Bo2Pluto[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

Bo2Pluto.zip
Size

4.5MB
MD5

0be457508c75985ddd4d9e19ea92fe58
SHA1

2f132f52623ba15dc58ab0c21012634e30a2ddb4
SHA256

366279ac229f11be994bd2954f70cc00ed2aa0880c6bbca2449b082915c31d0b
SHA512

e0281d7b45b4f681f951fe8270d0867bd7f8b9d26d5d0944f57ec9e0c681d76cc937d83dda8822c69a425c9496b0018c185080f89a26e9b02fdb7b5fefc265eb
SSDEEP

98304:dbfAOchO4K9g7xgqgHfh8J78+oQccWYXH/PAXm/smQZiWTWLvpyQ8p2gjsGTcXI:dbfAOchgIGqgH2JNXcoImUEWwvB8ouxb

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
static1/unpack002/BO2Pluto.exe	themida

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Bo2Pluto/BO2Pluto.dll
unpack002/BO2Pluto.exe

Files

Bo2Pluto.zip
.zip
Bo2Pluto/BO2Pluto.dll
.dll windows:6 windows x86 arch:x86

950528327c399fca08291fba8827c8b7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

LoadLibraryA
QueryPerformanceFrequency
GetProcAddress
FreeLibrary
QueryPerformanceCounter
GetTickCount64
GetModuleHandleA
Module32Next
OpenProcess
CreateToolhelp32Snapshot
Sleep
Process32Next
CloseHandle
CreateThread
CreateFileA
GetFileSizeEx
ReadFile
HeapAlloc
HeapFree
GlobalAlloc
WideCharToMultiByte
UnmapViewOfFile
CreateFileMappingA
MultiByteToWideChar
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetModuleHandleW
CreateEventW
WaitForSingleObjectEx
ResetEvent
SetEvent
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
GlobalUnlock
GlobalLock
MapViewOfFile
GlobalFree
WriteProcessMemory
ReadProcessMemory

user32

GetWindowThreadProcessId
FindWindowA
DispatchMessageA
DestroyWindow
GetSystemMetrics
ShowWindow
IsWindow
SetWindowLongA
SetClipboardData
DefWindowProcA
CreateWindowExA
SetLayeredWindowAttributes
TranslateMessage
PeekMessageA
UnregisterClassA
PostQuitMessage
RegisterClassExA
UpdateWindow
SetWindowDisplayAffinity
ScreenToClient
GetCapture
ClientToScreen
IsChild
GetForegroundWindow
SetCapture
SetCursor
GetClientRect
GetKeyState
LoadCursorA
GetAsyncKeyState
SendInput
EmptyClipboard
CloseClipboard
OpenClipboard
GetCursorPos
SetCursorPos
ReleaseCapture
GetClipboardData

shell32

SHGetFolderPathW

msvcp140

?_Throw_C_error@std@@YAXH@Z
?_Throw_Cpp_error@std@@YAXH@Z
_Query_perf_frequency
??Bid@locale@std@@QAEIXZ
?always_noconv@codecvt_base@std@@QBE_NXZ
_Thrd_sleep
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ
_Thrd_detach
_Xtime_get_ticks
_Query_perf_counter
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
?_Xlength_error@std@@YAXPBD@Z
?_Xbad_function_call@std@@YAXXZ
??1_Lockit@std@@QAE@XZ
??0_Lockit@std@@QAE@H@Z
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z

dwmapi

DwmExtendFrameIntoClientArea

d3d9

Direct3DCreate9

xinput1_4

ord2

imm32

ImmSetCompositionWindow
ImmGetContext
ImmReleaseContext

vcruntime140

memset
memchr
_setjmp3
__current_exception
__current_exception_context
_CxxThrowException
_except_handler4_common
__std_type_info_destroy_list
memmove
strrchr
strstr
__std_terminate
__std_type_info_hash
__std_exception_copy
__std_exception_destroy
__CxxFrameHandler3
longjmp
memcpy

api-ms-win-crt-heap-l1-1-0

malloc
_callnewh
free

api-ms-win-crt-runtime-l1-1-0

_initialize_onexit_table
_register_onexit_function
_execute_onexit_table
_crt_atexit
_initialize_narrow_environment
_cexit
_initterm
_initterm_e
_seh_filter_dll
_invalid_parameter_noinfo_noreturn
_errno
_configure_narrow_argv
_beginthreadex
terminate

api-ms-win-crt-math-l1-1-0

_libm_sse2_sin_precise
ceil
floor
_libm_sse2_cos_precise
_libm_sse2_sqrt_precise
_libm_sse2_pow_precise
_dsign
_libm_sse2_acos_precise
fmaxf
_dclass
_CIfmod
_CIatan2

api-ms-win-crt-stdio-l1-1-0

fwrite
__stdio_common_vfprintf
ftell
_get_stream_buffer_pointers
_fseeki64
fsetpos
ungetc
setvbuf
__acrt_iob_func
fflush
fgetc
fputc
__stdio_common_vsscanf
fread
__stdio_common_vsprintf
_wfopen
fgetpos
fclose
fseek

api-ms-win-crt-string-l1-1-0

strncpy
strncmp
_stricmp

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-convert-l1-1-0

strtol
strtoll
strtod
atof
strtoull

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_unlock_file

api-ms-win-crt-locale-l1-1-0

localeconv

Sections

.text
Size: 719KB - Virtual size: 719KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Bo2Pluto/BO2Pluto.zip
.zip
BO2Pluto.exe
.exe windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

Size: 376KB - Virtual size: 719KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 611KB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 72KB - Virtual size: 75KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 15KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: - Virtual size: 4.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 2.5MB - Virtual size: 2.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 16B - Virtual size: 4KB

IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

950528327c399fca08291fba8827c8b7

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

shell32

msvcp140

dwmapi

d3d9

xinput1_4

imm32

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 719KB - Virtual size: 719KB

.rdata Size: 1.1MB - Virtual size: 1.1MB

.data Size: 6KB - Virtual size: 9KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 19KB - Virtual size: 19KB

Headers

DLL Characteristics

File Characteristics

Sections

Size: 376KB - Virtual size: 719KB

Size: 611KB - Virtual size: 1.1MB

Size: 72KB - Virtual size: 75KB

Size: 512B - Virtual size: 480B

Size: 15KB - Virtual size: 19KB

.idata Size: 1KB - Virtual size: 4KB

.tls Size: 512B - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 4KB

.themida Size: - Virtual size: 4.1MB

.boot Size: 2.5MB - Virtual size: 2.5MB

.reloc Size: 16B - Virtual size: 4KB

.text
Size: 719KB - Virtual size: 719KB

.rdata
Size: 1.1MB - Virtual size: 1.1MB

.data
Size: 6KB - Virtual size: 9KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 19KB - Virtual size: 19KB

.idata
Size: 1KB - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 4KB

.themida
Size: - Virtual size: 4.1MB

.boot
Size: 2.5MB - Virtual size: 2.5MB

.reloc
Size: 16B - Virtual size: 4KB