unpacked_iaoldncsv[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

unpacked_iaoldncsv.exe
Size

12.2MB
MD5

4cb1a6f71c38688c09018f19a880c6db
SHA1

ea6ac3376214d247e5db31fc27e445c2e7fd9b27
SHA256

fb37882260626562aaca7abb8ea1f385db333bb738e10df9902ed678a8da037d
SHA512

e71033b14c2069477e6a79fbb5b689354098c8d73a770103bd065d92d2b128cab9264524bb9f5b9f8f9e7b0f4e8653d85e1ed621e924f1a218df088c6f3c9058
SSDEEP

196608:xf2Ndd2H/KRMbpCPgwFRkhNX9qhNfC6ieTIvCVEqt1:xGdd2H/KRMbwu9yFC65TIvo

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
sample	themida

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpacked_iaoldncsv.exe

Files

unpacked_iaoldncsv.exe
.exe windows:6 windows x64 arch:x64

05c2607547f684dc347a3a9ba7376588

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

CryptExportKey
CryptGetUserKey
CryptDecrypt
CryptSignHashW
CryptEnumProvidersW
RegEnumKeyExA
RegOpenKeyW
RegCreateKeyW
DeleteService
OpenSCManagerA
RegQueryValueExW
RegGetValueW
RegOpenKeyExW
FreeSid
OpenProcessToken
RegEnumKeyExW
SetNamedSecurityInfoW
RegCreateKeyExW
SetEntriesInAclW
AllocateAndInitializeSid
RegDeleteKeyW
RegCloseKey
AdjustTokenPrivileges
LookupPrivilegeValueW
RegOpenKeyA
RegDeleteKeyA
LookupPrivilegeValueA
CryptGetProvParam
CryptSetHashParam
CryptEncrypt
CryptImportKey
CryptDestroyKey
CryptAcquireContextW
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGenRandom
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
OpenServiceW
ChangeServiceConfigW
ControlService
OpenSCManagerW
CloseServiceHandle
RegOpenKeyExA
RegQueryInfoKeyW
RegSetValueExW
RegDeleteTreeW
RegDeleteKeyExW
DeregisterEventSource
RegisterEventSourceW
ReportEventW

comdlg32

GetOpenFileNameA

crypt32

CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertFindExtension
CertGetCRLContextProperty
CertDuplicateCertificateContext
CertFreeCertificateChain
CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
PFXImportCertStore
CryptStringToBinaryA
CertAddCertificateContextToStore
CryptDecodeObjectEx
CertGetCertificateChain

d3dcompiler_43

D3DCompile

gdi32

CreateDIBSection

imm32

ImmSetCompositionWindow
ImmSetCandidateWindow
ImmGetContext
ImmReleaseContext

iphlpapi

GetIpAddrTable
GetIfEntry

kernel32

GetCPInfo
CompareStringEx
LCMapStringEx
EncodePointer
TryEnterCriticalSection
ReadConsoleW
ReadConsoleA
SetConsoleMode
GetConsoleMode
GetFileSizeEx
GetACP
GetSystemTimeAsFileTime
GetEnvironmentVariableW
VerifyVersionInfoW
WaitForMultipleObjects
GetEnvironmentVariableA
WaitForSingleObjectEx
MoveFileExA
GetTickCount
GetFileType
GetStdHandle
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
AcquireSRWLockShared
AcquireSRWLockExclusive
ReleaseSRWLockShared
ReleaseSRWLockExclusive
InitOnceInitialize
GetSystemDirectoryA
SleepEx
LeaveCriticalSection
EnterCriticalSection
GetVersionExW
GetCurrentThreadId
LoadLibraryW
SetFilePointer
GetLogicalDrives
ReadFile
SystemTimeToFileTime
DeleteFileW
GetFileAttributesW
GetExitCodeProcess
GetModuleHandleW
TerminateThread
SetEvent
CreateEventW
ResumeThread
VirtualFreeEx
CreateRemoteThread
SetComputerNameExA
VirtualAllocEx
VirtualProtectEx
CreateFileA
GetFileAttributesA
GetTickCount64
OpenProcess
WriteProcessMemory
IsBadReadPtr
FreeLibrary
GetProcessHeap
ExitProcess
GlobalSize
GetLogicalDriveStringsW
QueryDosDeviceW
DeleteCriticalSection
DecodePointer
RaiseException
InitializeCriticalSectionEx
GetPrivateProfileStringA
FormatMessageA
GetFileSize
WritePrivateProfileStringA
DeleteFileA
LocalAlloc
FindClose
HeapAlloc
GetNativeSystemInfo
VirtualAlloc
VirtualFree
SetLastError
HeapFree
HeapSize
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
FindNextFileW
FindFirstFileW
GetSystemWindowsDirectoryW
Process32NextW
FormatMessageW
PeekNamedPipe
VirtualProtect
GetSystemTime
GetCurrentProcessId
OutputDebugStringW
GetModuleFileNameW
WriteFile
GetModuleFileNameA
GetCommandLineW
GetCommandLineA
GetOEMCP
IsValidCodePage
FindFirstFileExW
GetFullPathNameW
GetCurrentDirectoryW
SetEndOfFile
GetFileAttributesExW
SetStdHandle
GetTimeZoneInformation
HeapReAlloc
FlushFileBuffers
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
GetConsoleOutputCP
SetFilePointerEx
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
GetFileInformationByHandle
GetDriveTypeW
SetConsoleCtrlHandler
FreeLibraryAndExitThread
ExitThread
WriteConsoleW
GetModuleHandleExW
LoadLibraryExW
VirtualQuery
CreateProcessW
GetWindowsDirectoryW
SetFileAttributesA
GetModuleHandleA
Sleep
LoadLibraryA
GetProcAddress
MultiByteToWideChar
GetWindowsDirectoryA
GlobalAlloc
GlobalFree
LocalFree
CreateThread
CloseHandle
K32GetDeviceDriverBaseNameW
GetLastError
GetTempPathA
CreateFileW
WaitForSingleObject
TerminateProcess
DeviceIoControl
lstrlenW
GetCurrentProcess
K32EnumDeviceDrivers
QueryPerformanceCounter
QueryPerformanceFrequency
GetLocaleInfoA
GlobalUnlock
WideCharToMultiByte
GlobalLock
K32GetDeviceDriverBaseNameA
LoadLibraryExA
InitializeSListHead
GetStartupInfoW
IsDebuggerPresent
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
InitializeCriticalSectionAndSpinCount
GetStringTypeW
VerSetConditionMask

netapi32

NetUserGetLocalGroups
NetUserDel

normaliz

IdnToAscii

setupapi

SetupDiChangeState
SetupDiGetDeviceRegistryPropertyA
SetupDiGetClassDevsW
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
SetupDiSetClassInstallParamsW

shell32

ShellExecuteA
SHGetFolderPathA
SHFileOperationA
ShellExecuteW

shlwapi

SHCreateMemStream
PathFileExistsW
PathFileExistsA
PathGetDriveNumberW
PathBuildRootW

user32

TranslateMessage
LoadIconW
GetMessageExtraInfo
GetDC
RegisterClassW
PeekMessageW
DispatchMessageW
RegisterClassExW
UnregisterClassW
CreateWindowExW
DestroyWindow
DefWindowProcW
FindWindowW
GetKeyboardLayoutList
wvsprintfA
GetProcessWindowStation
GetUserObjectInformationW
GetCursorPos
SystemParametersInfoW
SetCursor
LoadCursorW
GetForegroundWindow
ScreenToClient
GetCapture
MessageBoxA
ClientToScreen
wvsprintfW
GetMonitorInfoW
MessageBoxW
SetWindowPos
MonitorFromPoint
GetKeyState
CloseWindow
SetClipboardData
GetClipboardData
EmptyClipboard
CloseClipboard
OpenClipboard
ReleaseDC
SetCursorPos
ReleaseCapture
IsWindowUnicode
GetClientRect
SetCapture
GetKeyboardLayout
TrackMouseEvent
GetWindowThreadProcessId
GetMessageW
SetWindowLongPtrW
SendMessageW
GetWindowLongPtrW
ShowWindow
IsWindow
SetTimer
ValidateRect
SetFocus
PostThreadMessageW
KillTimer
SetForegroundWindow
GetAsyncKeyState

wintrust

WinVerifyTrust

wldap32

ldap_initA
ldap_sslinitA
ldap_unbind_s
ldap_set_optionA
ldap_simple_bind_sA
ldap_bind_sA
ldap_search_sA
ldap_msgfree
ldap_err2stringA
ldap_first_entry
ldap_next_entry
ldap_first_attributeA
ldap_next_attributeA
ldap_get_values_lenA
ldap_get_dnA
ldap_memfreeA
ber_free
ldap_value_freeW

ws2_32

setsockopt
getnameinfo
sendto
htons
recvfrom
inet_ntoa
htons
socket
inet_addr
WSAStartup
select
WSAGetLastError
__WSAFDIsSet
WSACleanup
send
WSACloseEvent
WSACreateEvent
WSAEnumNetworkEvents
WSAEventSelect
WSAResetEvent
WSAWaitForMultipleEvents
closesocket
gethostbyname
recv
bind
shutdown
gethostname
FreeAddrInfoW
getaddrinfo
listen
accept
getservbyname
getservbyport
gethostbyaddr
htonl
ioctlsocket
WSAIoctl
WSASetLastError
getsockopt
getsockname
getpeername
connect

bthprops.cpl

BluetoothFindNextRadio
BluetoothGetRadioInfo
BluetoothFindRadioClose
BluetoothFindFirstRadio

gdiplus

GdipAlloc
GdipCloneImage
GdiplusStartup
GdipGetPropertyItemSize
GdipSetStringFormatAlign
GdipGetImageWidth
GdipDeleteFont
GdipLoadImageFromStreamICM
GdipFree
GdipLoadImageFromStream
GdipDisposeImage
GdipDeleteStringFormat
GdiplusShutdown
GdipGetImageEncoders
GdipCreateBitmapFromHBITMAP
GdipGetImageEncodersSize
GdipSaveImageToStream
GdipCreateStringFormat
GdipDeleteFontFamily
GdipGetImageHeight
GdipCreateFontFamilyFromName
GdipImageGetFrameDimensionsCount
GdipDeleteBrush
GdipGetPropertyItem
GdipDrawImageRectI
GdipCreateFont
GdipCreateSolidFill
GdipCreateFromHWND
GdipGetGenericFontFamilySansSerif
GdipDrawString
GdipImageSelectActiveFrame
GdipImageGetFrameDimensionsList
GdipCreateFromHDC
GdipImageGetFrameCount
GdipDeleteGraphics

ntdll

RtlUnwindEx
NtClose
RtlImageNtHeader
RtlInitUnicodeString
NtQuerySystemInformation
RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind
RtlNtStatusToDosError
RtlRandom
NtOpenFile
RtlPcToFileHeader
RtlUnwind

ole32

CoInitialize

combase

CoUninitialize
CoCreateInstance
CreateStreamOnHGlobal
GetHGlobalFromStream

wlanapi

WlanOpenHandle
WlanScan
WlanGetNetworkBssList
WlanEnumInterfaces
WlanCloseHandle

Sections

.text
Size: 3.9MB - Virtual size: 4.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 860KB - Virtual size: 896KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 340KB - Virtual size: 384KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 107KB - Virtual size: 128KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 64KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 129KB - Virtual size: 192KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 35KB - Virtual size: 64KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 1KB - Virtual size: 64KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 64KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 129KB - Virtual size: 192KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: 4.3MB - Virtual size: 4.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 2.3MB - Virtual size: 2.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 64KB

IMAGE_SCN_MEM_READ

.SCY
Size: 13KB - Virtual size: 64KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

05c2607547f684dc347a3a9ba7376588

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

comdlg32

crypt32

d3dcompiler_43

gdi32

imm32

iphlpapi

kernel32

netapi32

normaliz

setupapi

shell32

shlwapi

user32

wintrust

wldap32

ws2_32

bthprops.cpl

gdiplus

ntdll

ole32

combase

wlanapi

Sections

.text Size: 3.9MB - Virtual size: 4.0MB

Size: 860KB - Virtual size: 896KB

Size: 340KB - Virtual size: 384KB

Size: 107KB - Virtual size: 128KB

Size: 512B - Virtual size: 64KB

Size: 129KB - Virtual size: 192KB

Size: 35KB - Virtual size: 64KB

.idata Size: 1KB - Virtual size: 64KB

.tls Size: 512B - Virtual size: 64KB

.rsrc Size: 129KB - Virtual size: 192KB

.themida Size: 4.3MB - Virtual size: 4.3MB

.boot Size: 2.3MB - Virtual size: 2.4MB

.reloc Size: 512B - Virtual size: 64KB

.SCY Size: 13KB - Virtual size: 64KB

.text
Size: 3.9MB - Virtual size: 4.0MB

.idata
Size: 1KB - Virtual size: 64KB

.tls
Size: 512B - Virtual size: 64KB

.rsrc
Size: 129KB - Virtual size: 192KB

.themida
Size: 4.3MB - Virtual size: 4.3MB

.boot
Size: 2.3MB - Virtual size: 2.4MB

.reloc
Size: 512B - Virtual size: 64KB

.SCY
Size: 13KB - Virtual size: 64KB