General
-
Target
loader.exe
-
Size
10.6MB
-
MD5
333ba33542818fe82c02784b4e5c6db4
-
SHA1
183836bb7d6b00bc2c7cc9614364909a4e468d1c
-
SHA256
9d41594e3f5eda978df3a811fa0034ee8d6c14d8ce35e26d08afbf8af7d6bdc8
-
SHA512
b77ffe745aae3e27126079f01a591fa3ff55ce9946aee0ffdac1d936333588df40b46fce5c3dd9b02ee8388a79453ecec8f0889134b9124bfdcddcb1859396c4
-
SSDEEP
98304:HZMlSz9ZuFoP+EPWQ7xgwLthYMudDC+hqc8lqvdzw2nsNKYYURyc9JirsN4JzmUn:HSlSTIA7WWye2qcUzp6UYeJRCxP
Malware Config
Signatures
-
resource yara_rule sample themida -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource loader.exe
Files
-
loader.exe.exe windows:6 windows x64 arch:x64
923841e5435ffde1f135f5ea77ffb435
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
advapi32
AddAccessAllowedAce
GetLengthSid
GetTokenInformation
InitializeAcl
IsValidSid
SetSecurityInfo
CopySid
ConvertSidToStringSidA
CryptAcquireContextA
CryptReleaseContext
CryptGetHashParam
CryptGenRandom
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptEncrypt
CryptImportKey
CryptDestroyKey
OpenProcessToken
crypt32
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertFindExtension
CertFreeCertificateChain
CryptDecodeObjectEx
CertFreeCertificateContext
PFXImportCertStore
CryptStringToBinaryA
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
d3dcompiler_47
D3DCompile
imm32
ImmGetContext
ImmSetCompositionWindow
ImmReleaseContext
ImmSetCandidateWindow
kernel32
CreateDirectoryW
FindClose
FindFirstFileW
GetFileAttributesExW
AreFileApisANSI
GetFileInformationByHandleEx
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
CreateEventW
IsDebuggerPresent
GetStartupInfoW
GetFileType
GetSystemTimeAsFileTime
InitializeSListHead
OutputDebugStringW
GetFileSizeEx
GetStdHandle
CreateFileA
WaitForSingleObjectEx
MoveFileExA
GetTickCount
LocalFree
FormatMessageA
SetLastError
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
VirtualProtect
CreateThread
DeleteCriticalSection
InitializeCriticalSectionEx
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
GetLastError
CloseHandle
CreateFileW
GetCurrentProcess
Sleep
GetCurrentThreadId
GetModuleHandleW
VerifyVersionInfoA
GetSystemDirectoryA
MultiByteToWideChar
GetModuleFileNameA
GlobalAlloc
GlobalFree
GlobalLock
WideCharToMultiByte
GlobalUnlock
GetModuleHandleA
LoadLibraryA
QueryPerformanceFrequency
GetProcAddress
VerSetConditionMask
FreeLibrary
QueryPerformanceCounter
SleepEx
LeaveCriticalSection
EnterCriticalSection
GetModuleFileNameW
GetLocaleInfoEx
WaitForMultipleObjects
PeekNamedPipe
GetEnvironmentVariableA
ReadFile
GetCurrentProcessId
msvcp140
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV?$basic_ios@DU?$char_traits@D@std@@@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
??4?$_Iosb@H@std@@QEAAAEAV01@$$QEAV01@@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
_Thrd_detach
_Cnd_do_broadcast_at_thread_exit
?_Syserror_map@std@@YAPEBDH@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Throw_C_error@std@@YAXH@Z
?_Xbad_function_call@std@@YAXXZ
?_Winerror_map@std@@YAHH@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Throw_Cpp_error@std@@YAXH@Z
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
?_Xout_of_range@std@@YAXPEBD@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Xlength_error@std@@YAXPEBD@Z
normaliz
IdnToAscii
psapi
GetModuleInformation
rpcrt4
UuidToStringA
UuidCreate
RpcStringFreeA
shell32
ShellExecuteA
user32
GetClipboardData
GetWindowRect
MessageBoxA
MoveWindow
DefWindowProcW
SetClipboardData
EmptyClipboard
CloseClipboard
OpenClipboard
GetCursorPos
SetCursorPos
IsWindowUnicode
GetClientRect
SetCursor
SetCapture
LoadCursorW
GetForegroundWindow
TrackMouseEvent
ClientToScreen
GetCapture
ScreenToClient
GetMessageExtraInfo
GetKeyState
UpdateWindow
PostQuitMessage
TranslateMessage
SetLayeredWindowAttributes
PeekMessageW
ShowWindow
RegisterClassExW
UnregisterClassW
GetSystemMetrics
CreateWindowExW
DestroyWindow
ReleaseCapture
DispatchMessageW
userenv
UnloadUserProfile
vcruntime140
__current_exception
__C_specific_handler
strrchr
__current_exception_context
memchr
_CxxThrowException
memset
memcpy
memcpy
strchr
memcmp
__std_exception_destroy
__std_exception_copy
__std_terminate
strstr
vcruntime140_1
__CxxFrameHandler4
wldap32
ber_free
ldap_err2stringA
ldap_msgfree
ldap_first_entry
ldap_get_dnA
ldap_bind_sA
ldap_simple_bind_sA
ldap_set_optionA
ldap_unbind_s
ldap_sslinitA
ldap_memfreeA
ldap_search_sA
ldap_value_freeW
ldap_get_values_lenA
ldap_next_attributeA
ldap_first_attributeA
ldap_next_entry
ldap_initA
ws2_32
getsockopt
htonl
gethostname
sendto
recvfrom
closesocket
FreeAddrInfoW
getaddrinfo
recv
select
__WSAFDIsSet
send
ioctlsocket
WSAGetLastError
listen
htonl
bind
connect
accept
WSACleanup
WSAStartup
WSAIoctl
getpeername
WSASetLastError
getsockname
htons
socket
setsockopt
htons
ucrtbase
strtoul
strtod
_strtoi64
atoi
_strtoui64
strtol
getenv
_unlink
_fstat64
_stat64
_lock_file
_access
_unlock_file
malloc
_callnewh
_set_new_mode
calloc
free
realloc
_configthreadlocale
localeconv
___lc_codepage_func
cosf
_dclass
ceilf
fmodf
acosf
_dsign
ldexp
sinf
__setusermatherr
sqrtf
pow
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit
_seh_filter_exe
_set_app_type
_invalid_parameter_noinfo_noreturn
_get_narrow_winmain_command_line
_initterm
_initterm_e
_Exit
_beginthreadex
_c_exit
_register_thread_local_exe_atexit_callback
system
terminate
_errno
abort
_getpid
strerror
__sys_nerr
_invalid_parameter_noinfo
_resetstkoflw
exit
fclose
__stdio_common_vfprintf
fwrite
_wfopen
_open
__stdio_common_vsprintf
fread
_close
_write
_read
__stdio_common_vsscanf
_lseeki64
fgetc
fputs
_popen
_pclose
fgets
fflush
_get_stream_buffer_pointers
_fseeki64
fsetpos
setvbuf
fgetpos
__p__commode
__acrt_iob_func
ftell
_set_fmode
fopen
fputc
fseek
feof
ungetc
strspn
tolower
strncmp
strpbrk
strcspn
_mbsdup
strcmp
isupper
strncpy
_gmtime64
_time64
qsort
d3d11
D3D11CreateDeviceAndSwapChain
dwmapi
DwmExtendFrameIntoClientArea
Sections
.text Size: 773KB - Virtual size: 776KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Size: 154KB - Virtual size: 164KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Size: 383KB - Virtual size: 388KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Size: 31KB - Virtual size: 32KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Size: 512B - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Size: 2KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.imports Size: 2KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.tls Size: 512B - Virtual size: 4KB
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 512B - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.themida Size: 5.9MB - Virtual size: 5.9MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.boot Size: 3.4MB - Virtual size: 3.4MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 4KB
IMAGE_SCN_MEM_READ
.SCY Size: 12KB - Virtual size: 16KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE