FFWsUpgrade[.]dll

Sharing

Copy URL

Twitter E-mail

General

Target

FFWsUpgrade.dll
Size

4.2MB
MD5

d87446632c1f0835c63929860f3ea0c5
SHA1

910e6d48484f2626ccbebdf348b7e8f1e880dde8
SHA256

1bf2826f0ebc20f65044e003d1c36f61a3b13fe712a9609443092e3d63c0d9ac
SHA512

153f3f9ee5a613943f08069ef6bd6458ffaba1a3e424b18122c3ecd45089cbff727925e24cac761131818a32ad6faa3e6ed7b0c6d8e7a1312420a76100782e2f
SSDEEP

98304:Pf3nBVNVPlLON3iqTyFjUi9E1QEdmhygc51W3rUh5Qo/zS:PfDlLOIqWlfE1QEBgoW3rUhq

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
sample	themida

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
FFWsUpgrade.dll

Files

FFWsUpgrade.dll
.dll windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Exports

Exports

??0IFFUpgradeEventObserver@@QEAA@$$QEAV0@@Z
??0IFFUpgradeEventObserver@@QEAA@AEBV0@@Z
??0IFFUpgradeEventObserver@@QEAA@XZ
??0IFFUpgradeService@@QEAA@$$QEAV0@@Z
??0IFFUpgradeService@@QEAA@AEBV0@@Z
??0IFFUpgradeService@@QEAA@XZ
??4IFFUpgradeEventObserver@@QEAAAEAV0@$$QEAV0@@Z
??4IFFUpgradeEventObserver@@QEAAAEAV0@AEBV0@@Z
??4IFFUpgradeService@@QEAAAEAV0@$$QEAV0@@Z
??4IFFUpgradeService@@QEAAAEAV0@AEBV0@@Z
??_7IFFUpgradeEventObserver@@6B@
??_7IFFUpgradeService@@6B@
createUpgradeService
releaseUpgradeService

Sections

Size: 33KB - Virtual size: 75KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 11KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 1024B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 54KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 448B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.edata
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 192KB - Virtual size: 192KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: - Virtual size: 5.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 3.9MB - Virtual size: 3.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Headers

DLL Characteristics

File Characteristics

Exports

Exports

Sections

Size: 33KB - Virtual size: 75KB

Size: 11KB - Virtual size: 35KB

Size: 1024B - Virtual size: 3KB

Size: 3KB - Virtual size: 4KB

Size: 54KB - Virtual size: 191KB

Size: 512B - Virtual size: 448B

.edata Size: 1024B - Virtual size: 4KB

.idata Size: 1024B - Virtual size: 4KB

.rsrc Size: 192KB - Virtual size: 192KB

.themida Size: - Virtual size: 5.3MB

.boot Size: 3.9MB - Virtual size: 3.9MB

.edata
Size: 1024B - Virtual size: 4KB

.idata
Size: 1024B - Virtual size: 4KB

.rsrc
Size: 192KB - Virtual size: 192KB

.themida
Size: - Virtual size: 5.3MB

.boot
Size: 3.9MB - Virtual size: 3.9MB