CheraxLoader[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

CheraxLoader.exe
Size

3.0MB
MD5

45aa804bf8563bf4d56704c7554593a9
SHA1

56fa3530abc14788cc079af6a4ef2924956b9445
SHA256

527b0271fe9f243197b92548ac8bd2990c8c093e9e82af3fa44edd85496a825f
SHA512

0e2f2baa09279d2808cf99721675428619476dabd7af45668c96ced37757b3c07a3cec5bb5536be29dd977816fca5b35324f32b94cfd83abefb87d1dcf04df6a
SSDEEP

49152:B7MxvbHdlsELqOsUjdyvu7/IoOpnWbLyOM42MB5rKM:B74b7TGFusoOPOP

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
CheraxLoader.exe

Files

CheraxLoader.exe
.exe windows:6 windows x64 arch:x64

860a4725082f39b4e756891e32518e39

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\kaeng\source\repos\Cherax\bin\Final\CheraxLoader.pdb

Imports

kernel32

MapViewOfFile
HeapFree
HeapAlloc
CreateFileA
InitializeSListHead
GetSystemTimeAsFileTime
GetStartupInfoW
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
RtlVirtualUnwind
RtlLookupFunctionEntry
SleepConditionVariableSRW
WakeAllConditionVariable
CreateRemoteThread
CreateProcessW
VirtualAllocEx
GetProcAddress
Process32FirstW
GetFileSizeEx
WaitForSingleObjectEx
GetFileType
PeekNamedPipe
WaitForMultipleObjects
GetStdHandle
ReadFile
SleepEx
GetEnvironmentVariableA
VerifyVersionInfoW
GetTickCount
DeleteCriticalSection
SetEvent
CreateEventW
WaitForSingleObject
InitializeCriticalSectionEx
LeaveCriticalSection
EnterCriticalSection
LoadLibraryW
Process32NextW
FormatMessageW
SetLastError
GlobalUnlock
GlobalLock
GlobalFree
GlobalAlloc
QueryPerformanceCounter
FreeLibrary
VerSetConditionMask
QueryPerformanceFrequency
LoadLibraryA
Sleep
CreateFileMappingA
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
WideCharToMultiByte
MultiByteToWideChar
GetFileInformationByHandleEx
MoveFileExW
AreFileApisANSI
SetFileInformationByHandle
GetFileAttributesExW
FindFirstFileW
FindClose
CreateFileW
CreateDirectoryW
GetLocaleInfoEx
FormatMessageA
LocalFree
CreateToolhelp32Snapshot
OpenProcess
GetModuleHandleA
WriteProcessMemory
SetUnhandledExceptionFilter
GetModuleHandleW
UnhandledExceptionFilter
AddVectoredExceptionHandler
GetCurrentThread
GetModuleHandleExA
GetCurrentThreadId
GetCurrentProcess
RtlCaptureContext
RemoveVectoredExceptionHandler
GetLastError
GetComputerNameA
DebugBreak
CreateProcessA
GetCurrentProcessId
ExitProcess
GetModuleFileNameA
SetFileAttributesA
CloseHandle
UnmapViewOfFile
VirtualFreeEx
ConnectNamedPipe
DisconnectNamedPipe
WriteFile
GetFileAttributesA
GetVolumeInformationA
CreateNamedPipeA
GetSystemDirectoryW

user32

DefWindowProcW
GetWindowRect
DestroyWindow
SetWindowPos
SetActiveWindow
CreateWindowExW
UnregisterClassW
RegisterClassExW
ShowWindow
DispatchMessageW
PeekMessageW
GetForegroundWindow
SetFocus
TranslateMessage
PostQuitMessage
UpdateWindow
GetCursorPos
SetCursorPos
MessageBoxA
MessageBoxW
FindWindowA
SetForegroundWindow
OpenClipboard
CloseClipboard
EmptyClipboard
GetClipboardData
SetClipboardData
GetKeyState
GetActiveWindow
GetClientRect
ReleaseCapture
ScreenToClient
GetCapture
ClientToScreen
TrackMouseEvent
LoadCursorW
SetCapture
SetCursor

advapi32

CryptGetHashParam
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
GetUserNameA
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptAcquireContextW
CryptImportKey
CryptEncrypt
CryptDestroyKey
CryptReleaseContext

shell32

SHGetKnownFolderPath
ShellExecuteW

ole32

CoTaskMemFree

msvcp140

?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Init@ios_base@std@@IEAAXXZ
??0ios_base@std@@IEAA@XZ
??1ios_base@std@@UEAA@XZ
?clear@ios_base@std@@QEAAXH_N@Z
??1ctype_base@std@@UEAA@XZ
??0ctype_base@std@@QEAA@_K@Z
?do_encoding@codecvt_base@std@@MEBAHXZ
?do_max_length@codecvt_base@std@@MEBAHXZ
??1codecvt_base@std@@UEAA@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??0codecvt_base@std@@QEAA@_K@Z
?_Getctype@_Locinfo@std@@QEBA?AU_Ctypevec@@XZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?id@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@2V0locale@2@A
?_Getcat@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?put@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QEBA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@AEAVios_base@2@DPEBUtm@@PEBD3@Z
?good@ios_base@std@@QEBA_NXZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??Bios_base@std@@QEBA_NXZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@J@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
_Toupper
_Tolower
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
_Thrd_yield
??0_Locinfo@std@@QEAA@PEBD@Z
??1_Locinfo@std@@QEAA@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?get@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QEBA?AV?$istreambuf_iterator@DU?$char_traits@D@std@@@2@V32@0AEAVios_base@2@AEAHPEAUtm@@PEBD4@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Getcat@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
_Mtx_unlock
_Thrd_join
_Xtime_get_ticks
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
_Thrd_detach
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
_Query_perf_counter
??Bid@locale@std@@QEAA_KXZ
?_Incref@facet@locale@std@@UEAAXXZ
_Thrd_id
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
_Cnd_do_broadcast_at_thread_exit
_Mtx_init_in_situ
_Mtx_lock
_Mtx_destroy_in_situ
?_Syserror_map@std@@YAPEBDH@Z
?_Xlength_error@std@@YAXPEBD@Z
?id@?$numpunct@D@std@@2V0locale@2@A
?_Xbad_function_call@std@@YAXXZ
?_Winerror_map@std@@YAHH@Z
?id@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@2V0locale@2@A
?_Xout_of_range@std@@YAXPEBD@Z
_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Throw_Cpp_error@std@@YAXH@Z
?uncaught_exceptions@std@@YAHXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Xbad_alloc@std@@YAXXZ
?_Xinvalid_argument@std@@YAXPEBD@Z

d3d11

D3D11CreateDeviceAndSwapChain

winhttp

WinHttpQueryDataAvailable
WinHttpWebSocketCompleteUpgrade
WinHttpReceiveResponse
WinHttpReadData
WinHttpOpen
WinHttpConnect
WinHttpWebSocketReceive
WinHttpOpenRequest
WinHttpCloseHandle
WinHttpSendRequest
WinHttpSetOption
WinHttpWebSocketSend
WinHttpQueryHeaders
WinHttpWebSocketClose

dbghelp

SymSetOptions
StackWalk64
SymInitialize
SymCleanup
SymFunctionTableAccess64
SymGetModuleBase64
ImageNtHeader
SymGetLineFromAddr64

d3dcompiler_47

D3DCompile

imm32

ImmSetCompositionWindow
ImmSetCandidateWindow
ImmGetContext
ImmReleaseContext
ImmAssociateContextEx

bcrypt

BCryptGenRandom

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__intrinsic_setjmp
memcmp
memchr
memmove
memcpy
longjmp
__C_specific_handler
strstr
strchr
strrchr
wcschr
__current_exception
__current_exception_context
_CxxThrowException
memset
__std_exception_copy
__std_exception_destroy
__std_terminate

api-ms-win-crt-heap-l1-1-0

malloc
_callnewh
calloc
free
realloc
_set_new_mode

api-ms-win-crt-math-l1-1-0

_dsign
_dclass
_fdsign
_ldsign
_fdclass
powf
sqrtf
ldexp
ceilf
__setusermatherr
acosf
_fdopen
sinf
cosf
fmodf
_ldclass

api-ms-win-crt-convert-l1-1-0

strtoll
strtod
wcstombs
strtoul
strtoull
strtol
atoi

api-ms-win-crt-runtime-l1-1-0

terminate
_errno
system
_beginthreadex
_register_onexit_function
__sys_errlist
__sys_nerr
_invalid_parameter_noinfo_noreturn
_configure_narrow_argv
_initialize_narrow_environment
_register_thread_local_exe_atexit_callback
_c_exit
_initialize_onexit_table
_exit
exit
_initterm_e
_initterm
_get_narrow_winmain_command_line
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
abort

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
localeconv
_configthreadlocale

api-ms-win-crt-stdio-l1-1-0

__p__commode
__stdio_common_vsprintf
_read
__stdio_common_vsscanf
_lseeki64
_write
fopen
fgets
fclose
fwrite
_wopen
__stdio_common_vswprintf
fputc
fputs
fflush
fgetc
_fileno
_close
_set_fmode
_wfopen
fgetpos
__acrt_iob_func
setvbuf
ungetc
ferror
fsetpos
feof
fopen_s
fread
fseek
ftell
_get_stream_buffer_pointers
_fseeki64

api-ms-win-crt-time-l1-1-0

_time64
_gmtime64
_mktime64
_localtime64
strftime

api-ms-win-crt-filesystem-l1-1-0

_wstat64i32
_unlock_file
_lock_file
_fstat64
_waccess
remove
_wstat64
_unlink

api-ms-win-crt-string-l1-1-0

strncmp
_strdup
strncpy
_wcsdup
wcspbrk
strcspn
strspn
wcsncpy
wcsncmp
strpbrk
strcmp

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-utility-l1-1-0

qsort

ws2_32

bind
getpeername
WSAWaitForMultipleEvents
sendto
recvfrom
send
socket
accept
htonl
freeaddrinfo
connect
getaddrinfo
ioctlsocket
recv
gethostname
__WSAFDIsSet
select
WSAResetEvent
htons
WSAIoctl
getsockopt
setsockopt
closesocket
WSAGetLastError
WSASetLastError
WSAEnumNetworkEvents
ntohs
WSACloseEvent
WSACreateEvent
WSACleanup
WSAStartup
WSASetEvent
listen
WSAEventSelect
getsockname

wldap32

ord26
ord127
ord46
ord117
ord301
ord79
ord147
ord219
ord133
ord73
ord208
ord167
ord14
ord41
ord142
ord27
ord216
ord145

crypt32

CertCloseStore
CertEnumCertificatesInStore
CertOpenStore
PFXImportCertStore
CryptStringToBinaryW
CryptDecodeObjectEx
CertGetCertificateChain
CertFreeCertificateChainEngine
CertAddCertificateContextToStore
CryptQueryObject
CertFreeCertificateChain
CertCreateCertificateChainEngine
CertFindCertificateInStore
CertGetNameStringW
CertFindExtension
CertFreeCertificateContext

Exports

Exports

curl_easy_cleanup
curl_easy_duphandle
curl_easy_escape
curl_easy_getinfo
curl_easy_header
curl_easy_init
curl_easy_nextheader
curl_easy_pause
curl_easy_perform
curl_easy_recv
curl_easy_reset
curl_easy_send
curl_easy_setopt
curl_easy_strerror
curl_easy_unescape
curl_easy_upkeep
curl_escape
curl_formadd
curl_formfree
curl_formget
curl_free
curl_getdate
curl_getenv
curl_global_cleanup
curl_global_init
curl_global_init_mem
curl_global_sslset
curl_global_trace
curl_maprintf
curl_mfprintf
curl_mime_addpart
curl_mime_data
curl_mime_data_cb
curl_mime_encoder
curl_mime_filedata
curl_mime_filename
curl_mime_free
curl_mime_headers
curl_mime_init
curl_mime_name
curl_mime_subparts
curl_mime_type
curl_mprintf
curl_msnprintf
curl_msprintf
curl_multi_add_handle
curl_multi_assign
curl_multi_cleanup
curl_multi_fdset
curl_multi_get_handles
curl_multi_info_read
curl_multi_init
curl_multi_perform
curl_multi_poll
curl_multi_remove_handle
curl_multi_setopt
curl_multi_socket
curl_multi_socket_action
curl_multi_socket_all
curl_multi_strerror
curl_multi_timeout
curl_multi_wait
curl_multi_wakeup
curl_mvaprintf
curl_mvfprintf
curl_mvprintf
curl_mvsnprintf
curl_mvsprintf
curl_share_cleanup
curl_share_init
curl_share_setopt
curl_share_strerror
curl_slist_append
curl_slist_free_all
curl_strequal
curl_strnequal
curl_unescape
curl_url
curl_url_cleanup
curl_url_dup
curl_url_get
curl_url_set
curl_url_strerror
curl_ws_meta
curl_ws_recv
curl_ws_send

Sections

.text
Size: 1.9MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1002KB - Virtual size: 1002KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 69KB - Virtual size: 69KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 67KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

860a4725082f39b4e756891e32518e39

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

ole32

msvcp140

d3d11

winhttp

dbghelp

d3dcompiler_47

imm32

bcrypt

vcruntime140_1

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-utility-l1-1-0

ws2_32

wldap32

crypt32

Exports

Exports

Sections

.text Size: 1.9MB - Virtual size: 1.9MB

.rdata Size: 1002KB - Virtual size: 1002KB

.data Size: 8KB - Virtual size: 12KB

.pdata Size: 69KB - Virtual size: 69KB

.rsrc Size: 67KB - Virtual size: 67KB

.reloc Size: 5KB - Virtual size: 5KB

.text
Size: 1.9MB - Virtual size: 1.9MB

.rdata
Size: 1002KB - Virtual size: 1002KB

.data
Size: 8KB - Virtual size: 12KB

.pdata
Size: 69KB - Virtual size: 69KB

.rsrc
Size: 67KB - Virtual size: 67KB

.reloc
Size: 5KB - Virtual size: 5KB