General
-
Target
loader_patched_by_cypher.exe
-
Size
8.6MB
-
MD5
c71b1d59edf0689bc03a41f7d7c91843
-
SHA1
66e7c50307168b279d3d2acac9caeecad5283f52
-
SHA256
d552d463a5bdc43885b1cf4d86b9ed98c80fc877416729b84cf5d4986bec94c2
-
SHA512
4954b97c5c330b9abf2ca87bbf77f76a8075cdb6008ee1610473f7872858827b58dce0cfb53f61a913781e8a9d6ab254da46308e5a734fc6b83559605973a698
-
SSDEEP
196608:QPnlJvkC3OOXDLzFgyBRZahPDBlPreVr:Cnz3OcDLzFgy4hPDBt4
Malware Config
Signatures
-
resource yara_rule sample themida -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource loader_patched_by_cypher.exe
Files
-
loader_patched_by_cypher.exe.exe windows:6 windows x64 arch:x64
0f549e076f8290ea9ffb561a4fd15f7f
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
advapi32
CryptReleaseContext
RegCreateKeyW
RegDeleteTreeW
RegCloseKey
RegSetKeyValueW
CryptEncrypt
CryptImportKey
CryptDestroyKey
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGenRandom
CryptGetHashParam
CryptAcquireContextA
ConvertSidToStringSidA
CopySid
SetSecurityInfo
IsValidSid
InitializeAcl
GetTokenInformation
GetLengthSid
AddAccessAllowedAce
OpenProcessToken
RegOpenKeyW
crypt32
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
PFXImportCertStore
CryptDecodeObjectEx
CertAddCertificateContextToStore
CertFindExtension
CertGetNameStringA
CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CertCloseStore
CertOpenStore
d3dcompiler_47
D3DCompile
imm32
ImmSetCandidateWindow
ImmSetCompositionWindow
ImmReleaseContext
ImmGetContext
kernel32
CreateFileA
GetFileSizeEx
MapViewOfFile
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
ReleaseSRWLockExclusive
CreateFileMappingW
WakeAllConditionVariable
SleepConditionVariableSRW
IsDebuggerPresent
GetSystemTimeAsFileTime
InitializeSListHead
OutputDebugStringW
WaitForMultipleObjects
PeekNamedPipe
ReadFile
GetFileType
GetStdHandle
GetEnvironmentVariableA
WaitForSingleObjectEx
MoveFileExA
GetTickCount
GetModuleHandleW
VirtualProtect
GetModuleFileNameA
VerifyVersionInfoA
InitializeCriticalSectionEx
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
GetLastError
GetSystemDirectoryA
SleepEx
LeaveCriticalSection
EnterCriticalSection
GetTempPathW
GetCurrentProcessId
CloseHandle
GetCurrentThreadId
CreateFileW
VirtualAlloc
DeviceIoControl
VirtualFree
CreateThread
Process32FirstW
Process32NextW
Sleep
QueryPerformanceCounter
FreeLibrary
VerSetConditionMask
GetProcAddress
QueryPerformanceFrequency
LoadLibraryA
GetLocaleInfoA
GetModuleHandleA
GlobalUnlock
WideCharToMultiByte
GlobalLock
GlobalFree
GlobalAlloc
MultiByteToWideChar
LocalFree
FormatMessageA
SetLastError
DeleteCriticalSection
QueryFullProcessImageNameW
GetCurrentProcess
UnmapViewOfFile
UnhandledExceptionFilter
AcquireSRWLockExclusive
msvcp140
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
_Query_perf_frequency
?_Throw_Cpp_error@std@@YAXH@Z
?_Xout_of_range@std@@YAXPEBD@Z
?_Random_device@std@@YAIXZ
?_Xlength_error@std@@YAXPEBD@Z
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
_Mtx_lock
_Mtx_init_in_situ
_Cnd_do_broadcast_at_thread_exit
_Thrd_sleep
_Query_perf_counter
_Thrd_detach
_Xtime_get_ticks
_Mtx_unlock
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??7ios_base@std@@QEBA_NXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?uncaught_exceptions@std@@YAHXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?good@ios_base@std@@QEBA_NXZ
?setf@ios_base@std@@QEAAHHH@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV?$basic_ios@DU?$char_traits@D@std@@@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Xbad_function_call@std@@YAXXZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
??4?$_Iosb@H@std@@QEAAAEAV01@$$QEAV01@@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
normaliz
IdnToAscii
psapi
GetModuleInformation
rpcrt4
UuidCreate
RpcStringFreeA
UuidToStringA
shell32
ShellExecuteA
user32
GetClientRect
SetCursor
LoadCursorW
GetForegroundWindow
SetCursorPos
ClientToScreen
ScreenToClient
GetCursorPos
OpenClipboard
CloseClipboard
SetClipboardData
GetClipboardData
EmptyClipboard
GetKeyboardLayout
MessageBoxA
DestroyWindow
CreateWindowExW
UnregisterClassW
DispatchMessageW
PeekMessageW
GetKeyState
userenv
UnloadUserProfile
vcruntime140
memcmp
__std_terminate
strstr
__current_exception_context
__current_exception
__C_specific_handler
strrchr
memset
memcpy
strchr
memcpy
memchr
_CxxThrowException
wcsstr
__std_exception_copy
__std_exception_destroy
vcruntime140_1
__CxxFrameHandler4
wldap32
ldap_initA
ldap_sslinitA
ber_free
ldap_memfreeA
ldap_unbind_s
ldap_set_optionA
ldap_simple_bind_sA
ldap_bind_sA
ldap_search_sA
ldap_msgfree
ldap_get_dnA
ldap_value_freeW
ldap_err2stringA
ldap_get_values_lenA
ldap_next_attributeA
ldap_first_attributeA
ldap_next_entry
ldap_first_entry
ws2_32
htons
htonl
gethostname
sendto
recvfrom
FreeAddrInfoW
getaddrinfo
select
__WSAFDIsSet
ioctlsocket
listen
htonl
accept
WSAStartup
WSAIoctl
WSASetLastError
socket
setsockopt
WSACleanup
htons
getsockopt
getsockname
getpeername
connect
bind
WSAGetLastError
send
recv
closesocket
ucrtbase
strtoul
_strtoui64
_strtoi64
strtol
atoi
strtod
_unlock_file
_access
_wremove
_stat64
_lock_file
_fstat64
_unlink
free
realloc
malloc
_set_new_mode
_callnewh
calloc
_configthreadlocale
localeconv
tanf
sqrtf
fmodf
pow
cosf
_dclass
__setusermatherr
ceilf
sinf
acosf
asin
atan2
_errno
exit
system
_beginthreadex
terminate
_invalid_parameter_noinfo_noreturn
_register_thread_local_exe_atexit_callback
_c_exit
__p___argv
strerror
__sys_nerr
__p___argc
_invalid_parameter_noinfo
_Exit
_resetstkoflw
_initterm_e
_initterm
_get_initial_narrow_environment
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_getpid
_initialize_narrow_environment
_configure_narrow_argv
__acrt_iob_func
fflush
fgetpos
_lseeki64
fclose
fseek
__stdio_common_vfprintf
fwrite
fgetc
setvbuf
feof
_wfopen
fputs
fopen
__stdio_common_vsprintf
fread
_set_fmode
__stdio_common_vsscanf
ungetc
fsetpos
_fseeki64
_get_stream_buffer_pointers
fputc
__p__commode
_write
_read
ftell
_popen
_pclose
_close
_open
fgets
__stdio_common_vsprintf_s
strspn
isupper
_mbsdup
strncmp
strcspn
strcmp
strpbrk
_stricmp
strncpy
tolower
_gmtime64
_time64
srand
qsort
rand
d3d11
D3D11CreateDeviceAndSwapChain
ntdll
RtlInitUnicodeString
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
NtQuerySystemInformation
Sections
.text Size: 714KB - Virtual size: 716KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Size: 178KB - Virtual size: 188KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Size: 15KB - Virtual size: 20KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Size: 29KB - Virtual size: 32KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Size: 512B - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Size: 2KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.imports Size: 2KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.tls Size: 512B - Virtual size: 4KB
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 512B - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.themida Size: 4.5MB - Virtual size: 4.5MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.boot Size: 3.2MB - Virtual size: 3.2MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 4KB
IMAGE_SCN_MEM_READ
.SCY Size: 13KB - Virtual size: 16KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE