klounada[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

klounada.exe
Size

5.5MB
MD5

616756248d85c819fd0830d660a7aaa0
SHA1

0ead8b67e103d9ec95486781c70c2b35aa9ee287
SHA256

1e2f5b51b09d3f0060700403f138e33cf4c085dde4fbb469c420e9fd840f04d3
SHA512

b50326bcdc988e947df2c01552266aeea6bd148832496b4c29328f8751268c9840f72433019ee94925151913aad77020e146567cc0cffc5ffe65905f3070b406
SSDEEP

98304:g2GmrHOupd2UnxrkWKnuIGQi0iEFZTbKEH/Zh9lkdKnZ7QOjXIEgTH:a1UxrxWuYFFhDYKnOObIEgT

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
klounada.exe

Files

klounada.exe
.exe windows:6 windows x86 arch:x86

89c8abd38fd3ffc06ee06d01f9b3cbbf

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

ExitProcess
VirtualQuery
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

ole32

CoCreateInstance

oleaut32

SysAllocString

user32

CloseClipboard
GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

gdi32

BitBlt

wtsapi32

WTSSendMessageW

Sections

.text
Size: - Virtual size: 218KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: - Virtual size: 3.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 5.5MB - Virtual size: 5.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ