Loader[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Loader.exe
Size

3.5MB
MD5

79f625cb8e8e6369a75183365761f54e
SHA1

e8f4eebdb7046ca85f710c75548cc05b6b415106
SHA256

03775057d2bac2240053fa03184de2697b96d30e6ccdc70d21942f57c8c36386
SHA512

5df83cb1af1512e5393a6450a1ac788a16ff36d89d9af8ecf848bb6c807bbb039499c7a8c77257acdccad361a0dc13ce25440e49af8dbb2e698e6092f15a17f5
SSDEEP

49152:ZTeHiJ79Os8vmknjnKMQumuAKrquKMQum0o:ZTeSwvmSBm

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Loader.exe

Files

Loader.exe
.exe windows:6 windows x64 arch:x64

fe7cc07a8ad1f1be51205f4c8b2b9af7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\lunar\Desktop\XWorm\XWorm V5.2\ClientsFolder\212A6D5BD236DC1C0EDA\Spoofer\Loader\Logic - Loader\x64\Release\Loader.pdb

Imports

d3d9

Direct3DCreate9

d3dx9_43

D3DXCreateTextureFromFileInMemory

kernel32

SetLastError
FormatMessageA
LocalFree
EnterCriticalSection
LeaveCriticalSection
SleepEx
GetSystemDirectoryA
VerifyVersionInfoA
GetTickCount
MoveFileExA
WaitForSingleObjectEx
GetEnvironmentVariableA
GetStdHandle
GetFileType
WaitForMultipleObjects
CreateFileA
GetFileSizeEx
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
OutputDebugStringW
Sleep
GetConsoleWindow
GetModuleHandleW
GetProcessHeap
DeleteCriticalSection
CopyFileW
FindResourceW
LoadResource
FindResourceExW
HeapDestroy
HeapAlloc
HeapReAlloc
HeapSize
InitializeCriticalSectionEx
HeapFree
ReadFile
WriteFile
PeekNamedPipe
CreateFileW
GetLastError
CloseHandle
GetCurrentProcessId
WaitNamedPipeW
lstrlenW
GetModuleFileNameW
MultiByteToWideChar
DeleteFileW
LockResource
SizeofResource
GetExitCodeProcess
SetThreadContext
CreateProcessW
QueryPerformanceCounter
VirtualAllocEx
GetThreadContext
ResumeThread
GlobalAlloc
GlobalFree
WaitForSingleObject
GlobalLock
WideCharToMultiByte
GlobalUnlock
GetModuleHandleA
GetLocaleInfoA
LoadLibraryA
QueryPerformanceFrequency
GetProcAddress
VerSetConditionMask
TerminateProcess
WriteProcessMemory
CreateThread
GetCurrentProcess
Beep
FreeLibrary

user32

DestroyWindow
SetWindowRgn
GetClipboardData
EmptyClipboard
CloseClipboard
OpenClipboard
GetCursorPos
SetCursorPos
ReleaseCapture
IsWindowUnicode
GetClientRect
SetCursor
SetCapture
GetDesktopWindow
GetKeyboardLayout
TrackMouseEvent
ClientToScreen
GetCapture
ScreenToClient
GetMessageExtraInfo
GetKeyState
UnregisterClassW
GetSystemMetrics
UpdateWindow
PostQuitMessage
TranslateMessage
PeekMessageW
DispatchMessageW
GetWindowRect
MessageBoxW
BlockInput
CreateWindowExW
RegisterClassExW
ShowWindow
GetForegroundWindow
MoveWindow
SetClipboardData
LoadCursorW
DefWindowProcW

gdi32

CreateRoundRectRgn

advapi32

CryptGenRandom
GetLengthSid
GetTokenInformation
IsValidSid
RegSetValueExW
RegCreateKeyExW
RegCloseKey
CopySid
ConvertSidToStringSidA
CryptImportKey
CryptEncrypt
CryptDestroyKey
CryptDestroyHash
CryptHashData
CryptCreateHash
OpenProcessToken
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA

msvcp140

?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
_Query_perf_frequency
?_Xinvalid_argument@std@@YAXPEBD@Z
_Thrd_sleep
_Query_perf_counter
_Thrd_detach
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEBX@Z
?setf@ios_base@std@@QEAAHHH@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Xbad_function_call@std@@YAXXZ
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?uncaught_exceptions@std@@YAHXZ
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
?_Xlength_error@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
_Cnd_destroy_in_situ
_Cnd_broadcast
_Cnd_do_broadcast_at_thread_exit
_Mtx_init_in_situ
_Mtx_lock
_Mtx_destroy_in_situ
_Cnd_timedwait
?_Throw_Cpp_error@std@@YAXH@Z
_Cnd_init_in_situ
_Mtx_current_owns
_Xtime_get_ticks
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
_Mtx_unlock

imm32

ImmReleaseContext
ImmSetCandidateWindow
ImmGetContext
ImmSetCompositionWindow

wininet

DeleteUrlCacheEntryW

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

urlmon

URLDownloadToFileW

normaliz

IdnToAscii

wldap32

ord26
ord217
ord46
ord211
ord60
ord45
ord50
ord41
ord22
ord143
ord27
ord32
ord33
ord35
ord79
ord30
ord200
ord301

crypt32

CertCloseStore
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CryptQueryObject
CertGetNameStringA
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryA
CertFindCertificateInStore
CertEnumCertificatesInStore
CertOpenStore
CertFreeCertificateContext

ws2_32

htonl
closesocket
WSASetLastError
recv
send
WSAIoctl
WSAGetLastError
bind
connect
getpeername
getsockname
setsockopt
getsockopt
htons
WSAStartup
ntohl
gethostname
sendto
ntohs
recvfrom
WSACleanup
freeaddrinfo
getaddrinfo
select
__WSAFDIsSet
accept
ioctlsocket
listen
socket

userenv

UnloadUserProfile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memcpy
strstr
strchr
__std_exception_destroy
__std_exception_copy
wcsrchr
__std_terminate
_CxxThrowException
memchr
memcmp
__current_exception_context
memmove
memset
strrchr
__C_specific_handler
__current_exception

api-ms-win-crt-heap-l1-1-0

malloc
realloc
free
calloc
_set_new_mode
_callnewh

api-ms-win-crt-stdio-l1-1-0

fclose
__stdio_common_vswprintf
ftell
_lseeki64
fseek
fwrite
_wfopen
__stdio_common_vsprintf
feof
fputs
fopen
fread
__stdio_common_vfprintf
_open
_close
fgets
_write
_read
__stdio_common_vfwprintf
__stdio_common_vswprintf_s
__stdio_common_vsscanf
__acrt_iob_func
__p__commode
_set_fmode
_get_stream_buffer_pointers
_fseeki64
fsetpos
ungetc
setvbuf
fgetpos
fflush
fgetc
fputc

api-ms-win-crt-runtime-l1-1-0

_initterm
_initterm_e
system
__p___argc
__p___argv
_c_exit
_register_thread_local_exe_atexit_callback
_set_app_type
_seh_filter_exe
exit
_invalid_parameter_noinfo_noreturn
_invalid_parameter_noinfo
_exit
_cexit
strerror
__sys_nerr
_crt_atexit
_resetstkoflw
_getpid
_errno
_beginthreadex
terminate
_get_initial_narrow_environment
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv

api-ms-win-crt-time-l1-1-0

_time64
_gmtime64

api-ms-win-crt-utility-l1-1-0

qsort
rand

api-ms-win-crt-string-l1-1-0

_strdup
wcsnlen
strncmp
wmemcpy_s
isupper
tolower
strpbrk
strcspn
strncpy
strcmp
strspn

api-ms-win-crt-convert-l1-1-0

strtol
_wtoi
atoi
strtoull
strtoul
strtoll
strtod

api-ms-win-crt-math-l1-1-0

sinf
fmodf
sqrtf
acosf
ceilf
cosf
_dsign
_dclass
__setusermatherr

api-ms-win-crt-filesystem-l1-1-0

_unlink
remove
_access
_fstat64
_stat64
_unlock_file
_lock_file

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
localeconv

Sections

.text
Size: 784KB - Virtual size: 783KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 171KB - Virtual size: 170KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2.5MB - Virtual size: 2.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

fe7cc07a8ad1f1be51205f4c8b2b9af7

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

d3d9

d3dx9_43

kernel32

user32

gdi32

advapi32

msvcp140

imm32

wininet

version

urlmon

normaliz

wldap32

crypt32

ws2_32

userenv

vcruntime140_1

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 784KB - Virtual size: 783KB

.rdata Size: 171KB - Virtual size: 170KB

.data Size: 2.5MB - Virtual size: 2.7MB

.pdata Size: 32KB - Virtual size: 31KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 784KB - Virtual size: 783KB

.rdata
Size: 171KB - Virtual size: 170KB

.data
Size: 2.5MB - Virtual size: 2.7MB

.pdata
Size: 32KB - Virtual size: 31KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 2KB - Virtual size: 1KB