waveypkg[.]7z | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

waveypkg.7z
Size

8.3MB
MD5

fba86310680ddf6dc9cef8574d9f4b7f
SHA1

2749e6705098cf2a1e4fadb9400793a8385bc4a2
SHA256

609f4bb6eccf5d6c2f4bdb753d9b5d01a39b930b852231b634023a58bb3d2c7f
SHA512

b56db07dd678e7a3aabef453555ccf6bdd55550236884283eeeb574d7bf96b4fafc3f7bc817df6f809f9b95c8e9527eba3b15564f88a3d8ac67df092c1471efc
SSDEEP

196608:d/O71yTIbqDbTcrCzTzB2vn9Tsy/SQSQLQeC1E8:/TfnSCzT4v9J6QF4

Score

7^/10

themida

Malware Config

Signatures

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
static1/unpack001/cli_gui.exe	themida
static1/unpack001/syscfg.cfg	themida

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/cli_gui.exe
unpack001/cs2.exe
unpack001/syscfg.cfg

Files

waveypkg.7z
.7z
cli_gui.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Size: 6KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 2KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 129B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 460B - Virtual size: 852B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 267B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 102B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.imports
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: - Virtual size: 5.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 2.9MB - Virtual size: 2.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
cs2.exe
.exe windows:10 windows x64 arch:x64

272245e2988e1e430500b852c4fb5e18

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

cmd.pdb

Imports

msvcrt

_setmode
exit
iswxdigit
time
srand
_wtol
fflush
wcsstr
iswalpha
wcstoul
_errno
printf
rand
fprintf
wcsncmp
_pipe
_commode
_lock
wcsrchr
realloc
towlower
_initterm
__setusermatherr
setlocale
_wcsupr
iswdigit
_ultoa
_cexit
_unlock
_exit
__dllonexit
_wcsicmp
iswspace
wcschr
fgets
??_V@YAXPEAX@Z
_pclose
ferror
_onexit
__CxxFrameHandler3
_open_osfhandle
_close
feof
_dup
_wpopen
_wcsnicmp
?terminate@@YAXXZ
memset
wcstol
_get_osfhandle
_dup2
_getch
towupper
memcmp
_setjmp
wcsspn
_fmode
qsort
__set_app_type
_tell
_wcslwr
longjmp
_local_unwind
_purecall
__C_specific_handler
??3@YAXPEAX@Z
memcpy_s
free
calloc
__getmainargs
_XcptFilter
_amsg_exit
??1type_info@@UEAA@XZ
memmove
memcpy
_CxxThrowException
_vsnwprintf
swscanf
__iob_func
malloc
_callnewh
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@AEBQEBDH@Z
??0exception@@QEAA@AEBV0@@Z
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
wcscmp

ntdll

RtlLookupFunctionEntry
RtlCaptureContext
NtOpenProcessToken
NtQueryInformationToken
NtClose
NtOpenThreadToken
RtlFreeHeap
NtFsControlFile
RtlDosPathNameToNtPathName_U
RtlVirtualUnwind
RtlFreeUnicodeString
RtlReleaseRelativeName
NtOpenFile
RtlDosPathNameToRelativeNtPathName_U_WithStatus
NtSetInformationFile
NtQueryVolumeInformationFile
NtSetInformationProcess
NtQueryInformationProcess
RtlNtStatusToDosError
NtCancelSynchronousIoFile
RtlCreateUnicodeStringFromAsciiz
RtlFindLeastSignificantBit

api-ms-win-core-kernel32-legacy-l1-1-0

CopyFileW
GetConsoleWindow

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
GetModuleFileNameA
LoadLibraryExW
GetProcAddress
GetModuleFileNameW
GetModuleHandleExW

api-ms-win-core-synch-l1-1-0

CreateSemaphoreExW
InitializeCriticalSection
WaitForSingleObject
ReleaseSemaphore
TryAcquireSRWLockExclusive
WaitForSingleObjectEx
ReleaseMutex
ReleaseSRWLockShared
AcquireSRWLockShared
LeaveCriticalSection
CreateMutexExW
EnterCriticalSection
ReleaseSRWLockExclusive
OpenSemaphoreW

api-ms-win-core-heap-l1-1-0

HeapFree
HeapAlloc
GetProcessHeap
HeapSetInformation
HeapReAlloc
HeapSize

api-ms-win-core-errorhandling-l1-1-0

SetLastError
UnhandledExceptionFilter
GetLastError
SetErrorMode
SetUnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-0

InitializeProcThreadAttributeList
GetCurrentThreadId
UpdateProcThreadAttribute
DeleteProcThreadAttributeList
GetStartupInfoW
CreateProcessAsUserW
OpenThread
CreateProcessW
ResumeThread
TerminateProcess
GetExitCodeProcess
GetCurrentProcess
GetCurrentProcessId

api-ms-win-core-localization-l1-2-0

GetThreadLocale
SetThreadLocale
FormatMessageW
GetLocaleInfoW
GetCPInfo
GetACP
GetUserDefaultLCID

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-memory-l1-1-0

VirtualAlloc
VirtualQuery
VirtualFree
ReadProcessMemory

api-ms-win-core-console-l1-1-0

ReadConsoleW
SetConsoleCtrlHandler
SetConsoleMode
WriteConsoleW
GetConsoleMode
GetConsoleOutputCP

api-ms-win-core-file-l1-1-0

CreateFileW
FlushFileBuffers
GetFileAttributesExW
GetDriveTypeW
FindClose
FindNextFileW
CreateDirectoryW
GetVolumeInformationW
SetFileAttributesW
SetEndOfFile
SetFilePointerEx
WriteFile
DeleteFileW
SetFileTime
GetVolumePathNameW
SetFilePointer
ReadFile
GetFileAttributesW
GetFileType
RemoveDirectoryW
FindFirstFileExW
CompareFileTime
GetFullPathNameW
GetDiskFreeSpaceExW
FileTimeToLocalFileTime
GetFileSize
FindFirstFileW

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW
GetEnvironmentStringsW
ExpandEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SearchPathW
SetCurrentDirectoryW
GetCurrentDirectoryW
GetEnvironmentVariableW
SetEnvironmentStringsW
GetStdHandle

api-ms-win-core-console-l2-1-0

SetConsoleCursorPosition
GetConsoleScreenBufferInfo
ScrollConsoleScreenBufferW
FillConsoleOutputAttribute
FillConsoleOutputCharacterW
FlushConsoleInputBuffer
SetConsoleTextAttribute

api-ms-win-security-base-l1-1-0

GetFileSecurityW
RevertToSelf
GetSecurityDescriptorOwner

api-ms-win-core-sysinfo-l1-1-0

GetSystemTime
SetLocalTime
GetSystemTimeAsFileTime
GetTickCount
GetWindowsDirectoryW
GetLocalTime
GetVersion

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
FileTimeToSystemTime

api-ms-win-core-datetime-l1-1-0

GetDateFormatW
GetTimeFormatW

api-ms-win-core-systemtopology-l1-1-0

GetNumaNodeProcessorMaskEx
GetNumaHighestNodeNumber

api-ms-win-core-console-l2-2-0

SetConsoleTitleW
GetConsoleTitleW

api-ms-win-core-processenvironment-l1-2-0

NeedCurrentDirectoryForExePathW

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegSetValueExW
RegOpenKeyExW
RegCreateKeyExW
RegEnumKeyExW
RegDeleteKeyExW
RegDeleteValueW
RegQueryValueExW

api-ms-win-core-file-l2-1-0

MoveFileExW
CreateSymbolicLinkW
CreateHardLinkW
MoveFileWithProgressW
GetFileInformationByHandleEx

api-ms-win-core-heap-l2-1-0

GlobalAlloc
GlobalFree
LocalFree

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-winrt-l1-1-0

RoInitialize
RoUninitialize

api-ms-win-core-processtopology-l1-1-0

GetThreadGroupAffinity

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW
lstrcmpiW

api-ms-win-core-processtopology-obsolete-l1-1-0

SetProcessAffinityMask

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 196KB - Virtual size: 195KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 41KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 111KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 144B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 33KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 780B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
syscfg.cfg
.dll windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

Size: 1.1MB - Virtual size: 3.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 177KB - Virtual size: 743KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 499KB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 130KB - Virtual size: 234KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 28B - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 182B - Virtual size: 448B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 10B - Virtual size: 45B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.imports
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.themida
Size: - Virtual size: 6.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 3.5MB - Virtual size: 3.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 16B - Virtual size: 4KB

IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Headers

DLL Characteristics

File Characteristics

Sections

Size: 6KB - Virtual size: 10KB

Size: 2KB - Virtual size: 11KB

Size: 129B - Virtual size: 1KB

Size: 460B - Virtual size: 852B

Size: 267B - Virtual size: 480B

Size: 102B - Virtual size: 104B

.imports Size: 1KB - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 4KB

.themida Size: - Virtual size: 5.3MB

.boot Size: 2.9MB - Virtual size: 2.9MB

272245e2988e1e430500b852c4fb5e18

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-console-l2-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-systemtopology-l1-1-0

api-ms-win-core-console-l2-2-0

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-processtopology-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-processtopology-obsolete-l1-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Sections

.text Size: 196KB - Virtual size: 195KB

.rdata Size: 41KB - Virtual size: 41KB

.data Size: 512B - Virtual size: 111KB

.pdata Size: 9KB - Virtual size: 8KB

.didat Size: 512B - Virtual size: 144B

.rsrc Size: 33KB - Virtual size: 33KB

.reloc Size: 1024B - Virtual size: 780B

Headers

DLL Characteristics

File Characteristics

Sections

Size: 1.1MB - Virtual size: 3.6MB

Size: 177KB - Virtual size: 743KB

Size: 499KB - Virtual size: 1.1MB

Size: 130KB - Virtual size: 234KB

Size: 28B - Virtual size: 56B

Size: 182B - Virtual size: 448B

.imports
Size: 1KB - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 4KB

.themida
Size: - Virtual size: 5.3MB

.boot
Size: 2.9MB - Virtual size: 2.9MB

.text
Size: 196KB - Virtual size: 195KB

.rdata
Size: 41KB - Virtual size: 41KB

.data
Size: 512B - Virtual size: 111KB

.pdata
Size: 9KB - Virtual size: 8KB

.didat
Size: 512B - Virtual size: 144B

.rsrc
Size: 33KB - Virtual size: 33KB

.reloc
Size: 1024B - Virtual size: 780B

.imports
Size: 1KB - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 4KB

.themida
Size: - Virtual size: 6.1MB

.boot
Size: 3.5MB - Virtual size: 3.5MB

.reloc
Size: 16B - Virtual size: 4KB