{"id":8003,"date":"2024-06-18T10:36:46","date_gmt":"2024-06-18T10:36:46","guid":{"rendered":"\/cybersecurity-blog\/?p=8003"},"modified":"2024-07-31T09:33:31","modified_gmt":"2024-07-31T09:33:31","slug":"vmprotect-themida-malware-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/vmprotect-themida-malware-analysis\/","title":{"rendered":"Analyzing Malware Protected with Themida and VMprotect: Is It Really That Hard?"},"content":{"rendered":"\n

Malware authors use protectors like Themida and VMProtect in the hope that they will completely prevent analysts from reversing samples.  <\/p>\n\n\n\n

These protectors can use sophisticated techniques to hide malicious functionality: code virtualization, obfuscation, anti-debugging, compression, and encryption<\/a>. (We’ll see later in the article why we said “can.”)  <\/p>\n\n\n\n

So, do Themida and VMProtect really always prevent something interesting from being extracted from malicious samples, like C2 servers, strings, or analyzable code? <\/p>\n\n\n\n

To answer that question, we’ll analyze malware samples from different families that use Themida and VMProtect and compare the specific protection mechanisms they use. <\/p>\n\n\n\n

Research results <\/h2>\n\n\n\n

Our analysis is quite detailed, so to make it easier to keep up, we’ll take a somewhat unusual approach and start with the results. <\/p>\n\n\n\n

The table below shows our findings for six malware families \u2014 all of which use protectors. The table ranks them from least to most difficult to analyze. <\/p>\n\n\n\n

\n \n\n \n \n \n \n \n \n \n \n
\n <\/td>\n \n Compressed\/
encrypted\u00a0\u00a0 <\/td>\n 		\n \u00a0Virtualization\u00a0 <\/td>\n \n Obfuscation\u00a0 <\/td>\n \n Anti-debug <\/td>\n \n What is encrypted in the dump <\/td>\n <\/tr>\n
\n Strings\u00a0 <\/td>\n \n \u04212\u00a0 <\/td>\n <\/tr>\n
\n Arkei (VMP)\u00a0 <\/td>\n \n +\u00a0 <\/td>\n \n -\u00a0 <\/td>\n \n Only\u00a0
unpacker\u00a0 <\/td>\n 		\n -\u00a0 <\/td>\n \n -\u00a0 <\/td>\n \n -\u00a0 <\/td>\n <\/tr>\n
\n RisePro (Themida)\u00a0 <\/td>\n \n +\u00a0 <\/td>\n \n -\u00a0 <\/td>\n \n Only unpacker\u00a0 <\/td>\n \n -\u00a0 <\/td>\n \n +\u00a0 <\/td>\n \n -\u00a0 <\/td>\n <\/tr>\n
\n RisePro (VMP)\u00a0 <\/td>\n \n +\u00a0 <\/td>\n \n -\u00a0 <\/td>\n \n Only unpacker\u00a0 <\/td>\n \n -\u00a0 <\/td>\n \n +\u00a0 <\/td>\n \n -\u00a0 <\/td>\n <\/tr>\n
\n PrivateLoader (VMP)\u00a0 <\/td>\n \n +\u00a0 <\/td>\n \n -\u00a0 <\/td>\n \n Only unpacker\u00a0 <\/td>\n \n -\u00a0 <\/td>\n \n +\u00a0 <\/td>\n \n +\u00a0 <\/td>\n <\/tr>\n
\n Amadey (Themida)\u00a0 <\/td>\n \n +\u00a0 <\/td>\n \n -\u00a0 <\/td>\n \n Only unpacker\u00a0 <\/td>\n \n +\u00a0 <\/td>\n \n +\u00a0 <\/td>\n \n +\u00a0 <\/td>\n <\/tr>\n
\n Lumma (VMP)\u00a0 <\/td>\n \n +\u00a0 <\/td>\n \n -\u00a0 <\/td>\n \n Control flow flattening technique\u00a0 <\/td>\n \n -\u00a0 <\/td>\n \n -\u00a0 <\/td>\n \n -\u00a0 <\/td>\n <\/tr>\n <\/table>\n<\/div>