C:\Users\cosmoww\Desktop\Loader New\x64\Release\loader.pdb
Behavioral task
behavioral1
Sample
chromewebhelper.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
chromewebhelper.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
tool.exe
Resource
win7-20240221-en
General
-
Target
240229-r6rmwacc2v_pw_infected.zip
-
Size
14.2MB
-
MD5
fa8fd1113bfe9d429d3371ea60f2c417
-
SHA1
a964457813121197282b518efb71fbbbda42bb87
-
SHA256
ad15e741394db88ef7fb88c4b1fce1e83e26bb7150b8c463e4657d510dccc58c
-
SHA512
cf427bdbf89915605418bc68f6f2f85a515bc8d47a426b33c17911d4c166ac777e927d3bbb1f984578aaf30faae39062fb1c1f4c93e43214a6500509b0a4a686
-
SSDEEP
196608:gTM2FvNknvPbBSWr06+uPOd++sd6laHhEuyf2vh+YtnGKoDe3V2GFSOYdn+TCAOT:gTM2xGr5+u2dZE9H6DWhHS04GSOYICn
Malware Config
Signatures
-
An infostealer written in Python and packaged with PyInstaller. 1 IoCs
resource yara_rule static1/unpack004/creal.pyc crealstealer -
Crealstealer family
-
Detects Pyinstaller 1 IoCs
resource yara_rule static1/unpack002/tool.exe pyinstaller -
Unsigned PE 2 IoCs
Checks for missing Authenticode signature.
resource unpack002/chromewebhelper.exe unpack002/tool.exe
Files
-
240229-r6rmwacc2v_pw_infected.zip.zip
Password: infected
-
chromewebhelper.zip.zip
Password: infected
-
chromewebhelper.exe.exe windows:6 windows x64 arch:x64
Password: infected
3ec66149a72734c16cd83df816c0b2b0
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
ntdll
RtlLookupFunctionEntry
RtlCaptureContext
VerSetConditionMask
RtlVirtualUnwind
NtQuerySystemInformation
NtQueryInformationProcess
RtlAddFunctionTable
kernel32
GetStartupInfoA
ExitProcess
GetCurrentProcessId
GetProcessHeap
CreateProcessA
GetTickCount
AllocConsole
IsDebuggerPresent
GetComputerNameA
CheckRemoteDebuggerPresent
GetLocaleInfoEx
GetThreadId
AreFileApisANSI
OpenProcess
GetSystemTimeAsFileTime
GetCurrentThreadId
GetStartupInfoW
GetModuleHandleA
ContinueDebugEvent
IsProcessorFeaturePresent
ResumeThread
HeapWalk
CreateMutexA
K32GetDeviceDriverBaseNameA
TerminateProcess
GetThreadContext
RaiseException
InitializeSListHead
WaitForDebugEvent
OutputDebugStringA
SetUnhandledExceptionFilter
GetCurrentProcess
SetConsoleTitleA
UnhandledExceptionFilter
SleepConditionVariableSRW
VirtualProtect
GetModuleFileNameA
GetSystemFirmwareTable
K32EnumDeviceDrivers
GetExitCodeProcess
VirtualFreeEx
CreateRemoteThread
ReadProcessMemory
VirtualAllocEx
Process32FirstW
GetCurrentThread
CreateFileA
Process32NextW
OpenMutexA
GetLastError
GlobalAddAtomA
CreateToolhelp32Snapshot
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
WideCharToMultiByte
GetFileSizeEx
WaitForMultipleObjects
PeekNamedPipe
ReadFile
GetFileType
GetStdHandle
GetEnvironmentVariableA
MultiByteToWideChar
WaitForSingleObjectEx
MoveFileExA
VerifyVersionInfoA
FreeLibrary
GetSystemDirectoryA
SleepEx
LeaveCriticalSection
EnterCriticalSection
LocalFree
FormatMessageA
SetLastError
QueryFullProcessImageNameW
GetModuleHandleW
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
CreateThread
DeleteCriticalSection
GetCommandLineA
GetProcAddress
VirtualProtectEx
CloseHandle
LoadLibraryA
Sleep
WriteProcessMemory
QueryPerformanceCounter
QueryPerformanceFrequency
GlobalUnlock
GlobalLock
GlobalAlloc
HeapAlloc
CreateFileW
OutputDebugStringW
HeapDestroy
InitializeCriticalSectionEx
HeapSize
HeapFree
HeapReAlloc
user32
CloseClipboard
OpenClipboard
ReleaseCapture
GetClientRect
GetWindowTextA
ShowWindow
SetCursor
MessageBoxA
GetClipboardData
LoadCursorA
DispatchMessageA
RegisterClassA
EnumWindows
DefWindowProcA
CreateWindowExA
TranslateMessage
LoadIconA
EmptyClipboard
PeekMessageA
UnregisterClassA
GetSystemMetrics
PostQuitMessage
SetCapture
SetWindowPos
SetClipboardData
GetWindowRect
GetKeyState
UpdateWindow
FindWindowA
GetDesktopWindow
BlockInput
advapi32
CryptHashData
GetLengthSid
GetTokenInformation
OpenProcessToken
GetUserNameA
GetCurrentHwProfileA
InitializeAcl
IsValidSid
SetSecurityInfo
CopySid
ConvertSidToStringSidA
CryptAcquireContextA
CryptReleaseContext
CryptEncrypt
CryptImportKey
CryptDestroyKey
CryptDestroyHash
AddAccessAllowedAce
CryptCreateHash
CryptGenRandom
CryptGetHashParam
imm32
ImmSetCompositionWindow
ImmGetContext
msvcp140
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?_Xout_of_range@std@@YAXPEBD@Z
?_Winerror_map@std@@YAHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Syserror_map@std@@YAPEBDH@Z
_Thrd_sleep
_Query_perf_counter
_Xtime_get_ticks
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Xbad_function_call@std@@YAXXZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setf@ios_base@std@@QEAAHHH@Z
??Bid@locale@std@@QEAA_KXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?good@ios_base@std@@QEBA_NXZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
wininet
InternetReadFile
InternetConnectA
HttpSendRequestA
InternetOpenA
HttpOpenRequestA
urlmon
UrlMkSetSessionOption
URLDownloadToFileA
d3d9
Direct3DCreate9
psapi
GetModuleInformation
normaliz
IdnToAscii
wldap32
ord33
ord143
ord217
ord35
ord211
ord60
ord79
ord30
ord32
ord45
ord50
ord41
ord22
ord26
ord27
ord46
ord200
ord301
crypt32
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertFindExtension
CertGetCertificateChain
CertFreeCertificateChain
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryA
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertOpenStore
CertCloseStore
ws2_32
WSACleanup
closesocket
recv
send
WSAGetLastError
bind
connect
getpeername
getsockname
getsockopt
htons
ntohs
setsockopt
socket
WSASetLastError
WSAIoctl
WSAStartup
select
ntohl
gethostname
sendto
recvfrom
freeaddrinfo
getaddrinfo
accept
__WSAFDIsSet
ioctlsocket
htonl
listen
rpcrt4
RpcStringFreeA
UuidCreate
UuidToStringA
userenv
UnloadUserProfile
vcruntime140_1
__CxxFrameHandler4
vcruntime140
memset
_local_unwind
memmove
memcpy
memcmp
memchr
__current_exception
__std_exception_copy
__current_exception_context
__std_exception_destroy
__C_specific_handler
strchr
strstr
__std_terminate
strrchr
_CxxThrowException
api-ms-win-crt-stdio-l1-1-0
__p__commode
ftell
_read
fputc
__stdio_common_vfprintf
fseek
_write
_lseeki64
fgetc
_close
__stdio_common_vsprintf
fwrite
__acrt_iob_func
feof
fread
fopen
fgetpos
fclose
_open
setvbuf
_wfopen
_popen
_pclose
fgets
fflush
_get_stream_buffer_pointers
freopen_s
_set_fmode
_fseeki64
fsetpos
ungetc
__stdio_common_vsscanf
fputs
api-ms-win-crt-string-l1-1-0
tolower
strpbrk
isprint
strncmp
strcspn
strspn
isupper
_strdup
strcmp
strncpy
api-ms-win-crt-utility-l1-1-0
srand
rand
qsort
api-ms-win-crt-heap-l1-1-0
realloc
_callnewh
_set_new_mode
free
malloc
calloc
api-ms-win-crt-convert-l1-1-0
strtoul
strtol
strtoll
strtod
atoi
strtoull
api-ms-win-crt-runtime-l1-1-0
_invalid_parameter_noinfo
_errno
abort
_getpid
raise
_invalid_parameter_noinfo_noreturn
system
strerror
__sys_nerr
_resetstkoflw
_beginthreadex
exit
terminate
_configure_narrow_argv
_register_thread_local_exe_atexit_callback
_c_exit
_initialize_narrow_environment
_exit
_initterm_e
_initterm
_get_narrow_winmain_command_line
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
api-ms-win-crt-filesystem-l1-1-0
_fstat64
rename
_access
_unlink
_unlock_file
_lock_file
_stat64
api-ms-win-crt-time-l1-1-0
_gmtime64
_time64
api-ms-win-crt-locale-l1-1-0
___lc_codepage_func
localeconv
_configthreadlocale
api-ms-win-crt-math-l1-1-0
sqrtf
_dclass
ceil
cosf
floor
fmodf
sinf
sqrt
__setusermatherr
shell32
ShellExecuteA
Sections
.text Size: 628KB - Virtual size: 628KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 138KB - Virtual size: 137KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 2KB - Virtual size: 20KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 25KB - Virtual size: 24KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 512B - Virtual size: 488B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
tool.exe.exe windows:5 windows x64 arch:x64
Password: infected
1af6c885af093afc55142c2f1761dbe8
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
user32
CreateWindowExW
MessageBoxW
MessageBoxA
SystemParametersInfoW
DestroyIcon
SetWindowLongPtrW
GetWindowLongPtrW
GetClientRect
InvalidateRect
ReleaseDC
GetDC
DrawTextW
GetDialogBaseUnits
EndDialog
DialogBoxIndirectParamW
MoveWindow
SendMessageW
comctl32
ord380
kernel32
IsValidCodePage
GetStringTypeW
GetFileAttributesExW
HeapReAlloc
FlushFileBuffers
GetCurrentDirectoryW
GetACP
GetOEMCP
GetModuleHandleW
MulDiv
GetLastError
SetDllDirectoryW
GetModuleFileNameW
CreateSymbolicLinkW
GetProcAddress
GetCommandLineW
GetEnvironmentVariableW
GetCPInfo
ExpandEnvironmentStringsW
CreateDirectoryW
GetTempPathW
WaitForSingleObject
Sleep
GetExitCodeProcess
CreateProcessW
GetStartupInfoW
FreeLibrary
LoadLibraryExW
SetConsoleCtrlHandler
FindClose
FindFirstFileExW
CloseHandle
GetCurrentProcess
LocalFree
FormatMessageW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
GetTimeZoneInformation
HeapSize
WriteConsoleW
SetEndOfFile
SetEnvironmentVariableW
RtlUnwindEx
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
EncodePointer
RaiseException
RtlPcToFileHeader
GetCommandLineA
CreateFileW
GetDriveTypeW
GetFileInformationByHandle
GetFileType
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetFullPathNameW
RemoveDirectoryW
FindNextFileW
SetStdHandle
DeleteFileW
ReadFile
GetStdHandle
WriteFile
ExitProcess
GetModuleHandleExW
HeapFree
GetConsoleMode
ReadConsoleW
SetFilePointerEx
GetConsoleOutputCP
GetFileSizeEx
HeapAlloc
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
CompareStringW
LCMapStringW
advapi32
OpenProcessToken
GetTokenInformation
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW
gdi32
SelectObject
DeleteObject
CreateFontIndirectW
Sections
.text Size: 167KB - Virtual size: 167KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 75KB - Virtual size: 75KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 3KB - Virtual size: 12KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 9KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
_RDATA Size: 512B - Virtual size: 348B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 61KB - Virtual size: 61KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
creal.pyc