aSteal[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

aSteal.exe
Size

1.4MB
MD5

8e142cdeba8276ca13670aa7bffcaf36
SHA1

09aee6be807f173003ab7b7c54e80f7bd8cd0bb1
SHA256

1ce98cbc86735535a87f28be87431c25d68a2331544d2b2c8d1e67ebc3e4f07e
SHA512

41e68ddc741ba9b04befc4e41bea64d6b6a834c236222f0b43f23511046350a11ae261fa494497798004d64bd8bcc82ac3033816a730a314f1d2d5e01ba0c948
SSDEEP

24576:VEDVUKQvecZ4FGO+YAv07x7jrOUJFDF+YX1aqQT8k9Agkkvz3CLuzVveYwkynxUQ:VEhEHOpppfRJP+Yk38Dez3CCJGqm

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
aSteal.exe

Files

aSteal.exe
.exe windows:5 windows x86 arch:x86

60eb0fc4cdb737204cdfd5ba753c677e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetSystemTimeAsFileTime
GetModuleFileNameW
GetModuleHandleA
LoadLibraryA
LocalAlloc
LocalFree
GetModuleFileNameA
ExitProcess

advapi32

RegCreateKeyExA

user32

CharUpperBuffW

Sections

.text
Size: - Virtual size: 170KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 58KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp1
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 192B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ