CheraxLoader[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

CheraxLoader.exe
Size

2.9MB
MD5

ef4b3022ac595d2e995ce72887ec7a8a
SHA1

db848157152f41193c4e52ad95270296391226b3
SHA256

e4ab7594e0a902e78f00cd89fcf575079c51939b68da4150159def7547010f03
SHA512

38ed672131996eb78efbf2df602b8a562adb8fb3f65abc8ba4561bdd5b6696016e87402e872b7d665dd101839f65e6e89db61723acadca7d8f604f589da0c429
SSDEEP

49152:CleAoP9mPjVhHeV8nWuYf8GNQWsS3sM+8jWkj5OMoMB5rk8:Cl81XVmJasRM+IO

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
CheraxLoader.exe

Files

CheraxLoader.exe
.exe windows:6 windows x64 arch:x64

3e190570e6192bb56b4a5f4f0252d64e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\fasbe\source\repos\ImCytox\Cherax\bin\Final\CheraxLoader.pdb

Imports

kernel32

WaitForSingleObjectEx
GetFileType
PeekNamedPipe
WaitForMultipleObjects
GetStdHandle
WakeAllConditionVariable
SleepConditionVariableSRW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
ReadFile
SleepEx
Sleep
GetEnvironmentVariableA
VerifyVersionInfoW
GetTickCount
DeleteCriticalSection
InitializeCriticalSectionEx
LeaveCriticalSection
EnterCriticalSection
LoadLibraryW
GetSystemDirectoryW
FormatMessageW
SetLastError
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
GlobalUnlock
GlobalLock
GlobalFree
GlobalAlloc
QueryPerformanceCounter
FreeLibrary
VerSetConditionMask
UnhandledExceptionFilter
LoadLibraryA
WideCharToMultiByte
MultiByteToWideChar
GetFileInformationByHandleEx
MoveFileExW
AreFileApisANSI
SetFileInformationByHandle
GetFileAttributesExW
FindFirstFileW
FindClose
CreateFileW
CreateDirectoryW
GetLocaleInfoEx
FormatMessageA
LocalFree
HeapFree
MapViewOfFile
UnmapViewOfFile
CreateFileMappingA
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
CreateFileA
GetModuleHandleW
ConnectNamedPipe
DisconnectNamedPipe
WriteFile
CreateNamedPipeA
VirtualFreeEx
CreateRemoteThread
CreateProcessW
VirtualAllocEx
GetProcAddress
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
OpenProcess
GetModuleHandleA
WriteProcessMemory
GetLastError
CreateProcessA
GetCurrentProcessId
GetComputerNameW
GetFileSizeEx
GetModuleFileNameA
ExitProcess
SetFileAttributesA
CloseHandle
GetFileAttributesA
GetVolumeInformationA
QueryPerformanceFrequency
HeapAlloc

user32

ClientToScreen
TrackMouseEvent
LoadCursorW
SetClipboardData
GetKeyState
SetCapture
ScreenToClient
SetCursor
GetClipboardData
MessageBoxA
GetClientRect
FindWindowA
SetForegroundWindow
UpdateWindow
PostQuitMessage
CloseClipboard
SetFocus
GetForegroundWindow
PeekMessageW
DispatchMessageW
ShowWindow
RegisterClassExW
UnregisterClassW
ReleaseCapture
CreateWindowExW
SetActiveWindow
SetWindowPos
DestroyWindow
GetWindowRect
DefWindowProcW
GetActiveWindow
GetCapture
SetCursorPos
EmptyClipboard
OpenClipboard
TranslateMessage
GetCursorPos

advapi32

RegQueryValueExW
RegOpenKeyExW
RegCloseKey
GetUserNameA
CryptGetHashParam
CryptDestroyHash
CryptDestroyKey
CryptEncrypt
CryptImportKey
CryptAcquireContextW
CryptCreateHash
CryptHashData
CryptReleaseContext

shell32

ShellExecuteW
SHGetFolderPathA

msvcp140

?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Init@ios_base@std@@IEAAXXZ
??0ios_base@std@@IEAA@XZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?clear@ios_base@std@@QEAAXH_N@Z
??1ctype_base@std@@UEAA@XZ
??0ctype_base@std@@QEAA@_K@Z
?do_encoding@codecvt_base@std@@MEBAHXZ
?do_max_length@codecvt_base@std@@MEBAHXZ
??1codecvt_base@std@@UEAA@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??0codecvt_base@std@@QEAA@_K@Z
?_Getctype@_Locinfo@std@@QEBA?AU_Ctypevec@@XZ
?id@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@2V0locale@2@A
?_Getcat@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?put@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QEBA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@AEAVios_base@2@DPEBUtm@@PEBD3@Z
??1ios_base@std@@UEAA@XZ
_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Throw_Cpp_error@std@@YAXH@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Xbad_alloc@std@@YAXXZ
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?id@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@2V0locale@2@A
?_Winerror_map@std@@YAHH@Z
?_Xbad_function_call@std@@YAXXZ
?id@?$numpunct@D@std@@2V0locale@2@A
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
_Toupper
_Tolower
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Syserror_map@std@@YAPEBDH@Z
_Mtx_destroy_in_situ
_Mtx_lock
_Mtx_init_in_situ
_Cnd_do_broadcast_at_thread_exit
_Thrd_sleep
_Query_perf_counter
_Thrd_detach
_Xtime_get_ticks
_Mtx_unlock
?_Getcat@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
_Thrd_yield
??0_Locinfo@std@@QEAA@PEBD@Z
??1_Locinfo@std@@QEAA@XZ
?get@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QEBA?AV?$istreambuf_iterator@DU?$char_traits@D@std@@@2@V32@0AEAVios_base@2@AEAHPEAUtm@@PEBD4@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??Bid@locale@std@@QEAA_KXZ
?_Incref@facet@locale@std@@UEAAXXZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
?good@ios_base@std@@QEBA_NXZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z

d3d11

D3D11CreateDeviceAndSwapChain

winhttp

WinHttpSetOption
WinHttpOpen
WinHttpQueryHeaders
WinHttpWebSocketReceive
WinHttpOpenRequest
WinHttpSendRequest
WinHttpWebSocketClose
WinHttpConnect
WinHttpWebSocketCompleteUpgrade
WinHttpReadData
WinHttpCloseHandle
WinHttpReceiveResponse
WinHttpQueryDataAvailable
WinHttpWebSocketSend

d3dcompiler_47

D3DCompile

imm32

ImmSetCandidateWindow
ImmAssociateContextEx
ImmSetCompositionWindow
ImmGetContext
ImmReleaseContext

bcrypt

BCryptGenRandom

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_exception_destroy
__intrinsic_setjmp
strstr
memcmp
memchr
strchr
memmove
__std_terminate
memcpy
strrchr
wcschr
longjmp
memset
__current_exception
__std_exception_copy
__current_exception_context
_CxxThrowException
__C_specific_handler

api-ms-win-crt-heap-l1-1-0

malloc
_set_new_mode
calloc
_callnewh
realloc
free

api-ms-win-crt-string-l1-1-0

_wcsdup
strncpy
wcspbrk
strcspn
strcmp
toupper
wcsncpy
wcsncmp
strpbrk
strspn
_strdup
strncmp

api-ms-win-crt-math-l1-1-0

_fdsign
ldexp
_fdopen
sqrtf
_dsign
_dclass
__setusermatherr
_fdclass
_ldclass
acosf
ceilf
cosf
fmodf
powf
sinf
_ldsign

api-ms-win-crt-convert-l1-1-0

strtoll
strtoull
atoi
strtol
strtoul
strtod
wcstombs

api-ms-win-crt-runtime-l1-1-0

__sys_errlist
_invalid_parameter_noinfo_noreturn
system
__sys_nerr
_beginthreadex
_errno
terminate
_configure_narrow_argv
_initialize_narrow_environment
_register_thread_local_exe_atexit_callback
_c_exit
_initialize_onexit_table
_exit
exit
_initterm_e
_initterm
_get_narrow_winmain_command_line
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function

api-ms-win-crt-locale-l1-1-0

localeconv
___lc_codepage_func
_configthreadlocale

api-ms-win-crt-stdio-l1-1-0

__p__commode
fopen
_read
_write
_lseeki64
fclose
fwrite
_close
_set_fmode
fputc
fflush
_wopen
fgetc
fputs
fgetpos
setvbuf
__stdio_common_vsprintf
ungetc
fsetpos
_wfopen
fread
__acrt_iob_func
__stdio_common_vsscanf
feof
fopen_s
_fseeki64
fseek
ferror
ftell
_get_stream_buffer_pointers
fgets

api-ms-win-crt-filesystem-l1-1-0

_fstat64
_lock_file
_wstat64
_waccess
_stat64i32
remove
_unlink
_unlock_file

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-time-l1-1-0

_gmtime64
strftime
_time64
_mktime64

api-ms-win-crt-utility-l1-1-0

qsort

ws2_32

WSAEnumNetworkEvents
WSAWaitForMultipleEvents
send
WSAResetEvent
WSAEventSelect
WSASetEvent
WSACreateEvent
WSACloseEvent
WSAStartup
WSAGetLastError
recv
ntohs
WSASetLastError
closesocket
setsockopt
WSAIoctl
htons
select
__WSAFDIsSet
getsockopt
connect
socket
getsockname
getpeername
bind
sendto
recvfrom
listen
accept
htonl
freeaddrinfo
getaddrinfo
ioctlsocket
gethostname
WSACleanup

wldap32

ord216
ord142
ord41
ord14
ord147
ord145
ord27
ord167
ord208
ord73
ord133
ord219
ord79
ord301
ord117
ord46
ord26
ord127

crypt32

PFXImportCertStore
CertFreeCertificateContext
CertEnumCertificatesInStore
CertCloseStore
CertCreateCertificateChainEngine
CertFindCertificateInStore
CertFindExtension
CertGetNameStringW
CertFreeCertificateChain
CryptQueryObject
CertAddCertificateContextToStore
CertOpenStore
CertFreeCertificateChainEngine
CertGetCertificateChain
CryptDecodeObjectEx
CryptStringToBinaryW

Exports

Exports

curl_easy_cleanup
curl_easy_duphandle
curl_easy_escape
curl_easy_getinfo
curl_easy_header
curl_easy_init
curl_easy_nextheader
curl_easy_pause
curl_easy_perform
curl_easy_recv
curl_easy_reset
curl_easy_send
curl_easy_setopt
curl_easy_strerror
curl_easy_unescape
curl_easy_upkeep
curl_escape
curl_formadd
curl_formfree
curl_formget
curl_free
curl_getdate
curl_getenv
curl_global_cleanup
curl_global_init
curl_global_init_mem
curl_global_sslset
curl_maprintf
curl_mfprintf
curl_mime_addpart
curl_mime_data
curl_mime_data_cb
curl_mime_encoder
curl_mime_filedata
curl_mime_filename
curl_mime_free
curl_mime_headers
curl_mime_init
curl_mime_name
curl_mime_subparts
curl_mime_type
curl_mprintf
curl_msnprintf
curl_msprintf
curl_multi_add_handle
curl_multi_assign
curl_multi_cleanup
curl_multi_fdset
curl_multi_info_read
curl_multi_init
curl_multi_perform
curl_multi_poll
curl_multi_remove_handle
curl_multi_setopt
curl_multi_socket
curl_multi_socket_action
curl_multi_socket_all
curl_multi_strerror
curl_multi_timeout
curl_multi_wait
curl_multi_wakeup
curl_mvaprintf
curl_mvfprintf
curl_mvprintf
curl_mvsnprintf
curl_mvsprintf
curl_share_cleanup
curl_share_init
curl_share_setopt
curl_share_strerror
curl_slist_append
curl_slist_free_all
curl_strequal
curl_strnequal
curl_unescape
curl_url
curl_url_cleanup
curl_url_dup
curl_url_get
curl_url_set
curl_url_strerror
curl_ws_meta
curl_ws_recv
curl_ws_send

Sections

.text
Size: 1.8MB - Virtual size: 1.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 983KB - Virtual size: 982KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 65KB - Virtual size: 64KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 67KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3e190570e6192bb56b4a5f4f0252d64e

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

msvcp140

d3d11

winhttp

d3dcompiler_47

imm32

bcrypt

vcruntime140_1

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-utility-l1-1-0

ws2_32

wldap32

crypt32

Exports

Exports

Sections

.text Size: 1.8MB - Virtual size: 1.8MB

.rdata Size: 983KB - Virtual size: 982KB

.data Size: 7KB - Virtual size: 11KB

.pdata Size: 65KB - Virtual size: 64KB

.rsrc Size: 67KB - Virtual size: 67KB

.reloc Size: 5KB - Virtual size: 4KB

.text
Size: 1.8MB - Virtual size: 1.8MB

.rdata
Size: 983KB - Virtual size: 982KB

.data
Size: 7KB - Virtual size: 11KB

.pdata
Size: 65KB - Virtual size: 64KB

.rsrc
Size: 67KB - Virtual size: 67KB

.reloc
Size: 5KB - Virtual size: 4KB