unpacked_Lala[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

unpacked_Lala.exe
Size

19.5MB
MD5

e17248273c9aecf425d8febcb56a36f4
SHA1

38a115d981f6c1a63936a0b6bdc7b7ba3920c02e
SHA256

a199b9c4529b8f5667ffa2582371fc47427518c361490604936f87ebe5a3ddd3
SHA512

7755b7d33c471109d49d223427bb56350a8cb611ca82d662bf8d198832f1487d378ab06e4a836961ea7503c2f465c5bbfa6dee2c10fd15cd9c785e05c4c09f49
SSDEEP

196608:Dex+27MPmI9zdmE/34qag2jXdjsXS9KGMkNd8QvCf8y5xzh53DX9CDM+iiFupaCi:D2V7q/D3H27JU2vHSTX9EfuJk

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
sample	themida

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpacked_Lala.exe

Files

unpacked_Lala.exe
.exe windows:6 windows x64 arch:x64

8c3a961256da8dd7a3cce608465ca23c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

CryptDestroyHash
RegDeleteValueA
RegOpenKeyExA
RegSetValueExA
RegCloseKey
OpenProcessToken
AddAccessAllowedAce
GetLengthSid
GetTokenInformation
InitializeAcl
GetUserNameA
SetSecurityInfo
CopySid
ConvertSidToStringSidA
CryptAcquireContextA
CryptReleaseContext
CryptGetHashParam
CryptGenRandom
CryptCreateHash
CryptHashData
CryptDestroyKey
CryptImportKey
IsValidSid
CryptEncrypt
RegCreateKeyExW
RegSetValueExW
RegQueryValueExW
RegOpenKeyExW

crypt32

CryptDecodeObjectEx
CryptStringToBinaryA
CertFreeCertificateContext
CertFindExtension
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore
CertGetNameStringA
CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
PFXImportCertStore
CertAddCertificateContextToStore

gdi32

CreateCompatibleBitmap
GetDIBits
CreateCompatibleDC
SelectObject
BitBlt

imm32

ImmReleaseContext
ImmSetCompositionWindow
ImmSetCandidateWindow
ImmGetContext

kernel32

GetCurrentProcessId
WaitForMultipleObjects
OutputDebugStringW
GetFileInformationByHandleEx
AreFileApisANSI
SetFileInformationByHandle
GetFileAttributesExW
PeekNamedPipe
FindNextFileW
FindFirstFileExW
FindFirstFileW
FindClose
CreateDirectoryW
GetCurrentDirectoryW
GetLocaleInfoEx
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetStartupInfoW
IsDebuggerPresent
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
WaitNamedPipeW
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
ReadFile
GetFileType
WaitForSingleObjectEx
MoveFileExA
GetTickCount
VerifyVersionInfoA
GetSystemDirectoryA
LeaveCriticalSection
EnterCriticalSection
LocalFree
FormatMessageA
SetLastError
QueryFullProcessImageNameW
GetModuleHandleW
GetModuleFileNameW
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
VirtualProtect
CreateThread
GetCurrentProcess
DeleteCriticalSection
InitializeCriticalSectionEx
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
GetLastError
CreateFileW
AllocConsole
SleepEx
GetConsoleWindow
CloseHandle
Sleep
WriteFile
lstrlenW
GetFileSizeEx
IsProcessorFeaturePresent
CreateFileA
RtlLookupFunctionEntry
RtlCaptureContext
GetEnvironmentVariableA
GetStdHandle
SetConsoleTextAttribute
GetConsoleScreenBufferInfo
GetModuleFileNameA
QueryPerformanceCounter
FreeLibrary
VerSetConditionMask
GetProcAddress
QueryPerformanceFrequency
LoadLibraryA
GetLocaleInfoA
GetModuleHandleA
GlobalUnlock
WideCharToMultiByte
GlobalLock
GlobalFree
GlobalAlloc
MultiByteToWideChar

msvcp140

_Query_perf_counter
_Thrd_detach
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
_Cnd_do_broadcast_at_thread_exit
??4?$_Iosb@H@std@@QEAAAEAV01@$$QEAV01@@Z
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?iword@ios_base@std@@QEAAAEAJH@Z
?xalloc@ios_base@std@@SAHXZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?setf@ios_base@std@@QEAAHHH@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV?$basic_ios@DU?$char_traits@D@std@@@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
_Xtime_get_ticks
_Mtx_init_in_situ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
_Mtx_current_owns
_Mtx_lock
_Mtx_unlock
_Cnd_init_in_situ
_Cnd_timedwait
_Cnd_broadcast
?_Throw_C_error@std@@YAXH@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Random_device@std@@YAIXZ
_Query_perf_frequency
?id@?$ctype@D@std@@2V0locale@2@A
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?clog@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Xbad_function_call@std@@YAXXZ
?_Winerror_map@std@@YAHH@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Xout_of_range@std@@YAXPEBD@Z
?_Throw_Cpp_error@std@@YAXH@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Syserror_map@std@@YAPEBDH@Z

normaliz

IdnToAscii

psapi

GetModuleInformation

rpcrt4

RpcStringFreeA
UuidCreate
UuidToStringA

shell32

ShellExecuteA

shlwapi

PathFindFileNameW

user32

GetWindowRect
DestroyWindow
SetWindowPos
GetSystemMetrics
ShowWindow
GetAsyncKeyState
MessageBoxA
DefWindowProcA
CreateWindowExA
SetLayeredWindowAttributes
TranslateMessage
PeekMessageA
UnregisterClassA
DispatchMessageA
PostQuitMessage
GetDesktopWindow
RegisterClassExA
UpdateWindow
GetKeyState
GetMessageExtraInfo
LoadCursorA
GetDC
ScreenToClient
GetCapture
ClientToScreen
TrackMouseEvent
GetKeyboardLayout
GetForegroundWindow
SetCapture
SetCursor
GetClientRect
IsWindowUnicode
ReleaseCapture
SetCursorPos
GetCursorPos
OpenClipboard
CloseClipboard
EmptyClipboard
GetClipboardData
SetClipboardData

userenv

UnloadUserProfile

vcruntime140

memcpy
__current_exception
__C_specific_handler
strrchr
__current_exception_context
__std_terminate
memcpy
memset
strstr
strchr
__std_exception_destroy
__std_exception_copy
_CxxThrowException
memchr
memcmp

vcruntime140_1

__CxxFrameHandler4

wldap32

ldap_first_attributeA
ber_free
ldap_memfreeA
ldap_get_dnA
ldap_initA
ldap_sslinitA
ldap_unbind_s
ldap_value_freeW
ldap_get_values_lenA
ldap_next_attributeA
ldap_next_entry
ldap_first_entry
ldap_msgfree
ldap_set_optionA
ldap_simple_bind_sA
ldap_bind_sA
ldap_search_sA
ldap_err2stringA

ws2_32

recv
bind
closesocket
send
WSAGetLastError
connect
getpeername
htonl
gethostname
sendto
getsockname
getsockopt
recvfrom
htons
FreeAddrInfoW
getaddrinfo
htons
select
__WSAFDIsSet
ioctlsocket
listen
setsockopt
socket
WSASetLastError
WSAIoctl
htonl
accept
WSACleanup
WSAStartup

ucrtbase

atof
_strtoui64
strtol
atoi
strtod
_strtoi64
strtoul
getenv
_unlock_file
_lock_file
_access
_mkdir
_stat64
_fstat64
_stat64i32
_unlink
realloc
malloc
calloc
free
_callnewh
_set_new_mode
localeconv
___lc_codepage_func
_configthreadlocale
_dsign
ceilf
sqrtf
_dclass
cosf
fmodf
pow
sinf
sqrt
acosf
__setusermatherr
_cexit
_seh_filter_exe
_set_app_type
_get_narrow_winmain_command_line
_initterm
_initterm_e
_Exit
exit
_c_exit
_register_thread_local_exe_atexit_callback
_register_onexit_function
_initialize_onexit_table
abort
_beginthreadex
system
terminate
_initialize_narrow_environment
_configure_narrow_argv
_errno
_invalid_parameter_noinfo_noreturn
strerror
__sys_nerr
_invalid_parameter_noinfo
_resetstkoflw
_getpid
_crt_atexit
ftell
__acrt_iob_func
fflush
fclose
fseek
__stdio_common_vfprintf
_lseeki64
fwrite
_wfopen
__stdio_common_vsprintf
fread
feof
fputs
fopen
__stdio_common_vswprintf
__stdio_common_vsscanf
_set_fmode
__p__commode
freopen
fputc
_popen
_pclose
_get_stream_buffer_pointers
_open
_fseeki64
fsetpos
ungetc
setvbuf
fgetpos
_close
_fileno
_write
_isatty
_read
fgetc
fgets
strcspn
isupper
strspn
_mbsdup
strncpy
strncmp
strcpy_s
strcmp
tolower
strpbrk
_gmtime64
_localtime64_s
_localtime64
_time64
strftime
qsort

d3d9

Direct3DCreate9

Sections

.text
Size: 901KB - Virtual size: 904KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 176KB - Virtual size: 188KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 9KB - Virtual size: 228KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 35KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 6KB - Virtual size: 8KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: 10.9MB - Virtual size: 10.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 7.5MB - Virtual size: 7.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ

.SCY
Size: 15KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

8c3a961256da8dd7a3cce608465ca23c

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

crypt32

gdi32

imm32

kernel32

msvcp140

normaliz

psapi

rpcrt4

shell32

shlwapi

user32

userenv

vcruntime140

vcruntime140_1

wldap32

ws2_32

ucrtbase

d3d9

Sections

.text Size: 901KB - Virtual size: 904KB

Size: 176KB - Virtual size: 188KB

Size: 9KB - Virtual size: 228KB

Size: 35KB - Virtual size: 36KB

Size: 512B - Virtual size: 4KB

Size: 2KB - Virtual size: 4KB

.idata Size: 2KB - Virtual size: 4KB

.tls Size: 6KB - Virtual size: 8KB

.rsrc Size: 512B - Virtual size: 4KB

.themida Size: 10.9MB - Virtual size: 10.9MB

.boot Size: 7.5MB - Virtual size: 7.5MB

.reloc Size: 512B - Virtual size: 4KB

.SCY Size: 15KB - Virtual size: 16KB

.text
Size: 901KB - Virtual size: 904KB

.idata
Size: 2KB - Virtual size: 4KB

.tls
Size: 6KB - Virtual size: 8KB

.rsrc
Size: 512B - Virtual size: 4KB

.themida
Size: 10.9MB - Virtual size: 10.9MB

.boot
Size: 7.5MB - Virtual size: 7.5MB

.reloc
Size: 512B - Virtual size: 4KB

.SCY
Size: 15KB - Virtual size: 16KB