voice modules[.]rar

Sharing

Copy URL Twitter E-mail

General

Target

voice modules.rar
Size

6.2MB
MD5

a41866eef7a681a4bcbeecafb0c6d7ef
SHA1

5316e529f99b5376e9b2168f5edc5c6f38ee4cfb
SHA256

12514885865282e7015104aba5ef968b081c4e50a80f66d0cd66b5b32c10060c
SHA512

896279600339f586a30f95dc4925323424601ea5cb046a10230ce1a41bfd26db4a7751c0b9b5facd55a172cf3f6e4727fb3815f5888293810c1dce76471f64c3
SSDEEP

196608:6JPnSfP0VI2avN+fsGiMwsBHJ1e19zkVHGyTTn3:69AiavN+fsGiMBDTTn3

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
static1/unpack001/voice modules/hook.dll	themida

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/voice modules/hook.dll
unpack001/voice modules/injector.exe

Files

voice modules.rar
.rar
voice modules/hook.dll
.dll windows:6 windows x64 arch:x64

fc8a5754f1fbe8934b51a4726e74eaac

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

advapi32

CryptReleaseContext
CryptAcquireContextA
CryptGetHashParam
CryptGenRandom
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptDestroyKey
CryptImportKey
CryptEncrypt

crypt32

CertFindExtension
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertOpenStore
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryA
CertFreeCertificateContext

imm32

ImmSetCandidateWindow
ImmReleaseContext
ImmGetContext
ImmSetCompositionWindow

iphlpapi

GetAdaptersInfo

kernel32

CloseHandle
HeapAlloc
HeapDestroy
GetThreadContext
FlushInstructionCache
SetThreadContext
OpenThread
MoveFileExA
CreateThread
SetConsoleTextAttribute
GetStdHandle
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
SleepEx
GetSystemDirectoryA
VerifyVersionInfoA
GetTickCount
GetProcAddress
GetEnvironmentVariableA
GetFileType
ReadFile
Thread32Next
WaitForMultipleObjects
SetLastError
GetLastError
CreateFileA
GetFileSizeEx
QueryPerformanceFrequency
RtlCaptureContext
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetCurrentProcess
HeapFree
VirtualProtect
HeapCreate
VirtualQuery
GetSystemInfo
VirtualAlloc
VirtualFree
GetConsoleWindow
GetModuleHandleW
FreeConsole
Sleep
HeapReAlloc
ResumeThread
CreateToolhelp32Snapshot
SuspendThread
GetCurrentThreadId
FormatMessageA
Thread32First
GlobalUnlock
WideCharToMultiByte
GlobalLock
GlobalFree
LoadLibraryA
MultiByteToWideChar
GetLocaleInfoA
GetModuleHandleA
AllocConsole
GetCurrentProcessId
AttachConsole
GlobalAlloc
QueryPerformanceCounter
FreeLibrary
PeekNamedPipe
VerSetConditionMask
WaitForSingleObjectEx
RtlLookupFunctionEntry

msvcp140

?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??Bios_base@std@@QEBA_NXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
??4?$_Iosb@H@std@@QEAAAEAV01@$$QEAV01@@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?_Xbad_alloc@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ

normaliz

IdnToAscii

shell32

ShellExecuteA

user32

SetWindowLongW
DefWindowProcW
DestroyWindow
GetCursorPos
CreateWindowExW
UnregisterClassW
SetLayeredWindowAttributes
ShowWindow
GetAsyncKeyState
DispatchMessageW
PeekMessageW
SetWindowDisplayAffinity
TranslateMessage
RegisterClassExW
UpdateWindow
OpenClipboard
SetCursorPos
ReleaseCapture
IsWindowUnicode
GetClientRect
SetCursor
SetCapture
CloseClipboard
LoadCursorW
GetForegroundWindow
MessageBoxA
GetKeyboardLayout
TrackMouseEvent
GetWindowLongW
PostQuitMessage
MoveWindow
EmptyClipboard
GetClipboardData
SetClipboardData
GetKeyState
GetMessageExtraInfo
ScreenToClient
GetCapture
ClientToScreen

vcruntime140

__std_type_info_destroy_list
_CxxThrowException
__C_specific_handler
memcmp
memcpy
memset
memcpy
__std_exception_copy
__std_exception_destroy
strchr
strstr
__std_terminate
wcsstr
memchr
strrchr

vcruntime140_1

__CxxFrameHandler4

wldap32

ldap_first_entry
ldap_err2stringA
ldap_msgfree
ldap_search_sA
ldap_bind_sA
ldap_simple_bind_sA
ldap_first_attributeA
ldap_set_optionA
ldap_unbind_s
ldap_get_dnA
ldap_memfreeA
ldap_sslinitA
ber_free
ldap_next_entry
ldap_value_freeW
ldap_next_attributeA
ldap_initA
ldap_get_values_lenA

ws2_32

listen
htonl
accept
select
WSACleanup
WSAStartup
WSAIoctl
WSASetLastError
socket
setsockopt
htons
ioctlsocket
getsockopt
getsockname
getpeername
connect
bind
getaddrinfo
FreeAddrInfoW
WSAGetLastError
send
recv
closesocket
htons
recvfrom
sendto
gethostname
htonl
__WSAFDIsSet

ucrtbase

atof
strtoul
atoi
strtol
_strtoi64
_access
_stat64
_fstat64
_unlink
calloc
malloc
free
realloc
_callnewh
pow
sinf
sqrt
log10f
log10
log
fmaxf
fmodf
floor
exp
cosf
cos
ceilf
acosf
sqrtf
_errno
_invalid_parameter_noinfo_noreturn
_beginthreadex
strerror
_getpid
__sys_nerr
_initterm
_initterm_e
_seh_filter_dll
_configure_narrow_argv
_cexit
_execute_onexit_table
_initialize_onexit_table
_initialize_narrow_environment
exit
_write
_close
__stdio_common_vsprintf
_open
fread
ftell
_read
_lseeki64
__stdio_common_vsscanf
fclose
fgets
fputc
fseek
fwrite
fopen
freopen
__stdio_common_vfprintf
fputs
fflush
__acrt_iob_func
_wfopen
feof
strncmp
strcmp
strspn
isupper
_mbsdup
tolower
isspace
strncpy
strcspn
strpbrk
_gmtime64
_time64
qsort

d3d9

Direct3DCreate9

Sections

.text
Size: 716KB - Virtual size: 716KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 164KB - Virtual size: 172KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 27KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: 5.5MB - Virtual size: 5.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 3.2MB - Virtual size: 3.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ

.SCY
Size: 9KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
voice modules/injector.exe
.exe windows:6 windows x64 arch:x64

8f18ef3a00bfd699ac5d69caeb261960

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\Users\jumpo\Downloads\Development\Injector\x64\Release\Injector.pdb

Imports

kernel32

GetModuleFileNameA
WriteProcessMemory
WaitForSingleObject
OpenProcess
CreateToolhelp32Snapshot
Process32NextW
LoadLibraryA
Process32FirstW
CloseHandle
GetProcAddress
VirtualAllocEx
GetModuleHandleW
CreateRemoteThread
VirtualFreeEx
FreeConsole
AllocConsole
GetLocaleInfoEx
FormatMessageA
LocalFree
FindClose
FindFirstFileW
FindFirstFileExW
FindNextFileW
GetFileAttributesExW
AreFileApisANSI
GetLastError
IsDebuggerPresent
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
WideCharToMultiByte
MultiByteToWideChar
GetFileInformationByHandleEx
CreateFileW

msvcp140

?_Xout_of_range@std@@YAXPEBD@Z
?_Winerror_map@std@@YAHH@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Syserror_map@std@@YAPEBDH@Z

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memcpy
__std_exception_destroy
__std_exception_copy
__std_terminate
__C_specific_handler
_CxxThrowException
__current_exception
memmove
__current_exception_context
memset

api-ms-win-crt-heap-l1-1-0

free
_set_new_mode
_callnewh
malloc

api-ms-win-crt-string-l1-1-0

_wcsicmp

api-ms-win-crt-runtime-l1-1-0

_register_thread_local_exe_atexit_callback
_c_exit
_cexit
_crt_atexit
__p___argc
_exit
_register_onexit_function
_initterm_e
_initterm
_get_initial_narrow_environment
_initialize_narrow_environment
_configure_narrow_argv
_set_app_type
_seh_filter_exe
terminate
exit
_initialize_onexit_table
abort
__p___argv
_invalid_parameter_noinfo_noreturn

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
___lc_codepage_func

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-stdio-l1-1-0

__p__commode
_set_fmode

Sections

.text
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 172B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

fc8a5754f1fbe8934b51a4726e74eaac

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

crypt32

imm32

iphlpapi

kernel32

msvcp140

normaliz

shell32

user32

vcruntime140

vcruntime140_1

wldap32

ws2_32

ucrtbase

d3d9

Sections

.text Size: 716KB - Virtual size: 716KB

Size: 164KB - Virtual size: 172KB

Size: 4KB - Virtual size: 8KB

Size: 27KB - Virtual size: 28KB

Size: 512B - Virtual size: 4KB

Size: 512B - Virtual size: 4KB

Size: 2KB - Virtual size: 4KB

.idata Size: 2KB - Virtual size: 4KB

.tls Size: 512B - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 4KB

.themida Size: 5.5MB - Virtual size: 5.5MB

.boot Size: 3.2MB - Virtual size: 3.2MB

.reloc Size: 512B - Virtual size: 4KB

.SCY Size: 9KB - Virtual size: 12KB

8f18ef3a00bfd699ac5d69caeb261960

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

msvcp140

vcruntime140_1

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-stdio-l1-1-0

Sections

.text Size: 24KB - Virtual size: 23KB

.rdata Size: 11KB - Virtual size: 11KB

.data Size: 1024B - Virtual size: 2KB

.pdata Size: 2KB - Virtual size: 1KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 512B - Virtual size: 172B

.text
Size: 716KB - Virtual size: 716KB

.idata
Size: 2KB - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 4KB

.themida
Size: 5.5MB - Virtual size: 5.5MB

.boot
Size: 3.2MB - Virtual size: 3.2MB

.reloc
Size: 512B - Virtual size: 4KB

.SCY
Size: 9KB - Virtual size: 12KB

.text
Size: 24KB - Virtual size: 23KB

.rdata
Size: 11KB - Virtual size: 11KB

.data
Size: 1024B - Virtual size: 2KB

.pdata
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 512B - Virtual size: 172B