B3MnqOW2MK[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

B3MnqOW2MK.exe
Size

42.7MB
MD5

4aa50e79071b087fca84997d2de8941f
SHA1

50208247c05040d60a385383529c426724fb1c51
SHA256

50c6236a50e3dec3e2ba441380a888325aff1b9ee82219c5c8847806d9fb6b7f
SHA512

8ea423e3082b2ac8cdd2696b65329530f2ffac8d756e3527a6ad11018721ae1b0e4081ce9581eaad7ccb500729a756c71de347576e9f7a2488b9974265100996
SSDEEP

786432:dPwt537pzVTBzDM4oLK38qpcYOPYhoaXo+YswwbM15M2A:qt17lVTJoeUYcaXo+tFbW55

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
sample	themida

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
B3MnqOW2MK.exe

Files

B3MnqOW2MK.exe
.exe windows:6 windows x64 arch:x64

b0a83e8392ad4f90d8f231b0d3aa3b2e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ws2_32

WSACleanup

ole32

CoInitialize

kernel32

GetSystemTimeAsFileTime

user32

GetProcessWindowStation

advapi32

CryptEnumProvidersW

oleaut32

SysFreeString

shlwapi

SHDeleteKeyW

vcruntime140

memcpy

vcruntime140_1

__CxxFrameHandler4

api-ms-win-crt-runtime-l1-1-0

_invalid_parameter_noinfo_noreturn

api-ms-win-crt-string-l1-1-0

strcmp

api-ms-win-crt-stdio-l1-1-0

_open

api-ms-win-crt-math-l1-1-0

ceilf

api-ms-win-crt-heap-l1-1-0

free

api-ms-win-crt-locale-l1-1-0

___mb_cur_max_func

api-ms-win-crt-convert-l1-1-0

strtoul

api-ms-win-crt-conio-l1-1-0

_getch

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-filesystem-l1-1-0

_fstat64

api-ms-win-crt-environment-l1-1-0

getenv

crypt32

CertOpenSystemStoreW

ntdll

RtlVirtualUnwind

wldap32

ord143

normaliz

IdnToAscii

Exports

Exports

??0Assembler@asmjit@@QEAA@PEAURuntime@1@@Z
??0CodeGen@asmjit@@QEAA@PEAURuntime@1@@Z
??0HostRuntime@asmjit@@QEAA@XZ
??0JitRuntime@asmjit@@QEAA@XZ
??0Runtime@asmjit@@QEAA@XZ
??0StaticRuntime@asmjit@@QEAA@PEAX_K@Z
??0VMemMgr@asmjit@@QEAA@PEAX@Z
??0X86Assembler@asmjit@@QEAA@PEAURuntime@1@I@Z
??0Zone@asmjit@@QEAA@_K@Z
??1Assembler@asmjit@@UEAA@XZ
??1CodeGen@asmjit@@UEAA@XZ
??1HostRuntime@asmjit@@UEAA@XZ
??1JitRuntime@asmjit@@UEAA@XZ
??1Runtime@asmjit@@UEAA@XZ
??1StaticRuntime@asmjit@@UEAA@XZ
??1VMemMgr@asmjit@@QEAA@XZ
??1X86Assembler@asmjit@@UEAA@XZ
??1Zone@asmjit@@QEAA@XZ
??_FVMemMgr@asmjit@@QEAAXXZ
?_alloc@Zone@asmjit@@QEAAPEAX_K@Z
?_emit@X86Assembler@asmjit@@UEAAIIAEBUOperand@2@000@Z
?_grow@Assembler@asmjit@@QEAAI_K@Z
?_grow@PodVectorBase@asmjit@@IEAAI_K0@Z
?_newLabel@Assembler@asmjit@@QEAAIPEAULabel@2@@Z
?_newLabelLink@Assembler@asmjit@@QEAAPEAULabelLink@2@XZ
?_nullData@PodVectorBase@asmjit@@2UPodVectorData@2@B
?_registerIndexedLabels@Assembler@asmjit@@QEAAI_K@Z
?_relocCode@X86Assembler@asmjit@@UEBA_KPEAX_K@Z
?_reserve@Assembler@asmjit@@QEAAI_K@Z
?_reserve@PodVectorBase@asmjit@@IEAAI_K0@Z
?_x86CondToCmovcc@asmjit@@3QBIB
?_x86CondToJcc@asmjit@@3QBIB
?_x86CondToSetcc@asmjit@@3QBIB
?_x86InstExtendedInfo@asmjit@@3QBUX86InstExtendedInfo@1@B
?_x86InstInfo@asmjit@@3QBUX86InstInfo@1@B
?_x86ReverseCond@asmjit@@3QBIB
?add@JitRuntime@asmjit@@UEAAIPEAPEAXPEAUAssembler@2@@Z
?add@StaticRuntime@asmjit@@UEAAIPEAPEAXPEAUAssembler@2@@Z
?align@X86Assembler@asmjit@@UEAAIII@Z
?alloc@VMemMgr@asmjit@@QEAAPEAX_KI@Z
?alloc@VMemUtil@asmjit@@SAPEAX_KPEA_KI@Z
?allocProcessMemory@VMemUtil@asmjit@@SAPEAXPEAX_KPEA_KI@Z
?allocZeroed@Zone@asmjit@@QEAAPEAX_K@Z
?bind@Assembler@asmjit@@UEAAIAEBULabel@2@@Z
?callCpuId@X86CpuUtil@asmjit@@SAXIIPEATX86CpuId@2@@Z
?detect@X86CpuUtil@asmjit@@SAXPEAUX86CpuInfo@2@@Z
?detectHwThreadsCount@CpuInfo@asmjit@@SAIXZ
?dup@Zone@asmjit@@QEAAPEAXPEBX_K@Z
?embed@Assembler@asmjit@@UEAAIPEBXI@Z
?embedLabel@X86Assembler@asmjit@@QEAAIAEBULabel@2@@Z
?emit@Assembler@asmjit@@QEAAII@Z
?emit@Assembler@asmjit@@QEAAIIAEBUOperand@2@00@Z
?emit@Assembler@asmjit@@QEAAIIAEBUOperand@2@00H@Z
?emit@Assembler@asmjit@@QEAAIIAEBUOperand@2@00_K@Z
?emit@Assembler@asmjit@@QEAAIIAEBUOperand@2@0@Z
?emit@Assembler@asmjit@@QEAAIIAEBUOperand@2@0H@Z
?emit@Assembler@asmjit@@QEAAIIAEBUOperand@2@0_K@Z
?emit@Assembler@asmjit@@QEAAIIAEBUOperand@2@@Z
?emit@Assembler@asmjit@@QEAAIIAEBUOperand@2@H@Z
?emit@Assembler@asmjit@@QEAAIIAEBUOperand@2@_K@Z
?emit@Assembler@asmjit@@QEAAIIH@Z
?emit@Assembler@asmjit@@QEAAII_K@Z
?flush@HostRuntime@asmjit@@UEAAXPEAX_K@Z
?getCpuInfo@HostRuntime@asmjit@@UEAAPEBUCpuInfo@2@XZ
?getHost@CpuInfo@asmjit@@SAPEBU12@XZ
?getPageGranularity@VMemUtil@asmjit@@SA_KXZ
?getPageSize@VMemUtil@asmjit@@SA_KXZ
?getStackAlignment@HostRuntime@asmjit@@UEAAIXZ
?make@Assembler@asmjit@@UEAAPEAXXZ
?noOperand@asmjit@@3UOperand@1@B
?ptr_abs@x86@asmjit@@YA?AUX86Mem@2@_KAEBUX86Reg@2@IHI@Z
?ptr_abs@x86@asmjit@@YA?AUX86Mem@2@_KHI@Z
?release@JitRuntime@asmjit@@UEAAIPEAX@Z
?release@StaticRuntime@asmjit@@UEAAIPEAX@Z
?release@VMemMgr@asmjit@@QEAAIPEAX@Z
?release@VMemUtil@asmjit@@SAIPEAX_K@Z
?releaseProcessMemory@VMemUtil@asmjit@@SAIPEAX0_K@Z
?relocCode@Assembler@asmjit@@QEBA_KPEAX_K@Z
?reset@Assembler@asmjit@@QEAAX_N@Z
?reset@PodVectorBase@asmjit@@QEAAX_N@Z
?reset@VMemMgr@asmjit@@QEAAXXZ
?reset@Zone@asmjit@@QEAAX_N@Z
?sdup@Zone@asmjit@@QEAAPEADPEBD@Z
?setArch@X86Assembler@asmjit@@QEAAII@Z
?setError@CodeGen@asmjit@@QEAAIIPEBD@Z
?setErrorHandler@CodeGen@asmjit@@QEAAIPEAUErrorHandler@2@@Z
?sformat@Zone@asmjit@@QEAAPEADPEBDZZ
?shrink@VMemMgr@asmjit@@QEAAIPEAX_K@Z
?x86RegData@asmjit@@3UX86RegData@1@B

Sections

.text
Size: - Virtual size: 3.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.themida
Size: - Virtual size: 4B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reacto
Size: - Virtual size: 4B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.upx0
Size: - Virtual size: 4B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.upx1
Size: - Virtual size: 4B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.upx2
Size: - Virtual size: 4B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.enigma
Size: - Virtual size: 69KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 912KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 145KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp
Size: - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.taggant
Size: - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.aspack
Size: - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.mpress
Size: - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pecompa
Size: - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.0nP
Size: - Virtual size: 27.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.FY,
Size: 512B - Virtual size: 456B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pfR
Size: 42.6MB - Virtual size: 42.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 101KB - Virtual size: 101KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b0a83e8392ad4f90d8f231b0d3aa3b2e

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

ole32

kernel32

user32

advapi32

oleaut32

shlwapi

vcruntime140

vcruntime140_1

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-conio-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-environment-l1-1-0

crypt32

ntdll

wldap32

normaliz

Exports

Exports

Sections

.text Size: - Virtual size: 3.7MB

.themida Size: - Virtual size: 4B

.reacto Size: - Virtual size: 4B

.upx0 Size: - Virtual size: 4B

.upx1 Size: - Virtual size: 4B

.upx2 Size: - Virtual size: 4B

.enigma Size: - Virtual size: 69KB

.rdata Size: - Virtual size: 912KB

.data Size: - Virtual size: 38KB

.pdata Size: - Virtual size: 145KB

.vmp Size: - Virtual size: 4B

.vmp0 Size: - Virtual size: 4B

.taggant Size: - Virtual size: 4B

.aspack Size: - Virtual size: 4B

.mpress Size: - Virtual size: 4B

.pecompa Size: - Virtual size: 4B

.0nP Size: - Virtual size: 27.4MB

.FY, Size: 512B - Virtual size: 456B

.pfR Size: 42.6MB - Virtual size: 42.6MB

.rsrc Size: 101KB - Virtual size: 101KB

.text
Size: - Virtual size: 3.7MB

.themida
Size: - Virtual size: 4B

.reacto
Size: - Virtual size: 4B

.upx0
Size: - Virtual size: 4B

.upx1
Size: - Virtual size: 4B

.upx2
Size: - Virtual size: 4B

.enigma
Size: - Virtual size: 69KB

.rdata
Size: - Virtual size: 912KB

.data
Size: - Virtual size: 38KB

.pdata
Size: - Virtual size: 145KB

.vmp
Size: - Virtual size: 4B

.vmp0
Size: - Virtual size: 4B

.taggant
Size: - Virtual size: 4B

.aspack
Size: - Virtual size: 4B

.mpress
Size: - Virtual size: 4B

.pecompa
Size: - Virtual size: 4B

.0nP
Size: - Virtual size: 27.4MB

.FY,
Size: 512B - Virtual size: 456B

.pfR
Size: 42.6MB - Virtual size: 42.6MB

.rsrc
Size: 101KB - Virtual size: 101KB