loader[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

loader.exe
Size

6.1MB
MD5

f881f622f61a015633c78c361e6811e3
SHA1

a096e588ad7c1a83eddbf55a0075cd629c0b1297
SHA256

7f2054078931f87a5662d9edaa77505b62880f6fdc4d092875dc1eef2cef5bd9
SHA512

44a8716dd20bb89bfab44ede37af4d76f360fb8b0b2ddba7f8ec2c588eb18e2f3a1871f1bb25cc35fd169801c7f749ba1a5c85dfa5389befd5b746cf49d7dbaa
SSDEEP

98304:lP2ALk5qRaaUGzm7ub343+yihLdSfHvOPG+6HK4HM7GP7asE2VKZ:lptLUGVb343+yc5UvrM6P7vFIZ

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
loader.exe

Files

loader.exe
.exe windows:6 windows x64 arch:x64

3d31c3b6cbf6ca760aae257bb2177a4e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ws2_32

WSACleanup
WSACloseEvent
WSACreateEvent
WSAEnumNetworkEvents
WSAEventSelect
WSAGetLastError
WSAIoctl
WSAResetEvent
WSASetLastError
WSAStartup
WSAWaitForMultipleEvents
__WSAFDIsSet
accept
bind
closesocket
connect
freeaddrinfo
getaddrinfo
getpeername
getsockname
getsockopt
htonl
htons
inet_addr
inet_ntoa
inet_ntop
inet_pton
ioctlsocket
listen
ntohs
recv
recvfrom
select
send
sendto
setsockopt
socket

advapi32

CloseServiceHandle
CreateServiceW
CryptAcquireContextA
CryptCreateHash
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptReleaseContext
LookupPrivilegeValueA
OpenSCManagerW
OpenServiceW
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
StartServiceW

ntdll

NtAdjustPrivilegesToken
NtAllocateVirtualMemory
NtClose
NtCreateFile
NtDeviceIoControlFile
NtFreeVirtualMemory
NtLoadDriver
NtOpenFile
NtOpenProcess
NtOpenProcessToken
NtQueryInformationFile
NtQueryInformationProcess
NtQuerySystemInformation
NtReadFile
NtReadVirtualMemory
NtWriteVirtualMemory
RtlCaptureContext
RtlGetVersion
RtlLookupFunctionEntry
RtlVirtualUnwind
VerSetConditionMask

kernel32

AcquireSRWLockExclusive
AcquireSRWLockShared
AreFileApisANSI
CloseHandle
CreateDirectoryW
CreateEventA
CreateFileA
CreateFileMappingW
CreateFileW
CreateMutexW
CreateRemoteThread
CreateThread
CreateToolhelp32Snapshot
DeleteCriticalSection
DeviceIoControl
EnterCriticalSection
ExitThread
FillConsoleOutputAttribute
FillConsoleOutputCharacterA
FindClose
FindFirstFileW
FormatMessageA
FormatMessageW
FreeLibrary
GetConsoleMode
GetConsoleScreenBufferInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentVariableA
GetExitCodeThread
GetFileAttributesExW
GetFileAttributesW
GetFileInformationByHandleEx
GetFileSizeEx
GetFirmwareEnvironmentVariableA
GetLargePageMinimum
GetLastError
GetLocaleInfoEx
GetModuleHandleA
GetModuleHandleW
GetNumberOfConsoleInputEvents
GetProcAddress
GetStdHandle
GetSystemDirectoryA
GetSystemInfo
GetSystemTimeAsFileTime
GetTempPathW
GetTickCount
GlobalMemoryStatusEx
InitOnceBeginInitialize
InitOnceComplete
InitializeCriticalSection
InitializeCriticalSectionEx
InitializeSListHead
IsDebuggerPresent
IsProcessorFeaturePresent
LeaveCriticalSection
LoadLibraryA
LoadLibraryExA
LocalFree
MapViewOfFile
MoveFileExA
MultiByteToWideChar
Process32FirstW
Process32NextW
QueryDosDeviceW
QueryPerformanceCounter
QueryPerformanceFrequency
ReadConsoleInputW
ReadFile
ReleaseMutex
ReleaseSRWLockExclusive
ReleaseSRWLockShared
SetConsoleCP
SetConsoleCursorPosition
SetConsoleMode
SetConsoleOutputCP
SetEvent
SetLastError
SetUnhandledExceptionFilter
Sleep
SleepConditionVariableSRW
SleepEx
SwitchToThread
TerminateProcess
UnhandledExceptionFilter
UnmapViewOfFile
VerifyVersionInfoW
VirtualAlloc
VirtualFree
VirtualQueryEx
WaitForSingleObject
WaitForSingleObjectEx
WakeAllConditionVariable
WideCharToMultiByte

msvcp140

??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
??0_Lockit@std@@QEAA@H@Z
??0facet@locale@std@@IEAA@_K@Z
??0ios_base@std@@IEAA@XZ
??0task_continuation_context@Concurrency@@AEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1_Locinfo@std@@QEAA@XZ
??1_Lockit@std@@QEAA@XZ
??1facet@locale@std@@MEAA@XZ
??1ios_base@std@@UEAA@XZ
?GetCurrentThreadId@platform@details@Concurrency@@YAJXZ
?_CallInContext@_ContextCallback@details@Concurrency@@QEBAXV?$function@$$A6AXXZ@std@@_N@Z
?_Capture@_ContextCallback@details@Concurrency@@AEAAXXZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Id_cnt@id@locale@std@@0HA
?_Incref@facet@locale@std@@UEAAXXZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_LogCancelTask@_TaskEventLogger@details@Concurrency@@QEAAXXZ
?_LogScheduleTask@_TaskEventLogger@details@Concurrency@@QEAAX_N@Z
?_LogTaskCompleted@_TaskEventLogger@details@Concurrency@@QEAAXXZ
?_LogTaskExecutionCompleted@_TaskEventLogger@details@Concurrency@@QEAAXXZ
?_LogWorkItemCompleted@_TaskEventLogger@details@Concurrency@@QEAAXXZ
?_LogWorkItemStarted@_TaskEventLogger@details@Concurrency@@QEAAXXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Release_chore@details@Concurrency@@YAXPEAU_Threadpool_chore@12@@Z
?_Reset@_ContextCallback@details@Concurrency@@AEAAXXZ
?_Schedule_chore@details@Concurrency@@YAHPEAU_Threadpool_chore@12@@Z
?_Syserror_map@std@@YAPEBDH@Z
?_Throw_Cpp_error@std@@YAXH@Z
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Winerror_map@std@@YAHH@Z
?_Xbad_alloc@std@@YAXXZ
?_Xbad_function_call@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?__ExceptionPtrCreate@@YAXPEAX@Z
?__ExceptionPtrDestroy@@YAXPEAX@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
?__ExceptionPtrToBool@@YA_NPEBX@Z
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?fail@ios_base@std@@QEBA_NXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?good@ios_base@std@@QEBA_NXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?id@?$numpunct@D@std@@2V0locale@2@A
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IEAAXPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?uncaught_exceptions@std@@YAHXZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
_Cnd_broadcast
_Cnd_destroy_in_situ
_Cnd_do_broadcast_at_thread_exit
_Cnd_init_in_situ
_Cnd_register_at_thread_exit
_Cnd_signal
_Cnd_timedwait
_Cnd_unregister_at_thread_exit
_Cnd_wait
_Mtx_current_owns
_Mtx_destroy_in_situ
_Mtx_init_in_situ
_Mtx_lock
_Mtx_unlock
_Query_perf_counter
_Query_perf_frequency
_Thrd_id
_Thrd_join
_Thrd_sleep
_Thrd_yield
_Xtime_get_ticks

ncrypt

NCryptFreeObject
NCryptGetProperty
NCryptOpenStorageProvider

dxgi

CreateDXGIFactory

bcrypt

BCryptGenRandom

crypt32

CertAddCertificateContextToStore
CertCloseStore
CertCreateCertificateChainEngine
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFindExtension
CertFreeCertificateChain
CertFreeCertificateChainEngine
CertFreeCertificateContext
CertGetCertificateChain
CertGetNameStringA
CertOpenStore
CryptDecodeObjectEx
CryptQueryObject
CryptStringToBinaryA
PFXImportCertStore

vcruntime140

_CxxThrowException
__C_specific_handler
__current_exception
__current_exception_context
__std_exception_copy
__std_exception_destroy
_purecall
memchr
memcmp
memcpy
memmove
memset
strchr
strrchr
strstr

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
_configthreadlocale
localeconv

api-ms-win-crt-stdio-l1-1-0

__acrt_iob_func
__p__commode
__stdio_common_vsprintf
__stdio_common_vsscanf
_close
_fileno
_fseeki64
_get_stream_buffer_pointers
_open
_set_fmode
fclose
feof
fflush
fgetc
fgetpos
fgets
fopen
fputc
fread
fseek
fsetpos
ftell
fwrite
setvbuf
ungetc

api-ms-win-crt-runtime-l1-1-0

__p___argc
__p___argv
__sys_errlist
__sys_nerr
_beginthreadex
_c_exit
_cexit
_configure_narrow_argv
_crt_atexit
_errno
_exit
_get_initial_narrow_environment
_initialize_narrow_environment
_initialize_onexit_table
_initterm
_initterm_e
_invalid_parameter_noinfo_noreturn
_register_onexit_function
_register_thread_local_exe_atexit_callback
_seh_filter_exe
_set_app_type
abort
exit
signal
terminate

api-ms-win-crt-filesystem-l1-1-0

_access
_fstat64
_lock_file
_stat64
_unlink
_unlock_file

api-ms-win-crt-math-l1-1-0

__setusermatherr
_dsign
_dtest
_fdopen
_fdsign
_fdtest
_ldsign
_ldtest
ceilf
powf

api-ms-win-crt-time-l1-1-0

_gmtime64
_time64
strftime

api-ms-win-crt-string-l1-1-0

_strdup
_strnicmp
strcmp
strcpy
strcspn
strlen
strncmp
strncpy
strpbrk
strspn
wcslen

api-ms-win-crt-convert-l1-1-0

atoi
strtol
strtoll
strtoul
wcstombs

api-ms-win-crt-heap-l1-1-0

_callnewh
_set_new_mode
calloc
free
malloc
realloc

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-utility-l1-1-0

qsort

Sections

.text
Size: 901KB - Virtual size: 901KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 357KB - Virtual size: 356KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 75KB - Virtual size: 79KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.00cfg
Size: 512B - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_sysc
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 432B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.vlizer
Size: 4.8MB - Virtual size: 16.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

3d31c3b6cbf6ca760aae257bb2177a4e

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

advapi32

ntdll

kernel32

msvcp140

ncrypt

dxgi

bcrypt

crypt32

vcruntime140

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-utility-l1-1-0

Sections

.text Size: 901KB - Virtual size: 901KB

.rdata Size: 357KB - Virtual size: 356KB

.data Size: 75KB - Virtual size: 79KB

.pdata Size: 22KB - Virtual size: 21KB

.00cfg Size: 512B - Virtual size: 56B

.tls Size: 512B - Virtual size: 9B

_sysc Size: 512B - Virtual size: 4B

.rsrc Size: 512B - Virtual size: 432B

.reloc Size: - Virtual size: 5KB

.vlizer Size: 4.8MB - Virtual size: 16.9MB

.text
Size: 901KB - Virtual size: 901KB

.rdata
Size: 357KB - Virtual size: 356KB

.data
Size: 75KB - Virtual size: 79KB

.pdata
Size: 22KB - Virtual size: 21KB

.00cfg
Size: 512B - Virtual size: 56B

.tls
Size: 512B - Virtual size: 9B

_sysc
Size: 512B - Virtual size: 4B

.rsrc
Size: 512B - Virtual size: 432B

.reloc
Size: - Virtual size: 5KB

.vlizer
Size: 4.8MB - Virtual size: 16.9MB