(CAPA) CAPA_Detect_vmprotect

rule:
  meta:
    name: packed with VMProtect
    namespace: anti-analysis/packer/vmprotect
    authors:
      - william.ballenthin@mandiant.com
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing::VMProtect [F0001.010]
    references:
      - https://www.pcworld.com/article/2824572/leaked-programming-manual-may-help-criminals-develop-more-atm-malware.html
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
      - 971e599e6e707349eccea2fd4c8e5f67
  features:
    - or:
      - string: "A debugger has been found running in your system."
      - string: "Please, unload it from memory and restart your program."
      - string: "File corrupted!. This program has been manipulated and maybe"
      - string: "it's infected by a Virus or cracked. This file won't work anymore."
      - section: .vmp0
      - section: .vmp1
      - section: .vmp2
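To show what this rule's `or` block actually checks, here is a small Python script (added for this page, not capa's own matching engine) that reads section names from a PE section table and searches for the listed strings, then runs it over a constructed header-only PE stub; `build_stub_pe`, `pe_section_names` and `vmprotect_evidence` are names chosen here, and the UTF-16LE string search is an assumption about how capa extracts strings.

```python
import struct

# Strings and section names taken from the CAPA rule above.
VMPROTECT_STRINGS = [
    "A debugger has been found running in your system.",
    "Please, unload it from memory and restart your program.",
    "File corrupted!. This program has been manipulated and maybe",
    "it's infected by a Virus or cracked. This file won't work anymore.",
]
VMPROTECT_SECTIONS = {".vmp0", ".vmp1", ".vmp2"}


def pe_section_names(data: bytes) -> list[str]:
    """Read section names from the PE section table; [] if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                     # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size            # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]   # 40-byte entries, 8-byte name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def vmprotect_evidence(data: bytes) -> dict:
    """Mirror the rule's `or` block: any string or section hit is a match."""
    strings = [s for s in VMPROTECT_STRINGS
               if s.encode() in data or s.encode("utf-16-le") in data]
    sections = [n for n in pe_section_names(data) if n in VMPROTECT_SECTIONS]
    return {"match": bool(strings or sections),
            "strings": strings, "sections": sections}


def build_stub_pe(section_names: list[bytes], tail: bytes = b"") -> bytes:
    """Constructed header-only PE (not a real binary) for exercising the check."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table + tail


if __name__ == "__main__":
    print(vmprotect_evidence(build_stub_pe([b".text", b".vmp0", b".vmp1"])))
    print(vmprotect_evidence(build_stub_pe([b".text", b".data"])))
```

Section names are the weaker signal of the two, since a packer can rename them; the strings come from VMProtect's own runtime messages and survive as long as they are not stripped.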

Associated Techniques

Technique Name    Technique IDs       Snippet(s)    OS
VMProtect         U1410, F0001.010

Created

June 28, 2022

Last Revised

June 28, 2022