CheraxLoader[.]exe

Resubmissions

01/05/2024, 21:10

240501-z1bcpsge5w 3

01/05/2024, 21:09

240501-zzx53sge5t 3

Sharing

Copy URL Twitter E-mail

General

Target

CheraxLoader.exe
Size

2.9MB
MD5

ef98c8c3764e955edefb213ca3f97f7c
SHA1

af164d0e7735e205fd6c145f3f766e6427fac35b
SHA256

1857ce72c8115220a3a83b55300ac8acda30c9ed9f91747b7045083c8ff96be6
SHA512

3bb8eb7f1ec42236f7f8fc731663265c7d4de00f0a1cf47e7465107cd6768e9bc3d81e3a572a9807257ad69f3d26fa753c5b87d62c01e31fcd4fea92c222cfa8
SSDEEP

49152:IAUNJvdSJgDkDO7chgQUJ8J4upYrmAOYGWye4OMWMB5rc8LcM:IPIzSARptAOZOe

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
CheraxLoader.exe

Files

CheraxLoader.exe
.exe windows:6 windows x64 arch:x64

dd9bfd63f8c51affcf45502bb51cb76d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\fasbe\source\repos\ImCytox\Cherax\bin\Final\CheraxLoader.pdb

Imports

kernel32

GetModuleHandleW
CreateFileMappingA
UnmapViewOfFile
MapViewOfFile
DisconnectNamedPipe
WriteFile
CreateNamedPipeA
VirtualFreeEx
CreateRemoteThread
HeapFree
HeapAlloc
CreateFileW
FindClose
FindFirstFileW
GetFileAttributesExW
SetFileInformationByHandle
CreateProcessW
AreFileApisANSI
VirtualAllocEx
GetProcAddress
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
OpenProcess
GetModuleHandleA
WriteProcessMemory
GetLastError
CreateProcessA
FormatMessageA
MoveFileExW
GetComputerNameW
ExitProcess
SetFileAttributesA
CloseHandle
GetFileAttributesA
GetFileInformationByHandleEx
GetVolumeInformationA
MultiByteToWideChar
WideCharToMultiByte
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
Sleep
LoadLibraryA
QueryPerformanceFrequency
VerSetConditionMask
FreeLibrary
QueryPerformanceCounter
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
SetLastError
FormatMessageW
GetSystemDirectoryW
LoadLibraryW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
WaitForSingleObject
CreateEventW
SetEvent
DeleteCriticalSection
GetTickCount
VerifyVersionInfoW
GetEnvironmentVariableA
SleepEx
ReadFile
ConnectNamedPipe
GetLocaleInfoEx
GetCurrentProcessId
CreateDirectoryW
GetStdHandle
WaitForMultipleObjects
PeekNamedPipe
GetFileType
GetModuleFileNameA
WaitForSingleObjectEx
GetFileSizeEx
WakeAllConditionVariable
SleepConditionVariableSRW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
LocalFree
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
CreateFileA

user32

FindWindowA
SetForegroundWindow
UpdateWindow
PostQuitMessage
TranslateMessage
SetFocus
GetForegroundWindow
PeekMessageW
DispatchMessageW
ShowWindow
RegisterClassExW
UnregisterClassW
CreateWindowExW
SetActiveWindow
SetWindowPos
DestroyWindow
OpenClipboard
CloseClipboard
MessageBoxA
GetClipboardData
SetClipboardData
GetKeyState
ScreenToClient
GetCapture
ClientToScreen
TrackMouseEvent
LoadCursorW
SetCapture
SetCursor
GetClientRect
ReleaseCapture
SetCursorPos
GetCursorPos
GetWindowRect
DefWindowProcW
GetActiveWindow
EmptyClipboard

advapi32

CryptEncrypt
CryptDestroyKey
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptGetHashParam
CryptReleaseContext
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
GetUserNameA
CryptImportKey
CryptAcquireContextW

shell32

SHGetFolderPathA
ShellExecuteW

msvcp140

?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Init@ios_base@std@@IEAAXXZ
??0ios_base@std@@IEAA@XZ
??1ios_base@std@@UEAA@XZ
?clear@ios_base@std@@QEAAXH_N@Z
??1ctype_base@std@@UEAA@XZ
??0ctype_base@std@@QEAA@_K@Z
?do_encoding@codecvt_base@std@@MEBAHXZ
?do_max_length@codecvt_base@std@@MEBAHXZ
??1codecvt_base@std@@UEAA@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??0codecvt_base@std@@QEAA@_K@Z
?_Getctype@_Locinfo@std@@QEBA?AU_Ctypevec@@XZ
?id@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@2V0locale@2@A
_Xtime_get_ticks
?_Getcat@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?put@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QEBA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@AEAVios_base@2@DPEBUtm@@PEBD3@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
_Toupper
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
_Thrd_yield
??0_Locinfo@std@@QEAA@PEBD@Z
??1_Locinfo@std@@QEAA@XZ
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
??Bid@locale@std@@QEAA_KXZ
?_Incref@facet@locale@std@@UEAAXXZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
?good@ios_base@std@@QEBA_NXZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?get@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QEBA?AV?$istreambuf_iterator@DU?$char_traits@D@std@@@2@V32@0AEAVios_base@2@AEAHPEAUtm@@PEBD4@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Getcat@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
_Mtx_unlock
_Thrd_join
_Thrd_detach
_Query_perf_counter
_Thrd_id
_Cnd_do_broadcast_at_thread_exit
_Mtx_init_in_situ
_Mtx_lock
_Mtx_destroy_in_situ
?_Syserror_map@std@@YAPEBDH@Z
?_Xlength_error@std@@YAXPEBD@Z
?id@?$numpunct@D@std@@2V0locale@2@A
?_Xbad_function_call@std@@YAXXZ
?_Winerror_map@std@@YAHH@Z
?id@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@2V0locale@2@A
?_Xout_of_range@std@@YAXPEBD@Z
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?uncaught_exceptions@std@@YAHXZ
?_Throw_Cpp_error@std@@YAXH@Z
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
_Query_perf_frequency
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@J@Z
_Tolower

d3d11

D3D11CreateDeviceAndSwapChain

winhttp

WinHttpQueryDataAvailable
WinHttpWebSocketCompleteUpgrade
WinHttpReadData
WinHttpWebSocketClose
WinHttpWebSocketSend
WinHttpQueryHeaders
WinHttpSendRequest
WinHttpOpen
WinHttpReceiveResponse
WinHttpCloseHandle
WinHttpWebSocketReceive
WinHttpOpenRequest
WinHttpSetOption
WinHttpConnect

d3dcompiler_47

D3DCompile

imm32

ImmSetCandidateWindow
ImmGetContext
ImmReleaseContext
ImmSetCompositionWindow
ImmAssociateContextEx

bcrypt

BCryptGenRandom

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memset
__intrinsic_setjmp
_CxxThrowException
__C_specific_handler
__current_exception_context
__current_exception
memcmp
wcschr
memchr
strrchr
strchr
strstr
__std_terminate
memmove
memcpy
longjmp
__std_exception_copy
__std_exception_destroy

api-ms-win-crt-heap-l1-1-0

realloc
_callnewh
malloc
calloc
_set_new_mode
free

api-ms-win-crt-math-l1-1-0

powf
sqrtf
sinf
_fdopen
ldexp
fmodf
cosf
ceilf
acosf
_ldclass
_fdclass
_ldsign
_fdsign
_dclass
_dsign
__setusermatherr

api-ms-win-crt-convert-l1-1-0

wcstombs
atoi
strtoull
strtoul
strtoll
strtod
strtol

api-ms-win-crt-runtime-l1-1-0

terminate
_errno
__sys_errlist
_beginthreadex
__sys_nerr
system
_invalid_parameter_noinfo_noreturn
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_thread_local_exe_atexit_callback
_c_exit
_register_onexit_function
_exit
exit
_initterm_e
_initterm
_get_narrow_winmain_command_line
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
abort

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
_configthreadlocale
localeconv

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsprintf
_read
_write
__stdio_common_vsscanf
_lseeki64
_fileno
fopen
fgets
__p__commode
fwrite
_wopen
__stdio_common_vswprintf
fputc
fflush
fputs
fgetc
_close
_wfopen
fclose
fgetpos
setvbuf
__acrt_iob_func
ungetc
fsetpos
_set_fmode
fread
feof
fopen_s
_fseeki64
fseek
ferror
ftell
_get_stream_buffer_pointers

api-ms-win-crt-filesystem-l1-1-0

_unlock_file
_fstat64
_stat64i32
remove
_wstat64
_waccess
_lock_file
_unlink

api-ms-win-crt-string-l1-1-0

strncmp
strcmp
strncpy
_wcsdup
wcspbrk
strcspn
_strdup
strspn
wcsncpy
wcsncmp
strpbrk

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-time-l1-1-0

_time64
_mktime64
strftime
_gmtime64

api-ms-win-crt-utility-l1-1-0

qsort

ws2_32

__WSAFDIsSet
connect
select
htons
WSAIoctl
setsockopt
closesocket
WSAGetLastError
WSASetLastError
ntohs
socket
WSACloseEvent
WSACreateEvent
WSASetEvent
gethostname
ioctlsocket
getaddrinfo
freeaddrinfo
htonl
WSAEventSelect
send
WSAResetEvent
getsockname
getpeername
accept
listen
WSAWaitForMultipleEvents
getsockopt
bind
WSAStartup
recv
WSACleanup
sendto
WSAEnumNetworkEvents
recvfrom

wldap32

ord127
ord46
ord117
ord301
ord219
ord27
ord26
ord133
ord145
ord73
ord216
ord142
ord41
ord167
ord208
ord14
ord147
ord79

crypt32

CertOpenStore
CertFreeCertificateContext
PFXImportCertStore
CryptStringToBinaryW
CertCloseStore
CertFindCertificateInStore
CryptDecodeObjectEx
CertGetCertificateChain
CertFreeCertificateChainEngine
CertAddCertificateContextToStore
CryptQueryObject
CertFreeCertificateChain
CertGetNameStringW
CertFindExtension
CertCreateCertificateChainEngine
CertEnumCertificatesInStore

Exports

Exports

curl_easy_cleanup
curl_easy_duphandle
curl_easy_escape
curl_easy_getinfo
curl_easy_header
curl_easy_init
curl_easy_nextheader
curl_easy_pause
curl_easy_perform
curl_easy_recv
curl_easy_reset
curl_easy_send
curl_easy_setopt
curl_easy_strerror
curl_easy_unescape
curl_easy_upkeep
curl_escape
curl_formadd
curl_formfree
curl_formget
curl_free
curl_getdate
curl_getenv
curl_global_cleanup
curl_global_init
curl_global_init_mem
curl_global_sslset
curl_global_trace
curl_maprintf
curl_mfprintf
curl_mime_addpart
curl_mime_data
curl_mime_data_cb
curl_mime_encoder
curl_mime_filedata
curl_mime_filename
curl_mime_free
curl_mime_headers
curl_mime_init
curl_mime_name
curl_mime_subparts
curl_mime_type
curl_mprintf
curl_msnprintf
curl_msprintf
curl_multi_add_handle
curl_multi_assign
curl_multi_cleanup
curl_multi_fdset
curl_multi_get_handles
curl_multi_info_read
curl_multi_init
curl_multi_perform
curl_multi_poll
curl_multi_remove_handle
curl_multi_setopt
curl_multi_socket
curl_multi_socket_action
curl_multi_socket_all
curl_multi_strerror
curl_multi_timeout
curl_multi_wait
curl_multi_wakeup
curl_mvaprintf
curl_mvfprintf
curl_mvprintf
curl_mvsnprintf
curl_mvsprintf
curl_share_cleanup
curl_share_init
curl_share_setopt
curl_share_strerror
curl_slist_append
curl_slist_free_all
curl_strequal
curl_strnequal
curl_unescape
curl_url
curl_url_cleanup
curl_url_dup
curl_url_get
curl_url_set
curl_url_strerror
curl_ws_meta
curl_ws_recv
curl_ws_send

Sections

.text
Size: 1.8MB - Virtual size: 1.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 996KB - Virtual size: 995KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 69KB - Virtual size: 69KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 67KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

dd9bfd63f8c51affcf45502bb51cb76d

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

msvcp140

d3d11

winhttp

d3dcompiler_47

imm32

bcrypt

vcruntime140_1

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-utility-l1-1-0

ws2_32

wldap32

crypt32

Exports

Exports

Sections

.text Size: 1.8MB - Virtual size: 1.8MB

.rdata Size: 996KB - Virtual size: 995KB

.data Size: 8KB - Virtual size: 11KB

.pdata Size: 69KB - Virtual size: 69KB

.rsrc Size: 67KB - Virtual size: 67KB

.reloc Size: 5KB - Virtual size: 5KB

.text
Size: 1.8MB - Virtual size: 1.8MB

.rdata
Size: 996KB - Virtual size: 995KB

.data
Size: 8KB - Virtual size: 11KB

.pdata
Size: 69KB - Virtual size: 69KB

.rsrc
Size: 67KB - Virtual size: 67KB

.reloc
Size: 5KB - Virtual size: 5KB