loader[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

loader.exe
Size

2.7MB
MD5

b491e89725b84371dfdab1b03977b715
SHA1

41cddb0e8cbb6ef9cb043f4ffeaa62098a4ddbaa
SHA256

303dd0b23f044930913178aba804a922d570c623b986980047779f59a16e9698
SHA512

32ebca65662f1f68e8663fd677cf66ceb3ecda3743697df9a95789cca74e43dc0ed5764dc6426f208cc7ca82a512b7d5ae37e0d17003d3efcfa6c64c57624e09
SSDEEP

49152:2kgnS403tjI6g0b8m0ErvonStAAAttWpbxhnrbhWOmSc+Hy7:V603ZRrtAAywxN961N

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
loader.exe

Files

loader.exe
.exe windows:6 windows x64 arch:x64

8393ff6869b8ca723fd9984be32bc83e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

SleepConditionVariableSRW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
GetCurrentProcessId
GlobalAlloc
GetSystemTimeAsFileTime
InitializeSListHead
CreateFileA
WakeAllConditionVariable
GlobalFree
AcquireSRWLockExclusive
GlobalUnlock
WideCharToMultiByte
GlobalLock
ReadFile
CloseHandle
HeapAlloc
HeapFree
QueryPerformanceCounter
FreeLibrary
MapViewOfFile
UnmapViewOfFile
CreateFileMappingA
ReleaseSRWLockExclusive
GetProcAddress
QueryPerformanceFrequency
LoadLibraryA
GetFileSizeEx
MultiByteToWideChar
GetCurrentThreadId

user32

DestroyWindow
ShowWindow
PostQuitMessage
SetWindowPos
DefWindowProcA
UnregisterClassA
UpdateWindow
SetLayeredWindowAttributes
GetWindowLongA
SetWindowLongA
GetSystemMetrics
CreateWindowExW
RegisterClassExW
LoadIconA
OpenClipboard
CloseClipboard
EmptyClipboard
GetClipboardData
SetClipboardData
GetKeyState
GetMessageExtraInfo
LoadCursorA
GetWindowRect
MessageBoxA
PeekMessageA
TranslateMessage
DispatchMessageA
GetCursorPos
SetCursorPos
ReleaseCapture
IsWindowUnicode
GetClientRect
SetCursor
SetCapture
GetForegroundWindow
TrackMouseEvent
ClientToScreen
GetCapture
ScreenToClient

advapi32

FreeSid
AllocateAndInitializeSid
CheckTokenMembership

msvcp140

??Bid@locale@std@@QEAA_KXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?_Xlength_error@std@@YAXPEBD@Z
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z

d3d11

D3D11CreateDeviceAndSwapChain

d3dx11_43

D3DX11CreateShaderResourceViewFromMemory

d3dcompiler_43

D3DCompile

dwmapi

DwmExtendFrameIntoClientArea

imm32

ImmSetCompositionWindow
ImmReleaseContext
ImmGetContext
ImmSetCandidateWindow

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memcmp
memchr
memmove
memcpy
longjmp
strrchr
_CxxThrowException
memset
__current_exception_context
__current_exception
__C_specific_handler
strstr
__std_exception_destroy
__std_exception_copy
__std_terminate
__intrinsic_setjmp

api-ms-win-crt-runtime-l1-1-0

_initterm
_initterm_e
exit
_exit
_invalid_parameter_noinfo_noreturn
_c_exit
_register_thread_local_exe_atexit_callback
_set_app_type
_configure_narrow_argv
system
_seh_filter_exe
terminate
_register_onexit_function
_initialize_narrow_environment
_cexit
_crt_atexit
_get_narrow_winmain_command_line
_initialize_onexit_table

api-ms-win-crt-stdio-l1-1-0

__acrt_iob_func
__stdio_common_vsscanf
fclose
_get_stream_buffer_pointers
fseek
ftell
_wfopen
fread
fwrite
fgetpos
_fseeki64
fsetpos
setvbuf
fflush
__p__commode
ungetc
fputc
fgetc
_set_fmode
__stdio_common_vfprintf
__stdio_common_vsprintf

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_unlock_file

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-string-l1-1-0

strncpy
strncmp
strcmp

api-ms-win-crt-heap-l1-1-0

free
malloc
_set_new_mode
_callnewh

api-ms-win-crt-convert-l1-1-0

strtol

api-ms-win-crt-math-l1-1-0

powf
sinf
sqrtf
acosf
ceilf
cosf
fmodf
__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 661KB - Virtual size: 660KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 987KB - Virtual size: 986KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

8393ff6869b8ca723fd9984be32bc83e

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

msvcp140

d3d11

d3dx11_43

d3dcompiler_43

dwmapi

imm32

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 661KB - Virtual size: 660KB

.rdata Size: 987KB - Virtual size: 986KB

.data Size: 1.1MB - Virtual size: 1.1MB

.pdata Size: 32KB - Virtual size: 32KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 3KB - Virtual size: 3KB

.text
Size: 661KB - Virtual size: 660KB

.rdata
Size: 987KB - Virtual size: 986KB

.data
Size: 1.1MB - Virtual size: 1.1MB

.pdata
Size: 32KB - Virtual size: 32KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 3KB - Virtual size: 3KB