Static task
static1
General
-
Target
CheraxLoader.exe
-
Size
3.0MB
-
MD5
6df14535c7bac998a171a5052d762ae5
-
SHA1
393fd9a67c838affb7a3526a42a9dba28e121aa1
-
SHA256
aadcb77869b2ccca40792b686c8980b4858b6111a8acf3793cf7747006408878
-
SHA512
f6b0482f1e676ad34eb4e4b7ae84ce3fd31b043c8f03dfe1fe6cef6024e75f76721bf129d66f9793b2f11c74b2095a2a5490180d62091953a5d3f4cab0ba61f2
-
SSDEEP
49152:FZWlAGt5JSinfg9eT4tI5iFORocMcobl7jWUFMOMdMB5rRnL9+:F2/cy2ecSicyblsOX
Malware Config
Signatures
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource CheraxLoader.exe
Files
-
CheraxLoader.exe.exe windows:6 windows x64 arch:x64
ca5e80d14c235f67b1ea3f425dd0e8b9
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
kernel32
IsProcessorFeaturePresent
TerminateProcess
RtlVirtualUnwind
RtlLookupFunctionEntry
SleepConditionVariableSRW
WakeAllConditionVariable
GetFileSizeEx
WaitForSingleObjectEx
GetFileType
PeekNamedPipe
WaitForMultipleObjects
GetStdHandle
ReadFile
GetEnvironmentVariableA
VerifyVersionInfoW
SleepEx
GetTickCount
GetStartupInfoW
GetSystemTimeAsFileTime
InitializeSListHead
CreateFileA
HeapAlloc
HeapFree
MapViewOfFile
CreateNamedPipeA
VirtualFreeEx
CreateRemoteThread
CreateProcessW
VirtualAllocEx
GetProcAddress
Process32FirstW
DeleteCriticalSection
SetEvent
CreateEventW
Process32NextW
InitializeCriticalSectionEx
LeaveCriticalSection
EnterCriticalSection
LoadLibraryW
GetSystemDirectoryW
FormatMessageW
SetLastError
UnmapViewOfFile
GlobalAlloc
DisconnectNamedPipe
FreeLibrary
VerSetConditionMask
QueryPerformanceFrequency
LoadLibraryA
Sleep
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
WideCharToMultiByte
MultiByteToWideChar
GetFileInformationByHandleEx
MoveFileExW
AreFileApisANSI
SetFileInformationByHandle
GetFileAttributesExW
FindFirstFileW
FindClose
CreateFileW
CreateDirectoryW
GetLocaleInfoEx
FormatMessageA
LocalFree
CreateFileMappingA
GlobalUnlock
CreateToolhelp32Snapshot
OpenProcess
GetModuleHandleA
WriteProcessMemory
SetUnhandledExceptionFilter
GetModuleHandleW
UnhandledExceptionFilter
AddVectoredExceptionHandler
GetCurrentThread
IsDebuggerPresent
GlobalLock
CreateMutexA
GlobalFree
ConnectNamedPipe
GetModuleHandleExA
GetCurrentThreadId
GetCurrentProcess
RtlCaptureContext
QueryPerformanceCounter
WriteFile
RemoveVectoredExceptionHandler
GetLastError
GetComputerNameA
DebugBreak
CreateProcessA
GetCurrentProcessId
ExitProcess
SetFileAttributesA
GetModuleFileNameA
CloseHandle
GetFileAttributesA
GetVolumeInformationA
WaitForSingleObject
user32
GetActiveWindow
DefWindowProcW
GetWindowRect
DestroyWindow
SetWindowPos
SetActiveWindow
CreateWindowExW
UnregisterClassW
RegisterClassExW
ShowWindow
DispatchMessageW
PeekMessageW
GetForegroundWindow
TrackMouseEvent
ClientToScreen
GetCapture
LoadCursorW
GetKeyState
SetClipboardData
GetClipboardData
EmptyClipboard
CloseClipboard
OpenClipboard
SetFocus
TranslateMessage
PostQuitMessage
UpdateWindow
SetForegroundWindow
FindWindowA
MessageBoxW
MessageBoxA
GetCursorPos
SetCursorPos
ReleaseCapture
GetClientRect
SetCursor
SetCapture
ScreenToClient
advapi32
CryptDestroyKey
RegOpenKeyExW
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
GetUserNameA
CryptReleaseContext
CryptGetHashParam
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptAcquireContextW
CryptImportKey
CryptEncrypt
RegQueryValueExW
shell32
SHGetKnownFolderPath
ShellExecuteW
ole32
CoTaskMemFree
msvcp140
??1_Locinfo@std@@QEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
_Thrd_yield
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
_Tolower
_Toupper
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Init@ios_base@std@@IEAAXXZ
??0ios_base@std@@IEAA@XZ
??1ios_base@std@@UEAA@XZ
?clear@ios_base@std@@QEAAXH_N@Z
??1ctype_base@std@@UEAA@XZ
??0ctype_base@std@@QEAA@_K@Z
?do_encoding@codecvt_base@std@@MEBAHXZ
?do_max_length@codecvt_base@std@@MEBAHXZ
??1codecvt_base@std@@UEAA@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??0codecvt_base@std@@QEAA@_K@Z
?_Getctype@_Locinfo@std@@QEBA?AU_Ctypevec@@XZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?id@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@2V0locale@2@A
?_Getcat@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?put@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QEBA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@AEAVios_base@2@DPEBUtm@@PEBD3@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
??Bid@locale@std@@QEAA_KXZ
?_Incref@facet@locale@std@@UEAAXXZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
??Bios_base@std@@QEBA_NXZ
?good@ios_base@std@@QEBA_NXZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?get@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QEBA?AV?$istreambuf_iterator@DU?$char_traits@D@std@@@2@V32@0AEAVios_base@2@AEAHPEAUtm@@PEBD4@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?_Getcat@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Throw_Cpp_error@std@@YAXH@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Xbad_alloc@std@@YAXXZ
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?id@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@2V0locale@2@A
?_Winerror_map@std@@YAHH@Z
?_Xbad_function_call@std@@YAXXZ
?id@?$numpunct@D@std@@2V0locale@2@A
?_Xlength_error@std@@YAXPEBD@Z
?_Syserror_map@std@@YAPEBDH@Z
_Mtx_lock
_Cnd_do_broadcast_at_thread_exit
_Thrd_id
_Query_perf_counter
_Thrd_detach
_Xtime_get_ticks
_Thrd_join
_Mtx_unlock
d3d11
D3D11CreateDeviceAndSwapChain
winhttp
WinHttpWebSocketReceive
WinHttpQueryDataAvailable
WinHttpSetOption
WinHttpOpenRequest
WinHttpReadData
WinHttpWebSocketCompleteUpgrade
WinHttpConnect
WinHttpCloseHandle
WinHttpWebSocketClose
WinHttpWebSocketSend
WinHttpSendRequest
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpOpen
dbghelp
StackWalk64
ImageNtHeader
SymCleanup
SymGetModuleBase64
SymSetOptions
SymInitialize
SymGetLineFromAddr64
SymFunctionTableAccess64
d3dcompiler_47
D3DCompile
imm32
ImmGetContext
ImmReleaseContext
ImmSetCompositionWindow
ImmAssociateContextEx
ImmSetCandidateWindow
bcrypt
BCryptGenRandom
vcruntime140_1
__CxxFrameHandler4
vcruntime140
_CxxThrowException
__current_exception_context
__current_exception
wcschr
strchr
memset
longjmp
strrchr
strstr
memcpy
__std_terminate
__std_exception_copy
__std_exception_destroy
__C_specific_handler
memmove
memchr
memcmp
__intrinsic_setjmp
api-ms-win-crt-heap-l1-1-0
realloc
_callnewh
_set_new_mode
free
malloc
calloc
api-ms-win-crt-math-l1-1-0
_fdopen
sqrtf
_fdsign
sinf
powf
fmodf
cosf
__setusermatherr
ceilf
ldexp
_dsign
acosf
_ldsign
api-ms-win-crt-convert-l1-1-0
strtol
strtod
strtoul
strtoull
atoi
wcstombs
strtoll
api-ms-win-crt-runtime-l1-1-0
terminate
_errno
abort
_beginthreadex
_invalid_parameter_noinfo_noreturn
__sys_errlist
__sys_nerr
system
_configure_narrow_argv
_initialize_narrow_environment
_register_thread_local_exe_atexit_callback
_c_exit
_initialize_onexit_table
_exit
_initterm_e
_initterm
_get_narrow_winmain_command_line
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
exit
api-ms-win-crt-locale-l1-1-0
localeconv
___lc_codepage_func
_configthreadlocale
api-ms-win-crt-stdio-l1-1-0
__stdio_common_vsprintf
_read
__stdio_common_vsscanf
_lseeki64
fopen
fclose
fgets
fwrite
fputc
__stdio_common_vswprintf
fflush
__p__commode
fgetc
_write
_wopen
_fileno
_close
fgetpos
_wfopen
setvbuf
__acrt_iob_func
ungetc
fsetpos
fputs
fread
_set_fmode
feof
fopen_s
_fseeki64
fseek
ferror
ftell
_get_stream_buffer_pointers
api-ms-win-crt-time-l1-1-0
_time64
_gmtime64
_mktime64
_localtime64
strftime
api-ms-win-crt-filesystem-l1-1-0
_fstat64
_wstat64
_lock_file
_waccess
remove
_wstat64i32
_unlock_file
_unlink
api-ms-win-crt-string-l1-1-0
strncmp
_strdup
strncpy
_wcsdup
wcspbrk
strcspn
strspn
wcsncpy
wcsncmp
strpbrk
strcmp
api-ms-win-crt-environment-l1-1-0
getenv
api-ms-win-crt-utility-l1-1-0
qsort
ws2_32
gethostname
ioctlsocket
getaddrinfo
ntohs
freeaddrinfo
htonl
accept
WSACloseEvent
listen
recvfrom
getsockname
WSACreateEvent
select
WSASetLastError
WSASetEvent
sendto
WSAEventSelect
WSAGetLastError
WSAStartup
closesocket
WSACleanup
connect
__WSAFDIsSet
WSAEnumNetworkEvents
getpeername
getsockopt
WSAIoctl
WSAWaitForMultipleEvents
socket
send
WSAResetEvent
recv
htons
setsockopt
bind
wldap32
ord127
ord142
ord41
ord14
ord147
ord79
ord27
ord26
ord46
ord117
ord301
ord219
ord145
ord133
ord216
ord73
ord208
ord167
crypt32
CertFreeCertificateContext
CertEnumCertificatesInStore
CertCloseStore
CertFindCertificateInStore
CertOpenStore
CryptStringToBinaryW
CryptDecodeObjectEx
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
PFXImportCertStore
CertAddCertificateContextToStore
CryptQueryObject
CertGetNameStringW
CertFindExtension
CertFreeCertificateChain
Exports
Exports
curl_easy_cleanup
curl_easy_duphandle
curl_easy_escape
curl_easy_getinfo
curl_easy_header
curl_easy_init
curl_easy_nextheader
curl_easy_pause
curl_easy_perform
curl_easy_recv
curl_easy_reset
curl_easy_send
curl_easy_setopt
curl_easy_strerror
curl_easy_unescape
curl_easy_upkeep
curl_escape
curl_formadd
curl_formfree
curl_formget
curl_free
curl_getdate
curl_getenv
curl_global_cleanup
curl_global_init
curl_global_init_mem
curl_global_sslset
curl_global_trace
curl_maprintf
curl_mfprintf
curl_mime_addpart
curl_mime_data
curl_mime_data_cb
curl_mime_encoder
curl_mime_filedata
curl_mime_filename
curl_mime_free
curl_mime_headers
curl_mime_init
curl_mime_name
curl_mime_subparts
curl_mime_type
curl_mprintf
curl_msnprintf
curl_msprintf
curl_multi_add_handle
curl_multi_assign
curl_multi_cleanup
curl_multi_fdset
curl_multi_get_handles
curl_multi_info_read
curl_multi_init
curl_multi_perform
curl_multi_poll
curl_multi_remove_handle
curl_multi_setopt
curl_multi_socket
curl_multi_socket_action
curl_multi_socket_all
curl_multi_strerror
curl_multi_timeout
curl_multi_wait
curl_multi_wakeup
curl_mvaprintf
curl_mvfprintf
curl_mvprintf
curl_mvsnprintf
curl_mvsprintf
curl_share_cleanup
curl_share_init
curl_share_setopt
curl_share_strerror
curl_slist_append
curl_slist_free_all
curl_strequal
curl_strnequal
curl_unescape
curl_url
curl_url_cleanup
curl_url_dup
curl_url_get
curl_url_set
curl_url_strerror
curl_ws_meta
curl_ws_recv
curl_ws_send
Sections
.text Size: 1.9MB - Virtual size: 1.9MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 1001KB - Virtual size: 1001KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 8KB - Virtual size: 12KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 69KB - Virtual size: 69KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 67KB - Virtual size: 67KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 5KB - Virtual size: 5KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ