BLTools v2[.]9 [PRO][.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

BLTools v2.9 [PRO].exe
Size

7.1MB
MD5

bef86c9792f7f8bc658ca1d1bce63c60
SHA1

d7d3fe3ae1e950cd4192d46a0bf6505ec3858689
SHA256

2ebfc2838c33ff2fc3547369bf0e8bcdfe41c245ede9241602f44afbf7c3cfdb
SHA512

6ec05fa9bd6ab5c8f1aaa323c81d9f8ae5905a9dba4c511a57c473f568fa551115442ac325547beaecb5c9813446689be37e0485a8fa78f03bf9e82386a93de7
SSDEEP

98304:LinmCgeyQbyt5fTQ7lN7jGb5XQueha05FK7Km53t/VXCRjwsRMJnq2ISUMRlEGy:L0/UVQ7D+b56ha07K7KettcVFcIG

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs
Detects executables packed with VMProtect commercial packer.
vmprotect

Processes:

resource yara_rule

sample vmprotect
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

BLTools v2.9 [PRO].exe

resource	yara_rule
sample	vmprotect

resource
BLTools v2.9 [PRO].exe

Files

BLTools v2.9 [PRO].exe
.exe windows:6 windows x64 arch:x64

2df38a1ae5759eca19cd2d1b1cc4e208

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

secur32

DecryptMessage
AcceptSecurityContext
EncryptMessage
ApplyControlToken
DeleteSecurityContext
FreeContextBuffer
QueryContextAttributesW
InitializeSecurityContextW
AcquireCredentialsHandleA
LsaFreeReturnBuffer
LsaGetLogonSessionData
FreeCredentialsHandle
LsaEnumerateLogonSessions

kernel32

GetModuleHandleA
GetCurrentThread
TryAcquireSRWLockExclusive
GetStdHandle
GetConsoleMode
WaitForSingleObject
MultiByteToWideChar
WriteConsoleW
SetLastError
QueryPerformanceFrequency
FormatMessageW
GetCurrentProcess
GetEnvironmentVariableW
GetTempPathW
CreateFileW
SetFileInformationByHandle
GetFullPathNameW
SetFilePointerEx
FindNextFileW
CreateDirectoryW
FindFirstFileW
FindClose
CreateThread
ExitProcess
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetProcessHeap
HeapAlloc
GetCurrentDirectoryW
RtlCaptureContext
RtlLookupFunctionEntry
GetCurrentProcessId
CreateMutexA
WaitForSingleObjectEx
LoadLibraryA
ReleaseMutex
RtlVirtualUnwind
AcquireSRWLockShared
ReleaseSRWLockShared
DuplicateHandle
CopyFileExW
SetHandleInformation
GetDriveTypeW
GetVolumeInformationW
GetDiskFreeSpaceExW
DeviceIoControl
GetProcessTimes
GetSystemTimes
GetProcessIoCounters
LocalFree
GetSystemInfo
VirtualQueryEx
OpenProcess
GlobalMemoryStatusEx
GetQueuedCompletionStatusEx
GetTickCount
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
SleepEx
Sleep
GetSystemDirectoryA
GetEnvironmentVariableA
WideCharToMultiByte
VerSetConditionMask
VerifyVersionInfoW
MoveFileExA
CreateFileA
GetFileSizeEx
ReadFile
FlushFileBuffers
MapViewOfFile
CreateFileMappingW
FormatMessageA
GetSystemTime
SystemTimeToFileTime
GetFileSize
LockFileEx
UnlockFile
HeapDestroy
HeapCompact
LoadLibraryW
DeleteFileA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
HeapSize
HeapValidate
UnmapViewOfFile
GetFileAttributesW
CreateMutexW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
SetFilePointer
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
WriteFile
HeapCreate
AreFileApisANSI
InitializeCriticalSection
TryEnterCriticalSection
GetCurrentThreadId
WakeConditionVariable
SetFileCompletionNotificationModes
CreateIoCompletionPort
CancelIoEx
PostQueuedCompletionStatus
SleepConditionVariableSRW
SwitchToThread
GetModuleHandleW
HeapReAlloc
HeapFree
SetThreadStackGuarantee
AddVectoredExceptionHandler
DeleteFileW
GetFileInformationByHandleEx
FreeLibrary
GetProcAddress
LoadLibraryExW
GetComputerNameExW
GetLogicalDrives
GetTickCount64
InitializeSListHead
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetUserPreferredUILanguages
ReleaseSRWLockExclusive
GetLastError
GetFileInformationByHandle
AcquireSRWLockExclusive
WakeAllConditionVariable
CloseHandle
IsDebuggerPresent
ReadProcessMemory
GetSystemTimeAsFileTime
GetModuleHandleA
CreateEventA
GetModuleFileNameW
LoadLibraryA
TerminateProcess
GetCurrentProcess
CreateToolhelp32Snapshot
Thread32First
GetCurrentProcessId
GetCurrentThreadId
OpenThread
Thread32Next
CloseHandle
SuspendThread
ResumeThread
WriteProcessMemory
GetSystemInfo
VirtualAlloc
VirtualProtect
VirtualFree
GetProcessAffinityMask
SetProcessAffinityMask
GetCurrentThread
SetThreadAffinityMask
Sleep
FreeLibrary
GetTickCount
SystemTimeToFileTime
FileTimeToSystemTime
GlobalFree
LocalAlloc
LocalFree
GetProcAddress
ExitProcess
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
GetModuleHandleW
LoadResource
MultiByteToWideChar
FindResourceExW
FindResourceExA
WideCharToMultiByte
GetThreadLocale
GetUserDefaultLCID
GetSystemDefaultLCID
EnumResourceNamesA
EnumResourceNamesW
EnumResourceLanguagesA
EnumResourceLanguagesW
EnumResourceTypesA
EnumResourceTypesW
CreateFileW
LoadLibraryW
GetLastError
FlushFileBuffers
CreateFileA
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
SetStdHandle
FlsSetValue
GetCommandLineA
RaiseException
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlUnwindEx
HeapFree
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
DecodePointer
FlsGetValue
FlsFree
SetLastError
FlsAlloc
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlCaptureContext
HeapAlloc
LCMapStringA
LCMapStringW
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapSetInformation
HeapCreate
HeapDestroy
QueryPerformanceCounter
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
HeapSize
WriteFile
SetFilePointer
GetConsoleCP
GetConsoleMode
HeapReAlloc
InitializeCriticalSectionAndSpinCount
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

advapi32

SystemFunction036
GetLengthSid
CopySid
OpenProcessToken
GetTokenInformation
LookupAccountSidW
RegCloseKey
RegOpenKeyExW
RegQueryValueExW
GetUserNameW
CryptAcquireContextA
CryptReleaseContext
CryptGetHashParam
CryptGenRandom
CryptCreateHash
CryptHashData
CryptDestroyHash
IsValidSid

ws2_32

WSACloseEvent
recv
getpeername
shutdown
getsockopt
ioctlsocket
WSACleanup
WSAStartup
freeaddrinfo
getaddrinfo
WSAEnumNetworkEvents
WSASocketW
WSAIoctl
WSASend
setsockopt
WSAEventSelect
recvfrom
WSAGetLastError
closesocket
send
getsockname
WSACreateEvent
WSAResetEvent
WSASetLastError
WSAWaitForMultipleEvents
htons
socket
ntohs
listen
htonl
accept
select
__WSAFDIsSet
bind
connect
WSARecv
WSAGetOverlappedResult

crypt32

CryptDecodeObjectEx
PFXImportCertStore
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertVerifyCertificateChainPolicy
CertGetCertificateChain
CertEnumCertificatesInStore
CertAddCertificateContextToStore
CertCloseStore
CertDuplicateStore
CertDuplicateCertificateContext
CertFreeCertificateChain
CertDuplicateCertificateChain
CertFreeCertificateContext
CertGetEnhancedKeyUsage
CertOpenStore
CryptStringToBinaryA
CryptUnprotectData
CertFindCertificateInStore
CertFindExtension

oleaut32

SysAllocString
SafeArrayGetUBound
SafeArrayGetLBound
VariantClear
SysFreeString
SafeArrayUnaccessData
SysAllocStringLen
SafeArrayAccessData

pdh

PdhCollectQueryData
PdhOpenQueryA
PdhGetFormattedCounterValue
PdhRemoveCounter
PdhAddEnglishCounterW
PdhCloseQuery

iphlpapi

GetIfTable2
GetIfEntry2
FreeMibTable
GetAdaptersAddresses

netapi32

NetUserGetLocalGroups
NetUserGetInfo
NetApiBufferFree
NetUserEnum

user32

GetMonitorInfoW
EnumDisplayMonitors
EnumDisplaySettingsExW
GetUserObjectInformationW
CharUpperBuffW
MessageBoxW
GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

gdi32

DeleteDC
CreateDCW
CreateCompatibleDC
DeleteObject
SelectObject
SetStretchBltMode
StretchBlt
GetDIBits
GetObjectW
GetDeviceCaps
CreateCompatibleBitmap

ole32

CoSetProxyBlanket
CoUninitialize
CoInitializeSecurity
CoInitializeEx
CoCreateInstance
CoTaskMemFree

bcrypt

BCryptGenRandom

shell32

CommandLineToArgvW
SHGetKnownFolderPath

ntdll

NtReadFile
NtWriteFile
RtlNtStatusToDosError
NtCreateFile
RtlGetVersion
NtQueryInformationProcess
NtQuerySystemInformation

powrprof

CallNtPowerInformation

psapi

GetModuleFileNameExW
GetPerformanceInfo

vcruntime140

memset
__CxxFrameHandler3
memmove
memcmp
strchr
strrchr
strstr
memchr
__C_specific_handler
__current_exception
__current_exception_context
memcpy

api-ms-win-crt-string-l1-1-0

strcmp
_strdup
strncpy
strcpy
wcslen
isupper
strpbrk
tolower
strncmp
strlen
strspn
strcspn

api-ms-win-crt-heap-l1-1-0

calloc
malloc
realloc
free
_msize
_set_new_mode

api-ms-win-crt-runtime-l1-1-0

_cexit
_initialize_onexit_table
__p___argc
__sys_errlist
_exit
exit
_register_onexit_function
_initterm
_get_initial_narrow_environment
_initialize_narrow_environment
_c_exit
__sys_nerr
_set_app_type
_seh_filter_exe
_endthreadex
_register_thread_local_exe_atexit_callback
_errno
_wassert
abort
_crt_atexit
terminate
_configure_narrow_argv
_beginthreadex
_initterm_e
__p___argv

api-ms-win-crt-convert-l1-1-0

strtoll
strtol
atoi
strtoul
wcstombs

api-ms-win-crt-stdio-l1-1-0

_open
_lseeki64
fopen
fflush
fgets
feof
_read
__stdio_common_vsscanf
ftell
_set_fmode
__p__commode
fclose
__acrt_iob_func
fread
fseek
_close
fputs
_write
fwrite
fputc
__stdio_common_vsprintf

api-ms-win-crt-time-l1-1-0

_time64
strftime
_gmtime64
_localtime64_s

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-filesystem-l1-1-0

_access
_unlink
_stat64
_fstat64

api-ms-win-crt-math-l1-1-0

_dclass
log
__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

wtsapi32

WTSSendMessageW

Exports

Exports

!��I��e*��o{��c�I'ն1��ͭH�Q��1p�\��S��J�2��{�'�=@�v��Ǎۧ.rz�$��)��>�_�kӷ��iC;{KLY��f_��yd��r��#�ϵ4ۗA��r��J�t1ad��|�x�)��!�^�3��.��c(�PwWf��>�7��^��5��:]=V��SmCV��ɹ��D40 Sa9i��)��R��K'Y� �t�C��ۛ�ou(�+�p� �HfT�0�.�'6+�Oy��#��83��m�Pt\��M�R�|_��ֲʜw"*��p�/�C��?f�͐�߬��6�p2�Z�T��!�̑�f�}\@>P7�>B�l�ܚSB\��y-�@G�\��߼��$$�*5��fE�6+h�� d��_T��-Sl3��rA�tɧX��唆#{��AQe�8�x�j�^O�.�#��_��Hw^*�h U�(��J��fD��&d>7�5r��d8��T�ܺL�GR.�;�E6��1_Z��<�/�Gv�"�-X�$��C��g ��`�N^h��T]3*��PDf�k��"0蹶��J�W�l�� Uo��R |��G鶮xJ�!��Ǆ�B�{S�� :'սt��>�ZFM^��O��9m��Wް�9 ��A��՞��8᾿D�=��j�3Ħ��^\��w��P�2�'�tk0�$Jgũ?Izĸ��^X�32�]w�`<VɁV_uҖ�8��4.=SR��7Lqtr��Tm��3L�ص��Y/��7��9��oLO9tx��ꛅ��F.�'�:��U|/�aM�&�!G�)�J&�7��֝~WTTp8t�Y�"4)�BL� ��5�ן;\n!%�eGn�,%��自.�ѕ5�AA�M�ސ8�:��3��b�둍� �&-Iׄ2��G�3�,��s�V��Ǝ��_��n<b%fN�UƦ�s�g�6RV֬�1܊�4�{[C�I�]|��1� �W�@K��#g+�:�%��(�F�|ײ�Ş;��Y��d+!��N�j��)y�VUͤÙh� =:�8~sщKX�%>w��;_p�]��=�s��Bi �r��&�� 7Rml��qC��(��qp�I��#��* �R:��N�1]-��zG��'��۫"�?qo��&�o�=��7S�t'�x_��*�^ҧqy�Ǚ�v �� ̔��g+#��~��QJ��y�+��`L<o��s��O"/��<��fO�﷙'��)�� &�#��M�ꁤK�h�e7��h��a̞��X��p(��sv�܃ �% �v>�_ߐ@��G*.gFą��m� ��<@+��s��AW��B�Ҽ��.T"5��o�_X<H5&k\��iv�� H��Qʀ�|fEXǡ~� ��\��m$�G�1;u�z��0�y7��vT|�NL}�j��o �%E�-�l�Pt�ק>� ��z��G��;�O��r��\P��\�&�)ې��KǕ<K>P�4��ͮ-OTso��n&fE�q��Q��B��y!^��e� r+��ʝ�>��|�D)�"��>_��<�מnk`��Jr\�Z�e�w��P�t� `Uw�Ք.b]��T��k��g �x�C��yu��8��0�j1ĭ��p�r��&/��i�w��g ͆��H�Y]��a۫P�"��-,T��V�(/(b&"��P#V��[{�( �U��4��'d i\��M ��PcA�>�g�,w!A�>y� ��C��J��,�F��,�*�?gs�۬AY��W�+&�[���\"s�|+Q3��%��O�$�H�N��:H(��URSAl�n��4T�� %�u� �|E��E8��jtĞ�P��u��ji-Ҧ]pk >�Z<��dĵ .l�6Ԇb��h��s�@��,��.J�|��S)��y)"V ��=��i��7F4Ni�B+l~�L��`��v[�� ʰ4��N_��Z<Ʃǻ��]�i�u��C�qg�n�q��-�wc�?H�3��e0�2$#��C�R=��gO��B�Cy=:�ԔRI�!��5�kE��~r�ЛC-.��!ܩj��XGD��>��Ҧ��TV>I�L��T�N�#�t�C� ��!竀'�P`7`�5��e��K��]L��"��N�"Vt�|�p�+�"́��b�յk�J}9N��B�#(��v��V��ha�q*��D��(ܱ��Yq��j��Aq�jKh=>lt��a/�oj�R8�k�,�0��o�C��A<G6�6_Z�,��!�ys��_�G6#^Ma�(�+�f��Qp�C7�>\c��<��"��[��7Ĩ�d#�� M�$��-��G�� ~GKI�6c��s�Եʾ��j/LA�'ԏ�(�5H�Hy�D�� ǣ��Zrn�d��8�3Ylzݥ��sPP�oIN͕C��/��L�&��y0`�O��N��'�H��^�#��Q$��ᰜ#��U٨ �Z�I}��Q��u��*�;��~�7��V�kԲFD>pv�<az �T@9a(V2�H_2r,��V27��1E�e��W��y�)��8�ex�΅Bu�-2+v�b�e��z�ґɐ�crq�/�<xKb�铌��șO`]Cj��l��OIV��D*�4��."]Ǉ��<��aA��Qu�{��"��k��⺷��5g�W�j��X�B�< $��ϧ"A1�G�0p��XRƭ�G�p.�q��㼬�O�Cg��}��Aȥ��Bt��x�GCaw8&a�]{

Sections

.text
Size: - Virtual size: 2.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 88KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 3.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 7.1MB - Virtual size: 7.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 224B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

2df38a1ae5759eca19cd2d1b1cc4e208

Headers

DLL Characteristics

File Characteristics

Imports

secur32

kernel32

advapi32

ws2_32

crypt32

oleaut32

pdh

iphlpapi

netapi32

user32

gdi32

ole32

bcrypt

shell32

ntdll

powrprof

psapi

vcruntime140

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

wtsapi32

Exports

Exports

Sections

.text Size: - Virtual size: 2.9MB

.rdata Size: - Virtual size: 1.2MB

.data Size: - Virtual size: 30KB

.pdata Size: - Virtual size: 88KB

.vmp0 Size: - Virtual size: 3.5MB

.vmp1 Size: 7.1MB - Virtual size: 7.1MB

.reloc Size: 512B - Virtual size: 224B

.text
Size: - Virtual size: 2.9MB

.rdata
Size: - Virtual size: 1.2MB

.data
Size: - Virtual size: 30KB

.pdata
Size: - Virtual size: 88KB

.vmp0
Size: - Virtual size: 3.5MB

.vmp1
Size: 7.1MB - Virtual size: 7.1MB

.reloc
Size: 512B - Virtual size: 224B