setup[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

setup.exe
Size

5.5MB
MD5

307e3cfb3ea7892a173b0abfdcb1fc9b
SHA1

f9d055cbf4c5375de2b92aeec8d5f6e3041b2983
SHA256

c9e78021f3c4a309be624c1dc094c1c7e24c0b6be51a1d26526a986b8e68bdf8
SHA512

2a499d196dc3bcdf9dcdd8b5da5942ff1596e5e858145aaa113830fbec75edb480a567af3f003ae7ea1812da65244ea7ec5e57a9dccbfb133225b8d79c7d4483
SSDEEP

98304:Q6pSwl52KNHX4gc7ziuN13pwJ8WFSeSegUaPKqX0wGXq2CuZAKgI+OqbvLU1X69:Q6pS+52Kx4/viuBpwJ8WFSqgHX5ShZm/

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
setup.exe

Files

setup.exe
.exe windows:6 windows x86 arch:x86

89c8abd38fd3ffc06ee06d01f9b3cbbf

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

ExitProcess
VirtualQuery
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

ole32

CoCreateInstance

oleaut32

SysAllocString

user32

CloseClipboard
GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

gdi32

BitBlt

wtsapi32

WTSSendMessageW

Sections

.text
Size: - Virtual size: 220KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: - Virtual size: 3.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 5.5MB - Virtual size: 5.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ