loader[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

loader.zip
Size

10.7MB
MD5

3e0e43373510168d70847b71982d9024
SHA1

2a906a628430db9c2ebca23de09e36b8b0117124
SHA256

b24343313d60586f9ae366956a823c4297a780beafe8995c0bfe68812095cdf0
SHA512

65cd2fe1f6e98ab7ed5f4130f6b973783b46e675b5a2be467e4f8de798665d47ec30057dc1f2eac620ec6330b8b4e786119affa3ae6f5b75c6424c63f7e50dd6
SSDEEP

196608:q8vBuV89JT1pzBwQACuuuafv7IDa9Nd2qumpWxdCVDT1PXHtIVtj:q8vBMq5tBwQKuuaXc29NdMqkCVDT1yV1

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/loader.exe
unpack001/updater.exe

Files

loader.zip
.zip
loader.exe
.exe windows:6 windows x64 arch:x64

4d129d40088b9643bc4e55b735839515

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

loader.pdb

Imports

bcryptprimitives

ProcessPrng

api-ms-win-core-synch-l1-2-0

WaitOnAddress
WakeByAddressSingle
WakeByAddressAll

secur32

LsaFreeReturnBuffer
LsaGetLogonSessionData
LsaEnumerateLogonSessions

kernel32

UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
GetSystemTimeAsFileTime
InitializeSListHead
GetTempPathW
GetFullPathNameW
CreateThread
CloseHandle
CreateToolhelp32Snapshot
Process32First
Process32Next
TerminateProcess
GetModuleHandleA
GetProcAddress
GetCurrentThreadId
GetCurrentProcessId
RtlVirtualUnwind
GetComputerNameExW
LoadLibraryExW
FreeLibrary
CreateEventA
GetLogicalProcessorInformationEx
GetTickCount64
GlobalMemoryStatusEx
GetLogicalDrives
GetDiskFreeSpaceExW
GetProcessTimes
GetExitCodeProcess
GetLastError
LocalFree
GetSystemInfo
GetProcessHeap
HeapAlloc
HeapFree
OpenProcess
GetSystemTimes
GetProcessIoCounters
VirtualQueryEx
ReadProcessMemory
CreateFileW
GetDriveTypeW
GetVolumeInformationW
DeviceIoControl
GetCurrentProcess
WaitForSingleObject
UnmapViewOfFile
CreateFileMappingW
MapViewOfFile
DuplicateHandle
VirtualProtect
LoadLibraryA
LoadLibraryExA
FormatMessageW
Sleep
GlobalLock
GlobalSize
GlobalAlloc
GlobalFree
WideCharToMultiByte
MultiByteToWideChar
GlobalUnlock
SetHandleInformation
CreateIoCompletionPort
GetQueuedCompletionStatusEx
PostQueuedCompletionStatus
SetFileCompletionNotificationModes
QueryPerformanceFrequency
QueryPerformanceCounter
RemoveVectoredExceptionHandler
GetModuleHandleW
AddVectoredExceptionHandler
GetModuleFileNameW
SetThreadErrorMode
GetCurrentThread
RtlCaptureContext
RtlLookupFunctionEntry
ReleaseMutex
WaitForSingleObjectEx
CreateMutexA
GetConsoleMode
GetUserPreferredUILanguages
FreeEnvironmentStringsW
DeleteProcThreadAttributeList
CompareStringOrdinal
SetThreadStackGuarantee
SwitchToThread
CreateWaitableTimerExW
SetWaitableTimer
SetLastError
GetCurrentDirectoryW
GetEnvironmentStringsW
GetEnvironmentVariableW
GetCommandLineW
SetFileInformationByHandle
SetFilePointerEx
GetStdHandle
WriteFileEx
SleepEx
GetSystemTimePreciseAsFileTime
HeapReAlloc
lstrlenW
FindNextFileW
FindClose
GetFileInformationByHandle
GetFileInformationByHandleEx
FindFirstFileW
DeleteFileW
GetFinalPathNameByHandleW
ExitProcess
CreateNamedPipeW
ReadFileEx
GetSystemDirectoryW
GetWindowsDirectoryW
CreateProcessW
GetFileAttributesW
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
WriteConsoleW

ntdll

NtQueryInformationProcess
RtlAdjustPrivilege
NtLoadDriver
NtWriteFile
NtReadFile
NtCreateFile
NtDeviceIoControlFile
RtlNtStatusToDosError
NtQuerySystemInformation
NtCancelIoFileEx
NtUnloadDriver
RtlGetVersion

user32

DestroyWindow
SetWindowLongPtrW
ValidateRect
PostThreadMessageW
PeekMessageW
GetUpdateRect
RedrawWindow
DefWindowProcW
PostMessageW
RegisterRawInputDevices
GetMenu
LoadCursorW
SetCursor
MonitorFromRect
TrackMouseEvent
GetTouchInputInfo
ScreenToClient
CloseTouchInputHandle
IsProcessDPIAware
CloseClipboard
IsIconic
GetWindowRect
GetCursorPos
MonitorFromWindow
ShowCursor
ClipCursor
GetClipCursor
GetMonitorInfoW
ClientToScreen
AdjustWindowRectEx
GetWindowLongW
SetWindowLongW
EnableMenuItem
GetSystemMenu
GetDC
SetForegroundWindow
SendInput
MapVirtualKeyW
CreateIcon
SetClipboardData
EmptyClipboard
SetWindowTextW
MonitorFromPoint
ToUnicodeEx
GetKeyboardLayout
GetClipboardData
OpenClipboard
GetKeyboardState
GetKeyState
GetRawInputData
SetWindowPos
SystemParametersInfoA
SendMessageW
DestroyIcon
TranslateMessage
MessageBoxA
MessageBoxW
InvalidateRgn
SetWindowPlacement
GetWindowPlacement
ChangeDisplaySettingsExW
SetCapture
DispatchMessageW
RegisterTouchWindow
GetSystemMetrics
SetWindowDisplayAffinity
MsgWaitForMultipleObjectsEx
GetWindowLongPtrW
RegisterWindowMessageA
GetMessageW
MapVirtualKeyA
CreateWindowExW
RegisterClassExW
IsWindowVisible
ReleaseCapture
GetClientRect
GetForegroundWindow
FlashWindowEx
GetActiveWindow
ShowWindow

ole32

CoUninitialize
CoSetProxyBlanket
CoCreateInstance
RevokeDragDrop
RegisterDragDrop
CoInitializeEx
OleInitialize
CoInitializeSecurity

psapi

GetPerformanceInfo
GetModuleFileNameExW
GetModuleFileNameExA

gdi32

GetDeviceCaps
CreateRectRgn
StretchDIBits
DeleteObject

dwmapi

DwmEnableBlurBehindWindow

ws2_32

getsockname
getpeername
getaddrinfo
freeaddrinfo
closesocket
WSACleanup
WSAStartup
WSASocketW
bind
connect
WSAGetLastError
WSAIoctl
setsockopt
WSASend
send
recv
shutdown
getsockopt
ioctlsocket

advapi32

RegDeleteTreeW
RegCreateKeyW
RegSetKeyValueW
RegOpenKeyExW
RegCloseKey
GetTokenInformation
OpenProcessToken
RegQueryValueExW
LookupAccountSidW
CopySid
GetLengthSid
IsValidSid
GetUserNameW
SystemFunction036

pdh

PdhOpenQueryA
PdhCollectQueryData
PdhAddEnglishCounterW
PdhRemoveCounter
PdhGetFormattedCounterValue
PdhCloseQuery

powrprof

CallNtPowerInformation

oleaut32

SafeArrayUnaccessData
SafeArrayGetLBound
SysFreeString
SysAllocStringLen
SafeArrayGetUBound
SysStringLen
SysAllocString
GetErrorInfo
SafeArrayAccessData
VariantClear

shell32

DragQueryFileW
DragFinish
CommandLineToArgvW

iphlpapi

GetIfEntry2
FreeMibTable
GetIfTable2
GetAdaptersAddresses

netapi32

NetUserGetLocalGroups
NetUserEnum
NetApiBufferFree
NetUserGetInfo

winmm

timeEndPeriod
timeBeginPeriod
timeGetDevCaps

uxtheme

SetWindowTheme

imm32

ImmAssociateContextEx
ImmGetCompositionStringW
ImmReleaseContext
ImmGetContext

d3dcompiler_47

D3DCompile

bcrypt

BCryptGenRandom

userenv

GetUserProfileDirectoryW

vcruntime140

__current_exception_context
__current_exception
__C_specific_handler
_CxxThrowException
memcmp
memmove
memset
memcpy
__CxxFrameHandler3

api-ms-win-crt-math-l1-1-0

atan2
fmod
cos
tan
ceil
pow
fmodf
tanf
__setusermatherr
sinf
exp2
floorf
fmaf
roundf
round
acosf
ceilf
truncf
floor
acos
sin
trunc
expf
powf
exp2f
cosf

api-ms-win-crt-string-l1-1-0

wcslen
strlen

api-ms-win-crt-heap-l1-1-0

malloc
free
_set_new_mode

api-ms-win-crt-stdio-l1-1-0

_set_fmode
__p__commode

api-ms-win-crt-runtime-l1-1-0

terminate
strerror
_crt_atexit
_exit
_initterm_e
_register_onexit_function
_initterm
__p___argc
__p___argv
_cexit
_c_exit
_register_thread_local_exe_atexit_callback
_get_initial_narrow_environment
_initialize_narrow_environment
_initialize_onexit_table
_configure_narrow_argv
_seh_filter_exe
exit
_set_app_type

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 11.5MB - Virtual size: 11.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4.3MB - Virtual size: 4.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 18KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 453KB - Virtual size: 452KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 888B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 70KB - Virtual size: 69KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
updater.exe
.exe windows:6 windows x64 arch:x64

93cce1d2707c652f2723c37ad887f93a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

updater.pdb

Imports

bcryptprimitives

ProcessPrng

api-ms-win-core-synch-l1-2-0

WakeByAddressAll
WakeByAddressSingle
WaitOnAddress

user32

PostThreadMessageW
DefWindowProcW
ChangeDisplaySettingsExW
GetWindowPlacement
SetWindowPos
SetWindowPlacement
InvalidateRgn
ValidateRect
GetUpdateRect
RegisterClassExW
ScreenToClient
GetMenu
MonitorFromRect
TrackMouseEvent
CreateIcon
GetMessageW
SetWindowLongPtrW
AdjustWindowRectEx
GetWindowLongW
SetWindowLongW
SendMessageW
EnableMenuItem
GetSystemMenu
ShowWindow
MapVirtualKeyA
IsIconic
GetTouchInputInfo
FlashWindowEx
SetCursor
ClipCursor
GetClipCursor
ShowCursor
CloseTouchInputHandle
GetRawInputData
GetCursorPos
MonitorFromWindow
GetWindowRect
LoadCursorW
ClientToScreen
DestroyWindow
SetForegroundWindow
GetMonitorInfoW
GetClientRect
GetWindowLongPtrW
DispatchMessageW
SendInput
MapVirtualKeyW
TranslateMessage
PeekMessageW
SetWindowTextW
MonitorFromPoint
ToUnicodeEx
GetKeyboardLayout
GetKeyboardState
GetKeyState
GetSystemMetrics
SystemParametersInfoA
IsProcessDPIAware
DestroyIcon
SetCapture
RegisterTouchWindow
MsgWaitForMultipleObjectsEx
RedrawWindow
RegisterWindowMessageA
RegisterRawInputDevices
PostMessageW
CloseClipboard
GetDC
CreateWindowExW
SetClipboardData
EmptyClipboard
GetClipboardData
OpenClipboard
SetWindowDisplayAffinity
IsWindowVisible
ReleaseCapture
GetForegroundWindow
GetActiveWindow

kernel32

GlobalSize
GetCurrentThreadId
CloseHandle
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GlobalAlloc
GetProcAddress
GlobalFree
GetFullPathNameW
CreateThread
WriteConsoleW
UpdateProcThreadAttribute
InitializeProcThreadAttributeList
GetFileAttributesW
CreateProcessW
RtlVirtualUnwind
GetLastError
Sleep
FormatMessageW
LoadLibraryA
GetWindowsDirectoryW
GetSystemDirectoryW
ReadFileEx
CreateNamedPipeW
ExitProcess
GetFinalPathNameByHandleW
SetHandleInformation
FindFirstFileW
CreateDirectoryW
GetFileInformationByHandleEx
GetFileInformationByHandle
WideCharToMultiByte
FindClose
FindNextFileW
HeapReAlloc
GetSystemTimePreciseAsFileTime
TerminateProcess
CreateIoCompletionPort
GetQueuedCompletionStatusEx
SleepEx
PostQueuedCompletionStatus
WriteFileEx
SetFileCompletionNotificationModes
GetStdHandle
QueryPerformanceFrequency
QueryPerformanceCounter
WaitForSingleObject
RemoveVectoredExceptionHandler
LoadLibraryExW
GetModuleHandleW
AddVectoredExceptionHandler
MultiByteToWideChar
SetFilePointerEx
FreeLibrary
GetModuleFileNameW
SetThreadErrorMode
RtlCaptureContext
RtlLookupFunctionEntry
ReleaseMutex
GetCurrentProcess
WaitForSingleObjectEx
GetCurrentProcessId
CreateMutexA
lstrlenW
GetProcessHeap
HeapFree
SetFileInformationByHandle
HeapAlloc
GetCommandLineW
GetEnvironmentVariableW
CreateEventA
GetConsoleMode
GetModuleHandleA
GetSystemInfo
GetUserPreferredUILanguages
CreateFileMappingW
MapViewOfFile
DuplicateHandle
UnmapViewOfFile
VirtualProtect
GlobalLock
CreateFileW
GlobalUnlock
GetEnvironmentStringsW
GetCurrentDirectoryW
FreeEnvironmentStringsW
DeleteProcThreadAttributeList
CompareStringOrdinal
SetThreadStackGuarantee
GetCurrentThread
SwitchToThread
SetLastError
IsProcessorFeaturePresent

ole32

CoCreateInstance
CoUninitialize
RevokeDragDrop
CoInitializeEx
OleInitialize
RegisterDragDrop

gdi32

CreateRectRgn
GetDeviceCaps
DeleteObject
StretchDIBits

dwmapi

DwmEnableBlurBehindWindow

advapi32

RegQueryValueExW
RegOpenKeyExW
RegCloseKey
SystemFunction036

ws2_32

WSAStartup
getsockname
getpeername
WSASocketW
bind
connect
ioctlsocket
getsockopt
shutdown
recv
send
WSASend
setsockopt
WSAIoctl
getaddrinfo
WSAGetLastError
freeaddrinfo
closesocket
WSACleanup

shell32

DragFinish
DragQueryFileW

winmm

timeGetDevCaps
timeEndPeriod
timeBeginPeriod

uxtheme

SetWindowTheme

imm32

ImmGetCompositionStringW
ImmGetContext
ImmAssociateContextEx
ImmReleaseContext

ntdll

NtCancelIoFileEx
NtReadFile
RtlNtStatusToDosError
NtDeviceIoControlFile
NtWriteFile
NtCreateFile

d3dcompiler_47

D3DCompile

oleaut32

SysFreeString
GetErrorInfo
SysStringLen

bcrypt

BCryptGenRandom

userenv

GetUserProfileDirectoryW

vcruntime140

__current_exception_context
__current_exception
__CxxFrameHandler3
memcmp
memmove
memset
memcpy
__C_specific_handler

api-ms-win-crt-math-l1-1-0

fmodf
fmaf
sin
ceilf
tanf
powf
exp2f
trunc
tan
floor
_hypotf
acosf
cosf
roundf
floorf
sinf
__setusermatherr
cos
expf
ceil
pow
round
truncf
acos
fmod
atan2
exp2

api-ms-win-crt-runtime-l1-1-0

_initialize_narrow_environment
_get_initial_narrow_environment
_set_app_type
_initterm_e
exit
_exit
_initterm
_configure_narrow_argv
__p___argc
__p___argv
_cexit
_c_exit
_register_thread_local_exe_atexit_callback
terminate
strerror
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_seh_filter_exe

api-ms-win-crt-string-l1-1-0

strlen

api-ms-win-crt-stdio-l1-1-0

_set_fmode
__p__commode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-heap-l1-1-0

free
_set_new_mode

Sections

.text
Size: 8.1MB - Virtual size: 8.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2.5MB - Virtual size: 2.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 136KB - Virtual size: 135KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 61KB - Virtual size: 61KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4d129d40088b9643bc4e55b735839515

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

bcryptprimitives

api-ms-win-core-synch-l1-2-0

secur32

kernel32

ntdll

user32

ole32

psapi

gdi32

dwmapi

ws2_32

advapi32

pdh

powrprof

oleaut32

shell32

iphlpapi

netapi32

winmm

uxtheme

imm32

d3dcompiler_47

bcrypt

userenv

vcruntime140

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 11.5MB - Virtual size: 11.5MB

.rdata Size: 4.3MB - Virtual size: 4.3MB

.data Size: 18KB - Virtual size: 20KB

.pdata Size: 453KB - Virtual size: 452KB

.rsrc Size: 1024B - Virtual size: 888B

.reloc Size: 70KB - Virtual size: 69KB

93cce1d2707c652f2723c37ad887f93a

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

bcryptprimitives

api-ms-win-core-synch-l1-2-0

user32

kernel32

ole32

gdi32

dwmapi

advapi32

ws2_32

shell32

winmm

uxtheme

imm32

ntdll

d3dcompiler_47

oleaut32

bcrypt

userenv

vcruntime140

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-heap-l1-1-0

.text
Size: 11.5MB - Virtual size: 11.5MB

.rdata
Size: 4.3MB - Virtual size: 4.3MB

.data
Size: 18KB - Virtual size: 20KB

.pdata
Size: 453KB - Virtual size: 452KB

.rsrc
Size: 1024B - Virtual size: 888B

.reloc
Size: 70KB - Virtual size: 69KB

.text
Size: 8.1MB - Virtual size: 8.1MB

.rdata
Size: 2.5MB - Virtual size: 2.5MB

.data
Size: 14KB - Virtual size: 16KB

.pdata
Size: 136KB - Virtual size: 135KB

.reloc
Size: 61KB - Virtual size: 61KB