Advanced File Analysis System

Packer

The binary likely contains encrypted or compressed data. Show sources

packer_section

name: .vmp1, entropy: 7.99, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00346e00, virtual_size: 0x00346de0

The executable is likely packed with VMProtect Show sources

packer_section

{u'name': u'.vmp0', u'characteristics': u'IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ', u'virtual_address': u'0x0009c000', u'size_of_data': u'0x00000000', u'entropy': u'0.00', u'raw_address': u'0x00000000', u'virtual_size': u'0x002f9cb5', u'characteristics_raw': u'0x60000060'}

Hooking and other Techniques for Hiding Protection

Creates RWX memory Show sources

injection_rwx_memory

0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

File Name: fn1o2ifn1f21n2of1no12oj2b4o3h3jhwdvssdfosdfk.exe

File Type: PE32 executable (console) Intel 80386, for MS Windows

SHA1: acbbb49f6ed2e281f81cc82240a0c954f178d6a1

MD5: 0066f7a96a58509de0dc17c82403b7e4