Loader[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Loader.exe
Size

153KB
MD5

90c2376b554b824f28fbcf6e9e0b137e
SHA1

9965f3794cff1862c3ca8ea12827ffe6df95fc76
SHA256

f5649bbbd339edac2cf043380eeb51017e2a04a02572997589398f4de33398fb
SHA512

9ee6f92b0f1fa7f7ab832907944bd10294727ddc1393ad5d5ec135e12e1f153a9e67d8b7281959ba2784cca606108bab3695888f7c6dedd968ce1862f64257e8
SSDEEP

3072:nGtHEJC8sRzs/1ylG6hUU1d7VuT/V5JChv35NFm4mgwGXjMpgB8W:n0HEKqdylVhUUv58nJCnlMpgB8

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Loader.exe

Files

Loader.exe
.exe windows:6 windows x64 arch:x64

4f682edf06b98c0949adc6b8a2bd39d5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ws2_32

socket
WSAConnectByNameW
WSARecv
WSAGetOverlappedResult
setsockopt
WSAGetLastError
WSAResetEvent
WSACleanup
closesocket
WSASend
WSACloseEvent
WSACreateEvent
WSAStartup

kernel32

CreateFileW
FindClose
FindFirstFileW
FindFirstFileExW
FindNextFileW
GetFileAttributesExW
CreateDirectoryW
TerminateProcess
SetFileInformationByHandle
Process32FirstW
DeviceIoControl
GetModuleHandleW
GetCurrentDirectoryW
RtlCaptureContext
lstrcmpW
CopyFileW
GetFileInformationByHandle
GetCurrentProcess
WideCharToMultiByte
CreateProcessW
CloseHandle
CreateEventW
GetModuleFileNameW
GetCurrentThreadId
CreateSymbolicLinkW
GetWindowsDirectoryW
CreateToolhelp32Snapshot
Process32NextW
AreFileApisANSI
GetFileInformationByHandleEx
OpenProcess
GetLastError
WaitForMultipleObjects
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
InitializeSListHead
GetLocaleInfoEx
FormatMessageA
LocalFree
MoveFileExW
RtlLookupFunctionEntry

user32

GetDesktopWindow
EndPaint
LoadCursorW
LoadIconW
TranslateMessage
PostQuitMessage
BeginPaint
CreateWindowExW
PeekMessageW
RedrawWindow
DispatchMessageW
DefWindowProcW
GetWindowRect
ShowWindow
SetWindowPos
FillRect
DestroyWindow
UnregisterClassW
RegisterClassExW

gdi32

TextOutW
SetTextColor
SetBkMode
GetStockObject

advapi32

GetTokenInformation
OpenProcessToken

msvcp140

?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Syserror_map@std@@YAPEBDH@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
_Query_perf_frequency
?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Random_device@std@@YAIXZ
?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A
_Thrd_sleep
_Query_perf_counter
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXXZ
??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
??0?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?_Pninc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAPEA_WXZ
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z
??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z
??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAGXZ
?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEA_W_J@Z
?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEB_W_J@Z
?setbuf@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAPEAV12@PEA_W_J@Z
?sync@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?imbue@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAA?AVlocale@2@AEBV32@@Z
??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z
??1?$basic_istream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??1?$basic_iostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ
?_Getcat@?$codecvt@_WDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z
?unshift@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?out@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z
?in@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEA_W3AEAPEA_W@Z
?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Incref@facet@locale@std@@UEAAXXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Winerror_map@std@@YAHH@Z
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
?_Xout_of_range@std@@YAXPEBD@Z
_Xtime_get_ticks
?good@ios_base@std@@QEBA_NXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?uncaught_exceptions@std@@YAHXZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ

crypt32

CertFindCertificateInStore
CertGetNameStringW
CertFindExtension
CertCloseStore
CertOpenStore
CertFreeCertificateChain
CertDuplicateCertificateContext
CertFreeCertificateContext
CertGetCertificateChain
CertFindChainInStore
CryptDecodeObject
CertVerifyCertificateChainPolicy
CryptAcquireCertificatePrivateKey

secur32

InitSecurityInterfaceW

dnsapi

DnsNameCompare_W

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_exception_destroy
memmove
__std_exception_copy
__std_terminate
_purecall
__C_specific_handler
memset
__current_exception_context
__current_exception
memchr
memcmp
memcpy
_CxxThrowException

api-ms-win-crt-stdio-l1-1-0

fputwc
fflush
fclose
ungetwc
fgetwc
fgetc
fwrite
fgetpos
__stdio_common_vsprintf_s
setvbuf
_set_fmode
ungetc
fsetpos
fread
_get_stream_buffer_pointers
__p__commode
fputc
_fseeki64

api-ms-win-crt-runtime-l1-1-0

_seh_filter_exe
_crt_atexit
_exit
_initterm_e
_initialize_onexit_table
_register_thread_local_exe_atexit_callback
_initterm
exit
_get_wide_winmain_command_line
_initialize_wide_environment
terminate
_invalid_parameter_noinfo_noreturn
_cexit
_register_onexit_function
_configure_wide_argv
_set_app_type
_c_exit
_invalid_parameter_noinfo
_errno

api-ms-win-crt-heap-l1-1-0

malloc
_callnewh
free
_set_new_mode

api-ms-win-crt-convert-l1-1-0

_itow_s
strtol

api-ms-win-crt-string-l1-1-0

wcscpy_s
towupper

api-ms-win-crt-filesystem-l1-1-0

_unlock_file
_lock_file

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
___lc_codepage_func

api-ms-win-crt-math-l1-1-0

__setusermatherr

Sections

.text
Size: 101KB - Virtual size: 100KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 40KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 580B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4f682edf06b98c0949adc6b8a2bd39d5

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

kernel32

user32

gdi32

advapi32

msvcp140

crypt32

secur32

dnsapi

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

Sections

.text Size: 101KB - Virtual size: 100KB

.rdata Size: 40KB - Virtual size: 39KB

.data Size: 4KB - Virtual size: 5KB

.pdata Size: 5KB - Virtual size: 5KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 1024B - Virtual size: 580B

.text
Size: 101KB - Virtual size: 100KB

.rdata
Size: 40KB - Virtual size: 39KB

.data
Size: 4KB - Virtual size: 5KB

.pdata
Size: 5KB - Virtual size: 5KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 1024B - Virtual size: 580B