C:\Users\Ex\Desktop\Working srcs\Viper Private\p2c\x64\Release\Loader.pdb
Sample
Loader.exe
Resource
win11-20240802-en
General
-
Target
Loader.exe
-
Size
1.9MB
-
MD5
11628b8d0a73b47ab3da6efa1a7eb159
-
SHA1
8e0f0c0badce07bee50ab5e8086f95695b8ecf6c
-
SHA256
fcf5b020b8eb78c93feba02f35e6b3f2954c0b2d9924d42064ef8c2e60045ffe
-
SHA512
c965f2dbd6a38e4ea41d034c6ac9167dbd5149094c0c5b160529e62ef26b94260da7fef64016b48c06c46bbad5377942ddd197e8b418d258d7d9a522b41ccd57
-
SSDEEP
24576:ZyEh8Nd2VV54VVWfcesrcVvpMqLilrEgnh9UFzV0zca34m9wP+siHX3:UEhXcBrs6vlvnhy0g
Malware Config
Signatures
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource Loader.exe
Files
-
Loader.exe.exe windows:6 windows x64 arch:x64
01a313f538f06f4e61525f28cb930aa5
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
ntdll
RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry
VerSetConditionMask
d3d11
D3D11CreateDeviceAndSwapChain
d3dcompiler_43
D3DCompile
kernel32
MapViewOfFile
UnmapViewOfFile
HeapAlloc
GetModuleFileNameA
HeapReAlloc
HeapSize
InitializeCriticalSectionEx
HeapFree
SetThreadExecutionState
GetModuleHandleW
GetStartupInfoW
FormatMessageW
GetModuleHandleExW
GetLastError
GetModuleFileNameW
TlsFree
QueryFullProcessImageNameW
TlsSetValue
TlsGetValue
TlsAlloc
GetLocaleInfoA
LoadLibraryA
GetModuleHandleA
SetLastError
FreeLibrary
QueryPerformanceFrequency
QueryPerformanceCounter
GlobalFree
GlobalLock
GlobalUnlock
GlobalAlloc
Process32Next
Process32First
GetProcessHeap
GetCurrentDirectoryW
CreateDirectoryW
FindClose
FindFirstFileW
GetFileAttributesExW
AreFileApisANSI
GetCurrentProcess
GetFileInformationByHandleEx
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
WakeAllConditionVariable
SleepConditionVariableSRW
IsDebuggerPresent
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
SetConsoleTitleA
SetConsoleTextAttribute
GetConsoleScreenBufferInfo
WideCharToMultiByte
MultiByteToWideChar
lstrcmpiA
LoadLibraryW
GetProcAddress
OpenProcess
TerminateProcess
ExitProcess
InitializeCriticalSection
Sleep
DeviceIoControl
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
OutputDebugStringW
GetLocaleInfoEx
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
GetFileSizeEx
CreateFileA
WaitForMultipleObjects
PeekNamedPipe
ReadFile
GetFileType
GetEnvironmentVariableA
WaitForSingleObjectEx
MoveFileExA
GetTickCount
VerifyVersionInfoA
GetSystemDirectoryA
SleepEx
CloseHandle
CreateFileW
GetStdHandle
DeleteCriticalSection
LeaveCriticalSection
HeapDestroy
CreateFileMappingW
VirtualProtect
CreateThread
EnterCriticalSection
FormatMessageA
LocalFree
user32
DestroyIcon
EnumDisplaySettingsW
ToUnicode
CreateWindowExW
RegisterClassExW
MapVirtualKeyW
EnumDisplaySettingsExW
ChangeDisplaySettingsExW
UnregisterClassW
DefWindowProcW
UnregisterDeviceNotification
EnumDisplayDevicesW
MonitorFromWindow
LoadCursorA
ScreenToClient
ClientToScreen
SetCursor
SetCursorPos
GetClientRect
ReleaseDC
GetDC
ReleaseCapture
SetCapture
GetKeyState
TrackMouseEvent
RegisterDeviceNotificationW
EmptyClipboard
GetClipboardData
SetClipboardData
CloseClipboard
OpenClipboard
GetWindowThreadProcessId
GetClassNameA
EnumWindows
GetDesktopWindow
SetWindowLongPtrA
GetWindowLongPtrA
SetWindowLongA
GetWindowLongA
GetCursorPos
GetWindowRect
GetWindowTextA
GetForegroundWindow
UpdateWindow
SetMenu
GetSystemMetrics
GetAsyncKeyState
MessageBoxA
GetRawInputDeviceList
GetRawInputDeviceInfoA
RegisterRawInputDevices
GetRawInputData
IsWindowVisible
SetWindowDisplayAffinity
SystemParametersInfoW
SetWindowPos
CreateIconIndirect
LoadImageW
LoadCursorW
ShowWindow
GetClassLongPtrW
DestroyWindow
PeekMessageA
DispatchMessageA
TranslateMessage
SetWindowLongW
PeekMessageW
DispatchMessageW
GetWindowLongW
PtInRect
GetMonitorInfoW
GetKeyboardLayout
EnumDisplayMonitors
GetMessageTime
SendMessageW
PostMessageW
WaitMessage
GetLayeredWindowAttributes
SetLayeredWindowAttributes
FlashWindow
OffsetRect
SetRect
ClipCursor
WindowFromPoint
MoveWindow
GetWindowPlacement
SetWindowPlacement
IsIconic
BringWindowToTop
IsZoomed
SetFocus
AdjustWindowRectEx
SetWindowTextW
RemovePropW
GetActiveWindow
GetPropW
SetPropW
SetForegroundWindow
MsgWaitForMultipleObjects
gdi32
DeleteObject
CreateRectRgn
ChoosePixelFormat
GetDeviceCaps
CreateDIBSection
CreateBitmap
SetDeviceGammaRamp
GetDeviceGammaRamp
SetPixelFormat
DeleteDC
DescribePixelFormat
CreateDCW
SwapBuffers
advapi32
CryptDestroyKey
CryptDestroyHash
CryptHashData
CryptCreateHash
AddAccessAllowedAce
GetLengthSid
CryptGenRandom
CryptGetHashParam
CryptReleaseContext
GetTokenInformation
InitializeAcl
IsValidSid
SetSecurityInfo
CopySid
ConvertSidToStringSidA
CryptAcquireContextA
GetUserNameA
CryptEncrypt
CryptImportKey
OpenProcessToken
ole32
CoInitialize
CoUninitialize
CoCreateInstance
msvcp140
?_Syserror_map@std@@YAPEBDH@Z
?_Winerror_map@std@@YAHH@Z
?setf@ios_base@std@@QEAAHHH@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Xbad_function_call@std@@YAXXZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?id@?$ctype@D@std@@2V0locale@2@A
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEBX@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?width@ios_base@std@@QEAA_J_J@Z
?width@ios_base@std@@QEBA_JXZ
?flags@ios_base@std@@QEBAHXZ
?good@ios_base@std@@QEBA_NXZ
??7ios_base@std@@QEBA_NXZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??Bid@locale@std@@QEAA_KXZ
?_Throw_Cpp_error@std@@YAXH@Z
_Mtx_unlock
_Mtx_lock
_Thrd_detach
_Query_perf_frequency
_Query_perf_counter
?uncaught_exceptions@std@@YAHXZ
?_Xout_of_range@std@@YAXPEBD@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
d3dx11_43
D3DX11CreateShaderResourceViewFromMemory
imm32
ImmSetCandidateWindow
ImmReleaseContext
ImmSetCompositionWindow
ImmGetContext
dwmapi
DwmExtendFrameIntoClientArea
shlwapi
PathFindFileNameW
psapi
GetModuleInformation
normaliz
IdnToAscii
wldap32
ord217
ord46
ord211
ord60
ord143
ord50
ord41
ord22
ord26
ord27
ord45
ord301
ord32
ord200
ord30
ord33
ord79
ord35
crypt32
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CertOpenStore
CertGetNameStringA
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
CertFindExtension
CertAddCertificateContextToStore
PFXImportCertStore
CryptQueryObject
CryptDecodeObjectEx
ws2_32
WSAStartup
WSASetLastError
WSAIoctl
setsockopt
ntohs
WSACleanup
accept
htonl
listen
ioctlsocket
htons
getsockopt
__WSAFDIsSet
select
getaddrinfo
freeaddrinfo
getsockname
recvfrom
sendto
gethostname
ntohl
getpeername
connect
bind
WSAGetLastError
send
recv
closesocket
socket
rpcrt4
UuidToStringA
UuidCreate
RpcStringFreeA
userenv
UnloadUserProfile
vcruntime140
__std_exception_copy
strstr
__std_terminate
__std_exception_destroy
_CxxThrowException
__C_specific_handler
memcmp
memcpy
memmove
memset
strchr
strrchr
__current_exception
__current_exception_context
memchr
vcruntime140_1
__CxxFrameHandler4
api-ms-win-crt-runtime-l1-1-0
__sys_nerr
_invalid_parameter_noinfo
_errno
_beginthreadex
terminate
_register_thread_local_exe_atexit_callback
strerror
__p___argv
__p___argc
_resetstkoflw
_exit
_initterm_e
_initterm
_get_initial_narrow_environment
_c_exit
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
system
abort
exit
_getpid
_invalid_parameter_noinfo_noreturn
api-ms-win-crt-heap-l1-1-0
_callnewh
realloc
_set_new_mode
malloc
calloc
free
api-ms-win-crt-utility-l1-1-0
qsort
rand
api-ms-win-crt-stdio-l1-1-0
_get_stream_buffer_pointers
fclose
fflush
fgetc
fgetpos
__acrt_iob_func
fseek
_open
_close
_write
_read
fputc
__p__commode
_set_fmode
fread
_lseeki64
fsetpos
_fseeki64
fwrite
feof
fputs
fopen
setvbuf
_popen
_pclose
fgets
ungetc
__stdio_common_vfprintf
__stdio_common_vsprintf_s
__stdio_common_vsnprintf_s
_wfopen
ftell
__stdio_common_vsprintf
__stdio_common_vsscanf
api-ms-win-crt-filesystem-l1-1-0
_stat64i32
_unlock_file
_lock_file
_access
_unlink
_stat64
remove
_fstat64
api-ms-win-crt-time-l1-1-0
strftime
_gmtime64
_localtime64_s
_time64
_localtime64
api-ms-win-crt-math-l1-1-0
sinf
sqrt
sqrtf
tanf
cosf
fmodf
acosf
log
logf
pow
ceilf
fminf
_dsign
powf
_dclass
atan2f
atan2
asin
__setusermatherr
api-ms-win-crt-string-l1-1-0
strncmp
strcmp
isupper
strncpy
_strdup
strpbrk
tolower
strcspn
strspn
api-ms-win-crt-convert-l1-1-0
atof
strtol
strtoul
strtoull
strtoll
strtod
atoi
api-ms-win-crt-environment-l1-1-0
getenv
api-ms-win-crt-locale-l1-1-0
___lc_codepage_func
_configthreadlocale
localeconv
shell32
DragQueryPoint
DragFinish
DragAcceptFiles
ShellExecuteA
DragQueryFileW
Sections
.text Size: 904KB - Virtual size: 903KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 295KB - Virtual size: 294KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 753KB - Virtual size: 770KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 37KB - Virtual size: 36KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
_RDATA Size: 512B - Virtual size: 464B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 512B - Virtual size: 488B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ