
Monday, January 22, 2018

Themida packing

This sample is on Hybrid Analysis:

https://www.reverse.it/sample/90f22eada562c8d124211faa33337b5f8e8a43235605b8e8f12dab55f5962d3f?environmentId=100

If you open it in IDA or x32dbg it is very difficult to analyze; it appears to be packed in some manner.
When viewing the memory strings in Process Hacker while it was running, I saw this:


It says Themida, which when I googled turned out to be a commercial software protector from Oreans:
https://www.oreans.com/themida.php
"Software protectors were created to keep an attacker from directly inspecting or modifying a compiled application. A software protector is like a shield that keeps an application encrypted and protected against possible attacks."

So the attacker is using this legitimate commercial protector to hide his code from malware analysts. Note that Themida is more than a compressor: as the Oreans description says, it keeps the application encrypted, and it is known for its anti-debugging checks and code virtualization. That is why the sample is hard going in IDA and x32dbg, and why a simple "break at the OEP and dump" unpacking approach is unlikely to be enough on its own.
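The triage step above (look at the memory strings of the running process, spot a protector name) can be scripted. The following is an added example, not code from the original post or from Process Hacker: it pulls printable ASCII and UTF-16LE strings out of a byte buffer the way a strings view does, checks them against a short list of protector names, and reports the buffer's Shannon entropy, which is high for encrypted or compressed sections and low for ordinary code and text. The PACKER_MARKERS list, the pseudo_random filler and both SAMPLE_* buffers are assumptions constructed for the example, standing in for a dumped memory region.

```python
import hashlib
import math
import re
from collections import Counter

# Protector/packer names worth flagging when they appear in process memory.
# Assumed list for this example, not an exhaustive signature database.
PACKER_MARKERS = ("Themida", "WinLicense", "VMProtect", "UPX", "ASProtect", "Enigma")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty/constant data, close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII and UTF-16LE runs of at least min_len chars, like a strings view."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def packer_indicators(data: bytes) -> dict:
    """Entropy plus any protector names seen in the strings (case-insensitive substring match)."""
    strings = extract_strings(data)
    markers = sorted({m for s in strings for m in PACKER_MARKERS if m.lower() in s.lower()})
    return {
        "entropy": round(shannon_entropy(data), 2),
        "markers": markers,
        "string_count": len(strings),
    }


def pseudo_random(n: int, seed: bytes = b"example") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for an encrypted section."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed stand-in for a memory region of a Themida-protected process: a clear-text
# marker (ASCII and wide), then 8 KiB of "encrypted" bytes. Not dumped from a real sample.
SAMPLE_PACKED = (
    b"\x00" * 16 + b"Themida" + b"\x00" * 16
    + "Themida".encode("utf-16-le") + pseudo_random(8192)
)
# Constructed low-entropy buffer: repeated text, no protector names.
SAMPLE_PLAIN = b"This program cannot be run in DOS mode.\r\n" * 200

if __name__ == "__main__":
    for label, buf in (("packed", SAMPLE_PACKED), ("plain", SAMPLE_PLAIN)):
        print(label, packer_indicators(buf))
```

Entropy alone is not proof of packing (a large resource section or embedded certificate also scores high), and a protector name in memory is only a hint, so treat the two together as a reason to go looking for the unpacking stub rather than as a verdict.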

Of course, I'm new at this so if you have any corrections or tips for me, let me know. Thanks!

Wednesday, June 7, 2017

Random PEiD notes



PEiD signature results seen on a few samples. PEiD reports the matched signature name and, after the "->", the packer's author where the database records one.

Packers
- ASProtect 2.1x SKE -> Alexey Solodovnikov

Others (compiler signatures, i.e. not packed)
- Borland Delphi 6.0 - 7.0
- Microsoft Visual C++ 6.0
- Nothing found * (no signature in the database matched)
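The results above come from PEiD's signature database, which is a text file of stanzas (a [name] line, a signature line of hex bytes with ?? wildcards, and an ep_only flag saying whether the bytes must sit exactly at the entry point or may appear anywhere in the file). As an added example that is not part of the original notes or of PEiD itself, here is a small matcher for that stanza format. The three signatures are this example's own approximations of the familiar MSVC6 and UPX stub prologues plus a generic xor-decode loop, not entries copied from PEiD's database, and the sample entry-point byte strings are constructed, not taken from real files; on a real PE the entry_point offset would come from the header's AddressOfEntryPoint mapped through the section table.

```python
# Illustrative signature database in PEiD's UserDB.txt stanza format.
# Patterns are approximations written for this example, not PEiD's shipped entries.
USERDB = """
; push ebp / mov ebp,esp / push -1 / push <addr> / push <addr> / mov eax,fs:[0] ...
[Microsoft Visual C++ 6.0]
signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00
ep_only = true

; pushad / mov esi,<src> / lea edi,[esi+<delta>] / push edi / or ebp,-1
[UPX 1.x -> Markus & Laszlo]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF
ep_only = true

; lodsb / xor al,imm8 / stosb / loop: a decode loop that can live anywhere in the file
[xor-byte decode loop (example)]
signature = AC 34 ?? AA E2 FA
ep_only = false
"""


def parse_userdb(text):
    """Parse stanzas into (name, pattern, ep_only); pattern is a list of int or None (?? wildcard)."""
    sigs = []
    name, pattern, ep_only = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            if name and pattern:
                sigs.append((name, pattern, ep_only))
            name, pattern, ep_only = line[1:-1], None, False  # ep_only default assumed False
        elif "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key == "signature":
                pattern = [None if tok == "??" else int(tok, 16) for tok in value.split()]
            elif key == "ep_only":
                ep_only = value.lower() == "true"
    if name and pattern:
        sigs.append((name, pattern, ep_only))
    return sigs


def match_at(data, offset, pattern):
    """True if pattern matches data at offset; None entries match any byte."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def scan(data, entry_point, sigs):
    """Names of matching signatures: ep_only ones tested at entry_point, others anywhere in data."""
    hits = []
    for name, pattern, ep_only in sigs:
        if ep_only:
            if match_at(data, entry_point, pattern):
                hits.append(name)
        elif any(match_at(data, off, pattern) for off in range(len(data) - len(pattern) + 1)):
            hits.append(name)
    return hits or ["Nothing found"]  # mirror PEiD's no-match output


SIGS = parse_userdb(USERDB)

# Constructed entry-point byte strings (not from real binaries).
MSVC6_EP = bytes.fromhex("55 8B EC 6A FF 68 A0 50 40 00 68 0C 1A 40 00 64 A1 00 00 00 00 50"
                         "64 89 25 00 00 00 00 83 EC 10")
UPX_EP = bytes.fromhex("60 BE 00 B0 40 00 8D BE 00 60 FF FF 57 83 CD FF EB 10 90 90")
# call $+5 / pop ebx style stub with the xor loop at offset 25, not at the entry point.
XOR_SAMPLE = bytes.fromhex("E8 00 00 00 00 5B 81 EB 05 10 40 00 8D B3 00 20 40 00 8B FE"
                           "B9 00 01 00 00 AC 34 5A AA E2 FA C3")

if __name__ == "__main__":
    for label, buf in (("msvc6", MSVC6_EP), ("upx", UPX_EP), ("xor", XOR_SAMPLE)):
        print(label, scan(buf, 0, SIGS))
```

Two things this makes visible about PEiD results: an ep_only signature is a claim about the few dozen bytes at the entry point only, so a protector that leaves a compiler-looking prologue in place will still read as "Microsoft Visual C++ 6.0", and "Nothing found" means no database entry matched, not that the file is unpacked.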


Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.