ORBIT_LOADER[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

ORBIT_LOADER.exe
Size

5.2MB
MD5

ab8ea4e8d3ec08f836a35ce25fd10148
SHA1

f459d4004f694eec36c7ade7cf299cf5dab106df
SHA256

81c663919ce3e73d308b36ca891c020b24fdc554f38c6bfabeaacf75774d91fe
SHA512

9a57db2b6749862b42f1d1589765911ba42835d8165e17224af2b75e7252c15a59845a465e35f041f3d74a68602969120d8a829e250e6f8a1170dac6372f559b
SSDEEP

98304:gAdadD3IL5UcY7GlU3iI2IKGK3pPGmAOLkOfAchCjtOGBdGe84BHRIbBkC3:gaoD3xRqlpIDKGK3pGmmOa1mn4BHNC3

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
sample	themida

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
ORBIT_LOADER.exe

Files

ORBIT_LOADER.exe
.exe windows:6 windows x64 arch:x64

815e94d0657e8eca86942d5c01943d99

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetModuleHandleA
GetSystemTimeAsFileTime
HeapAlloc
HeapFree
ExitProcess
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

MessageBoxA

advapi32

GetUserNameA

shell32

ShellExecuteA

msvcp140

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z

normaliz

IdnToAscii

wldap32

ord217

crypt32

CertFreeCertificateChainEngine

ws2_32

WSACleanup

rpcrt4

UuidToStringA

psapi

GetModuleInformation

userenv

UnloadUserProfile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__C_specific_handler

api-ms-win-crt-stdio-l1-1-0

__acrt_iob_func

api-ms-win-crt-runtime-l1-1-0

_crt_atexit

api-ms-win-crt-heap-l1-1-0

free

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-filesystem-l1-1-0

_stat64

api-ms-win-crt-convert-l1-1-0

strtod

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-string-l1-1-0

isupper

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-math-l1-1-0

__setusermatherr

Exports

Exports

?mGetExportedFunctionOffset@mProcessFunctions@@YAKAEBQEAUHINSTANCE__@@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?mGetHandle@mProcessFunctions@@YAPEAXAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@W4ProcessAccess@1@@Z
?mGetModuleAddress@mProcessFunctions@@YA_KAEBQEAXAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?mGetModuleAddress@mProcessFunctions@@YA_KAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0@Z
?mGetModuleBitness@mProcessFunctions@@YA?AW4Bitness@1@AEBQEAUHINSTANCE__@@@Z
?mGetModuleHandle@mProcessFunctions@@YAPEAUHINSTANCE__@@AEBQEAXAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?mGetModuleHandle@mProcessFunctions@@YAPEAUHINSTANCE__@@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0@Z
?mGetPID@mProcessFunctions@@YAKAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?mGetPatternAddress@mMemoryFunctions@@YAKPEBD0AEBQEAXQEAUHINSTANCE__@@@Z
?mInjectDLL@mMemoryFunctions@@YA_NAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0@Z
?mReadMemory@mMemoryFunctions@@YAPEBXAEBQEAXAEB_K1@Z
?mReadMemory@mMemoryFunctions@@YAPEBXAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AEB_K1@Z
?mValidateHandle@mProcessFunctions@@YA_NAEAPEAX@Z
?mWriteMemory@mMemoryFunctions@@YA_NAEBQEAXAEB_KAEBQEBX1@Z
?mWriteMemory@mMemoryFunctions@@YA_NAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AEB_KAEBQEBX1@Z

Sections

Size: - Virtual size: 510KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: - Virtual size: 115KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.exports
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.imports
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.f=;
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: - Virtual size: 5.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.nut
Size: - Virtual size: 1.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.j!A
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.0Vn
Size: 5.2MB - Virtual size: 5.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

815e94d0657e8eca86942d5c01943d99

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

msvcp140

normaliz

wldap32

crypt32

ws2_32

rpcrt4

psapi

userenv

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

Exports

Exports

Sections

Size: - Virtual size: 510KB

Size: - Virtual size: 115KB

Size: - Virtual size: 6KB

Size: - Virtual size: 19KB

Size: - Virtual size: 488B

Size: - Virtual size: 1KB

.exports Size: - Virtual size: 4KB

.imports Size: - Virtual size: 4KB

.tls Size: - Virtual size: 4KB

.f=; Size: - Virtual size: 4KB

.themida Size: - Virtual size: 5.7MB

.nut Size: - Virtual size: 1.3MB

.j!A Size: 2KB - Virtual size: 2KB

.0Vn Size: 5.2MB - Virtual size: 5.2MB

.reloc Size: 5KB - Virtual size: 5KB

.rsrc Size: 512B - Virtual size: 480B

.exports
Size: - Virtual size: 4KB

.imports
Size: - Virtual size: 4KB

.tls
Size: - Virtual size: 4KB

.f=;
Size: - Virtual size: 4KB

.themida
Size: - Virtual size: 5.7MB

.nut
Size: - Virtual size: 1.3MB

.j!A
Size: 2KB - Virtual size: 2KB

.0Vn
Size: 5.2MB - Virtual size: 5.2MB

.reloc
Size: 5KB - Virtual size: 5KB

.rsrc
Size: 512B - Virtual size: 480B