CheraxLoader[.]exe

Resubmissions

27/07/2024, 15:15

240727-sm1bcavgjp 3

27/07/2024, 15:12

240727-sk6eksybmh 7

27/07/2024, 15:10

240727-sj3masybjf 3

Sharing

Copy URL

Twitter E-mail

General

Target

CheraxLoader.exe
Size

3.0MB
MD5

3dc5461a0e5da1860cb68ef0a9a4de99
SHA1

58e95ce8d2ef2a0abafa2b1036351d96849b8765
SHA256

76b1e254983b20b5cde0c08ed6c198592bb823068fafbd16e0efdc972373c88c
SHA512

8720e19ec2f5a1b0643cc325670b3e99f798817a93d006b25bb71f79515928cf29abae7c2ac39080e7c0e2a799623fc98df8fe337f68b8ce1fae8f0fb9c33528
SSDEEP

49152:j0HutDqxFOdeorG/bPKKi5G+oMHoW4lr7WTvJbOM/MB5rJM5:jUG2KRrw/9Mb4lmOo

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
CheraxLoader.exe

Files

CheraxLoader.exe
.exe windows:6 windows x64 arch:x64

0961d37902697a5ecc75812bc2e33909

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

Imports

kernel32

IsProcessorFeaturePresent
TerminateProcess
RtlVirtualUnwind
RtlLookupFunctionEntry
SleepConditionVariableSRW
WakeAllConditionVariable
GetFileSizeEx
WaitForSingleObjectEx
GetFileType
PeekNamedPipe
WaitForMultipleObjects
GetStdHandle
ReadFile
GetEnvironmentVariableA
VerifyVersionInfoW
SleepEx
GetTickCount
GetStartupInfoW
GetSystemTimeAsFileTime
InitializeSListHead
CreateFileA
HeapAlloc
HeapFree
MapViewOfFile
CreateNamedPipeA
VirtualFreeEx
CreateRemoteThread
CreateProcessW
VirtualAllocEx
GetProcAddress
Process32FirstW
DeleteCriticalSection
SetEvent
CreateEventW
Process32NextW
InitializeCriticalSectionEx
LeaveCriticalSection
EnterCriticalSection
LoadLibraryW
GetSystemDirectoryW
FormatMessageW
SetLastError
UnmapViewOfFile
GlobalAlloc
DisconnectNamedPipe
FreeLibrary
VerSetConditionMask
QueryPerformanceFrequency
LoadLibraryA
Sleep
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
WideCharToMultiByte
MultiByteToWideChar
GetFileInformationByHandleEx
MoveFileExW
AreFileApisANSI
SetFileInformationByHandle
GetFileAttributesExW
FindFirstFileW
FindClose
CreateFileW
CreateDirectoryW
GetLocaleInfoEx
FormatMessageA
LocalFree
CreateFileMappingA
GlobalUnlock
CreateToolhelp32Snapshot
OpenProcess
GetModuleHandleA
WriteProcessMemory
SetUnhandledExceptionFilter
GetModuleHandleW
UnhandledExceptionFilter
AddVectoredExceptionHandler
GetCurrentThread
IsDebuggerPresent
GlobalLock
CreateMutexA
GlobalFree
ConnectNamedPipe
GetModuleHandleExA
GetCurrentThreadId
GetCurrentProcess
RtlCaptureContext
QueryPerformanceCounter
WriteFile
RemoveVectoredExceptionHandler
GetLastError
GetComputerNameA
DebugBreak
CreateProcessA
GetCurrentProcessId
ExitProcess
SetFileAttributesA
GetModuleFileNameA
CloseHandle
GetFileAttributesA
GetVolumeInformationA
WaitForSingleObject

user32

GetActiveWindow
DefWindowProcW
GetWindowRect
DestroyWindow
SetWindowPos
SetActiveWindow
CreateWindowExW
UnregisterClassW
RegisterClassExW
ShowWindow
DispatchMessageW
PeekMessageW
GetForegroundWindow
TrackMouseEvent
ClientToScreen
GetCapture
LoadCursorW
GetKeyState
SetClipboardData
GetClipboardData
EmptyClipboard
CloseClipboard
OpenClipboard
SetFocus
TranslateMessage
PostQuitMessage
UpdateWindow
SetForegroundWindow
MessageBoxW
FindWindowA
MessageBoxA
GetCursorPos
SetCursorPos
ReleaseCapture
GetClientRect
SetCursor
SetCapture
ScreenToClient

advapi32

CryptDestroyKey
RegOpenKeyExW
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
GetUserNameA
CryptReleaseContext
CryptGetHashParam
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptAcquireContextW
CryptImportKey
CryptEncrypt
RegQueryValueExW

shell32

SHGetKnownFolderPath
ShellExecuteW

ole32

CoTaskMemFree

msvcp140

??1_Locinfo@std@@QEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
_Thrd_yield
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
_Tolower
_Toupper
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Init@ios_base@std@@IEAAXXZ
??0ios_base@std@@IEAA@XZ
??1ios_base@std@@UEAA@XZ
?clear@ios_base@std@@QEAAXH_N@Z
??1ctype_base@std@@UEAA@XZ
??0ctype_base@std@@QEAA@_K@Z
?do_encoding@codecvt_base@std@@MEBAHXZ
?do_max_length@codecvt_base@std@@MEBAHXZ
??1codecvt_base@std@@UEAA@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??0codecvt_base@std@@QEAA@_K@Z
?_Getctype@_Locinfo@std@@QEBA?AU_Ctypevec@@XZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?id@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@2V0locale@2@A
?_Getcat@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?put@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QEBA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@AEAVios_base@2@DPEBUtm@@PEBD3@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
??Bid@locale@std@@QEAA_KXZ
?_Incref@facet@locale@std@@UEAAXXZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
??Bios_base@std@@QEBA_NXZ
?good@ios_base@std@@QEBA_NXZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?get@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QEBA?AV?$istreambuf_iterator@DU?$char_traits@D@std@@@2@V32@0AEAVios_base@2@AEAHPEAUtm@@PEBD4@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?_Getcat@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Throw_Cpp_error@std@@YAXH@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Xbad_alloc@std@@YAXXZ
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?id@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@2V0locale@2@A
?_Winerror_map@std@@YAHH@Z
?_Xbad_function_call@std@@YAXXZ
?id@?$numpunct@D@std@@2V0locale@2@A
?_Xlength_error@std@@YAXPEBD@Z
?_Syserror_map@std@@YAPEBDH@Z
_Mtx_lock
_Cnd_do_broadcast_at_thread_exit
_Thrd_id
_Query_perf_counter
_Thrd_detach
_Xtime_get_ticks
_Thrd_join
_Mtx_unlock

d3d11

D3D11CreateDeviceAndSwapChain

winhttp

WinHttpWebSocketReceive
WinHttpQueryDataAvailable
WinHttpSetOption
WinHttpOpenRequest
WinHttpReadData
WinHttpWebSocketCompleteUpgrade
WinHttpConnect
WinHttpCloseHandle
WinHttpWebSocketClose
WinHttpWebSocketSend
WinHttpSendRequest
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpOpen

dbghelp

StackWalk64
ImageNtHeader
SymCleanup
SymGetModuleBase64
SymSetOptions
SymInitialize
SymGetLineFromAddr64
SymFunctionTableAccess64

d3dcompiler_47

D3DCompile

imm32

ImmGetContext
ImmReleaseContext
ImmSetCompositionWindow
ImmAssociateContextEx
ImmSetCandidateWindow

bcrypt

BCryptGenRandom

vcruntime140_1

__CxxFrameHandler4

vcruntime140

_CxxThrowException
__current_exception_context
__current_exception
wcschr
strchr
memset
longjmp
strrchr
strstr
memcpy
__std_terminate
__std_exception_copy
__std_exception_destroy
__C_specific_handler
memmove
memchr
memcmp
__intrinsic_setjmp

api-ms-win-crt-heap-l1-1-0

realloc
_callnewh
_set_new_mode
free
malloc
calloc

api-ms-win-crt-math-l1-1-0

_fdopen
sqrtf
_fdsign
sinf
powf
fmodf
cosf
__setusermatherr
ceilf
ldexp
_dsign
acosf
_ldsign

api-ms-win-crt-convert-l1-1-0

strtol
strtod
strtoul
strtoull
atoi
wcstombs
strtoll

api-ms-win-crt-runtime-l1-1-0

terminate
_errno
abort
_beginthreadex
_invalid_parameter_noinfo_noreturn
__sys_errlist
__sys_nerr
system
_configure_narrow_argv
_initialize_narrow_environment
_register_thread_local_exe_atexit_callback
_c_exit
_initialize_onexit_table
_exit
_initterm_e
_initterm
_get_narrow_winmain_command_line
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
exit

api-ms-win-crt-locale-l1-1-0

localeconv
___lc_codepage_func
_configthreadlocale

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsprintf
_read
__stdio_common_vsscanf
_lseeki64
fopen
fclose
fgets
fwrite
fputc
__stdio_common_vswprintf
fflush
__p__commode
fgetc
_write
_wopen
_fileno
_close
fgetpos
_wfopen
setvbuf
__acrt_iob_func
ungetc
fsetpos
fputs
fread
_set_fmode
feof
fopen_s
_fseeki64
fseek
ferror
ftell
_get_stream_buffer_pointers

api-ms-win-crt-time-l1-1-0

_time64
_gmtime64
_mktime64
_localtime64
strftime

api-ms-win-crt-filesystem-l1-1-0

_fstat64
_wstat64
_lock_file
_waccess
remove
_wstat64i32
_unlock_file
_unlink

api-ms-win-crt-string-l1-1-0

strncmp
_strdup
strncpy
_wcsdup
wcspbrk
strcspn
strspn
wcsncpy
wcsncmp
strpbrk
strcmp

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-utility-l1-1-0

qsort

ws2_32

gethostname
ioctlsocket
getaddrinfo
ntohs
freeaddrinfo
htonl
accept
WSACloseEvent
listen
recvfrom
getsockname
WSACreateEvent
select
WSASetLastError
WSASetEvent
sendto
WSAEventSelect
WSAGetLastError
WSAStartup
closesocket
WSACleanup
connect
__WSAFDIsSet
WSAEnumNetworkEvents
getpeername
getsockopt
WSAIoctl
WSAWaitForMultipleEvents
socket
send
WSAResetEvent
recv
htons
setsockopt
bind

wldap32

ord127
ord142
ord41
ord14
ord147
ord79
ord27
ord26
ord46
ord117
ord301
ord219
ord145
ord133
ord216
ord73
ord208
ord167

crypt32

CertFreeCertificateContext
CertEnumCertificatesInStore
CertCloseStore
CertFindCertificateInStore
CertOpenStore
CryptStringToBinaryW
CryptDecodeObjectEx
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
PFXImportCertStore
CertAddCertificateContextToStore
CryptQueryObject
CertGetNameStringW
CertFindExtension
CertFreeCertificateChain

Exports

Exports

curl_easy_cleanup
curl_easy_duphandle
curl_easy_escape
curl_easy_getinfo
curl_easy_header
curl_easy_init
curl_easy_nextheader
curl_easy_pause
curl_easy_perform
curl_easy_recv
curl_easy_reset
curl_easy_send
curl_easy_setopt
curl_easy_strerror
curl_easy_unescape
curl_easy_upkeep
curl_escape
curl_formadd
curl_formfree
curl_formget
curl_free
curl_getdate
curl_getenv
curl_global_cleanup
curl_global_init
curl_global_init_mem
curl_global_sslset
curl_global_trace
curl_maprintf
curl_mfprintf
curl_mime_addpart
curl_mime_data
curl_mime_data_cb
curl_mime_encoder
curl_mime_filedata
curl_mime_filename
curl_mime_free
curl_mime_headers
curl_mime_init
curl_mime_name
curl_mime_subparts
curl_mime_type
curl_mprintf
curl_msnprintf
curl_msprintf
curl_multi_add_handle
curl_multi_assign
curl_multi_cleanup
curl_multi_fdset
curl_multi_get_handles
curl_multi_info_read
curl_multi_init
curl_multi_perform
curl_multi_poll
curl_multi_remove_handle
curl_multi_setopt
curl_multi_socket
curl_multi_socket_action
curl_multi_socket_all
curl_multi_strerror
curl_multi_timeout
curl_multi_wait
curl_multi_wakeup
curl_mvaprintf
curl_mvfprintf
curl_mvprintf
curl_mvsnprintf
curl_mvsprintf
curl_share_cleanup
curl_share_init
curl_share_setopt
curl_share_strerror
curl_slist_append
curl_slist_free_all
curl_strequal
curl_strnequal
curl_unescape
curl_url
curl_url_cleanup
curl_url_dup
curl_url_get
curl_url_set
curl_url_strerror
curl_ws_meta
curl_ws_recv
curl_ws_send

Sections

.text
Size: 1.9MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1002KB - Virtual size: 1001KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 69KB - Virtual size: 69KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 67KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

0961d37902697a5ecc75812bc2e33909

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

ole32

msvcp140

d3d11

winhttp

dbghelp

d3dcompiler_47

imm32

bcrypt

vcruntime140_1

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-utility-l1-1-0

ws2_32

wldap32

crypt32

Exports

Exports

Sections

.text Size: 1.9MB - Virtual size: 1.9MB

.rdata Size: 1002KB - Virtual size: 1001KB

.data Size: 8KB - Virtual size: 12KB

.pdata Size: 69KB - Virtual size: 69KB

.rsrc Size: 67KB - Virtual size: 67KB

.reloc Size: 5KB - Virtual size: 5KB

.text
Size: 1.9MB - Virtual size: 1.9MB

.rdata
Size: 1002KB - Virtual size: 1001KB

.data
Size: 8KB - Virtual size: 12KB

.pdata
Size: 69KB - Virtual size: 69KB

.rsrc
Size: 67KB - Virtual size: 67KB

.reloc
Size: 5KB - Virtual size: 5KB