C:\Users\123\Desktop\Sapphire Loader\x64\Release\loader.pdb
Sample
loader.exe
Resource
win10v2004-20240226-en
General
Target
loader.exe
Size
657KB
MD5
687ee33dc2e3202b1481472c2fa9cbd6
SHA1
8946911a042bccef5dd665c201e4cafa1e750632
SHA256
fe8a06bb19550a82a2cfc153ad0abac67885363423f4b15113d6b77c1e50c3f3
SHA512
3f3a7e335403ebba8793735eaa34d187801f877a7c07fc52790f1e1a45230e5fc86febd3e68df91f97a14365d5d97aa04c0c085c4cb9190769ac2e8453b16d48
SSDEEP
12288:ZQgdvj/dan3lMOQkYKwxpTagjEVyy2cPGA+onEheE/ZM:ZJdb/In3lMOVYKw1fEVztOAPIG
Malware Config
Signatures
Unsigned PE (1 IoC)
The sample carries no Authenticode signature.
resource loader.exe
Files
loader.exe.exe windows:6 windows x64 arch:x64
abfd224d439c244467a20bce68634a0a
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
kernel32
HeapReAlloc
HeapAlloc
HeapDestroy
DeleteCriticalSection
GetProcessHeap
WinExec
LocalFree
SetLastError
FormatMessageA
EnterCriticalSection
LeaveCriticalSection
SleepEx
QueryPerformanceFrequency
GetSystemDirectoryA
FreeLibrary
VerifyVersionInfoA
QueryPerformanceCounter
GetTickCount
MoveFileExA
HeapSize
GetEnvironmentVariableA
GetStdHandle
GetFileType
ReadFile
PeekNamedPipe
WaitForMultipleObjects
CreateFileA
GetFileSizeEx
InitializeCriticalSectionEx
HeapFree
WideCharToMultiByte
MultiByteToWideChar
Process32Next
Process32First
CreateToolhelp32Snapshot
K32GetDeviceDriverBaseNameA
K32EnumDeviceDrivers
SetConsoleTitleA
LoadLibraryA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
VirtualFreeEx
WriteProcessMemory
ReadProcessMemory
VirtualProtectEx
VirtualAllocEx
OpenProcess
GetThreadContext
GetThreadId
ResumeThread
GetCurrentThread
CreateRemoteThread
CreateThread
GetExitCodeProcess
TerminateProcess
ExitProcess
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
UnhandledExceptionFilter
GetCurrentProcess
Sleep
RaiseException
CloseHandle
RtlAddFunctionTable
VirtualProtect
RtlLookupFunctionEntry
lstrcmpiA
VerifyVersionInfoW
OutputDebugStringW
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
GetModuleHandleW
GetLastError
WaitForSingleObjectEx
IsDebuggerPresent
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
VerSetConditionMask
user32
MessageBoxA
GetSystemMetrics
BlockInput
FindWindowA
advapi32
CryptGetHashParam
OpenProcessToken
GetTokenInformation
LookupPrivilegeValueA
GetUserNameA
GetLengthSid
IsValidSid
CopySid
ConvertSidToStringSidA
CryptAcquireContextA
CryptReleaseContext
CryptGenRandom
CryptCreateHash
CryptHashData
CryptEncrypt
CryptImportKey
CryptDestroyKey
CryptDestroyHash
AdjustTokenPrivileges
shell32
ShellExecuteA
oleaut32
VariantClear
msvcp140
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?id@?$ctype@D@std@@2V0locale@2@A
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?width@ios_base@std@@QEAA_J_J@Z
?width@ios_base@std@@QEBA_JXZ
?flags@ios_base@std@@QEBAHXZ
?good@ios_base@std@@QEBA_NXZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??Bid@locale@std@@QEAA_KXZ
?_Throw_Cpp_error@std@@YAXH@Z
_Cnd_do_broadcast_at_thread_exit
_Thrd_sleep
_Thrd_detach
_Query_perf_frequency
_Query_perf_counter
_Xtime_get_ticks
?_Xout_of_range@std@@YAXPEBD@Z
?uncaught_exception@std@@YA_NXZ
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Xbad_function_call@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
psapi
GetModuleInformation
wininet
InternetCloseHandle
InternetOpenUrlA
InternetReadFile
InternetOpenA
ntdll
RtlCaptureContext
RtlVirtualUnwind
normaliz
IdnToAscii
wldap32
ord143
ord217
ord46
ord211
ord60
ord45
ord50
ord41
ord22
ord301
ord200
ord30
ord79
ord35
ord33
ord32
ord27
ord26
crypt32
CertFindCertificateInStore
CertOpenStore
CertFreeCertificateContext
CryptStringToBinaryA
PFXImportCertStore
CryptDecodeObjectEx
CertEnumCertificatesInStore
CertFindExtension
CertGetNameStringA
CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CertAddCertificateContextToStore
CertCloseStore
ws2_32
ntohl
gethostname
sendto
recvfrom
freeaddrinfo
getaddrinfo
select
__WSAFDIsSet
ioctlsocket
listen
htonl
accept
WSACleanup
ntohs
closesocket
recv
WSAStartup
WSAIoctl
WSASetLastError
send
WSAGetLastError
socket
setsockopt
bind
connect
getpeername
getsockname
getsockopt
htons
userenv
UnloadUserProfile
vcruntime140
memchr
strchr
strrchr
memmove
__C_specific_handler
memcpy
__current_exception_context
memcmp
__std_terminate
memset
__std_exception_copy
__std_exception_destroy
_CxxThrowException
strstr
__current_exception
vcruntime140_1
__CxxFrameHandler4
api-ms-win-crt-stdio-l1-1-0
fgetpos
fputc
_pclose
fread
_lseeki64
fsetpos
__acrt_iob_func
_fseeki64
_set_fmode
fgets
__stdio_common_vsprintf
fseek
feof
__stdio_common_vsscanf
__p__commode
fwrite
_popen
setvbuf
_read
_write
_close
_open
fflush
ftell
fopen
_get_stream_buffer_pointers
ungetc
fputs
fclose
fgetc
api-ms-win-crt-runtime-l1-1-0
_invalid_parameter_noinfo
strerror
exit
__sys_nerr
system
_invalid_parameter_noinfo_noreturn
_resetstkoflw
terminate
raise
_beginthreadex
_register_thread_local_exe_atexit_callback
_c_exit
__p___argv
_errno
__p___argc
_exit
_initterm_e
_initterm
_get_initial_narrow_environment
_set_app_type
_getpid
_seh_filter_exe
_cexit
abort
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_crt_atexit
api-ms-win-crt-heap-l1-1-0
_set_new_mode
realloc
malloc
free
_callnewh
calloc
api-ms-win-crt-utility-l1-1-0
qsort
rand
api-ms-win-crt-convert-l1-1-0
strtol
atoi
strtoll
strtoul
strtod
strtoull
api-ms-win-crt-filesystem-l1-1-0
_unlock_file
_fstat64
_unlink
_stat64
_access
_lock_file
api-ms-win-crt-time-l1-1-0
_gmtime64
_localtime64_s
_time64
strftime
api-ms-win-crt-locale-l1-1-0
_configthreadlocale
setlocale
localeconv
api-ms-win-crt-math-l1-1-0
ceilf
__setusermatherr
_dclass
api-ms-win-crt-string-l1-1-0
strncmp
strncpy
_strdup
strpbrk
strcmp
tolower
strcspn
strspn
isupper
Sections
.text Size: 515KB - Virtual size: 514KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 113KB - Virtual size: 113KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 6KB - Virtual size: 9KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 19KB - Virtual size: 18KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 512B - Virtual size: 488B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ