TOMUDA BYPASS - RAT IHITIIMALI VAR[.]rar

Sharing

Copy URL

Twitter E-mail

General

Target

TOMUDA BYPASS - RAT IHITIIMALI VAR.rar
Size

11.1MB
MD5

1be8b6e5a3d7e939db5d8ca295287c0a
SHA1

ae2c570096e0e7d627442c6e1478e7ab9b690054
SHA256

664a9cded35977c39ea87aaf5481ca0c305cde78032149ab6e5ff8f129912e37
SHA512

c1f8172b2adf44c0e0a624a550847f1f71a8a7d8018b2ba34350cc94d016a206ea92a99e1f7903aaa70990af8404d53e9b82c385f8df7828b7d821ca9e2c6bc8
SSDEEP

196608:akmCd/GnkjnFhnVF4Qf53T8pabOolQMHOvWocOFOVhZtcDTIGlKHWr:dZoninF2QJQa6omfeodejtcLKY

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
static1/unpack001/active key.exe	vmprotect
static1/unpack001/ejlalsjdlajldkada.exe	vmprotect

Unsigned PE 5 IoCs

Checks for missing Authenticode signature.

resource
unpack001/BYPASS BBB.exe
unpack001/active key.exe
unpack001/ejlalsjdlajldkada.exe
unpack001/koreathebest.sys
unpack001/tomuda.exe

Files

TOMUDA BYPASS - RAT IHITIIMALI VAR.rar
.rar
BYPASS BBB.exe
.exe windows:6 windows x64 arch:x64

baa93d47220682c04d92f7797d9224ce

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

lstrcpy

comctl32

InitCommonControls

Sections

Size: 73KB - Virtual size: 276KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 512B - Virtual size: 3.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

vlpkonwg
Size: 2.0MB - Virtual size: 2.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

qgmxnwmj
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
active key.exe
.exe windows:6 windows x64 arch:x64

e29cb7df0c6506c425797e8b10902aaa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

HeapReAlloc
GetCurrentProcess
LocalAlloc
GetCurrentProcess
GetCurrentThread
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
GetLastError
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

MoveWindow
CharUpperBuffW

advapi32

CryptDestroyHash
RegQueryValueExA
OpenSCManagerW
EnumServicesStatusExW
OpenServiceW
QueryServiceConfigW
CloseServiceHandle

shell32

ShellExecuteA

oleaut32

VariantClear

msvcp140

?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ

shlwapi

PathFindFileNameW

psapi

GetModuleInformation

ntdll

RtlCaptureContext

normaliz

IdnToAscii

wldap32

ord211

crypt32

CertOpenStore

ws2_32

WSAGetLastError

rpcrt4

UuidToStringA

userenv

UnloadUserProfile

vcruntime140

strrchr

vcruntime140_1

__CxxFrameHandler4

api-ms-win-crt-stdio-l1-1-0

_get_stream_buffer_pointers

api-ms-win-crt-runtime-l1-1-0

_initialize_narrow_environment

api-ms-win-crt-heap-l1-1-0

_set_new_mode

api-ms-win-crt-string-l1-1-0

strncmp

api-ms-win-crt-time-l1-1-0

strftime

api-ms-win-crt-math-l1-1-0

ceilf

api-ms-win-crt-filesystem-l1-1-0

_stat64

api-ms-win-crt-convert-l1-1-0

atoi

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-locale-l1-1-0

localeconv

api-ms-win-crt-utility-l1-1-0

qsort

wtsapi32

WTSSendMessageW

Sections

.text
Size: - Virtual size: 484KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 117KB - Virtual size: 116KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 1.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 2.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 4.4MB - Virtual size: 4.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
ejlalsjdlajldkada.exe
.exe windows:6 windows x64 arch:x64

488248b7e0e01b078d28f3557392aaf3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetCurrentThreadId
GetCurrentProcess
LocalAlloc
GetCurrentProcess
GetCurrentThread
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
GetLastError
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

advapi32

RegCloseKey
RegQueryValueExA
OpenSCManagerW
EnumServicesStatusExW
OpenServiceW
QueryServiceConfigW
CloseServiceHandle

msvcp140

?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z

ntdll

NtQuerySystemInformation

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__current_exception

api-ms-win-crt-stdio-l1-1-0

fsetpos

api-ms-win-crt-heap-l1-1-0

malloc

api-ms-win-crt-utility-l1-1-0

rand

api-ms-win-crt-filesystem-l1-1-0

_lock_file

api-ms-win-crt-string-l1-1-0

_wcsicmp

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-runtime-l1-1-0

_get_initial_wide_environment

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func

api-ms-win-crt-math-l1-1-0

__setusermatherr

wtsapi32

WTSSendMessageW

user32

CharUpperBuffW

Sections

.text
Size: - Virtual size: 60KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 65KB - Virtual size: 65KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 2.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 2.6MB - Virtual size: 2.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 244B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
koreathebest.sys
.sys windows:10 windows x64 arch:x64

fc664ebc1867cc6ee2441162db7a2d2c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\quyen\Downloads\Farlight84-Nimrod-aimbot-main\Farlight84-Nimrod-aimbot-main\Memory\driver\x64\Release\KP.pdb

Imports

ntoskrnl.exe

RtlInitUnicodeString
RtlCompareUnicodeString
RtlGetVersion
KeFlushIoBuffers
KeEnterCriticalRegion
KeLeaveCriticalRegion
MmMapLockedPagesSpecifyCache
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
IoGetCurrentProcess
ObfDereferenceObject
KeAttachProcess
KeDetachProcess
KeStackAttachProcess
KeUnstackDetachProcess
PsLookupProcessByProcessId
ZwAllocateVirtualMemory
ZwQueryVirtualMemory
MmCopyVirtualMemory
PsGetProcessPeb
IoCreateDriver
ZwProtectVirtualMemory
PsGetProcessSectionBaseAddress
__C_specific_handler

Sections

.text
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 952B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 204B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 1024B - Virtual size: 904B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
test.json
test2.txt
test3.txt
tomuda.exe
.exe windows:6 windows x64 arch:x64

baa93d47220682c04d92f7797d9224ce

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

lstrcpy

comctl32

InitCommonControls

Sections

Size: 26KB - Virtual size: 72KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 512B - Virtual size: 3.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

brslrnxh
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

winigphw
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

baa93d47220682c04d92f7797d9224ce

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

comctl32

Sections

Size: 73KB - Virtual size: 276KB

.rsrc Size: 512B - Virtual size: 488B

.idata Size: 512B - Virtual size: 4KB

Size: 512B - Virtual size: 3.6MB

vlpkonwg Size: 2.0MB - Virtual size: 2.0MB

qgmxnwmj Size: 512B - Virtual size: 4KB

.pdata Size: 3KB - Virtual size: 4KB

e29cb7df0c6506c425797e8b10902aaa

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

oleaut32

msvcp140

shlwapi

psapi

ntdll

normaliz

wldap32

crypt32

ws2_32

rpcrt4

userenv

vcruntime140

vcruntime140_1

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-utility-l1-1-0

wtsapi32

Sections

.text Size: - Virtual size: 484KB

.rdata Size: 117KB - Virtual size: 116KB

.data Size: - Virtual size: 1.6MB

.pdata Size: - Virtual size: 20KB

.vmp0 Size: - Virtual size: 2.6MB

.vmp1 Size: 4.4MB - Virtual size: 4.4MB

.reloc Size: 1KB - Virtual size: 1KB

.rsrc Size: 512B - Virtual size: 480B

488248b7e0e01b078d28f3557392aaf3

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

msvcp140

ntdll

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

.rsrc
Size: 512B - Virtual size: 488B

.idata
Size: 512B - Virtual size: 4KB

vlpkonwg
Size: 2.0MB - Virtual size: 2.0MB

qgmxnwmj
Size: 512B - Virtual size: 4KB

.pdata
Size: 3KB - Virtual size: 4KB

.text
Size: - Virtual size: 484KB

.rdata
Size: 117KB - Virtual size: 116KB

.data
Size: - Virtual size: 1.6MB

.pdata
Size: - Virtual size: 20KB

.vmp0
Size: - Virtual size: 2.6MB

.vmp1
Size: 4.4MB - Virtual size: 4.4MB

.reloc
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 512B - Virtual size: 480B

.text
Size: - Virtual size: 60KB

.rdata
Size: 65KB - Virtual size: 65KB

.data
Size: - Virtual size: 3KB

.pdata
Size: - Virtual size: 3KB

.vmp0
Size: - Virtual size: 2.5MB

.vmp1
Size: 2.6MB - Virtual size: 2.6MB

.reloc
Size: 512B - Virtual size: 244B

.rsrc
Size: 512B - Virtual size: 480B

.text
Size: 3KB - Virtual size: 2KB

.rdata
Size: 1024B - Virtual size: 952B

.data
Size: 512B - Virtual size: 56B

.pdata
Size: 512B - Virtual size: 204B

INIT
Size: 1024B - Virtual size: 904B

.rsrc
Size: 512B - Virtual size: 480B

.idata
Size: 512B - Virtual size: 4KB

brslrnxh
Size: 2.1MB - Virtual size: 2.1MB

winigphw
Size: 512B - Virtual size: 4KB

.pdata
Size: 3KB - Virtual size: 4KB