ethic_by_acedia[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

ethic_by_acedia.exe
Size

11.3MB
MD5

a5f3e363ca5c5a349c26e36ec0936d3c
SHA1

cfd33838f852b5d980bcc999f4d5528301767460
SHA256

c49bf183f14eaf9a640ad5dc23b273dfd0181d03e8c996b456ee0f2cf99f493f
SHA512

f339331ffe8e94076d471ad2b2cd7ad0228c84599af05252e3d2017b3416b251841f0defaf645b38956d6618130f86c8f1d2e2426cf2c1b92edb881969501e53
SSDEEP

196608:p4dxACcjn79aN/wrgq7DXLhuuMcATcRo1U8Xj9UX7FCJzsS:p4dxACcj79sNKguMPxXRi7I

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
sample	themida

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
ethic_by_acedia.exe

Files

ethic_by_acedia.exe
.exe windows:6 windows x64 arch:x64

1c2f7b04b4b4590e24bb81a988046301

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

CryptGetHashParam
RegQueryValueExA
RegCloseKey
OpenProcessToken
RegSetValueExA
RegDeleteKeyA
RegOpenKeyA
AdjustTokenPrivileges
LookupPrivilegeValueW
RegCreateKeyA
GetUserNameW
AddAccessAllowedAce
GetLengthSid
GetTokenInformation
InitializeAcl
IsValidSid
CryptEncrypt
CryptImportKey
CryptDestroyKey
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGenRandom
RegOpenKeyExA
CryptReleaseContext
CryptAcquireContextA
ConvertSidToStringSidA
CopySid
SetSecurityInfo

crypt32

CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryA
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertFreeCertificateChain
CertOpenStore

d3dcompiler_47

D3DCompile

gdi32

CreateSolidBrush

imm32

ImmReleaseContext
ImmSetCandidateWindow
ImmGetContext
ImmSetCompositionWindow

kernel32

Sleep
GetConsoleWindow
VirtualFree
VirtualAlloc
Process32First
CreateToolhelp32Snapshot
Process32Next
lstrcmpiA
MultiByteToWideChar
GlobalAlloc
GlobalFree
GlobalLock
WideCharToMultiByte
GlobalUnlock
LoadLibraryA
QueryPerformanceFrequency
VerSetConditionMask
QueryPerformanceCounter
HeapDestroy
HeapAlloc
HeapReAlloc
HeapFree
HeapSize
GetProcessHeap
InitializeCriticalSectionEx
DeleteCriticalSection
ExitProcess
CreateFileMappingW
GetModuleHandleW
QueryFullProcessImageNameW
CloseHandle
LocalFree
EnterCriticalSection
DeviceIoControl
SleepEx
GetSystemDirectoryA
VerifyVersionInfoA
GetTickCount
WaitForSingleObjectEx
GetEnvironmentVariableA
GetFileType
ReadFile
PeekNamedPipe
WaitForMultipleObjects
GetFileSizeEx
IsDebuggerPresent
SetFileInformationByHandle
GetFullPathNameW
GetFileAttributesExW
GetFileAttributesW
FindNextFileW
FindFirstFileExW
FindFirstFileW
FindClose
CreateDirectoryW
GetLocaleInfoEx
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
GetStdHandle
SetConsoleTitleA
SetConsoleTextAttribute
FormatMessageA
FreeLibrary
GetProcAddress
GetLastError
MapViewOfFile
CreateFileW
LoadLibraryExA
GetModuleFileNameA
LeaveCriticalSection
OutputDebugStringW
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
SleepConditionVariableSRW
WakeAllConditionVariable
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetFileInformationByHandleEx
GetCurrentProcessId
MoveFileExA
CreateThread
CreateFileA
GetModuleHandleA
UnmapViewOfFile
TerminateProcess
GetCurrentProcess
VirtualProtect
GetTempPathW
AreFileApisANSI
SetLastError

msvcp140

?_Incref@facet@locale@std@@UEAAXXZ
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
??1_Locinfo@std@@QEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?setf@ios_base@std@@QEAAHHH@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV?$basic_ios@DU?$char_traits@D@std@@@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
??0facet@locale@std@@IEAA@_K@Z
??1?$codecvt@DDU_Mbstatet@@@std@@MEAA@XZ
?is@?$ctype@G@std@@QEBA_NFG@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
_Query_perf_frequency
?_Xbad_alloc@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
_Query_perf_counter
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Xout_of_range@std@@YAXPEBD@Z
?_Winerror_map@std@@YAHH@Z
?_Xbad_function_call@std@@YAXXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?_Syserror_map@std@@YAPEBDH@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?_Throw_Cpp_error@std@@YAXH@Z
_Cnd_do_broadcast_at_thread_exit
?GetCurrentThreadId@platform@details@Concurrency@@YAJXZ
_Thrd_join
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
_Thrd_detach
?id@?$ctype@D@std@@2V0locale@2@A
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
_Strxfrm
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?id@?$collate@D@std@@2V0locale@2@A
_Strcoll
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
??4?$_Iosb@H@std@@QEAAAEAV01@$$QEAV01@@Z
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ

normaliz

IdnToAscii

psapi

GetModuleInformation

rpcrt4

RpcStringFreeA
UuidCreate
UuidToStringA

shell32

ShellExecuteA
SHGetFolderPathW

user32

TranslateMessage
LoadIconA
PeekMessageA
SetLayeredWindowAttributes
CreateWindowExA
DefWindowProcA
MoveWindow
SetCursorPos
OpenClipboard
CloseClipboard
EmptyClipboard
GetClipboardData
SetClipboardData
ShowWindow
ScreenToClient
GetAsyncKeyState
GetForegroundWindow
GetMonitorInfoA
GetWindowLongA
SetWindowLongA
GetSystemMetrics
UnregisterClassA
PostQuitMessage
RegisterClassExA
UpdateWindow
GetKeyState
LoadCursorA
FindWindowA
GetCursorPos
SendInput
GetWindowRect
SetWindowPos
SetWindowDisplayAffinity
DestroyWindow
DispatchMessageA
MonitorFromWindow
GetCapture
ClientToScreen
TrackMouseEvent
SetCapture
SetCursor
GetClientRect
SetProcessDPIAware
ReleaseCapture
MessageBoxA

userenv

UnloadUserProfile

vcruntime140

__std_exception_copy
__std_terminate
strstr
strchr
longjmp
strrchr
__C_specific_handler
_CxxThrowException
memchr
memcmp
memcpy
memcpy
memset
__current_exception
__current_exception_context
__intrinsic_setjmp
__std_exception_destroy

vcruntime140_1

__CxxFrameHandler4

wldap32

ldap_set_optionA
ldap_simple_bind_sA
ldap_sslinitA
ldap_bind_sA
ldap_search_sA
ldap_msgfree
ldap_initA
ldap_err2stringA
ldap_first_entry
ldap_next_entry
ldap_first_attributeA
ldap_next_attributeA
ldap_get_values_lenA
ldap_value_free_len
ldap_get_dnA
ldap_unbind_s
ldap_memfreeA
ber_free

ws2_32

sendto
closesocket
recv
send
WSAGetLastError
bind
connect
getpeername
getsockname
gethostname
htonl
FreeAddrInfoW
getsockopt
getaddrinfo
htons
htons
setsockopt
select
socket
WSASetLastError
WSAIoctl
WSAStartup
WSACleanup
accept
htonl
listen
ioctlsocket
__WSAFDIsSet
recvfrom

ucrtbase

_strtoui64
strtol
strtoul
atoi
_strtoi64
strtod
atof
getenv
_unlock_file
_lock_file
_access
_unlink
_stat64
rename
remove
_fstat64
_callnewh
calloc
_set_new_mode
malloc
free
realloc
___lc_codepage_func
localeconv
setlocale
_configthreadlocale
tan
ceil
_dclass
atan2f
atan2
asin
fmod
fmodf
cos
acos
log
log10
cosf
pow
ldexp
exp
powf
sin
sinf
sqrt
ceilf
acosf
frexp
sqrtf
floor
_dsign
__setusermatherr
_seh_filter_exe
_get_initial_narrow_environment
_initterm
_initterm_e
abort
__p___argc
__p___argv
_c_exit
_register_thread_local_exe_atexit_callback
_cexit
_errno
system
_beginthreadex
terminate
_crt_atexit
strerror
_Exit
_Exit
_register_onexit_function
quick_exit
exit
_set_app_type
_initialize_onexit_table
_invalid_parameter_noinfo_noreturn
_initialize_narrow_environment
_configure_narrow_argv
__sys_nerr
_invalid_parameter_noinfo
_getpid
_resetstkoflw
__stdio_common_vfprintf
_lseeki64
fgets
__acrt_iob_func
_set_fmode
fputs
ftell
_open
clearerr
__stdio_common_vsscanf
_wfopen
freopen
fseek
_close
_pclose
_write
_read
_get_stream_buffer_pointers
fsetpos
fgetpos
fgetc
ferror
fopen
fputc
tmpfile
setvbuf
_popen
ungetc
fwrite
_ftelli64
_fseeki64
fread
fflush
tmpnam
__stdio_common_vsprintf
fclose
getc
feof
__p__commode
_mbsdup
strpbrk
isgraph
isupper
tolower
isspace
iscntrl
ispunct
islower
strcoll
isxdigit
_stricmp
strncmp
strcspn
isdigit
strspn
isalpha
isalnum
toupper
strcmp
strncpy
_mktime64
_difftime64
_gmtime64
_localtime64
_time64
strftime
clock
rand
qsort

d3d11

D3D11CreateDeviceAndSwapChain

dbghelp

ImageRvaToVa
ImageDirectoryEntryToData
ImageNtHeader

dwmapi

DwmExtendFrameIntoClientArea

ntdll

RtlVirtualUnwind
RtlInitAnsiString
RtlCaptureContext
RtlLookupFunctionEntry
RtlAnsiStringToUnicodeString
NtQuerySystemInformation

Sections

.text
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 220KB - Virtual size: 232KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 302KB - Virtual size: 340KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 46KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: 6.1MB - Virtual size: 6.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 3.6MB - Virtual size: 3.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ

.SCY
Size: 17KB - Virtual size: 20KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

1c2f7b04b4b4590e24bb81a988046301

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

crypt32

d3dcompiler_47

gdi32

imm32

kernel32

msvcp140

normaliz

psapi

rpcrt4

shell32

user32

userenv

vcruntime140

vcruntime140_1

wldap32

ws2_32

ucrtbase

d3d11

dbghelp

dwmapi

ntdll

Sections

.text Size: 1.0MB - Virtual size: 1.0MB

Size: 220KB - Virtual size: 232KB

Size: 302KB - Virtual size: 340KB

Size: 46KB - Virtual size: 48KB

Size: 512B - Virtual size: 4KB

Size: 3KB - Virtual size: 4KB

.idata Size: 2KB - Virtual size: 4KB

.tls Size: 512B - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 4KB

.themida Size: 6.1MB - Virtual size: 6.1MB

.boot Size: 3.6MB - Virtual size: 3.6MB

.reloc Size: 512B - Virtual size: 4KB

.SCY Size: 17KB - Virtual size: 20KB

.text
Size: 1.0MB - Virtual size: 1.0MB

.idata
Size: 2KB - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 4KB

.themida
Size: 6.1MB - Virtual size: 6.1MB

.boot
Size: 3.6MB - Virtual size: 3.6MB

.reloc
Size: 512B - Virtual size: 4KB

.SCY
Size: 17KB - Virtual size: 20KB