pkg[.]7z | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

pkg.7z
Size

7.6MB
MD5

90e6595e664adafe264e009ebe87b7c1
SHA1

fa642cd1929f4d283ba60b408234acc65e68392d
SHA256

c41f4ce82bf89bf2210c0e35fc97bbf87e04f7ba4736ad8a138d64ffa2419493
SHA512

933f72d92d315562de680cd0a214cec2f8c838196e7c19ce9f0e31c2d41474fcf4ff5b1bded7b73156fee1608de052485b545950d3278e8b58067258e4717f5c
SSDEEP

196608:eMHu5Q+X7dKL4uorVGpFZMuT3Vqcntvmj:XO5bKLesPKuDVqcVmj

Score

7^/10

themida

Malware Config

Signatures

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
static1/unpack001/cli_gui.exe	themida
static1/unpack001/syscfg.cfg	themida

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/cli_gui.exe
unpack001/cs2.exe
unpack001/syscfg.cfg

Files

pkg.7z
.7z
cli_gui.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Size: 6KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 2KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 129B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 460B - Virtual size: 852B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 267B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 102B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.imports
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: - Virtual size: 5.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
cs2.exe
.exe windows:10 windows x64 arch:x64

272245e2988e1e430500b852c4fb5e18

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

cmd.pdb

Imports

msvcrt

_setmode
exit
iswxdigit
time
srand
_wtol
fflush
wcsstr
iswalpha
wcstoul
_errno
printf
rand
fprintf
wcsncmp
_pipe
_commode
_lock
wcsrchr
realloc
towlower
_initterm
__setusermatherr
setlocale
_wcsupr
iswdigit
_ultoa
_cexit
_unlock
_exit
__dllonexit
_wcsicmp
iswspace
wcschr
fgets
??_V@YAXPEAX@Z
_pclose
ferror
_onexit
__CxxFrameHandler3
_open_osfhandle
_close
feof
_dup
_wpopen
_wcsnicmp
?terminate@@YAXXZ
memset
wcstol
_get_osfhandle
_dup2
_getch
towupper
memcmp
_setjmp
wcsspn
_fmode
qsort
__set_app_type
_tell
_wcslwr
longjmp
_local_unwind
_purecall
__C_specific_handler
??3@YAXPEAX@Z
memcpy_s
free
calloc
__getmainargs
_XcptFilter
_amsg_exit
??1type_info@@UEAA@XZ
memmove
memcpy
_CxxThrowException
_vsnwprintf
swscanf
__iob_func
malloc
_callnewh
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@AEBQEBDH@Z
??0exception@@QEAA@AEBV0@@Z
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
wcscmp

ntdll

RtlLookupFunctionEntry
RtlCaptureContext
NtOpenProcessToken
NtQueryInformationToken
NtClose
NtOpenThreadToken
RtlFreeHeap
NtFsControlFile
RtlDosPathNameToNtPathName_U
RtlVirtualUnwind
RtlFreeUnicodeString
RtlReleaseRelativeName
NtOpenFile
RtlDosPathNameToRelativeNtPathName_U_WithStatus
NtSetInformationFile
NtQueryVolumeInformationFile
NtSetInformationProcess
NtQueryInformationProcess
RtlNtStatusToDosError
NtCancelSynchronousIoFile
RtlCreateUnicodeStringFromAsciiz
RtlFindLeastSignificantBit

api-ms-win-core-kernel32-legacy-l1-1-0

CopyFileW
GetConsoleWindow

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
GetModuleFileNameA
LoadLibraryExW
GetProcAddress
GetModuleFileNameW
GetModuleHandleExW

api-ms-win-core-synch-l1-1-0

CreateSemaphoreExW
InitializeCriticalSection
WaitForSingleObject
ReleaseSemaphore
TryAcquireSRWLockExclusive
WaitForSingleObjectEx
ReleaseMutex
ReleaseSRWLockShared
AcquireSRWLockShared
LeaveCriticalSection
CreateMutexExW
EnterCriticalSection
ReleaseSRWLockExclusive
OpenSemaphoreW

api-ms-win-core-heap-l1-1-0

HeapFree
HeapAlloc
GetProcessHeap
HeapSetInformation
HeapReAlloc
HeapSize

api-ms-win-core-errorhandling-l1-1-0

SetLastError
UnhandledExceptionFilter
GetLastError
SetErrorMode
SetUnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-0

InitializeProcThreadAttributeList
GetCurrentThreadId
UpdateProcThreadAttribute
DeleteProcThreadAttributeList
GetStartupInfoW
CreateProcessAsUserW
OpenThread
CreateProcessW
ResumeThread
TerminateProcess
GetExitCodeProcess
GetCurrentProcess
GetCurrentProcessId

api-ms-win-core-localization-l1-2-0

GetThreadLocale
SetThreadLocale
FormatMessageW
GetLocaleInfoW
GetCPInfo
GetACP
GetUserDefaultLCID

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-memory-l1-1-0

VirtualAlloc
VirtualQuery
VirtualFree
ReadProcessMemory

api-ms-win-core-console-l1-1-0

ReadConsoleW
SetConsoleCtrlHandler
SetConsoleMode
WriteConsoleW
GetConsoleMode
GetConsoleOutputCP

api-ms-win-core-file-l1-1-0

CreateFileW
FlushFileBuffers
GetFileAttributesExW
GetDriveTypeW
FindClose
FindNextFileW
CreateDirectoryW
GetVolumeInformationW
SetFileAttributesW
SetEndOfFile
SetFilePointerEx
WriteFile
DeleteFileW
SetFileTime
GetVolumePathNameW
SetFilePointer
ReadFile
GetFileAttributesW
GetFileType
RemoveDirectoryW
FindFirstFileExW
CompareFileTime
GetFullPathNameW
GetDiskFreeSpaceExW
FileTimeToLocalFileTime
GetFileSize
FindFirstFileW

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW
GetEnvironmentStringsW
ExpandEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SearchPathW
SetCurrentDirectoryW
GetCurrentDirectoryW
GetEnvironmentVariableW
SetEnvironmentStringsW
GetStdHandle

api-ms-win-core-console-l2-1-0

SetConsoleCursorPosition
GetConsoleScreenBufferInfo
ScrollConsoleScreenBufferW
FillConsoleOutputAttribute
FillConsoleOutputCharacterW
FlushConsoleInputBuffer
SetConsoleTextAttribute

api-ms-win-security-base-l1-1-0

GetFileSecurityW
RevertToSelf
GetSecurityDescriptorOwner

api-ms-win-core-sysinfo-l1-1-0

GetSystemTime
SetLocalTime
GetSystemTimeAsFileTime
GetTickCount
GetWindowsDirectoryW
GetLocalTime
GetVersion

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
FileTimeToSystemTime

api-ms-win-core-datetime-l1-1-0

GetDateFormatW
GetTimeFormatW

api-ms-win-core-systemtopology-l1-1-0

GetNumaNodeProcessorMaskEx
GetNumaHighestNodeNumber

api-ms-win-core-console-l2-2-0

SetConsoleTitleW
GetConsoleTitleW

api-ms-win-core-processenvironment-l1-2-0

NeedCurrentDirectoryForExePathW

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegSetValueExW
RegOpenKeyExW
RegCreateKeyExW
RegEnumKeyExW
RegDeleteKeyExW
RegDeleteValueW
RegQueryValueExW

api-ms-win-core-file-l2-1-0

MoveFileExW
CreateSymbolicLinkW
CreateHardLinkW
MoveFileWithProgressW
GetFileInformationByHandleEx

api-ms-win-core-heap-l2-1-0

GlobalAlloc
GlobalFree
LocalFree

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-winrt-l1-1-0

RoInitialize
RoUninitialize

api-ms-win-core-processtopology-l1-1-0

GetThreadGroupAffinity

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW
lstrcmpiW

api-ms-win-core-processtopology-obsolete-l1-1-0

SetProcessAffinityMask

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 196KB - Virtual size: 195KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 41KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 111KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 144B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 33KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 780B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
syscfg.cfg
.dll windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

Size: 874KB - Virtual size: 2.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 240KB - Virtual size: 643KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 11KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 62KB - Virtual size: 116KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 158B - Virtual size: 248B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 2KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.imports
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: - Virtual size: 5.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 3.2MB - Virtual size: 3.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 16B - Virtual size: 4KB

IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Headers

DLL Characteristics

File Characteristics

Sections

Size: 6KB - Virtual size: 10KB

Size: 2KB - Virtual size: 11KB

Size: 129B - Virtual size: 1KB

Size: 460B - Virtual size: 852B

Size: 267B - Virtual size: 480B

Size: 102B - Virtual size: 104B

.imports Size: 1KB - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 4KB

.themida Size: - Virtual size: 5.5MB

.boot Size: 3.1MB - Virtual size: 3.1MB

272245e2988e1e430500b852c4fb5e18

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-console-l2-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-systemtopology-l1-1-0

api-ms-win-core-console-l2-2-0

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-processtopology-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-processtopology-obsolete-l1-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Sections

.text Size: 196KB - Virtual size: 195KB

.rdata Size: 41KB - Virtual size: 41KB

.data Size: 512B - Virtual size: 111KB

.pdata Size: 9KB - Virtual size: 8KB

.didat Size: 512B - Virtual size: 144B

.rsrc Size: 33KB - Virtual size: 33KB

.reloc Size: 1024B - Virtual size: 780B

Headers

DLL Characteristics

File Characteristics

Sections

Size: 874KB - Virtual size: 2.2MB

Size: 240KB - Virtual size: 643KB

Size: 11KB - Virtual size: 44KB

Size: 62KB - Virtual size: 116KB

Size: 158B - Virtual size: 248B

Size: 2KB - Virtual size: 8KB

.imports
Size: 1KB - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 4KB

.themida
Size: - Virtual size: 5.5MB

.boot
Size: 3.1MB - Virtual size: 3.1MB

.text
Size: 196KB - Virtual size: 195KB

.rdata
Size: 41KB - Virtual size: 41KB

.data
Size: 512B - Virtual size: 111KB

.pdata
Size: 9KB - Virtual size: 8KB

.didat
Size: 512B - Virtual size: 144B

.rsrc
Size: 33KB - Virtual size: 33KB

.reloc
Size: 1024B - Virtual size: 780B

.imports
Size: 1KB - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 4KB

.themida
Size: - Virtual size: 5.7MB

.boot
Size: 3.2MB - Virtual size: 3.2MB

.reloc
Size: 16B - Virtual size: 4KB