YAJXZ
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
_Thrd_sleep
_Query_perf_counter
_Thrd_detach
_Xtime_get_ticks
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?good@ios_base@std@@QEBA_NXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?id@?$ctype@D@std@@2V0locale@2@A
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
_Strxfrm
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?id@?$collate@D@std@@2V0locale@2@A
_Strcoll
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
??4?$_Iosb@H@std@@QEAAAEAV01@$$QEAV01@@Z
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?is@?$ctype@G@std@@QEBA_NFG@Z
??1?$codecvt@DDU_Mbstatet@@@std@@MEAA@XZ
??0facet@locale@std@@IEAA@_K@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Incref@facet@locale@std@@UEAAXXZ
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
??1_Locinfo@std@@QEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
?setf@ios_base@std@@QEAAHHH@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV?$basic_ios@DU?$char_traits@D@std@@@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
_Cnd_do_broadcast_at_thread_exit
?_Xout_of_range@std@@YAXPEBD@Z
?_Throw_Cpp_error@std@@YAXH@Z
?_Xbad_function_call@std@@YAXXZ
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Syserror_map@std@@YAPEBDH@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Winerror_map@std@@YAHH@Z
?_Xbad_alloc@std@@YAXXZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
_Thrd_join
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A

normaliz

IdnToAscii

user32

mouse_event
TranslateMessage
GetForegroundWindow
GetCapture
DispatchMessageA

vcruntime140

strchr
_CxxThrowException
__std_terminate
__std_exception_copy
__std_exception_destroy
memchr
strstr
__C_specific_handler
memcpy
memmove
memset
strrchr
__current_exception
__current_exception_context
memcmp

wldap32

ldap_initA
ldap_sslinitA
ldap_unbind_s
ldap_set_optionA
ldap_simple_bind_sA
ldap_bind_sA
ldap_search_sA
ldap_msgfree
ldap_err2stringA
ldap_first_entry
ldap_next_entry
ldap_first_attributeA
ldap_next_attributeA
ldap_get_values_lenA
ldap_value_freeW
ldap_get_dnA
ldap_memfreeA
ber_free

ws2_32

htons
getsockopt
getsockname
getpeername
connect
bind
WSAGetLastError
send
recv
htonl
closesocket
gethostname
htons
setsockopt
socket
WSASetLastError
sendto
WSAStartup
WSACleanup
accept
htonl
listen
ioctlsocket
__WSAFDIsSet
recvfrom
select

ucrtbase

atof
atoi
strtol
_strtoi64
strtod
strtoul
_strtoui64
_set_new_mode
_callnewh
realloc
malloc
calloc
free
_dclass
sinf
sqrtf
__setusermatherr
acosf
ceilf
cosf
fmodf
_Exit
_c_exit
fopen
fflush
fputc
_lseeki64
_write
_pclose
fwrite
feof
fsetpos
fread
fseek
strncpy
strcmp
strncmp
tolower
strcspn
strspn
_stricmp
strpbrk
_mbsdup
isupper

dbghelp

ImageDirectoryEntryToData

Sections

Size: 778KB - Virtual size: 780KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 179KB - Virtual size: 192KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 32KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.imports
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: 5.7MB - Virtual size: 5.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 3.2MB - Virtual size: 3.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ

.SCY
Size: 10KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

078cf76bb9a934cc44956b711a376601

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

crypt32

kernel32

msvcp140

normaliz

user32

vcruntime140

wldap32

ws2_32

ucrtbase

dbghelp

Sections

Size: 778KB - Virtual size: 780KB

Size: 179KB - Virtual size: 192KB

Size: 7KB - Virtual size: 8KB

Size: 32KB - Virtual size: 36KB

Size: 512B - Virtual size: 4KB

Size: 2KB - Virtual size: 4KB

.imports Size: 2KB - Virtual size: 4KB

.tls Size: 512B - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 4KB

.themida Size: 5.7MB - Virtual size: 5.7MB

.boot Size: 3.2MB - Virtual size: 3.2MB

.reloc Size: 512B - Virtual size: 4KB

.SCY Size: 10KB - Virtual size: 12KB

.imports
Size: 2KB - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 4KB

.themida
Size: 5.7MB - Virtual size: 5.7MB

.boot
Size: 3.2MB - Virtual size: 3.2MB

.reloc
Size: 512B - Virtual size: 4KB

.SCY
Size: 10KB - Virtual size: 12KB