hook[.]dll | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

hook.dll
Size

9.6MB
MD5

1842e5da6061aed0e5465030d2a63ebd
SHA1

2861f8f641007c7b7773a901002d3e4bda55a5bb
SHA256

7c688fe0706b770339e10c4a2055acb1c8aa8ee7028f42dd84ef52011156933b
SHA512

9ad205d51ff7d9a73687c85337e2c6dc217fc59e9bd8596b567976f281fdd10b19d488c23960ccbf532c6251fa6418c0a809e73adadb1e559c8b97bc14f83355
SSDEEP

196608:N3W7kl168arkW/Zn+vxHQUdWdnR4VURRsEVqP3f:dWU16drkW/Z+vxwgOnZfVq

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
sample	themida

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
hook.dll

Files

hook.dll
.dll windows:6 windows x64 arch:x64

fc8a5754f1fbe8934b51a4726e74eaac

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

advapi32

CryptReleaseContext
CryptAcquireContextA
CryptGetHashParam
CryptGenRandom
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptDestroyKey
CryptImportKey
CryptEncrypt

crypt32

CertFindExtension
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertOpenStore
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryA
CertFreeCertificateContext

imm32

ImmSetCandidateWindow
ImmReleaseContext
ImmGetContext
ImmSetCompositionWindow

iphlpapi

GetAdaptersInfo

kernel32

CloseHandle
HeapAlloc
HeapDestroy
GetThreadContext
FlushInstructionCache
SetThreadContext
OpenThread
MoveFileExA
CreateThread
SetConsoleTextAttribute
GetStdHandle
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
SleepEx
GetSystemDirectoryA
VerifyVersionInfoA
GetTickCount
GetProcAddress
GetEnvironmentVariableA
GetFileType
ReadFile
Thread32Next
WaitForMultipleObjects
SetLastError
GetLastError
CreateFileA
GetFileSizeEx
QueryPerformanceFrequency
RtlCaptureContext
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetCurrentProcess
HeapFree
VirtualProtect
HeapCreate
VirtualQuery
GetSystemInfo
VirtualAlloc
VirtualFree
GetConsoleWindow
GetModuleHandleW
FreeConsole
Sleep
HeapReAlloc
ResumeThread
CreateToolhelp32Snapshot
SuspendThread
GetCurrentThreadId
FormatMessageA
Thread32First
GlobalUnlock
WideCharToMultiByte
GlobalLock
GlobalFree
LoadLibraryA
MultiByteToWideChar
GetLocaleInfoA
GetModuleHandleA
AllocConsole
GetCurrentProcessId
AttachConsole
GlobalAlloc
QueryPerformanceCounter
FreeLibrary
PeekNamedPipe
VerSetConditionMask
WaitForSingleObjectEx
RtlLookupFunctionEntry

msvcp140

?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??Bios_base@std@@QEBA_NXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
??4?$_Iosb@H@std@@QEAAAEAV01@$$QEAV01@@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?_Xbad_alloc@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ

normaliz

IdnToAscii

shell32

ShellExecuteA

user32

SetWindowLongW
DefWindowProcW
DestroyWindow
GetCursorPos
CreateWindowExW
UnregisterClassW
SetLayeredWindowAttributes
ShowWindow
GetAsyncKeyState
DispatchMessageW
PeekMessageW
SetWindowDisplayAffinity
TranslateMessage
RegisterClassExW
UpdateWindow
OpenClipboard
SetCursorPos
ReleaseCapture
IsWindowUnicode
GetClientRect
SetCursor
SetCapture
CloseClipboard
LoadCursorW
GetForegroundWindow
MessageBoxA
GetKeyboardLayout
TrackMouseEvent
GetWindowLongW
PostQuitMessage
MoveWindow
EmptyClipboard
GetClipboardData
SetClipboardData
GetKeyState
GetMessageExtraInfo
ScreenToClient
GetCapture
ClientToScreen

vcruntime140

__std_type_info_destroy_list
_CxxThrowException
__C_specific_handler
memcmp
memcpy
memset
memcpy
__std_exception_copy
__std_exception_destroy
strchr
strstr
__std_terminate
wcsstr
memchr
strrchr

vcruntime140_1

__CxxFrameHandler4

wldap32

ldap_first_entry
ldap_err2stringA
ldap_msgfree
ldap_search_sA
ldap_bind_sA
ldap_simple_bind_sA
ldap_first_attributeA
ldap_set_optionA
ldap_unbind_s
ldap_get_dnA
ldap_memfreeA
ldap_sslinitA
ber_free
ldap_next_entry
ldap_value_freeW
ldap_next_attributeA
ldap_initA
ldap_get_values_lenA

ws2_32

listen
htonl
accept
select
WSACleanup
WSAStartup
WSAIoctl
WSASetLastError
socket
setsockopt
htons
ioctlsocket
getsockopt
getsockname
getpeername
connect
bind
getaddrinfo
FreeAddrInfoW
WSAGetLastError
send
recv
closesocket
htons
recvfrom
sendto
gethostname
htonl
__WSAFDIsSet

ucrtbase

atof
strtoul
atoi
strtol
_strtoi64
_access
_stat64
_fstat64
_unlink
calloc
malloc
free
realloc
_callnewh
pow
sinf
sqrt
log10f
log10
log
fmaxf
fmodf
floor
exp
cosf
cos
ceilf
acosf
sqrtf
_errno
_invalid_parameter_noinfo_noreturn
_beginthreadex
strerror
_getpid
__sys_nerr
_initterm
_initterm_e
_seh_filter_dll
_configure_narrow_argv
_cexit
_execute_onexit_table
_initialize_onexit_table
_initialize_narrow_environment
exit
_write
_close
__stdio_common_vsprintf
_open
fread
ftell
_read
_lseeki64
__stdio_common_vsscanf
fclose
fgets
fputc
fseek
fwrite
fopen
freopen
__stdio_common_vfprintf
fputs
fflush
__acrt_iob_func
_wfopen
feof
strncmp
strcmp
strspn
isupper
_mbsdup
tolower
isspace
strncpy
strcspn
strpbrk
_gmtime64
_time64
qsort

d3d9

Direct3DCreate9

Sections

.text
Size: 716KB - Virtual size: 716KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 164KB - Virtual size: 172KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 27KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: 5.5MB - Virtual size: 5.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 3.2MB - Virtual size: 3.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ

.SCY
Size: 9KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

fc8a5754f1fbe8934b51a4726e74eaac

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

crypt32

imm32

iphlpapi

kernel32

msvcp140

normaliz

shell32

user32

vcruntime140

vcruntime140_1

wldap32

ws2_32

ucrtbase

d3d9

Sections

.text Size: 716KB - Virtual size: 716KB

Size: 164KB - Virtual size: 172KB

Size: 4KB - Virtual size: 8KB

Size: 27KB - Virtual size: 28KB

Size: 512B - Virtual size: 4KB

Size: 512B - Virtual size: 4KB

Size: 2KB - Virtual size: 4KB

.idata Size: 2KB - Virtual size: 4KB

.tls Size: 512B - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 4KB

.themida Size: 5.5MB - Virtual size: 5.5MB

.boot Size: 3.2MB - Virtual size: 3.2MB

.reloc Size: 512B - Virtual size: 4KB

.SCY Size: 9KB - Virtual size: 12KB

.text
Size: 716KB - Virtual size: 716KB

.idata
Size: 2KB - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 4KB

.themida
Size: 5.5MB - Virtual size: 5.5MB

.boot
Size: 3.2MB - Virtual size: 3.2MB

.reloc
Size: 512B - Virtual size: 4KB

.SCY
Size: 9KB - Virtual size: 12KB