unpacked_ThunderLoader[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

unpacked_ThunderLoader.exe
Size

20.3MB
MD5

2b1fc18613a3678886c2b94d3d326981
SHA1

f4485e78c6f909b0fc487537cb5ef28f96160fe3
SHA256

57b6d3061bf2ff685d63e7379062427b9225b0e4f4a73bf53216285ce80ef36e
SHA512

9f23f1adedecad281f4352090c108f228cf998877fbc6d8314c2ec1fc7e394fd173c090eed0c5b120ddf9a74e4e19877791168c3ba889aae4aa097a6cc6ee761
SSDEEP

393216:qukinMQQZs8KvkFwc80/xYJHI90XCn8kCzfg8pdTyhsB9Mr5:3Znp0KvkFwt0/WRIeXK8kCzd2hJd

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
sample	themida

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpacked_ThunderLoader.exe

Files

unpacked_ThunderLoader.exe
.exe windows:6 windows x64 arch:x64

a0b88c95c79c0bd5a9910721842166ea

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

RegSetKeyValueW
RegCloseKey
RegDeleteTreeW
RegCreateKeyW
RegOpenKeyW
CopySid
IsValidSid
OpenProcessToken
ConvertSidToStringSidW
GetLengthSid
GetTokenInformation

kernel32

InitializeCriticalSectionEx
Thread32First
CreateFileW
GetCurrentThreadId
OpenFileMappingW
GetModuleHandleA
OpenProcess
HeapSize
CreateToolhelp32Snapshot
MultiByteToWideChar
Sleep
GetConsoleMode
GetLastError
Process32NextW
CreateFileA
GetCurrentThread
Process32FirstW
HeapReAlloc
CloseHandle
LoadLibraryW
HeapAlloc
HeapDestroy
GetThreadContext
GetProcAddress
LocalFree
DeleteCriticalSection
ReadProcessMemory
GetCurrentProcessId
GetProcessHeap
WideCharToMultiByte
Thread32Next
IsDebuggerPresent
GetConsoleScreenBufferInfo
SetConsoleTextAttribute
VirtualFree
VirtualAlloc
GetModuleHandleW
SetUnhandledExceptionFilter
DeviceIoControl
GetTempPathW
LoadLibraryA
FindClose
GetCurrentDirectoryW
TerminateProcess
InitializeSListHead
GetSystemTimeAsFileTime
QueryPerformanceCounter
IsProcessorFeaturePresent
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
LoadLibraryExA
OutputDebugStringA
SetConsoleMode
WriteFile
GetStdHandle
GetCurrentProcess
SetLastError
HeapFree
VirtualProtect
OpenThread
RtlCaptureContext
SleepConditionVariableSRW
WakeAllConditionVariable
OutputDebugStringW
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
GetLocaleInfoEx
FormatMessageA
GetFileInformationByHandleEx
MoveFileExW
AreFileApisANSI
FindFirstFileW
GetFileAttributesExW
SetFileInformationByHandle
ReleaseSRWLockExclusive

msvcp140

?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Syserror_map@std@@YAPEBDH@Z
_Cnd_do_broadcast_at_thread_exit
_Query_perf_counter
_Thrd_detach
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Getcat@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?put@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QEBA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@AEAVios_base@2@DPEBUtm@@PEBD3@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??4?$_Iosb@H@std@@QEAAAEAV01@$$QEAV01@@Z
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV?$basic_ios@DU?$char_traits@D@std@@@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??7ios_base@std@@QEBA_NXZ
?good@ios_base@std@@QEBA_NXZ
??Bios_base@std@@QEBA_NXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
??7ios_base@std@@QEBA_NXZ
?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z
?put@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV12@G@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGG@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?_Winerror_map@std@@YAHH@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?uncaught_exception@std@@YA_NXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?id@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@2V0locale@2@A
?_Throw_Cpp_error@std@@YAXH@Z
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
_Query_perf_frequency
?_Xbad_function_call@std@@YAXXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ

oleaut32

SysFreeString
SysAllocString
VariantClear

user32

FindWindowA
FindWindowW
SetWindowsHookExA
PostThreadMessageW
GetWindowThreadProcessId

userenv

UnloadUserProfile

vcruntime140

_local_unwind
__current_exception_context
__std_terminate
__current_exception
__std_exception_copy
__std_exception_destroy
memcpy
wcsstr
memcmp
memchr
_CxxThrowException
memset
memcpy
__C_specific_handler

vcruntime140_1

__CxxFrameHandler4

ucrtbase

_getch
_strtoui64
strtod
_strtoi64
_lock_file
_unlock_file
_stat64i32
_wremove
malloc
_set_new_mode
free
_recalloc
calloc
_callnewh
_configthreadlocale
___lc_codepage_func
localeconv
__setusermatherr
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit
_seh_filter_exe
_invalid_parameter_noinfo
_get_initial_narrow_environment
_initterm
_initterm_e
_Exit
_beginthreadex
__p___argc
__p___argv
_c_exit
_register_thread_local_exe_atexit_callback
system
terminate
abort
_errno
exit
_resetstkoflw
_configure_narrow_argv
_invalid_parameter_noinfo_noreturn
_set_app_type
fopen
__acrt_iob_func
fflush
fread
fputc
_fseeki64
__p__commode
_set_fmode
fsetpos
ungetc
setvbuf
fclose
fgetc
fgetpos
__stdio_common_vsprintf
_get_stream_buffer_pointers
__stdio_common_vfprintf
fwrite
__stdio_common_vfprintf_s
_stricmp
_wcsicmp
_gmtime64
_time64
srand
rand

Sections

.text
Size: 537KB - Virtual size: 540KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 74KB - Virtual size: 84KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 99KB - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.imports
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: 12.3MB - Virtual size: 12.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 7.2MB - Virtual size: 7.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ

.SCY
Size: 11KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

a0b88c95c79c0bd5a9910721842166ea

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

msvcp140

oleaut32

user32

userenv

vcruntime140

vcruntime140_1

ucrtbase

Sections

.text Size: 537KB - Virtual size: 540KB

Size: 74KB - Virtual size: 84KB

Size: 99KB - Virtual size: 108KB

Size: 8KB - Virtual size: 8KB

Size: 512B - Virtual size: 4KB

Size: 512B - Virtual size: 4KB

.imports Size: 2KB - Virtual size: 4KB

.tls Size: 512B - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 4KB

.themida Size: 12.3MB - Virtual size: 12.3MB

.boot Size: 7.2MB - Virtual size: 7.2MB

.reloc Size: 512B - Virtual size: 4KB

.SCY Size: 11KB - Virtual size: 12KB

.text
Size: 537KB - Virtual size: 540KB

.imports
Size: 2KB - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 4KB

.themida
Size: 12.3MB - Virtual size: 12.3MB

.boot
Size: 7.2MB - Virtual size: 7.2MB

.reloc
Size: 512B - Virtual size: 4KB

.SCY
Size: 11KB - Virtual size: 12KB