5482c0a29c457dbe3c0f0971f2f7eb7795ac4ffed26652f68813b73014f0b12d

Sharing

Copy URL Twitter E-mail

General

Target

5482c0a29c457dbe3c0f0971f2f7eb7795ac4ffed26652f68813b73014f0b12d
Size

3.8MB
MD5

b245134aacaedd394daf4f62f46eb937
SHA1

06fa19caddaea8cbf7ef89ac61ab030a1e8cf7aa
SHA256

5482c0a29c457dbe3c0f0971f2f7eb7795ac4ffed26652f68813b73014f0b12d
SHA512

16433b5a84cfcf7c4d6e98c2b6cd668d0103435ebd395e30774efaae98e642ad170be4b3c5d14d6d623b04af1bcb1a54641c4a30c7a3b55b45e71a122fea8318
SSDEEP

49152:6aWm5aB7OHvdCJ1NbXT0VNqHXG9D1GbWPPsGvUZv2C4l/z5LbNpVCos:WmG7OPOXrWZ1GbWPPsGvUQC4l1Lb7EJ

Score

10^/10

Malware Config

Signatures

Detects executables packed with VMProtect. 1 IoCs

resource	yara_rule
sample	INDICATOR_EXE_Packed_VMProtect

Files

5482c0a29c457dbe3c0f0971f2f7eb7795ac4ffed26652f68813b73014f0b12d
.dll windows:4 windows x86 arch:x86

5f79efa4f0204f1b802c0448693df861

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

71:70:bd:93:cf:3f:18:9a:e6:45:2b:51:4c:49:34:0e
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

17/01/2013, 00:00

Not After

16/02/2016, 23:59

Subject

CN=Tencent Technology(Shenzhen) Company Limited,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Tencent Technology(Shenzhen) Company Limited,L=shenzhen,ST=guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

70:03:55:da:41:a3:10:d1:60:60:5f:ad:8f:74:f6:39:6d:63:67:b9
Signer

Actual PE Digest

70:03:55:da:41:a3:10:d1:60:60:5f:ad:8f:74:f6:39:6d:63:67:b9

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

D:\jenkins_Trunk\workspace\CEN_Hive_QQPCDownload_ForDCom\qqpcmgr_proj\bin\BinFinal\QQPCDownload.pdb

Imports

ws2_32

htons
ntohl
htonl

psapi

GetModuleFileNameExW
GetModuleInformation

kernel32

DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
CreateEventW
SetEvent
InterlockedCompareExchange
InterlockedExchange
WritePrivateProfileStringW
ExpandEnvironmentStringsW
FreeLibrary
GetLogicalDrives
GetDriveTypeW
CopyFileW
DeleteFileW
GetFileSize
ReadFile
WriteFile
MultiByteToWideChar
FindFirstFileW
FindClose
LocalFree
GetCurrentProcessId
IsBadWritePtr
GetSystemDirectoryW
InterlockedIncrement
RaiseException
GetCurrentThreadId
LoadLibraryExW
FlushInstructionCache
GetPrivateProfileStringW
CreateMutexW
GetPrivateProfileIntW
SetLastError
InterlockedDecrement
SetDllDirectoryW
GetCommandLineW
DuplicateHandle
TerminateThread
WaitForMultipleObjects
FreeResource
MapViewOfFile
GetCurrentThread
SystemTimeToFileTime
OutputDebugStringW
GetLocalTime
FindNextFileW
OpenMutexW
SetFilePointer
GetFullPathNameW
GetCPInfo
CreateFileMappingW
MapViewOfFileEx
OpenFileMappingW
UnmapViewOfFile
lstrlenA
SetUnhandledExceptionFilter
ReadProcessMemory
VirtualAllocEx
lstrcpynW
HeapAlloc
GetProcessHeap
InitializeCriticalSection
HeapFree
TerminateProcess
GetSystemTimeAsFileTime
CreateDirectoryW
SwitchToThread
CreateThread
GetTempPathW
MoveFileW
VirtualProtect
ResumeThread
GetExitCodeThread
GetModuleHandleExW
ReleaseMutex
Module32FirstW
Module32NextW
GetFileAttributesExW
IsBadReadPtr
GetTempFileNameW
WTSGetActiveConsoleSessionId
OpenEventW
FileTimeToSystemTime
GetModuleFileNameA
RemoveDirectoryW
GetFileAttributesW
GetSystemInfo
GetSystemDefaultLangID
VirtualQuery
LoadLibraryA
ResetEvent
InitializeCriticalSectionAndSpinCount
IsDebuggerPresent
GetQueuedCompletionStatus
CreateIoCompletionPort
PostQueuedCompletionStatus
GetCurrentDirectoryW
LocalFileTimeToFileTime
SetFileTime
VirtualProtectEx
GetThreadContext
SetThreadContext
CreateRemoteThread
VirtualFree
VirtualAlloc
GetACP
HeapSize
HeapReAlloc
HeapDestroy
GetVersionExA
FileTimeToLocalFileTime
ExitProcess
VirtualQueryEx
SuspendThread
GetStdHandle
RtlUnwind
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetModuleHandleA
GetOEMCP
GetTickCount
lstrlenW
TlsSetValue
TlsGetValue
TlsFree
TlsAlloc
WriteProcessMemory
IsValidCodePage
HeapCreate
GetConsoleCP
GetConsoleMode
GetCurrentDirectoryA
GetTimeZoneInformation
CompareStringA
CompareStringW
SetHandleCount
GetFileType
GetStartupInfoA
FlushFileBuffers
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
WideCharToMultiByte
FindResourceExW
LoadResource
LockResource
SizeofResource
LoadLibraryW
GetModuleFileNameW
FindResourceW
GetExitCodeProcess
WaitForSingleObject
GetLastError
CompareFileTime
GetProcessTimes
OpenProcess
Thread32Next
Thread32First
Sleep
SleepEx
CreateProcessW
GetModuleHandleW
GetProcAddress
GetVersionExW
Process32NextW
lstrcmpiW
DeviceIoControl
Process32FirstW
CreateToolhelp32Snapshot
GetThreadTimes
GetCurrentProcess
CloseHandle
OpenThread
CreateFileW
GetLocaleInfoA
GetThreadLocale
IsProcessorFeaturePresent
ExitThread
UnhandledExceptionFilter
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetStdHandle
GetLocaleInfoW
GetDriveTypeA
CreateFileA
SetEndOfFile
SetEnvironmentVariableA
MoveFileExW
GetCommandLineA
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale

user32

GetLastInputInfo
MsgWaitForMultipleObjectsEx
CreateWindowExW
LoadCursorW
IsIconic
FindWindowA
RegisterClassExW
CallWindowProcW
DefWindowProcW
GetForegroundWindow
KillTimer
UnregisterClassW
SetTimer
PostQuitMessage
CallNextHookEx
RegisterWindowMessageW
UnregisterClassA
GetUserObjectInformationW
wsprintfW
GetDesktopWindow
EndDialog
GetWindowLongW
DialogBoxParamW
CharNextW
DestroyWindow
SetWindowLongW
IsWindow
PostMessageW
GetActiveWindow
MessageBoxW
SendMessageTimeoutW
PeekMessageW
MsgWaitForMultipleObjects
DispatchMessageW
SetThreadDesktop
CloseDesktop
CreateDesktopW
ShowWindow
CharUpperW
GetWindowThreadProcessId
FindWindowExW
FindWindowW
GetQueueStatus
WaitMessage
EnumWindows
GetClassInfoExW
SendMessageW
TranslateMessage

advapi32

SetSecurityDescriptorDacl
InitializeSecurityDescriptor
RevertToSelf
GetUserNameW
ImpersonateLoggedOnUser
GetSidSubAuthority
GetSidSubAuthorityCount
GetSidIdentifierAuthority
RegOpenKeyW
RegQueryInfoKeyW
StartServiceW
DeleteService
ChangeServiceConfig2W
CreateServiceW
CloseServiceHandle
QueryServiceStatus
OpenServiceW
OpenSCManagerW
RegEnumKeyExW
RegDeleteValueW
RegDeleteKeyW
ConvertSidToStringSidW
LookupAccountNameW
RegQueryValueExA
RegOpenKeyExA
RegSetValueExW
RegCreateKeyExW
OpenProcessToken
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
IsValidSid

shell32

ShellExecuteW
ShellExecuteExW
SHGetFolderPathW
SHCreateDirectoryExW
SHGetSpecialFolderPathW

ole32

CoCreateInstance
CoUninitialize
CoCreateGuid
CoInitialize
CoTaskMemRealloc
CoGetInterfaceAndReleaseStream
CoFreeLibrary
CoLoadLibrary
CoTaskMemFree
CoTaskMemAlloc
StringFromGUID2
CoInitializeEx
CLSIDFromProgID
CoMarshalInterThreadInterfaceInStream

oleaut32

SysStringLen
SysAllocStringLen
VarUI4FromStr
SysFreeString
SysStringByteLen
SysAllocStringByteLen
SysAllocString
VarBstrCmp

shlwapi

PathFileExistsW
PathAppendW
PathAddBackslashW
PathCombineW
PathRemoveExtensionW
PathRemoveFileSpecW
PathAddExtensionW
PathQuoteSpacesW
PathUnquoteSpacesW
PathFindFileNameA
PathFindFileNameW

wtsapi32

WTSFreeMemory
WTSEnumerateProcessesW

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

netapi32

Netbios
NetApiBufferFree
NetWkstaTransportEnum

wininet

InternetGetConnectedState
InternetCloseHandle
InternetOpenW
InternetOpenUrlW
HttpQueryInfoW
InternetReadFile

Exports

Exports

CreateTxdlController
EntryPoint
IsSupportNoReName
TxDl_AsyncStartDownload
TxDl_Finalize
TxDl_GetChildLaucherParam
TxDl_GetCurrentLaucherIndex
TxDl_GetLaucher
TxDl_InitDownloadEngine
TxDl_Initialize
TxDl_IsDownloading
TxDl_LoadRoutine
TxDl_Main
TxDl_NotifyQuit
TxDl_RegisterCompleteEvent
TxDl_ReleaseLaucher
Txdl_GetVersion

Sections

.text
Size: 472KB - Virtual size: 470KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 108KB - Virtual size: 105KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 108KB - Virtual size: 116KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

ShareInj
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Downlaod
Size: 28KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

DLLShare
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

EventHoo
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3.0MB - Virtual size: 3.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 52KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

5f79efa4f0204f1b802c0448693df861

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

71:70:bd:93:cf:3f:18:9a:e6:45:2b:51:4c:49:34:0eCertificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

70:03:55:da:41:a3:10:d1:60:60:5f:ad:8f:74:f6:39:6d:63:67:b9Signer

Headers

File Characteristics

PDB Paths

Imports

ws2_32

psapi

kernel32

user32

advapi32

shell32

ole32

oleaut32

shlwapi

wtsapi32

version

netapi32

wininet

Exports

Exports

Sections

.text Size: 472KB - Virtual size: 470KB

.rdata Size: 108KB - Virtual size: 105KB

.data Size: 108KB - Virtual size: 116KB

ShareInj Size: 4KB - Virtual size: 1KB

Downlaod Size: 28KB - Virtual size: 24KB

DLLShare Size: 4KB - Virtual size: 1KB

EventHoo Size: 4KB - Virtual size: 1KB

.rsrc Size: 3.0MB - Virtual size: 3.0MB

.reloc Size: 52KB - Virtual size: 48KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

71:70:bd:93:cf:3f:18:9a:e6:45:2b:51:4c:49:34:0e
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

70:03:55:da:41:a3:10:d1:60:60:5f:ad:8f:74:f6:39:6d:63:67:b9
Signer

.text
Size: 472KB - Virtual size: 470KB

.rdata
Size: 108KB - Virtual size: 105KB

.data
Size: 108KB - Virtual size: 116KB

ShareInj
Size: 4KB - Virtual size: 1KB

Downlaod
Size: 28KB - Virtual size: 24KB

DLLShare
Size: 4KB - Virtual size: 1KB

EventHoo
Size: 4KB - Virtual size: 1KB

.rsrc
Size: 3.0MB - Virtual size: 3.0MB

.reloc
Size: 52KB - Virtual size: 48KB