(CAPA) CAPA_Detect_vmprotect
rule:
meta:
name: packed with VMProtect
namespace: anti-analysis/packer/vmprotect
authors:
- william.ballenthin@mandiant.com
scope: file
att&ck:
- Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
mbc:
- Anti-Static Analysis::Software Packing::VMProtect [F0001.010]
references:
- https://www.pcworld.com/article/2824572/leaked-programming-manual-may-help-criminals-develop-more-atm-malware.html
- https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
examples:
- 971e599e6e707349eccea2fd4c8e5f67
features:
- or:
- string: "A debugger has been found running in your system."
- string: "Please, unload it from memory and restart your program."
- string: "File corrupted!. This program has been manipulated and maybe"
- string: "it's infected by a Virus or cracked. This file won't work anymore."
- section: .vmp0
- section: .vmp1
- section: .vmp2
Associated Techniques
Created
June 28, 2022
Last Revised
June 28, 2022