aresloader | 7572b5b6b1f0ea8e857de568898cf97139c4e5237b835c61fea7d91a6f1155fb

Analysis

max time kernel
15s
max time network
19s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
11-09-2023 03:21

Target

aresloader.exe
Size

1.5MB
MD5

82acd827f36e29c05e6581558b0d76ca
SHA1

bd43089a78e97b66064b37d72f086f4c042a4c91
SHA256

7572b5b6b1f0ea8e857de568898cf97139c4e5237b835c61fea7d91a6f1155fb
SHA512

cdf9077fb0c06a9fc38dc0aa630345adfb65bfb264d03d7b56b0961f02798f8bce49fcfa28fd40671a02e1e385ac0c4c2a3f914b1d0b64a844462be2127b261f
SSDEEP

24576:f/f6OAqD+EoVeQExeVATaXAuQ5x3f3TWH5x:faOAU+M/WH5x

Score

10^/10

aresloader loader

Family

aresloader

http://45.80.69.193

AresLoader
AresLoader is a loader and downloader written in C++.
loader aresloader

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ipinfo.io
2	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5024 set thread context of 4212	5024	aresloader.exe	69

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 5024 wrote to memory of 4212	5024	aresloader.exe	69
PID 4212 wrote to memory of 4864	4212	aresloader.exe	70
PID 4212 wrote to memory of 4864	4212	aresloader.exe	70
PID 4212 wrote to memory of 4864	4212	aresloader.exe	70
PID 4864 wrote to memory of 2052	4864	cmd.exe	72
PID 4864 wrote to memory of 2052	4864	cmd.exe	72
PID 4864 wrote to memory of 2052	4864	cmd.exe	72

C:\Users\Admin\AppData\Roaming\MicrosoftSetup\MsMpEng.exe

Filesize
153B

MD5
cd31d1bda62e6c59e395bcd54ea7b23f

SHA1
8be312a526cda4e722942b168514c5a25ad57870

SHA256
5c829b1bc9a371935075b06108fa9f9aa1d2f00098db46650d6bea3d58099da0

SHA512
4e960c9794b0cbdcc375d4f8844d8ffb5ddbab73fdb1ff96b95859eac41118e48b27c23aa90b9737ca2fa3c87505e12466b966ad2f55d396bbd4ab0efa3a13ea

Download Submit
memory/4212-2-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/4212-5-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/4212-6-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/4212-23-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/5024-1-0x0000000002E10000-0x0000000002F10000-memory.dmp

Filesize
1024KB

Download
memory/5024-3-0x0000000004890000-0x00000000049CD000-memory.dmp

Filesize
1.2MB

Download