420[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

420.dll
Size

3.0MB
MD5

e6490ae318c92336a3b01a6fe56e7d54
SHA1

5340ad3f5aa980168a37e3569377978c17a62e43
SHA256

a955b6f9cbb45cd1f607f64910b604bd0bd277d4c31e7c6cc650c164a2be673e
SHA512

aa2de579e9c0f6b420a4d1d9e452f5337a3f20e2c5505a74c67e78de6d6b44b2f363ff6267e19c3d8c2e4fdebf07a78ab7d693dbacaebd27fb1fa9198e8e4baf
SSDEEP

49152:r3A0OjdhbI7SNM8b03y2bF9MWaW6ptvTX6CtD3uNH2tYqS8zdy3xqWxojrO:E9dqmCk8b8bWSIYQkj

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
420.dll

Files

420.dll
.dll windows:6 windows x64 arch:x64

178b45e2af3d53b3bb30d5fd5725f36a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

CloseHandle
Process32NextW
GetStdHandle
FillConsoleOutputCharacterW
FillConsoleOutputAttribute
SetConsoleCursorPosition
SetConsoleTextAttribute
GetConsoleCursorInfo
SetConsoleCursorInfo
TerminateThread
Sleep
CreateThread
AllocConsole
SetConsoleTitleW
TerminateProcess
OpenProcess
QueryFullProcessImageNameA
IsDebuggerPresent
Process32FirstW
CreateToolhelp32Snapshot
GetSystemTimeAsFileTime
GetCurrentThreadId
QueryPerformanceCounter
IsProcessorFeaturePresent
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetProcAddress
GetModuleHandleW
CreateEventW
WaitForSingleObjectEx
ResetEvent
SetEvent
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
GetConsoleWindow
GetCurrentProcessId
GetTempPathW
MultiByteToWideChar
InitializeSListHead
GetConsoleScreenBufferInfo
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

SetFocus
SetForegroundWindow
SetActiveWindow
EnumWindows
MoveWindow
FindWindowA
GetCursorInfo
GetForegroundWindow
GetClassNameW
PostMessageW
WindowFromPoint
GetCursorPos
GetAsyncKeyState
GetKeyState
GetWindowThreadProcessId
GetWindowRect
GetWindowLongW
ShowWindow
SetWindowLongW
GetDesktopWindow
ShowScrollBar
GetProcessWindowStation
GetUserObjectInformationW

advapi32

RegEnumValueW
RegQueryInfoKeyW
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
RegDeleteKeyA
RegDeleteKeyValueA

msvcp140

?_Xlength_error@std@@YAXPEBD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Xout_of_range@std@@YAXPEBD@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?uncaught_exceptions@std@@YAHXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Xinvalid_argument@std@@YAXPEBD@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@F@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memcmp
__std_type_info_destroy_list
memset
_CxxThrowException
__C_specific_handler
__std_type_info_compare
_purecall
__std_exception_destroy
__std_exception_copy
__std_terminate
memcpy
memmove
memchr

api-ms-win-crt-runtime-l1-1-0

_register_onexit_function
_crt_atexit
_initialize_narrow_environment
_configure_narrow_argv
_seh_filter_dll
_cexit
_initterm
_execute_onexit_table
_invalid_parameter_noinfo_noreturn
_initterm_e
_errno
_initialize_onexit_table
abort
system

api-ms-win-crt-convert-l1-1-0

strtol

api-ms-win-crt-utility-l1-1-0

rand

api-ms-win-crt-stdio-l1-1-0

freopen
__stdio_common_vfprintf
__acrt_iob_func

api-ms-win-crt-heap-l1-1-0

free
malloc
_callnewh

Sections

.text
Size: - Virtual size: 105KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 3.0MB - Virtual size: 3.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 233B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

178b45e2af3d53b3bb30d5fd5725f36a

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

msvcp140

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

Sections

.text Size: - Virtual size: 105KB

.rdata Size: - Virtual size: 20KB

.data Size: - Virtual size: 30KB

.pdata Size: - Virtual size: 4KB

.vmp0 Size: - Virtual size: 1.4MB

.vmp1 Size: 3.0MB - Virtual size: 3.0MB

.reloc Size: 512B - Virtual size: 208B

.rsrc Size: 512B - Virtual size: 233B

.text
Size: - Virtual size: 105KB

.rdata
Size: - Virtual size: 20KB

.data
Size: - Virtual size: 30KB

.pdata
Size: - Virtual size: 4KB

.vmp0
Size: - Virtual size: 1.4MB

.vmp1
Size: 3.0MB - Virtual size: 3.0MB

.reloc
Size: 512B - Virtual size: 208B

.rsrc
Size: 512B - Virtual size: 233B