vax[.]rar | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

vax.rar
Size

20.7MB
MD5

5904153840e514281c9914d23f7789b7
SHA1

20ed3c90775b2213b9134fde3cedefaa19c48b2f
SHA256

56f4cb592f497bf2e259e31eba53719910bea7f34e49df9939a4ab474fd0d2e9
SHA512

49ff859c980bcaee2f31cca9bdd449d07063d0024b408c71ed6a96a80742ed0ca92f26aac9217363adaafdc0e62d02e256e997265a93af7b99517588352c2f3c
SSDEEP

393216:YzAAmOfL0xziHU7QAlKCfLJ+ZTEQM1OuiVVNKpmJibwjo2utHfyuUkxol:imOfc571KCTU7VNKQJEwzutauDk

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
static1/unpack001/vax/hm whats this.exe	vmprotect
static1/unpack001/vax/scammer.exe	vmprotect

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/vax/hm whats this.exe
unpack001/vax/scammer.exe

Files

vax.rar
.rar
vax/hm whats this.exe
.exe windows:6 windows x64 arch:x64

1f9ced065df682408cdbc8874dbb7cb1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

EnterCriticalSection
GetSystemTimeAsFileTime
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

ScreenToClient
GetUserObjectInformationW
GetProcessWindowStation
GetUserObjectInformationW

gdi32

CreateSolidBrush

advapi32

CryptGenRandom

shell32

SHGetFolderPathW

msvcp140

_Query_perf_counter

ntdll

RtlInitAnsiString

dbghelp

ImageRvaToVa

d3d11

D3D11CreateDeviceAndSwapChain

imm32

ImmReleaseContext

d3dx11_43

D3DX11CreateShaderResourceViewFromMemory

d3dcompiler_43

D3DCompile

dwmapi

DwmExtendFrameIntoClientArea

rpcrt4

UuidToStringA

psapi

GetModuleInformation

userenv

UnloadUserProfile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_exception_destroy

api-ms-win-crt-runtime-l1-1-0

_beginthreadex

api-ms-win-crt-stdio-l1-1-0

fwrite

api-ms-win-crt-heap-l1-1-0

malloc

api-ms-win-crt-math-l1-1-0

powf

api-ms-win-crt-convert-l1-1-0

atof

api-ms-win-crt-filesystem-l1-1-0

_stat64

api-ms-win-crt-string-l1-1-0

strncpy

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-time-l1-1-0

_localtime64

ws2_32

gethostname

normaliz

IdnToAscii

crypt32

CertOpenStore

wldap32

ord45

wtsapi32

WTSSendMessageW

Sections

.text
Size: - Virtual size: 988KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 227KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 647KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 7.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 10.6MB - Virtual size: 10.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 248B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
vax/logs/log2024-08-16_01-04-29.txt
vax/scammer.exe
.exe windows:6 windows x64 arch:x64

c5df107411d44fd99932b3b71ed58ec7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

winmm

PlaySoundA

kernel32

HeapSize
GetSystemTimeAsFileTime
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

FindWindowA
GetUserObjectInformationW
GetProcessWindowStation
GetUserObjectInformationW

gdi32

CreateSolidBrush

advapi32

CryptEncrypt

shell32

SHGetFolderPathW

msvcp140

?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z

ntdll

RtlInitAnsiString

dbghelp

ImageRvaToVa

d3d11

D3D11CreateDeviceAndSwapChain

imm32

ImmSetCompositionWindow

d3dx11_43

D3DX11CreateShaderResourceViewFromMemory

d3dcompiler_43

D3DCompile

dwmapi

DwmExtendFrameIntoClientArea

shlwapi

PathFindFileNameW

rpcrt4

UuidToStringA

psapi

GetModuleInformation

userenv

UnloadUserProfile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_exception_destroy

api-ms-win-crt-stdio-l1-1-0

fputs

api-ms-win-crt-runtime-l1-1-0

__sys_nerr

api-ms-win-crt-heap-l1-1-0

_set_new_mode

api-ms-win-crt-math-l1-1-0

acosf

api-ms-win-crt-convert-l1-1-0

strtol

api-ms-win-crt-filesystem-l1-1-0

_fstat64

api-ms-win-crt-string-l1-1-0

isupper

api-ms-win-crt-utility-l1-1-0

rand

api-ms-win-crt-locale-l1-1-0

localeconv

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-time-l1-1-0

_localtime64

ws2_32

ntohl

normaliz

IdnToAscii

crypt32

CertFreeCertificateContext

wldap32

ord60

wtsapi32

WTSSendMessageW

Exports

Exports

OPENSSL_Applink

Sections

.text
Size: - Virtual size: 855KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 194KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 8.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 11.0MB - Virtual size: 11.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 260B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
vax/vax login.vax

Sharing

General

Malware Config

Signatures

Files

1f9ced065df682408cdbc8874dbb7cb1

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

msvcp140

ntdll

dbghelp

d3d11

imm32

d3dx11_43

d3dcompiler_43

dwmapi

rpcrt4

psapi

userenv

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-time-l1-1-0

ws2_32

normaliz

crypt32

wldap32

wtsapi32

Sections

.text Size: - Virtual size: 988KB

.rdata Size: - Virtual size: 227KB

.data Size: - Virtual size: 647KB

.pdata Size: - Virtual size: 38KB

.vmp0 Size: - Virtual size: 7.9MB

.vmp1 Size: 10.6MB - Virtual size: 10.6MB

.reloc Size: 512B - Virtual size: 248B

.rsrc Size: 512B - Virtual size: 480B

c5df107411d44fd99932b3b71ed58ec7

Headers

DLL Characteristics

File Characteristics

Imports

winmm

kernel32

user32

gdi32

advapi32

shell32

msvcp140

ntdll

dbghelp

d3d11

imm32

d3dx11_43

d3dcompiler_43

dwmapi

shlwapi

rpcrt4

psapi

userenv

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

.text
Size: - Virtual size: 988KB

.rdata
Size: - Virtual size: 227KB

.data
Size: - Virtual size: 647KB

.pdata
Size: - Virtual size: 38KB

.vmp0
Size: - Virtual size: 7.9MB

.vmp1
Size: 10.6MB - Virtual size: 10.6MB

.reloc
Size: 512B - Virtual size: 248B

.rsrc
Size: 512B - Virtual size: 480B

.text
Size: - Virtual size: 855KB

.rdata
Size: - Virtual size: 194KB

.data
Size: - Virtual size: 1.1MB

.pdata
Size: - Virtual size: 27KB

.vmp0
Size: - Virtual size: 8.0MB

.vmp1
Size: 11.0MB - Virtual size: 11.0MB

.reloc
Size: 512B - Virtual size: 260B

.rsrc
Size: 512B - Virtual size: 480B