Loader[.]zip | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Loader.zip
Size

10.9MB
MD5

3d9620abb7e0b72e84aabdf7092b72ee
SHA1

60929b9f3ec79184af21c3b5d510095b7e732938
SHA256

22fc1a0010357469b44b4f58b0e3676e680e9b84e3a0d689cf040150cb442565
SHA512

28dcffaff47b23cc3476f3ee8e58b2bc9f4dee26af7ea3598904eb9df045e867e57bfd11ee35cf1476b833ec445c6ad5fc1fef3b439ec16b8fea07b781480c9d
SSDEEP

196608:vrTILECvwkiIWX/ApRwFU7SuVywGd0r34FDJek5xEcJzEkVtG8nPlvf4E:vrWpwkJWP2wCDkwOC4FJAcJzE6Plvfh

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/loader.exe
unpack001/updater.exe

Files

Loader.zip
.zip
loader.exe
.exe windows:6 windows x64 arch:x64

7cff6682cd0825e5920dc36833fbdda6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

loader.pdb

Imports

bcryptprimitives

ProcessPrng

api-ms-win-core-synch-l1-2-0

WakeByAddressSingle
WaitOnAddress
WakeByAddressAll

secur32

LsaFreeReturnBuffer
LsaEnumerateLogonSessions
LsaGetLogonSessionData

kernel32

UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
GetSystemTimeAsFileTime
InitializeSListHead
GetTempPathW
GetFullPathNameW
CreateThread
CloseHandle
GetModuleHandleA
GetProcAddress
GetCurrentProcessId
GetCurrentThreadId
Process32NextW
CreateToolhelp32Snapshot
Process32FirstW
TerminateProcess
RtlVirtualUnwind
GetComputerNameExW
LoadLibraryExW
FreeLibrary
CreateEventA
GetLogicalProcessorInformationEx
GetTickCount64
GlobalMemoryStatusEx
GetLogicalDrives
GetDiskFreeSpaceExW
GetProcessTimes
GetExitCodeProcess
GetLastError
LocalFree
GetSystemInfo
GetProcessHeap
HeapAlloc
HeapFree
OpenProcess
GetSystemTimes
GetProcessIoCounters
VirtualQueryEx
ReadProcessMemory
CreateFileW
GetDriveTypeW
GetVolumeInformationW
DeviceIoControl
GetCurrentProcess
WaitForSingleObject
UnmapViewOfFile
CreateFileMappingW
MapViewOfFile
DuplicateHandle
VirtualProtect
LoadLibraryA
LoadLibraryExA
FormatMessageW
Sleep
GlobalLock
GlobalSize
GlobalAlloc
GlobalFree
WideCharToMultiByte
MultiByteToWideChar
GlobalUnlock
SetHandleInformation
CreateIoCompletionPort
GetQueuedCompletionStatusEx
PostQueuedCompletionStatus
SetFileCompletionNotificationModes
QueryPerformanceFrequency
QueryPerformanceCounter
RemoveVectoredExceptionHandler
GetModuleHandleW
AddVectoredExceptionHandler
GetModuleFileNameW
SetThreadErrorMode
ReleaseMutex
RtlCaptureContext
RtlLookupFunctionEntry
WaitForSingleObjectEx
CreateMutexA
lstrlenW
GetConsoleMode
GetUserPreferredUILanguages
FreeEnvironmentStringsW
DeleteProcThreadAttributeList
CompareStringOrdinal
SetThreadStackGuarantee
GetCurrentThread
SwitchToThread
CreateWaitableTimerExW
SetWaitableTimer
SetLastError
GetCurrentDirectoryW
GetEnvironmentStringsW
GetEnvironmentVariableW
GetCommandLineW
SetFileInformationByHandle
SetFilePointerEx
GetStdHandle
WriteFileEx
SleepEx
GetSystemTimePreciseAsFileTime
HeapReAlloc
FindNextFileW
FindClose
GetFileInformationByHandle
GetFileInformationByHandleEx
FindFirstFileW
DeleteFileW
GetFinalPathNameByHandleW
ExitProcess
CreateNamedPipeW
ReadFileEx
GetSystemDirectoryW
GetWindowsDirectoryW
CreateProcessW
GetFileAttributesW
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
WriteConsoleW

ntdll

NtQuerySystemInformation
NtReadFile
NtCreateFile
NtQueryInformationProcess
RtlGetVersion
RtlAdjustPrivilege
NtCancelIoFileEx
NtDeviceIoControlFile
NtWriteFile
NtLoadDriver
NtUnloadDriver
RtlNtStatusToDosError

user32

ToUnicodeEx
GetKeyState
IsProcessDPIAware
OpenClipboard
GetClipboardData
EmptyClipboard
SetClipboardData
SystemParametersInfoA
GetDC
SendMessageW
IsIconic
GetKeyboardLayout
ClipCursor
CloseClipboard
PostMessageW
GetClipCursor
ShowCursor
GetWindowRect
GetActiveWindow
FlashWindowEx
GetForegroundWindow
ClientToScreen
GetClientRect
DestroyIcon
GetCursorPos
ReleaseCapture
IsWindowVisible
RegisterClassExW
CreateWindowExW
SetWindowLongPtrW
RedrawWindow
GetMessageW
CreateIcon
SetForegroundWindow
SendInput
MapVirtualKeyW
SetWindowTextW
GetRawInputData
TranslateMessage
DispatchMessageW
LoadCursorW
SetCursor
MonitorFromPoint
SetCapture
DestroyWindow
MapVirtualKeyA
PostThreadMessageW
GetWindowLongPtrW
RegisterRawInputDevices
AdjustWindowRectEx
GetWindowLongW
SetWindowLongW
EnableMenuItem
GetSystemMenu
ShowWindow
RegisterWindowMessageA
GetMonitorInfoW
MonitorFromWindow
CloseTouchInputHandle
ScreenToClient
GetTouchInputInfo
TrackMouseEvent
MonitorFromRect
GetMenu
DefWindowProcW
GetUpdateRect
ValidateRect
MessageBoxA
MessageBoxW
SetWindowDisplayAffinity
InvalidateRgn
SetWindowPlacement
SetWindowPos
GetWindowPlacement
PeekMessageW
ChangeDisplaySettingsExW
MsgWaitForMultipleObjectsEx
GetSystemMetrics
RegisterTouchWindow
GetKeyboardState

gdi32

GetDeviceCaps
StretchDIBits
CreateRectRgn
DeleteObject

dwmapi

DwmEnableBlurBehindWindow

ole32

CoSetProxyBlanket
CoCreateInstance
CoInitializeEx
CoUninitialize
RevokeDragDrop
RegisterDragDrop
OleInitialize
CoInitializeSecurity

psapi

GetPerformanceInfo
GetModuleFileNameExW

ws2_32

WSASocketW
bind
connect
ioctlsocket
getsockopt
shutdown
recv
send
closesocket
WSASend
getpeername
setsockopt
WSAIoctl
getsockname
getaddrinfo
freeaddrinfo
WSACleanup
WSAStartup
WSAGetLastError

advapi32

RegCreateKeyW
RegSetKeyValueW
RegOpenKeyExW
SystemFunction036
RegCloseKey
RegDeleteTreeW
GetTokenInformation
OpenProcessToken
LookupAccountSidW
CopySid
GetLengthSid
IsValidSid
GetUserNameW
RegQueryValueExW

pdh

PdhCollectQueryData
PdhOpenQueryA
PdhAddEnglishCounterW
PdhGetFormattedCounterValue
PdhCloseQuery
PdhRemoveCounter

powrprof

CallNtPowerInformation

oleaut32

GetErrorInfo
VariantClear
SysAllocStringLen
SysStringLen
SafeArrayAccessData
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayUnaccessData
SysFreeString
SysAllocString

shell32

CommandLineToArgvW
DragQueryFileW
DragFinish

iphlpapi

GetAdaptersAddresses
GetIfEntry2
FreeMibTable
GetIfTable2

netapi32

NetUserGetLocalGroups
NetUserGetInfo
NetUserEnum
NetApiBufferFree

winmm

timeGetDevCaps
timeEndPeriod
timeBeginPeriod

imm32

ImmGetContext
ImmAssociateContextEx
ImmGetCompositionStringW
ImmReleaseContext

uxtheme

SetWindowTheme

d3dcompiler_47

D3DCompile

bcrypt

BCryptGenRandom

userenv

GetUserProfileDirectoryW

vcruntime140

__current_exception_context
__current_exception
__C_specific_handler
_CxxThrowException
memcmp
memcpy
memmove
memset
__CxxFrameHandler3

api-ms-win-crt-string-l1-1-0

wcslen
strlen

api-ms-win-crt-math-l1-1-0

atan2
fmod
cos
tan
ceil
fmodf
acosf
_hypotf
tanf
cosf
exp2
pow
floorf
fmaf
sin
round
acos
expf
ceilf
floor
truncf
trunc
powf
exp2f
roundf
__setusermatherr
sinf

api-ms-win-crt-heap-l1-1-0

realloc
free
_set_new_mode
malloc

api-ms-win-crt-stdio-l1-1-0

_set_fmode
__p__commode

api-ms-win-crt-runtime-l1-1-0

_set_app_type
strerror
_exit
terminate
_initterm_e
_initterm
_crt_atexit
__p___argc
__p___argv
_cexit
_c_exit
_register_thread_local_exe_atexit_callback
_get_initial_narrow_environment
_initialize_narrow_environment
_configure_narrow_argv
_seh_filter_exe
exit
_register_onexit_function
_initialize_onexit_table

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 11.6MB - Virtual size: 11.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4.3MB - Virtual size: 4.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 18KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 451KB - Virtual size: 450KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 888B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 71KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
updater.exe
.exe windows:6 windows x64 arch:x64

13734ad1f261b150b9bae9fc41ce6d38

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

updater.pdb

Imports

bcryptprimitives

ProcessPrng

api-ms-win-core-synch-l1-2-0

WakeByAddressAll
WakeByAddressSingle
WaitOnAddress

user32

SetWindowLongPtrW
ValidateRect
PostThreadMessageW
GetUpdateRect
DefWindowProcW
RegisterClassExW
ScreenToClient
GetMenu
DestroyWindow
LoadCursorW
SetCursor
MonitorFromRect
TrackMouseEvent
GetTouchInputInfo
CreateIcon
InvalidateRgn
GetClientRect
AdjustWindowRectEx
GetWindowLongW
SetWindowLongW
SendMessageW
EnableMenuItem
GetSystemMenu
ShowWindow
SetWindowPos
IsIconic
CloseTouchInputHandle
SetWindowDisplayAffinity
RegisterTouchWindow
ClipCursor
GetClipCursor
ShowCursor
GetCursorPos
GetRawInputData
MonitorFromWindow
GetMonitorInfoW
GetWindowRect
GetSystemMetrics
ClientToScreen
GetWindowLongPtrW
SetForegroundWindow
FlashWindowEx
DispatchMessageW
TranslateMessage
PeekMessageW
SendInput
MapVirtualKeyW
RedrawWindow
PostMessageW
SetWindowTextW
MonitorFromPoint
ToUnicodeEx
GetKeyboardLayout
GetKeyboardState
GetKeyState
MapVirtualKeyA
SystemParametersInfoA
IsProcessDPIAware
DestroyIcon
SetCapture
GetMessageW
MsgWaitForMultipleObjectsEx
ChangeDisplaySettingsExW
RegisterWindowMessageA
RegisterRawInputDevices
GetWindowPlacement
CloseClipboard
GetDC
CreateWindowExW
SetClipboardData
EmptyClipboard
GetClipboardData
OpenClipboard
SetWindowPlacement
IsWindowVisible
ReleaseCapture
GetForegroundWindow
GetActiveWindow

kernel32

LoadLibraryA
GlobalSize
CloseHandle
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GlobalAlloc
GetCurrentThreadId
GlobalFree
GetFullPathNameW
CreateThread
WriteConsoleW
UpdateProcThreadAttribute
InitializeProcThreadAttributeList
GetFileAttributesW
CreateProcessW
RtlVirtualUnwind
GetLastError
Sleep
FormatMessageW
GetProcAddress
GetWindowsDirectoryW
GetSystemDirectoryW
ReadFileEx
CreateNamedPipeW
ExitProcess
GetFinalPathNameByHandleW
SetHandleInformation
FindFirstFileW
CreateDirectoryW
GetFileInformationByHandleEx
GetFileInformationByHandle
WideCharToMultiByte
FindClose
FindNextFileW
HeapReAlloc
GetSystemTimePreciseAsFileTime
TerminateProcess
CreateIoCompletionPort
GetQueuedCompletionStatusEx
SleepEx
PostQueuedCompletionStatus
WriteFileEx
SetFileCompletionNotificationModes
GetStdHandle
QueryPerformanceFrequency
QueryPerformanceCounter
WaitForSingleObject
RemoveVectoredExceptionHandler
GetModuleHandleW
AddVectoredExceptionHandler
LoadLibraryExW
MultiByteToWideChar
SetFilePointerEx
FreeLibrary
GetModuleFileNameW
SetThreadErrorMode
RtlCaptureContext
RtlLookupFunctionEntry
ReleaseMutex
GetCurrentProcess
WaitForSingleObjectEx
GetCurrentProcessId
CreateMutexA
lstrlenW
GetProcessHeap
HeapFree
SetFileInformationByHandle
HeapAlloc
GetCommandLineW
GetEnvironmentVariableW
CreateEventA
GetConsoleMode
GetModuleHandleA
GetSystemInfo
GetUserPreferredUILanguages
CreateFileMappingW
MapViewOfFile
DuplicateHandle
UnmapViewOfFile
VirtualProtect
GlobalLock
CreateFileW
GlobalUnlock
GetEnvironmentStringsW
GetCurrentDirectoryW
FreeEnvironmentStringsW
DeleteProcThreadAttributeList
CompareStringOrdinal
SetThreadStackGuarantee
GetCurrentThread
SwitchToThread
SetLastError
IsProcessorFeaturePresent

ole32

CoInitializeEx
CoUninitialize
CoCreateInstance
RegisterDragDrop
OleInitialize
RevokeDragDrop

gdi32

CreateRectRgn
GetDeviceCaps
DeleteObject
StretchDIBits

dwmapi

DwmEnableBlurBehindWindow

advapi32

RegCloseKey
RegOpenKeyExW
RegQueryValueExW
SystemFunction036

ws2_32

WSAStartup
getsockname
getpeername
WSASocketW
bind
connect
ioctlsocket
getsockopt
shutdown
recv
send
WSASend
setsockopt
WSAIoctl
getaddrinfo
WSAGetLastError
freeaddrinfo
closesocket
WSACleanup

shell32

DragFinish
DragQueryFileW

winmm

timeGetDevCaps
timeEndPeriod
timeBeginPeriod

uxtheme

SetWindowTheme

imm32

ImmGetCompositionStringW
ImmGetContext
ImmAssociateContextEx
ImmReleaseContext

ntdll

RtlNtStatusToDosError
NtDeviceIoControlFile
NtCancelIoFileEx
NtCreateFile
NtReadFile
NtWriteFile

d3dcompiler_47

D3DCompile

oleaut32

GetErrorInfo
SysStringLen
SysFreeString

bcrypt

BCryptGenRandom

userenv

GetUserProfileDirectoryW

vcruntime140

memcpy
__current_exception_context
__current_exception
__CxxFrameHandler3
memcmp
memmove
memset
__C_specific_handler

api-ms-win-crt-math-l1-1-0

round
fmaf
fmodf
_hypotf
floorf
roundf
ceil
powf
exp2f
trunc
tan
floor
cosf
acosf
pow
sinf
exp2
ceilf
__setusermatherr
expf
tanf
cos
truncf
acos
fmod
atan2
sin

api-ms-win-crt-runtime-l1-1-0

_set_app_type
_configure_narrow_argv
_get_initial_narrow_environment
_initterm
_initterm_e
exit
_exit
_seh_filter_exe
__p___argc
__p___argv
_cexit
_c_exit
_register_thread_local_exe_atexit_callback
terminate
strerror
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_initialize_narrow_environment

api-ms-win-crt-string-l1-1-0

strlen

api-ms-win-crt-stdio-l1-1-0

_set_fmode
__p__commode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-heap-l1-1-0

_set_new_mode
free

Sections

.text
Size: 8.2MB - Virtual size: 8.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2.5MB - Virtual size: 2.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 136KB - Virtual size: 135KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 62KB - Virtual size: 61KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7cff6682cd0825e5920dc36833fbdda6

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

bcryptprimitives

api-ms-win-core-synch-l1-2-0

secur32

kernel32

ntdll

user32

gdi32

dwmapi

ole32

psapi

ws2_32

advapi32

pdh

powrprof

oleaut32

shell32

iphlpapi

netapi32

winmm

imm32

uxtheme

d3dcompiler_47

bcrypt

userenv

vcruntime140

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 11.6MB - Virtual size: 11.6MB

.rdata Size: 4.3MB - Virtual size: 4.3MB

.data Size: 18KB - Virtual size: 20KB

.pdata Size: 451KB - Virtual size: 450KB

.rsrc Size: 1024B - Virtual size: 888B

.reloc Size: 71KB - Virtual size: 70KB

13734ad1f261b150b9bae9fc41ce6d38

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

bcryptprimitives

api-ms-win-core-synch-l1-2-0

user32

kernel32

ole32

gdi32

dwmapi

advapi32

ws2_32

shell32

winmm

uxtheme

imm32

ntdll

d3dcompiler_47

oleaut32

bcrypt

userenv

vcruntime140

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-heap-l1-1-0

.text
Size: 11.6MB - Virtual size: 11.6MB

.rdata
Size: 4.3MB - Virtual size: 4.3MB

.data
Size: 18KB - Virtual size: 20KB

.pdata
Size: 451KB - Virtual size: 450KB

.rsrc
Size: 1024B - Virtual size: 888B

.reloc
Size: 71KB - Virtual size: 70KB

.text
Size: 8.2MB - Virtual size: 8.2MB

.rdata
Size: 2.5MB - Virtual size: 2.5MB

.data
Size: 14KB - Virtual size: 16KB

.pdata
Size: 136KB - Virtual size: 135KB

.reloc
Size: 62KB - Virtual size: 61KB