Loader[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Loader.exe
Size

6.7MB
MD5

1a13eb0735a14e25c4a54c7e0ffcbc0f
SHA1

efd0c6aba13912a30f874f9c16582b2fc514dac2
SHA256

730a2f738171b9e83a06f3fb5768c02234e4367833eea0375466f25777dc556f
SHA512

628a78f808a0fc046cfa4d93aec45034a33ac33d5b78a9e70517663e75c9d514957128511f1526f0dd84cf18e17cbc65ef220afc0e9966e4d0086c576d195e1e
SSDEEP

196608:1uxknB4PYhn8MQW4PPvunG0dvl2XAqcv:gxQBCYhn8nWeuB3qk

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Loader.exe

Files

Loader.exe
.exe windows:6 windows x64 arch:x64

20ac1a11062328b492918f76aef1d128

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

HeapDestroy
GetSystemInfo
CheckRemoteDebuggerPresent
IsDebuggerPresent
DebugBreak
GlobalFindAtomA
GetConsoleWindow
GetThreadContext
VirtualProtectEx
LoadLibraryW
HeapSize
InitializeCriticalSectionEx
DeleteCriticalSection
CreateThread
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetModuleFileNameA
GetModuleHandleW
QueryFullProcessImageNameW
HeapReAlloc
Process32Next
GetCurrentThread
GlobalAddAtomA
Sleep
CreateToolhelp32Snapshot
OutputDebugStringA
SetConsoleTitleA
VirtualProtect
FormatMessageA
EnterCriticalSection
LeaveCriticalSection
SleepEx
QueryPerformanceFrequency
GetSystemDirectoryA
VerifyVersionInfoA
QueryPerformanceCounter
GetTickCount
MoveFileExA
WaitForSingleObjectEx
MultiByteToWideChar
GetEnvironmentVariableA
GetStdHandle
GetFileType
ReadFile
PeekNamedPipe
WaitForMultipleObjects
GetFileSizeEx
WideCharToMultiByte
GetLocaleInfoEx
FindClose
FindFirstFileW
GetFileAttributesW
GetFileAttributesExW
WriteProcessMemory
Process32First
FreeLibrary
GetProcessHeap
HeapAlloc
LoadLibraryA
HeapFree
CreateDirectoryA
LocalFree
CreateFileA
GetLastError
OpenProcess
GetCurrentDirectoryA
SetLastError
GetFileAttributesExA
GetCurrentProcess
GetTempPathW
GetFullPathNameW
SetFileInformationByHandle
AreFileApisANSI
GetFileInformationByHandleEx
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GetSystemTimeAsFileTime
InitializeSListHead
OutputDebugStringW
GetCurrentProcessId
GetProcAddress
CloseHandle
GetModuleHandleA
GetCurrentThreadId
CreateFileW
VirtualAlloc
DeviceIoControl
VirtualFree
GetSystemTimeAsFileTime
GetModuleHandleA
CreateEventA
GetModuleFileNameW
LoadLibraryA
TerminateProcess
GetCurrentProcess
CreateToolhelp32Snapshot
Thread32First
GetCurrentProcessId
GetCurrentThreadId
OpenThread
Thread32Next
CloseHandle
SuspendThread
ResumeThread
WriteProcessMemory
GetSystemInfo
VirtualAlloc
VirtualProtect
VirtualFree
GetProcessAffinityMask
SetProcessAffinityMask
GetCurrentThread
SetThreadAffinityMask
Sleep
FreeLibrary
GetTickCount
SystemTimeToFileTime
FileTimeToSystemTime
GlobalFree
LocalAlloc
LocalFree
GetProcAddress
ExitProcess
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
GetModuleHandleW
LoadResource
MultiByteToWideChar
FindResourceExW
FindResourceExA
WideCharToMultiByte
GetThreadLocale
GetUserDefaultLCID
GetSystemDefaultLCID
EnumResourceNamesA
EnumResourceNamesW
EnumResourceLanguagesA
EnumResourceLanguagesW
EnumResourceTypesA
EnumResourceTypesW
CreateFileW
LoadLibraryW
GetLastError
FlushFileBuffers
CreateFileA
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
SetStdHandle
FlsSetValue
GetCommandLineA
RaiseException
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlUnwindEx
HeapFree
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
DecodePointer
FlsGetValue
FlsFree
SetLastError
FlsAlloc
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlCaptureContext
HeapAlloc
LCMapStringA
LCMapStringW
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapSetInformation
HeapCreate
HeapDestroy
QueryPerformanceCounter
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
HeapSize
WriteFile
SetFilePointer
GetConsoleCP
GetConsoleMode
HeapReAlloc
InitializeCriticalSectionAndSpinCount
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

MessageBoxW
ShowWindow
MessageBoxA
FindWindowA
GetUserObjectInformationW
CharUpperBuffW
MessageBoxW
GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

advapi32

ConvertSidToStringSidA
CopySid
SetSecurityInfo
IsValidSid
InitializeAcl
GetTokenInformation
GetLengthSid
AddAccessAllowedAce
RegSetKeyValueW
RegCloseKey
RegDeleteTreeW
RegCreateKeyW
RegOpenKeyW
CryptHashData
CryptDestroyHash
CryptDestroyKey
CryptImportKey
CryptEncrypt
RegSetValueExA
RegDeleteKeyA
RegOpenKeyA
AdjustTokenPrivileges
LookupPrivilegeValueW
RegCreateKeyA
CryptCreateHash
CryptGenRandom
CryptGetHashParam
OpenProcessToken
CryptReleaseContext
CryptAcquireContextA

ole32

StringFromGUID2

msvcp140

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Xbad_function_call@std@@YAXXZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setf@ios_base@std@@QEAAHHH@Z
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
_Xtime_get_ticks
_Query_perf_counter
_Thrd_sleep
_Cnd_do_broadcast_at_thread_exit
?id@?$ctype@D@std@@2V0locale@2@A
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Throw_Cpp_error@std@@YAXH@Z
_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?_Syserror_map@std@@YAPEBDH@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?_Winerror_map@std@@YAHH@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?good@ios_base@std@@QEBA_NXZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z
?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
?uncaught_exceptions@std@@YAHXZ
??Bid@locale@std@@QEAA_KXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??7ios_base@std@@QEBA_NXZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Xout_of_range@std@@YAXPEBD@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ

ntdll

NtQuerySystemInformation
RtlInitUnicodeString
NtUnloadDriver
VerSetConditionMask
NtLoadDriver
RtlInitAnsiString
RtlAnsiStringToUnicodeString

dbghelp

SymLoadModuleEx
SymGetTypeInfo
SymUnloadModule64
SymFromName
SymInitialize
SymGetTypeFromName
SymSetOptions
SymCleanup

urlmon

URLDownloadToFileA

normaliz

IdnToAscii

wldap32

ord30
ord200
ord301
ord27
ord35
ord33
ord22
ord79
ord143
ord217
ord46
ord211
ord32
ord60
ord45
ord50
ord41
ord26

crypt32

CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
PFXImportCertStore
CryptDecodeObjectEx
CryptQueryObject
CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CertAddCertificateContextToStore
CertGetNameStringA
CertFindExtension
CertOpenStore

ws2_32

WSAStartup
WSASetLastError
accept
listen
ioctlsocket
__WSAFDIsSet
select
getaddrinfo
freeaddrinfo
recvfrom
sendto
gethostname
ntohl
socket
setsockopt
ntohs
htons
getsockopt
getsockname
getpeername
connect
bind
WSAGetLastError
recv
closesocket
WSAIoctl
WSACleanup
send
htonl

shlwapi

PathFileExistsA

rpcrt4

UuidCreate
UuidToStringA
RpcStringFreeA

psapi

GetModuleInformation

userenv

UnloadUserProfile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__current_exception_context
__current_exception
_CxxThrowException
__C_specific_handler
memcmp
strrchr
strchr
__std_terminate
wcsstr
__std_exception_copy
__std_exception_destroy
strstr
memchr
memset
memmove
memcpy

api-ms-win-crt-stdio-l1-1-0

_fseeki64
fopen
fputs
__stdio_common_vsscanf
_set_fmode
_popen
_pclose
fgets
fsetpos
feof
fseek
__p__commode
ftell
ungetc
setvbuf
fgetpos
fwrite
_lseeki64
_write
fgetc
_read
__acrt_iob_func
fclose
__stdio_common_vsprintf
_close
fread
fflush
_open
fputc
__stdio_common_vfprintf
_get_stream_buffer_pointers

api-ms-win-crt-utility-l1-1-0

srand
rand
qsort

api-ms-win-crt-filesystem-l1-1-0

rename
_fstat64
_stat64
remove
_unlock_file
_wremove
_access
_unlink
_lock_file

api-ms-win-crt-string-l1-1-0

strncpy
isupper
strspn
tolower
strcspn
_stricmp
strpbrk
_strdup
strncmp
strcmp

api-ms-win-crt-time-l1-1-0

_gmtime64
_time64

api-ms-win-crt-runtime-l1-1-0

_cexit
exit
_seh_filter_exe
_register_onexit_function
_beginthreadex
_configure_narrow_argv
_getpid
_initialize_narrow_environment
system
terminate
_set_app_type
_invalid_parameter_noinfo_noreturn
_errno
_crt_atexit
_get_initial_narrow_environment
_initterm
_initterm_e
_exit
_invalid_parameter_noinfo
_register_thread_local_exe_atexit_callback
__p___argc
strerror
__sys_nerr
_resetstkoflw
_c_exit
_initialize_onexit_table
__p___argv

api-ms-win-crt-heap-l1-1-0

realloc
_set_new_mode
calloc
free
_callnewh
malloc

api-ms-win-crt-convert-l1-1-0

strtoul
strtoull
strtoll
strtol
strtod
_itoa_s
atoi
wcstombs_s

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-locale-l1-1-0

localeconv
___lc_codepage_func
_configthreadlocale

api-ms-win-crt-math-l1-1-0

__setusermatherr
_dclass

shell32

ShellExecuteA

wtsapi32

WTSSendMessageW

Sections

.text
Size: - Virtual size: 736KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 219KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 47KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 4.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 6.6MB - Virtual size: 6.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 180B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 163KB - Virtual size: 162KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

20ac1a11062328b492918f76aef1d128

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

ole32

msvcp140

ntdll

dbghelp

urlmon

normaliz

wldap32

crypt32

ws2_32

shlwapi

rpcrt4

psapi

userenv

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

shell32

wtsapi32

Sections

.text Size: - Virtual size: 736KB

.rdata Size: - Virtual size: 219KB

.data Size: - Virtual size: 47KB

.pdata Size: - Virtual size: 22KB

.vmp0 Size: - Virtual size: 4.4MB

.vmp1 Size: 6.6MB - Virtual size: 6.6MB

.reloc Size: 512B - Virtual size: 180B

.rsrc Size: 163KB - Virtual size: 162KB

.text
Size: - Virtual size: 736KB

.rdata
Size: - Virtual size: 219KB

.data
Size: - Virtual size: 47KB

.pdata
Size: - Virtual size: 22KB

.vmp0
Size: - Virtual size: 4.4MB

.vmp1
Size: 6.6MB - Virtual size: 6.6MB

.reloc
Size: 512B - Virtual size: 180B

.rsrc
Size: 163KB - Virtual size: 162KB