General
-
Target
unpacked_GmloXpl6ivdM9LxS.exe
-
Size
10.2MB
-
MD5
8aef2f52835aa2fd1e5343db07f744e8
-
SHA1
3fd698fb051d567993f4a3e897801caa23a94599
-
SHA256
dc26ca4e9223075b9de45adc61d697a07b3771a726418bb823bdadf996d1f0ea
-
SHA512
47e4b29537d222d4d7155cbe213855fcb4e34ecc0821fdfb4a49a08fc0e10c17b933eb86c7a031af5593b44aa5b80b39cdf2c3c07d9b245d3102bfdfa0adc219
-
SSDEEP
98304:fMnBkMv0h0sSEcC4wSBsfcaE/rN8kEWuHI6WhzQMdrRCNyG54UA1T2vuz:EmMv0hjSfVskaE/r+keH94zddQkpQuz
Malware Config
Signatures
-
resource yara_rule sample themida -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource unpacked_GmloXpl6ivdM9LxS.exe
Files
-
unpacked_GmloXpl6ivdM9LxS.exe.exe windows:6 windows x64 arch:x64
dd34e6d6a466c53938e482c599374329
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
advapi32
OpenProcessToken
CryptDestroyKey
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGenRandom
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
ConvertSidToStringSidA
CopySid
SetSecurityInfo
IsValidSid
InitializeAcl
GetTokenInformation
GetLengthSid
CryptEncrypt
CryptImportKey
AddAccessAllowedAce
crypt32
CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
PFXImportCertStore
CryptDecodeObjectEx
CertAddCertificateContextToStore
CertFindExtension
CertGetNameStringA
CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
kernel32
VerSetConditionMask
SleepEx
LeaveCriticalSection
EnterCriticalSection
LocalFree
QueryPerformanceFrequency
GetSystemDirectoryA
FreeLibrary
GetProcAddress
LoadLibraryA
VerifyVersionInfoA
QueryPerformanceCounter
GetTickCount
MoveFileExA
WaitForSingleObjectEx
MultiByteToWideChar
GetEnvironmentVariableA
FormatMessageA
ReadFile
PeekNamedPipe
WaitForMultipleObjects
CreateFileA
GetFileSizeEx
WideCharToMultiByte
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
RtlCaptureContext
SetLastError
GetModuleHandleW
GetModuleHandleA
GetModuleFileNameW
GetModuleFileNameA
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
VirtualProtect
CreateThread
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
GetCurrentProcess
Sleep
DeleteCriticalSection
InitializeCriticalSectionEx
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
OutputDebugStringW
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
IsDebuggerPresent
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
HeapDestroy
GetLastError
GetConsoleWindow
CreateProcessW
CloseHandle
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
OpenProcess
CreateFileW
WaitForSingleObject
TerminateProcess
WriteFile
GetStdHandle
SetConsoleTitleA
GetFileType
SetConsoleTextAttribute
msvcp140
_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??4?$_Iosb@H@std@@QEAAAEAV01@$$QEAV01@@Z
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?_Xbad_function_call@std@@YAXXZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV?$basic_ios@DU?$char_traits@D@std@@@1@AEAV21@@Z@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??Bid@locale@std@@QEAA_KXZ
??0_Lockit@std@@QEAA@H@Z
?_Throw_Cpp_error@std@@YAXH@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?good@ios_base@std@@QEBA_NXZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?uncaught_exception@std@@YA_NXZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
_Thrd_detach
_Query_perf_counter
_Cnd_do_broadcast_at_thread_exit
?_Xlength_error@std@@YAXPEBD@Z
?id@?$ctype@D@std@@2V0locale@2@A
?wcerr@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
?_Xout_of_range@std@@YAXPEBD@Z
?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
normaliz
IdnToAscii
psapi
GetModuleInformation
rpcrt4
UuidToStringA
RpcStringFreeA
UuidCreate
shell32
ShellExecuteA
user32
MessageBoxA
MoveWindow
GetClientRect
userenv
UnloadUserProfile
vcruntime140
strstr
strrchr
strchr
memset
__C_specific_handler
__current_exception
memcmp
memchr
_CxxThrowException
__std_terminate
__std_exception_copy
__std_exception_destroy
memcpy
__current_exception_context
memcpy
vcruntime140_1
__CxxFrameHandler4
winhttp
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpOpen
WinHttpReadData
WinHttpOpenRequest
WinHttpCloseHandle
WinHttpCrackUrl
WinHttpQueryDataAvailable
WinHttpConnect
wldap32
ldap_get_dnA
ldap_memfreeA
ber_free
ldap_next_attributeA
ldap_value_freeW
ldap_next_entry
ldap_first_entry
ldap_msgfree
ldap_search_sA
ldap_first_attributeA
ldap_initA
ldap_sslinitA
ldap_unbind_s
ldap_set_optionA
ldap_simple_bind_sA
ldap_bind_sA
ldap_get_values_lenA
ldap_err2stringA
ws2_32
WSAStartup
WSACleanup
accept
htonl
listen
ioctlsocket
__WSAFDIsSet
select
getaddrinfo
FreeAddrInfoW
recvfrom
sendto
gethostname
htonl
socket
setsockopt
htons
htons
getsockopt
getsockname
getpeername
connect
WSAGetLastError
send
recv
closesocket
WSASetLastError
WSAIoctl
bind
ucrtbase
_strtoui64
_strtoi64
strtol
strtoul
atoi
strtod
_access
_stat64
_fstat64
_unlink
_callnewh
malloc
free
_set_new_mode
realloc
calloc
localeconv
_configthreadlocale
__setusermatherr
_dclass
strerror
abort
exit
_beginthreadex
_resetstkoflw
_invalid_parameter_noinfo
terminate
__sys_nerr
_register_thread_local_exe_atexit_callback
_c_exit
__p___argv
__p___argc
_invalid_parameter_noinfo_noreturn
_Exit
_initterm_e
_initterm
_get_initial_narrow_environment
_getpid
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
_errno
_popen
__p__commode
__stdio_common_vsprintf
_lseeki64
_pclose
fgets
__acrt_iob_func
fflush
fread
fwrite
ftell
_read
fseek
feof
_open
_close
__stdio_common_vsscanf
fputs
fopen
fclose
fputc
_write
_set_fmode
strspn
strncmp
strpbrk
strcspn
strcmp
tolower
isupper
strncpy
_mbsdup
_gmtime64
_time64
qsort
Sections
.text Size: 430KB - Virtual size: 432KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Size: 96KB - Virtual size: 104KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Size: 2KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Size: 17KB - Virtual size: 20KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Size: 512B - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Size: 1KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.idata Size: 2KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.tls Size: 512B - Virtual size: 4KB
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 512B - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.themida Size: 6.1MB - Virtual size: 6.1MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.boot Size: 3.6MB - Virtual size: 3.6MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 4KB
IMAGE_SCN_MEM_READ
.SCY Size: 11KB - Virtual size: 12KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE