kekhack_loader[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

kekhack_loader.exe
Size

9.3MB
MD5

2d4eeaa6f0656954fccdc3aac27a880c
SHA1

b390c5030555efc9b2aa0b8e36b56722252d4109
SHA256

3cdacbaec97c166a3cf8d7c36b5af4f6db65446a838d95c8151f4c79fc64b669
SHA512

14c291465b5433f102d8df035212a1679570790b3b3cad1aacffbafa7a9e583a9a039f0fd7cd67569a0a5c352cfa7077ff5f4c68e4a978341ccc2ebf56265225
SSDEEP

196608:0yrnR0JEnWStR6VlpZqGngZrLabsExdtk3lRqDhchiVl:XR0VHV3+ZrL4sH3lRUKiV

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
kekhack_loader.exe

Files

kekhack_loader.exe
.exe windows:6 windows x64 arch:x64

9017b794d902567bde196efe772f16f5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetSystemFirmwareTable
GetVolumeInformationA
MultiByteToWideChar
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
QueryPerformanceFrequency
VerSetConditionMask
QueryPerformanceCounter
CreateFileW
PeekNamedPipe
GetFullPathNameW
GetFileInformationByHandle
GetFileAttributesExW
Process32NextW
TerminateProcess
Process32FirstW
WideCharToMultiByte
FreeLibrary
Process32First
Process32Next
LoadLibraryExA
Module32First
Module32Next
lstrlenA
OpenProcess
GetFullPathNameA
DeviceIoControl
CreateRemoteThread
SetEndOfFile
HeapSize
GetProcessHeap
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
IsValidCodePage
GetTimeZoneInformation
HeapReAlloc
FlushFileBuffers
SetFilePointerEx
GetFileSizeEx
GetConsoleOutputCP
CreateProcessW
WaitForSingleObject
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
RtlAddFunctionTable
VirtualProtectEx
Sleep
ReadProcessMemory
GetExitCodeProcess
SetThreadContext
VirtualFreeEx
WriteProcessMemory
VirtualAllocEx
ResumeThread
GetThreadContext
SuspendThread
Thread32Next
GetThreadTimes
QueryThreadCycleTime
OpenThread
GetCurrentProcessId
Thread32First
CreateToolhelp32Snapshot
GetProcessId
LoadLibraryA
GetTickCount
LocalFree
GetProcAddress
SetFileAttributesA
CloseHandle
CompareStringW
HeapFree
HeapAlloc
GetModuleFileNameW
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
GetDriveTypeW
SetConsoleCtrlHandler
SetFileInformationByHandle
GetFileAttributesW
FindFirstFileExW
SetStdHandle
ExitProcess
GetModuleHandleExW
FreeLibraryAndExitThread
ExitThread
CreateThread
RtlUnwind
LoadLibraryExW
RaiseException
RtlPcToFileHeader
RtlUnwindEx
GetStringTypeW
GetCPInfo
CompareStringEx
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
DeleteFileA
CreateFileA
GetLastError
GetTempPathA
GetModuleHandleA
FindClose
SetFilePointer
FindNextFileA
WriteFile
LCMapStringEx
InitializeCriticalSectionEx
DecodePointer
EncodePointer
CreateDirectoryW
InitOnceComplete
InitOnceBeginInitialize
TryAcquireSRWLockExclusive
GetFileInformationByHandleEx
GetCurrentProcess
FindFirstFileA
GetLogicalDrives
LCMapStringW
ReadFile
AreFileApisANSI
GetTempPathW
WriteConsoleW
SetLastError
InitializeSRWLock
ReleaseSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockExclusive
AcquireSRWLockShared
GetCurrentThreadId
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemDirectoryA
FormatMessageA
GetStdHandle
GetFileType
GetModuleHandleW
VirtualAlloc
VirtualProtect
VirtualFree
GetEnvironmentVariableW
GetSystemTimeAsFileTime
GetACP
SwitchToFiber
DeleteFiber
CreateFiberEx
ConvertFiberToThread
ConvertThreadToFiberEx
FindFirstFileW
FindNextFileW
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
GetSystemTime
SystemTimeToFileTime
GetCurrentThread
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
InitializeSListHead
GetLocaleInfoEx
GetCurrentDirectoryW
GetSystemTimeAsFileTime
GetModuleHandleA
CreateEventA
GetModuleFileNameW
LoadLibraryA
TerminateProcess
GetCurrentProcess
CreateToolhelp32Snapshot
Thread32First
GetCurrentProcessId
GetCurrentThreadId
OpenThread
Thread32Next
CloseHandle
SuspendThread
ResumeThread
WriteProcessMemory
GetSystemInfo
VirtualAlloc
VirtualProtect
VirtualFree
GetProcessAffinityMask
SetProcessAffinityMask
GetCurrentThread
SetThreadAffinityMask
Sleep
FreeLibrary
GetTickCount
SystemTimeToFileTime
FileTimeToSystemTime
GlobalFree
LocalAlloc
LocalFree
GetProcAddress
ExitProcess
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
GetModuleHandleW
LoadResource
MultiByteToWideChar
FindResourceExW
FindResourceExA
WideCharToMultiByte
GetThreadLocale
GetUserDefaultLCID
GetSystemDefaultLCID
EnumResourceNamesA
EnumResourceNamesW
EnumResourceLanguagesA
EnumResourceLanguagesW
EnumResourceTypesA
EnumResourceTypesW
CreateFileW
LoadLibraryW
GetLastError
FlushFileBuffers
CreateFileA
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
SetStdHandle
FlsSetValue
GetCommandLineA
RaiseException
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlUnwindEx
HeapFree
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
DecodePointer
FlsGetValue
FlsFree
SetLastError
FlsAlloc
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlCaptureContext
HeapAlloc
LCMapStringA
LCMapStringW
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapSetInformation
HeapCreate
HeapDestroy
QueryPerformanceCounter
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
HeapSize
WriteFile
SetFilePointer
GetConsoleCP
GetConsoleMode
HeapReAlloc
InitializeCriticalSectionAndSpinCount
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

CloseClipboard
OpenClipboard
GetCursorPos
wsprintfA
SetCursorPos
ReleaseCapture
IsWindowUnicode
SetProcessDPIAware
GetClientRect
SetCursor
MessageBoxW
GetUserObjectInformationW
GetProcessWindowStation
SetCapture
GetForegroundWindow
TrackMouseEvent
ClientToScreen
GetCapture
GetClipboardData
LoadCursorA
GetKeyState
MessageBoxA
LoadIconA
RegisterClassExA
CreateWindowExA
UnregisterClassA
ShowWindow
UpdateWindow
PeekMessageA
TranslateMessage
DispatchMessageA
DestroyWindow
PostQuitMessage
DefWindowProcA
EmptyClipboard
SetClipboardData
GetWindowThreadProcessId
FindWindowA
UnhookWindowsHookEx
PostThreadMessageA
SetWindowsHookExA
ScreenToClient
GetUserObjectInformationW
CharUpperBuffW
MessageBoxW
GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

advapi32

RegCreateKeyExA
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptReleaseContext
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
CheckTokenMembership
GetCurrentHwProfileA
LookupPrivilegeValueW
RegDeleteKeyA
RegOpenKeyA
RegCreateKeyA
SetEntriesInAclA
AdjustTokenPrivileges
RegCloseKey
RegQueryValueExA
SetNamedSecurityInfoA
AllocateAndInitializeSid
LookupPrivilegeValueA
CryptEnumProvidersW
RegSetValueExA
OpenProcessToken
FreeSid
RegOpenKeyExA
RegCopyTreeA
RegEnumKeyExA
DeregisterEventSource

shell32

ShellExecuteA
SHFileOperationA
SHGetFolderPathA

ole32

CoSetProxyBlanket
CoCreateInstance
CoUninitialize
CoInitializeSecurity
CoInitializeEx

oleaut32

VariantClear
SysFreeString
SysStringLen
SysAllocString

shlwapi

SHDeleteKeyA
StrStrA
SHDeleteValueA
PathFileExistsA

ws2_32

getnameinfo
shutdown
closesocket
getservbyname
getservbyport
ntohs
getsockname
getpeername
send
recv
select
freeaddrinfo
setsockopt
ioctlsocket
getsockopt
__WSAFDIsSet
WSAGetLastError
connect
socket
WSASocketW
getaddrinfo
inet_pton
WSAStartup
WSACleanup
WSASetLastError
gethostbyname
htonl
htons
inet_addr
inet_ntoa
gethostbyaddr

crypt32

CertOpenStore
CertEnumCertificatesInStore
CertGetCertificateContextProperty
CertFindCertificateInStore
CertOpenSystemStoreW
CertCloseStore
CertFreeCertificateContext
CertDuplicateCertificateContext

d3d9

Direct3DCreate9

d3dx9_43

D3DXCreateTexture
D3DXCreateTextureFromFileInMemory

ntdll

RtlInitAnsiString
RtlAnsiStringToUnicodeString
NtQuerySystemTime
RtlVirtualUnwind
RtlCaptureContext
RtlLookupFunctionEntry

imm32

ImmSetCandidateWindow
ImmSetCompositionWindow
ImmReleaseContext
ImmGetContext

bcrypt

BCryptGenRandom

wtsapi32

WTSSendMessageW

Exports

Exports

��P��W�7��b��-��p�ڳ�'�D��}lw`�g�y��Bu֞�9��t��H@��/��U�K��xG�+<�")뒱��:�Φ0��s�E��hK�_��k�Iǎx/��tm$_{q�Ҵl[��yo<a�@<��1�k�ڒ2��9[Q:��Zx�bV�Ò��ɎD�wP��k#��A��!�\9��b@i�T"8}%a�ɾa9W��ئ�x�p]��{�a{�O��4��!>b�%��&z�d��y��u�+Ґsm��@%��t4%� ��~��_(D��I�7+.为X��X�G��#�9�8��I��U�44t[�m�0��ҮY�L�>��KN!Z�ݎC�S��g*�Q)�SE �"��`P3�]_ �x��z�8� ~\U H�Ic�.Ч�k�j �<7�lɰ��Yρ��8_� ��N3�^^|j3�i��t��8>��C�U��yx�&d.��ۅ��/�+�ݾ��JN-⽠2F��T�{x�R1�Ё2g��m��j��aV@��Yv��L�V�U�A��1H��&��S�{K}`~��L^�5��kW�Jn9�4|�z�)_F�s��Y��mWX ��M��*�yù�=�@��_S)�8ߴ&��Hx ��b~��hf X�;��\��.��t*x��Jo��g��SQ�j�L��̢��i�?�g>�C�+[w� �3 ��#�B�$t�@��C��T��y�'�N&p ��3ʒ$�g��?ivIՃ�<�T×�)�W>�e��Ғ�u5��ЍsW�S�v��YZk�rS��d �m�L7&0��=�ԽQ6̗*{��-XkǷ�� C�h�+�ӷ*��.��cb->Y?�n;H�9�nɸi��LBh�ꤡ��_�=%�#��ѧU~��gg�f�(s�{|��´��t�"��1H�MY-KX55��@��3/G��߾8�`�Ҳ`I��d��0�)��R`�Zk1��3�p�0[I/�9��v_!��9�GKs�0��@��-��Tz�#t�M3��t+W��2ϯ��8�2�̈UĲ��?I�wx�n��"��= w�>x+��:,�;��3A�|��6<9j�M��a�[��`�9 c]^��x��m;��Ѷ㚎#�)h�@��DI��;{p��!훔�� '��l��ș�hx��/��9v�,lm�\��բ�[��a��ٍWq�6آ�x̉]��b��/��xן��)�s�Q㄃��|�,��t0:��[6��m.F��a�rڨ+��i�� 6�V�� Y��kV�\��\V32X��r]�C�$�ciI��9�x�˽+�:�ol?��z%>aL��kc��e"'�y��7�7b(_�R�GG��XM�+��<n�!�q�$��U�8=1��\��.ӗ��>V�_Z�|��Ew��("��&�ؖGr��Vzg#$�AM%�lv߅�M��ː�'�)Ӄu��e�yڍ��b5;/��謣n�`�K$t��Lr��M�X˷�g��'�z�@#*��'(.-��Vy�2�_l��qH��o�ꙣ��љ{��@c�$f�l��A5WDYA��y'S��MFa=��)��J]��;4��4��-��6�'4��<�Y�KפM� bs��a�@L��Z�9�f�� ?�P �$��%"#'j�n�?��KkZK��Wj��2w�Y�!�>��_��uU�\W��G~��"��%��0��U�J��v+�7�!8��:��*� �mc��b��l��ht%�� ,�98%y��wV��0f��c7�iv��%O"�B4\$�8�c�x{xS��ER�X�z�g��䛶��o��5�ީ�N�>'�5 [B��"1$��H�`��dQ�ҏ�� ή�Τ��u�l-�� H9��,O{��*Bʚo(��ߜ��C9��L'-��߂qD��g�/lj}G��ј�wz3�^��9DG R��>�$��Q]5��Th�ĩ�?ӄ~�&94��P u>��V;RY;^�7+~lR1��ۧ��dtT��r��c��e40V�*�AO�Xo��ѠA�e&@��X1��n6o��dAp`bő孈��޳�� Uz��O~�l]�L��y~��F}��4-��FPa^��VP��N�0��B��[�)��s��_wN��F3��`�?��ÜO�|�Y �~/��LH�0��U�SK�sL2O��FD�h7a��T~ It�42G0@&)ю�Y��U!�V�"Sm��(5�ɳ��q�9S�w��i�TrR��F%�LJjU��nǖ2<?.((Ԝ �HW`q��j�N�mQ�� nžPx8.V ��3��λ��L�.e菺�O��+��4aUx��}0y��#�Vѷ؏:<��<�ݲ��N�= ԝ�t�ѣc^xF��`^��s@7�5Ѿ�3��K�kl�;+��u�U6lD� ӦP�� Y�1g�4:��Hj��n nO��AM혞�0�bLv�� [�(�{��r�^� �Eo5T>$Gd+�=6��7 �3H�g��&p��c��:�\*�C�cc��J5�r��Rw�:!��f�y��'֏6#|yۏm�2�~��(�$-��.�/�+H��ʑD|�l6��1<�WT�2ߑ�4B��FY�X|옗�瞹:P��`�`�嘤�d��"�&)�nzw��G� g�=`_��tp��\Q�5M?�oF��2��O�5ob��o�<��6+(!��е�r[�*� ��H�c,�owݩ��F ��w"雿k��d�ª� �D;��?]�~c(P�6�h��:��<�\E��k=��^�D$�ET��į�D��@��DRG��t�m{t@

Sections

.text
Size: - Virtual size: 4.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 1.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 165KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 142KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.penis
Size: - Virtual size: 6.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp1
Size: - Virtual size: 2.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp2
Size: 9.3MB - Virtual size: 9.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9017b794d902567bde196efe772f16f5

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

oleaut32

shlwapi

ws2_32

crypt32

d3d9

d3dx9_43

ntdll

imm32

bcrypt

wtsapi32

Exports

Exports

Sections

.text Size: - Virtual size: 4.0MB

.rdata Size: - Virtual size: 1.7MB

.data Size: - Virtual size: 165KB

.pdata Size: - Virtual size: 142KB

_RDATA Size: - Virtual size: 348B

.vmp0 Size: - Virtual size: 10KB

.reloc Size: - Virtual size: 42KB

.penis Size: - Virtual size: 6.2MB

.vmp1 Size: - Virtual size: 2.3MB

.vmp2 Size: 9.3MB - Virtual size: 9.3MB

.rsrc Size: 10KB - Virtual size: 10KB

.text
Size: - Virtual size: 4.0MB

.rdata
Size: - Virtual size: 1.7MB

.data
Size: - Virtual size: 165KB

.pdata
Size: - Virtual size: 142KB

_RDATA
Size: - Virtual size: 348B

.vmp0
Size: - Virtual size: 10KB

.reloc
Size: - Virtual size: 42KB

.penis
Size: - Virtual size: 6.2MB

.vmp1
Size: - Virtual size: 2.3MB

.vmp2
Size: 9.3MB - Virtual size: 9.3MB

.rsrc
Size: 10KB - Virtual size: 10KB