Loader[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Loader.exe
Size

25.7MB
MD5

be83d304a33f55c1155bc6358e22ed47
SHA1

557f4cf3f604ed8120d42b04e1be1aeff05890de
SHA256

53fd9b4d813c0d5a16a603a360324264df4dd60323aaf7ef068ef3e89fb461ce
SHA512

b1113e41942f70517ab47059608c2acc7a54faf06945b822311549e009edcea5bc78f159ebdf3b4026f03d68b34efb7b2820ea36bc1b877d6afeb0f1b23fded8
SSDEEP

786432:cC9veAdCeM8Di3eaIB14+apjM2fkMANV35Coy/1yr36ZF:H9vvvM8u3eZ1C9M2fkJd5tytF

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
sample	themida

Files

Loader.exe
.exe windows:6 windows x64 arch:x64

a6dc4ded159b11db7da9e298f58dda02

Code Sign

f1:10:2f:ec:fe:34:ae:9f
Certificate

Issuer

CN=SPNxDiaGuard

Not Before

25/02/2024, 05:00

Not After

25/02/2029, 05:00

Subject

CN=SPNxDiaGuard

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

68:86:7d:04:e3:33:9d:e1:ed:a6:62:1c:e4:a9:46:b2:21:25:59:44:45:d9:d3:92:a6:e6:7d:81:2f:35:b5:0a
Signer

Actual PE Digest

68:86:7d:04:e3:33:9d:e1:ed:a6:62:1c:e4:a9:46:b2:21:25:59:44:45:d9:d3:92:a6:e6:7d:81:2f:35:b5:0a

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

DeviceIoControl
GetSystemTimeAsFileTime
HeapAlloc
HeapFree
ExitProcess
GetModuleHandleA
LoadLibraryA
GetProcAddress

user32

MoveWindow

advapi32

CopySid

ole32

StringFromGUID2

msvcp140

??7ios_base@std@@QEBA_NXZ

ntdll

NtDeviceIoControlFile

dbghelp

SymCleanup

urlmon

URLDownloadToFileA

shlwapi

PathRemoveFileSpecA

wintrust

WinVerifyTrust

normaliz

IdnToAscii

wldap32

ord41

crypt32

CryptMsgClose

ws2_32

sendto

rpcrt4

UuidCreate

psapi

GetModuleInformation

userenv

UnloadUserProfile

vcruntime140

strchr

vcruntime140_1

__CxxFrameHandler4

api-ms-win-crt-runtime-l1-1-0

_configure_narrow_argv

api-ms-win-crt-string-l1-1-0

wcscpy_s

api-ms-win-crt-heap-l1-1-0

realloc

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-convert-l1-1-0

strtoul

api-ms-win-crt-environment-l1-1-0

_dupenv_s

api-ms-win-crt-filesystem-l1-1-0

_wremove

api-ms-win-crt-stdio-l1-1-0

_get_stream_buffer_pointers

api-ms-win-crt-time-l1-1-0

strftime

api-ms-win-crt-multibyte-l1-1-0

_mbsstr

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func

shell32

ShellExecuteA

Sections

.text
Size: - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 179KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.SPN
Size: - Virtual size: 1B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.Ethera
Size: - Virtual size: 3B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.ASPack
Size: - Virtual size: 1B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vxl
Size: - Virtual size: 1B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.enigma1
Size: - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.enigma2
Size: - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp1
Size: - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp2
Size: - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.boot
Size: - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: - Virtual size: 1B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.arch
Size: - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.srdata
Size: - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.xpdata
Size: - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.xtls
Size: - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.dsstext
Size: - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.4.k
Size: - Virtual size: 25.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.>`q
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

."\G
Size: 25.7MB - Virtual size: 25.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a6dc4ded159b11db7da9e298f58dda02

Code Sign

f1:10:2f:ec:fe:34:ae:9fCertificate

Extended Key Usages

Key Usages

68:86:7d:04:e3:33:9d:e1:ed:a6:62:1c:e4:a9:46:b2:21:25:59:44:45:d9:d3:92:a6:e6:7d:81:2f:35:b5:0aSigner

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

ole32

msvcp140

ntdll

dbghelp

urlmon

shlwapi

wintrust

normaliz

wldap32

crypt32

ws2_32

rpcrt4

psapi

userenv

vcruntime140

vcruntime140_1

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-multibyte-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

shell32

Sections

.text Size: - Virtual size: 1.6MB

.rdata Size: - Virtual size: 179KB

.data Size: - Virtual size: 38KB

.pdata Size: - Virtual size: 24KB

.SPN Size: - Virtual size: 1B

.Ethera Size: - Virtual size: 3B

.themida Size: - Virtual size: 16B

.ASPack Size: - Virtual size: 1B

.vxl Size: - Virtual size: 1B

.enigma1 Size: - Virtual size: 16B

.enigma2 Size: - Virtual size: 16B

.vmp0 Size: - Virtual size: 16B

.vmp1 Size: - Virtual size: 16B

.vmp2 Size: - Virtual size: 16B

.boot Size: - Virtual size: 2B

.tls Size: - Virtual size: 1B

.arch Size: - Virtual size: 8B

.srdata Size: - Virtual size: 8B

.xdata Size: - Virtual size: 8B

.xpdata Size: - Virtual size: 8B

.xtls Size: - Virtual size: 8B

.dsstext Size: - Virtual size: 8B

.4.k Size: - Virtual size: 25.1MB

.>`q Size: 6KB - Virtual size: 5KB

."\G Size: 25.7MB - Virtual size: 25.7MB

.rsrc Size: 512B - Virtual size: 480B

f1:10:2f:ec:fe:34:ae:9f
Certificate

68:86:7d:04:e3:33:9d:e1:ed:a6:62:1c:e4:a9:46:b2:21:25:59:44:45:d9:d3:92:a6:e6:7d:81:2f:35:b5:0a
Signer

.text
Size: - Virtual size: 1.6MB

.rdata
Size: - Virtual size: 179KB

.data
Size: - Virtual size: 38KB

.pdata
Size: - Virtual size: 24KB

.SPN
Size: - Virtual size: 1B

.Ethera
Size: - Virtual size: 3B

.themida
Size: - Virtual size: 16B

.ASPack
Size: - Virtual size: 1B

.vxl
Size: - Virtual size: 1B

.enigma1
Size: - Virtual size: 16B

.enigma2
Size: - Virtual size: 16B

.vmp0
Size: - Virtual size: 16B

.vmp1
Size: - Virtual size: 16B

.vmp2
Size: - Virtual size: 16B

.boot
Size: - Virtual size: 2B

.tls
Size: - Virtual size: 1B

.arch
Size: - Virtual size: 8B

.srdata
Size: - Virtual size: 8B

.xdata
Size: - Virtual size: 8B

.xpdata
Size: - Virtual size: 8B

.xtls
Size: - Virtual size: 8B

.dsstext
Size: - Virtual size: 8B

.4.k
Size: - Virtual size: 25.1MB

.>`q
Size: 6KB - Virtual size: 5KB

."\G
Size: 25.7MB - Virtual size: 25.7MB

.rsrc
Size: 512B - Virtual size: 480B