Loader[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Loader.exe
Size

1013KB
MD5

121f40b877e0db403d580b0eef6ee6e5
SHA1

1198e5dc195ad02950bda3df3f156402f92cd140
SHA256

c08b31a3b9db166b695c307313df2905e1ccd0c89ca42c17b268ef2c431d4a7c
SHA512

de1f88738843b1de99933984ea5d34f1f6ea857312fb312f8f956d733e76f86e46edfcd61f13effe20a0e5064b0ad726be19644dd69d0a97a7eaba099e05b95b
SSDEEP

24576:9Xrk4uI8+GTXgSiFBZhnumcQUKU/ayTW:9XQbTQ5nnumLuJ

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Loader.exe

Files

Loader.exe
.exe windows:6 windows x64 arch:x64

Password: 123

3725abb7a8e75dc8a7290fd896b6ed64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\Source_c\Source c++\x64\Release\Loader.pdb

Imports

d3dx9_43

D3DXCreateTextureFromFileInMemoryEx

kernel32

FindFirstFileW
OutputDebugStringW
FindNextFileW
FindClose
InitializeSListHead
GetSystemTimeAsFileTime
GetFileAttributesExW
GetCurrentThreadId
GetCurrentProcessId
GetStartupInfoW
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
SleepConditionVariableSRW
WakeAllConditionVariable
SetFileInformationByHandle
AcquireSRWLockExclusive
AreFileApisANSI
ReleaseSRWLockExclusive
GetFileInformationByHandleEx
CreateProcessA
CopyFileW
CreateProcessW
CloseHandle
DeleteFileW
GetLocaleInfoEx
GetFileSizeEx
CreateFileA
WaitForMultipleObjects
PeekNamedPipe
ReadFile
GetFileType
GetStdHandle
GetEnvironmentVariableA
WaitForSingleObjectEx
MoveFileExA
GetTickCount
VerifyVersionInfoA
GetSystemDirectoryA
SleepEx
LeaveCriticalSection
CreateFileW
InitializeCriticalSectionEx
DeleteCriticalSection
GetCurrentProcess
CreateThread
VirtualProtect
CreateFileMappingW
GetLastError
Sleep
WaitForSingleObject
GetTempPathW
QueryPerformanceCounter
VerifyVersionInfoW
FreeLibrary
GetModuleHandleW
VerSetConditionMask
GetProcAddress
QueryPerformanceFrequency
LoadLibraryA
GlobalUnlock
WideCharToMultiByte
GlobalLock
GlobalFree
MapViewOfFile
GlobalAlloc
UnmapViewOfFile
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
FindFirstFileExW
MultiByteToWideChar
LocalFree
EnterCriticalSection
SetLastError
FormatMessageA

user32

IsIconic
SetForegroundWindow
ReleaseCapture
GetClientRect
SetWindowLongW
ReleaseDC
GetCursorPos
SetCursor
SetCapture
LoadCursorW
OpenClipboard
SetFocus
SetLayeredWindowAttributes
GetForegroundWindow
IsChild
ClientToScreen
GetMonitorInfoW
GetCapture
ShowWindow
WindowFromPoint
RegisterClassExW
SetWindowTextW
UnregisterClassW
ScreenToClient
CreateWindowExW
EnumDisplayMonitors
MonitorFromWindow
SetWindowPos
GetDC
CloseClipboard
EmptyClipboard
GetClipboardData
SetClipboardData
SetCursorPos
BringWindowToTop
DestroyWindow
GetActiveWindow
DispatchMessageW
PeekMessageW
SetWindowDisplayAffinity
MessageBoxA
TranslateMessage
PostQuitMessage
UpdateWindow
GetWindowLongW
DefWindowProcW
AdjustWindowRectEx
GetKeyState

gdi32

GetDeviceCaps

advapi32

OpenServiceW
AddAccessAllowedAce
GetLengthSid
CryptEncrypt
GetTokenInformation
InitializeAcl
IsValidSid
SetSecurityInfo
CryptAcquireContextA
ChangeServiceConfigW
RegOpenKeyExW
RegDeleteTreeW
ControlService
OpenSCManagerW
CloseServiceHandle
RegCloseKey
CryptReleaseContext
CryptGetHashParam
CryptGenRandom
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptDestroyKey
CryptImportKey
OpenProcessToken

shell32

ShellExecuteW
ShellExecuteA

msvcp140

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Xbad_function_call@std@@YAXXZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
??1_Locinfo@std@@QEAA@XZ
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
??Bid@locale@std@@QEAA_KXZ
?_Incref@facet@locale@std@@UEAAXXZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
?_Xlength_error@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
_Strxfrm
_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Throw_Cpp_error@std@@YAXH@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?wcerr@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
?tolower@?$ctype@D@std@@QEBADD@Z
?tolower@?$ctype@D@std@@QEBAPEBDPEADPEBD@Z
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?good@ios_base@std@@QEBA_NXZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
_Xtime_get_ticks
_Thrd_detach
_Query_perf_counter
_Thrd_sleep
_Cnd_do_broadcast_at_thread_exit
_Strcoll
?_Syserror_map@std@@YAPEBDH@Z
?id@?$collate@D@std@@2V0locale@2@A
?_Random_device@std@@YAIXZ
?id@?$ctype@D@std@@2V0locale@2@A
?_Winerror_map@std@@YAHH@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ

d3d9

Direct3DCreate9

imm32

ImmReleaseContext
ImmGetContext
ImmSetCompositionWindow

urlmon

URLDownloadToFileW

normaliz

IdnToAscii

wldap32

ord217
ord143
ord46
ord211
ord60
ord45
ord50
ord41
ord22
ord26
ord27
ord32
ord33
ord35
ord79
ord30
ord200
ord301

crypt32

CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CertOpenStore
PFXImportCertStore
CryptDecodeObjectEx
CertAddCertificateContextToStore
CertFreeCertificateChain
CryptStringToBinaryA
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertFindExtension

ws2_32

ioctlsocket
closesocket
recv
send
WSAGetLastError
bind
connect
getpeername
getsockname
getsockopt
htons
ntohs
setsockopt
socket
WSASetLastError
WSAIoctl
WSAStartup
WSACleanup
accept
htonl
listen
ntohl
gethostname
sendto
freeaddrinfo
__WSAFDIsSet
recvfrom
select
getaddrinfo

rpcrt4

UuidCreate
UuidToStringA
RpcStringFreeA

psapi

GetModuleInformation

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_terminate
strstr
__C_specific_handler
__current_exception_context
__current_exception
strrchr
memset
memmove
memcpy
memcmp
memchr
_CxxThrowException
__std_exception_copy
__std_exception_destroy
strchr

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsprintf
fwrite
_lseeki64
fread
__acrt_iob_func
__stdio_common_vsscanf
_set_fmode
feof
__p__commode
fputs
fseek
fputc
_read
_write
_close
_open
fclose
_popen
_pclose
fgets
fflush
ftell
_wfopen
fopen

api-ms-win-crt-string-l1-1-0

_strdup
tolower
strpbrk
strcmp
strcspn
strspn
isupper
strncmp
strncpy

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-heap-l1-1-0

calloc
_set_new_mode
realloc
_callnewh
malloc
free

api-ms-win-crt-convert-l1-1-0

strtod
atoi
strtoul
strtoll
strtoull
strtol

api-ms-win-crt-runtime-l1-1-0

system
_errno
abort
strerror
__sys_nerr
_beginthreadex
perror
exit
_register_thread_local_exe_atexit_callback
_c_exit
_invalid_parameter_noinfo_noreturn
_exit
_initterm_e
_initterm
_get_wide_winmain_command_line
_initialize_wide_environment
_configure_wide_argv
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
terminate
_getpid

api-ms-win-crt-filesystem-l1-1-0

_unlink
_fstat64
_access
_stat64
remove

api-ms-win-crt-environment-l1-1-0

_dupenv_s

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
localeconv
_configthreadlocale

api-ms-win-crt-math-l1-1-0

_dclass
sqrtf
acosf
ceilf
cosf
fmodf
pow
sinf
sqrt
__setusermatherr

api-ms-win-crt-time-l1-1-0

_gmtime64
_time64

Sections

.text
Size: 755KB - Virtual size: 754KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 157KB - Virtual size: 157KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 64KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: 123

3725abb7a8e75dc8a7290fd896b6ed64

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

d3dx9_43

kernel32

user32

gdi32

advapi32

shell32

msvcp140

d3d9

imm32

urlmon

normaliz

wldap32

crypt32

ws2_32

rpcrt4

psapi

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-time-l1-1-0

Sections

.text Size: 755KB - Virtual size: 754KB

.rdata Size: 157KB - Virtual size: 157KB

.data Size: 64KB - Virtual size: 67KB

.pdata Size: 32KB - Virtual size: 32KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 755KB - Virtual size: 754KB

.rdata
Size: 157KB - Virtual size: 157KB

.data
Size: 64KB - Virtual size: 67KB

.pdata
Size: 32KB - Virtual size: 32KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 2KB - Virtual size: 1KB