ExitLoader[.]exe

Resubmissions

14/10/2023, 18:18

231014-wxnl3sed5z 3

14/10/2023, 18:12

231014-wtak2sed3t 3

Sharing

Copy URL

Twitter E-mail

General

Target

ExitLoader.exe
Size

426KB
MD5

69ca180075ebeb0fdc5e699e681d49ca
SHA1

f654cdeb8f16322c59f2f401ce9195e9537dd15e
SHA256

fee76969134facebda3efea8f7e6a8691db28d50d1e58ee4627061bf76b70424
SHA512

3bdc5a4d2d32cd702b45912c459f6116a8e4dbebe79d135eecd42939656737b010b21766aeca4bbfba89462cc30538280cfb46931fa17857e1f623d85bba8f6d
SSDEEP

12288:UfJ33xWzr4IVSM0GwsI9Q2D472tZen+OeO+OeNhBBhhBB6xYWsnjzBGc+LBaG:UfZ3xTkIu2DXtZe3xJsjkc+LBaG

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
ExitLoader.exe

Files

ExitLoader.exe
.exe windows:6 windows x86

e9e3e103b34477e2d2a501be17a36469

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetStdHandle
ExpandEnvironmentStringsW
WaitForSingleObject
lstrcmpA
OpenProcess
CreateToolhelp32Snapshot
Sleep
GetLastError
Process32NextW
GetCurrentProcess
Process32FirstW
CloseHandle
LoadLibraryW
GetProcAddress
VirtualAllocEx
GetModuleHandleW
CreateRemoteThread
VirtualFreeEx
GetCurrentThreadId
WriteProcessMemory
SetConsoleTextAttribute
GetVolumeInformationW
LoadLibraryA
CreateDirectoryW
GetCurrentProcessId
IsDebuggerPresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsProcessorFeaturePresent
InitializeSListHead
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
WideCharToMultiByte
MultiByteToWideChar
GetFileInformationByHandleEx
AreFileApisANSI
GetFileAttributesExW
FindFirstFileW
FindClose
CreateFileW
GetLocaleInfoEx
FormatMessageA
LocalFree
QueryPerformanceFrequency
QueryPerformanceCounter
SetLastError
GetSystemTimeAsFileTime

comdlg32

GetOpenFileNameW

advapi32

GetTokenInformation
OpenProcessToken

shell32

ShellExecuteW

msvcp140

?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ
?getloc@ios_base@std@@QBE?AVlocale@2@XZ
?good@ios_base@std@@QBE_NXZ
?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?always_noconv@codecvt_base@std@@QBE_NXZ
??Bid@locale@std@@QAEIXZ
?_Xinvalid_argument@std@@YAXPBD@Z
?uncaught_exceptions@std@@YAHXZ
_Thrd_id
_Mtx_init_in_situ
_Mtx_destroy_in_situ
_Mtx_lock
_Mtx_unlock
?_Throw_C_error@std@@YAXH@Z
_Strcoll
_Strxfrm
??0_Locinfo@std@@QAE@PBD@Z
??1_Locinfo@std@@QAE@XZ
?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ
?c_str@?$_Yarn@D@std@@QBEPBDXZ
??0facet@locale@std@@IAE@I@Z
??1facet@locale@std@@MAE@XZ
?_Init@locale@std@@CAPAV_Locimp@12@_N@Z
?tolower@?$ctype@D@std@@QBEDD@Z
?tolower@?$ctype@D@std@@QBEPBDPADPBD@Z
??Bios_base@std@@QBE_NXZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD0@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z
??_D?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
?_Xbad_function_call@std@@YAXXZ
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?_Incref@facet@locale@std@@UAEXXZ
?_Decref@facet@locale@std@@UAEPAV_Facet_base@3@XZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z
?seekpos@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE?AV?$fpos@U_Mbstatet@@@2@V32@H@Z
?seekoff@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE?AV?$fpos@U_Mbstatet@@@2@_JHH@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?underflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?pbackfail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHH@Z
?overflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHH@Z
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?id@?$collate@D@std@@2V0locale@2@A
?set_new_handler@std@@YAP6AXXZP6AXXZ@Z
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1_Lockit@std@@QAE@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ
?_Syserror_map@std@@YAPBDH@Z
?_Xlength_error@std@@YAXPBD@Z
?_Random_device@std@@YAIXZ
?id@?$ctype@D@std@@2V0locale@2@A
?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Winerror_map@std@@YAHH@Z
?_Xout_of_range@std@@YAXPBD@Z
?_Xbad_alloc@std@@YAXXZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?uncaught_exception@std@@YA_NXZ
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
??0_Lockit@std@@QAE@H@Z

ws2_32

getnameinfo
freeaddrinfo
getaddrinfo
WSASocketW
WSAGetLastError
WSACleanup
socket
shutdown
setsockopt
send
select
recv
ntohs
getsockopt
getsockname
getpeername
connect
closesocket
__WSAFDIsSet
WSAStartup
ioctlsocket

bcrypt

BCryptOpenAlgorithmProvider
BCryptCloseAlgorithmProvider
BCryptGenRandom

vcruntime140

__current_exception_context
__current_exception
memchr
_CxxThrowException
__std_type_info_name
__std_type_info_compare
_except_handler4_common
memset
memmove
memcpy
memcmp
_purecall
__std_terminate
__std_exception_copy
__std_exception_destroy
__CxxFrameHandler3
strchr

api-ms-win-crt-runtime-l1-1-0

__p___argc
__p___argv
_c_exit
_register_thread_local_exe_atexit_callback
_cexit
_invalid_parameter_noinfo
_seh_filter_exe
_controlfp_s
_initterm
_initialize_onexit_table
_crt_atexit
_initialize_narrow_environment
_errno
_initterm_e
_configure_narrow_argv
system
_get_initial_narrow_environment
_set_app_type
exit
_exit
_register_onexit_function
terminate
_invalid_parameter_noinfo_noreturn

api-ms-win-crt-stdio-l1-1-0

fread
__stdio_common_vsprintf
__stdio_common_vfscanf
setvbuf
fputc
fsetpos
fwrite
fgetc
__stdio_common_vfprintf
fclose
fflush
fgetpos
__p__commode
_set_fmode
_get_stream_buffer_pointers
ungetc
_fseeki64
__acrt_iob_func

api-ms-win-crt-heap-l1-1-0

realloc
_callnewh
_aligned_free
malloc
_aligned_malloc
free
_set_new_mode

api-ms-win-crt-filesystem-l1-1-0

_unlock_file
_lock_file

api-ms-win-crt-convert-l1-1-0

strtol
wcstombs_s
strtoull
strtoul
strtoll
strtod

api-ms-win-crt-math-l1-1-0

__setusermatherr
_dtest
_dsign

api-ms-win-crt-utility-l1-1-0

rand
_byteswap_ulong

api-ms-win-crt-string-l1-1-0

strlen
strcmp
tolower
strncmp
isdigit
_stricmp

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
localeconv
_configthreadlocale

api-ms-win-crt-time-l1-1-0

_time64

Sections

.text
Size: 275KB - Virtual size: 275KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 109KB - Virtual size: 109KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

e9e3e103b34477e2d2a501be17a36469

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

comdlg32

advapi32

shell32

msvcp140

ws2_32

bcrypt

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-time-l1-1-0

Sections

.text Size: 275KB - Virtual size: 275KB

.rdata Size: 109KB - Virtual size: 109KB

.data Size: 20KB - Virtual size: 30KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 19KB - Virtual size: 19KB

.text
Size: 275KB - Virtual size: 275KB

.rdata
Size: 109KB - Virtual size: 109KB

.data
Size: 20KB - Virtual size: 30KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 19KB - Virtual size: 19KB