loader_63cfdcfa[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

loader_63cfdcfa.zip
Size

1.2MB
MD5

0ef311f6d592477066c26cad99274429
SHA1

71bade14a3597ab5b817d66003dbc6dc910d3651
SHA256

2782e183351bdecd628db1f771bb00895b86b8f2ed6dde0813b7ba0554c279b3
SHA512

5fcb6fd26b8afae9cbec28420b07e7b5de12a6ecb5eebf0a9c99febed4a720c06c1b92e61f2bd14344afe7d31b93e1193efe7e32240d741c6a66b015808922a4
SSDEEP

24576:Wst+fgxbkblbQiyiUlaYNbwxUWw/hKYNn+UmxTNCiLM5cFA+fYcTI:Wmmga79uHn+ru5n+frTI

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/bootstrapper_x64.exe
unpack001/libcurl.dll

Files

loader_63cfdcfa.zip
.zip
bootstrapper_x64.exe
.exe windows:6 windows x64 arch:x64

1dced78527ec7dbe107186ddf937f130

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

E:\projects\products\rust products\rainycheats\loader\bin\gui_x64.pdb

Imports

d3d9

Direct3DCreate9

kernel32

DeviceIoControl
VirtualAlloc
LoadLibraryExA
WaitForSingleObject
ResumeThread
GetModuleHandleA
OpenProcess
CreateToolhelp32Snapshot
Sleep
GetLastError
Process32NextW
CreateFileA
GetCurrentThread
Process32Next
Process32FirstW
CloseHandle
GetCurrentDirectoryW
GetThreadContext
GetPriorityClass
VirtualAllocEx
GetCurrentProcessId
GetConsoleWindow
CreateProcessA
SetThreadContext
IsDebuggerPresent
GetComputerNameA
FindClose
CreateFileW
CreateDirectoryW
GetLocaleInfoEx
FormatMessageA
LocalFree
GetFileAttributesExW
SetFileInformationByHandle
AreFileApisANSI
GetModuleHandleW
GetFileInformationByHandleEx
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
SleepConditionVariableSRW
GetCurrentThreadId
WakeAllConditionVariable
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetSystemTimeAsFileTime
InitializeSListHead
GetCurrentProcess
VirtualFree
WriteProcessMemory
Process32First
GetModuleFileNameA
QueryPerformanceCounter
FreeLibrary
GetProcAddress
QueryPerformanceFrequency
LoadLibraryA
GlobalUnlock
WideCharToMultiByte
GlobalLock
GlobalFree
GlobalAlloc
TerminateProcess
OutputDebugStringA
MultiByteToWideChar
FindFirstFileW

user32

ClientToScreen
GetCursorPos
ReleaseCapture
SetCursorPos
SetCapture
GetClientRect
OpenClipboard
CloseClipboard
EmptyClipboard
GetWindowThreadProcessId
GetWindow
EnumDisplayDevicesA
DispatchMessageA
GetSystemMetrics
ShowWindow
GetWindowTextA
MessageBoxA
GetTopWindow
DefWindowProcA
CreateWindowExA
SetLayeredWindowAttributes
TranslateMessage
PeekMessageA
PostQuitMessage
FindWindowA
RegisterClassExA
UpdateWindow
GetKeyState
LoadCursorA
GetDC
ScreenToClient
GetCapture
ReleaseDC
IsChild
GetForegroundWindow
GetClipboardData
SetClipboardData
SetCursor

gdi32

BitBlt
DeleteDC
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
DeleteObject

advapi32

RegCreateKeyW
GetUserNameA
RegDeleteKeyW
RegQueryValueExA
RegSetKeyValueW
RegCloseKey
RegOpenKeyExA

ole32

CLSIDFromString
CreateStreamOnHGlobal

msvcp140

_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Throw_Cpp_error@std@@YAXH@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?uncaught_exception@std@@YA_NXZ
?_Xbad_alloc@std@@YAXXZ
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Winerror_map@std@@YAHH@Z
?_Xbad_function_call@std@@YAXXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?_Syserror_map@std@@YAPEBDH@Z
_Cnd_do_broadcast_at_thread_exit
_Query_perf_counter
_Thrd_detach
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAG@Z
?swap@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXAEAV12@@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?swap@?$basic_istream@DU?$char_traits@D@std@@@std@@IEAAXAEAV12@@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?_Xlength_error@std@@YAXPEBD@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?_Xout_of_range@std@@YAXPEBD@Z

imm32

ImmReleaseContext
ImmGetContext
ImmSetCompositionWindow

urlmon

URLDownloadToFileA

ntdll

RtlImageNtHeader
NtRaiseHardError
RtlInitUnicodeString
NtUnloadDriver
NtQuerySystemInformation
RtlAdjustPrivilege
RtlGetVersion
RtlVirtualUnwind
NtLoadDriver
RtlLookupFunctionEntry
RtlCaptureContext

gdiplus

GdipFree
GdipDisposeImage
GdipCreateBitmapFromHBITMAP
GdipAlloc
GdiplusStartup
GdiplusShutdown
GdipCloneImage
GdipSaveImageToStream

libcurl

curl_easy_init
curl_formadd
curl_easy_perform
curl_easy_cleanup
curl_easy_setopt
curl_formfree
curl_slist_free_all
curl_global_cleanup

wininet

DeleteUrlCacheEntry
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memcmp
__std_exception_destroy
__std_exception_copy
__std_terminate
strstr
memmove
_CxxThrowException
wcsstr
memchr
memcpy
__current_exception
__current_exception_context
__C_specific_handler
memset

api-ms-win-crt-runtime-l1-1-0

terminate
system
_beginthreadex
exit
_register_thread_local_exe_atexit_callback
_c_exit
__p___argv
__p___argc
_wassert
abort
_errno
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit
_seh_filter_exe
_set_app_type
_invalid_parameter_noinfo_noreturn
_get_initial_narrow_environment
_initterm
_initterm_e
_exit

api-ms-win-crt-stdio-l1-1-0

_get_stream_buffer_pointers
_fseeki64
fsetpos
ungetc
setvbuf
fgetpos
__p__commode
_set_fmode
ftell
__stdio_common_vfprintf
fgetc
fputc
__stdio_common_vsscanf
fread
__stdio_common_vsprintf
_wfopen
fwrite
__acrt_iob_func
fseek
fclose
fflush

api-ms-win-crt-string-l1-1-0

strcmp
strncpy

api-ms-win-crt-utility-l1-1-0

rand
srand
qsort

api-ms-win-crt-heap-l1-1-0

free
malloc
_callnewh
_set_new_mode

api-ms-win-crt-convert-l1-1-0

strtoll
strtol
strtoull
strtod

api-ms-win-crt-math-l1-1-0

ceilf
cosf
sinf
_dsign
sqrtf
acosf
__setusermatherr
fmodf
floorf

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_unlock_file

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
localeconv
_configthreadlocale

api-ms-win-crt-time-l1-1-0

_time64

Sections

.text
Size: 470KB - Virtual size: 470KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 105KB - Virtual size: 105KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 508B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.obf0
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
libcurl.dll
.dll windows:5 windows x64 arch:x64

c2d1209ac21eae6a6a183bd373596b7b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

ws2_32

ntohl
htonl
gethostname
ioctlsocket
getaddrinfo
freeaddrinfo
recvfrom
sendto
select
__WSAFDIsSet
WSASetLastError
connect
socket
closesocket
getpeername
getsockopt
WSAIoctl
setsockopt
WSAStartup
WSACleanup
htons
bind
listen
ntohs
getsockname
accept
send
recv
WSAGetLastError

wldap32

ord22
ord211
ord217
ord143
ord50
ord26
ord30
ord200
ord32
ord35
ord79
ord33
ord301
ord27
ord41
ord46
ord60
ord45

advapi32

CryptCreateHash
CryptHashData
CryptReleaseContext
CryptDestroyHash
CryptGetHashParam
CryptDestroyKey
CryptEncrypt
CryptImportKey
CryptGenRandom
CryptAcquireContextA

crypt32

CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
CertOpenStore
CertEnumCertificatesInStore
CertAddCertificateContextToStore
CryptQueryObject
CertGetNameStringA
CertFreeCertificateChain
CertFreeCertificateChainEngine
CertGetCertificateChain
CertCloseStore
CertCreateCertificateChainEngine

kernel32

GetModuleFileNameW
HeapDestroy
HeapCreate
GetVersion
HeapSetInformation
ExitProcess
GetModuleHandleW
FlushFileBuffers
GetConsoleMode
GetConsoleCP
GetFullPathNameA
MultiByteToWideChar
LCMapStringW
WideCharToMultiByte
FlsAlloc
FlsFree
FlsGetValue
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
RtlUnwindEx
GetCurrentDirectoryW
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetTimeZoneInformation
GetStringTypeW
WriteConsoleW
LoadLibraryW
CompareStringW
SetEnvironmentVariableA
GetDriveTypeW
SetEndOfFile
GetProcessHeap
CreateFileW
HeapSize
WriteFile
DeleteCriticalSection
GetTickCount
QueryPerformanceCounter
ExpandEnvironmentStringsA
ReadFile
PeekNamedPipe
WaitForMultipleObjects
GetFileType
GetStdHandle
FreeLibrary
GetProcAddress
GetLastError
SleepEx
SetLastError
FormatMessageA
Sleep
CloseHandle
WaitForSingleObject
GetFileAttributesA
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
VerifyVersionInfoA
VerSetConditionMask
GetSystemDirectoryA
LoadLibraryA
GetModuleHandleA
QueryPerformanceFrequency
GetFileSizeEx
CreateFileA
FileTimeToSystemTime
FileTimeToLocalFileTime
GetFileInformationByHandle
SetFilePointer
GetSystemTimeAsFileTime
HeapReAlloc
HeapFree
HeapAlloc
ExitThread
GetCurrentThreadId
CreateThread
GetCurrentProcessId
FindClose
GetDriveTypeA
FindFirstFileExA
FlsSetValue
GetCommandLineA
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
EncodePointer
DecodePointer
TerminateProcess
GetCurrentProcess
SetStdHandle
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetStartupInfoW

Exports

Exports

curl_easy_cleanup
curl_easy_duphandle
curl_easy_escape
curl_easy_getinfo
curl_easy_init
curl_easy_pause
curl_easy_perform
curl_easy_recv
curl_easy_reset
curl_easy_send
curl_easy_setopt
curl_easy_strerror
curl_easy_unescape
curl_easy_upkeep
curl_escape
curl_formadd
curl_formfree
curl_formget
curl_free
curl_getdate
curl_getenv
curl_global_cleanup
curl_global_init
curl_global_init_mem
curl_global_sslset
curl_maprintf
curl_mfprintf
curl_mime_addpart
curl_mime_data
curl_mime_data_cb
curl_mime_encoder
curl_mime_filedata
curl_mime_filename
curl_mime_free
curl_mime_headers
curl_mime_init
curl_mime_name
curl_mime_subparts
curl_mime_type
curl_mprintf
curl_msnprintf
curl_msprintf
curl_multi_add_handle
curl_multi_assign
curl_multi_cleanup
curl_multi_fdset
curl_multi_info_read
curl_multi_init
curl_multi_perform
curl_multi_remove_handle
curl_multi_setopt
curl_multi_socket
curl_multi_socket_action
curl_multi_socket_all
curl_multi_strerror
curl_multi_timeout
curl_multi_wait
curl_mvaprintf
curl_mvfprintf
curl_mvprintf
curl_mvsnprintf
curl_mvsprintf
curl_pushheader_byname
curl_pushheader_bynum
curl_share_cleanup
curl_share_init
curl_share_setopt
curl_share_strerror
curl_slist_append
curl_slist_free_all
curl_strequal
curl_strnequal
curl_unescape
curl_url
curl_url_cleanup
curl_url_dup
curl_url_get
curl_url_set
curl_version
curl_version_info

Sections

.text
Size: 402KB - Virtual size: 402KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 101KB - Virtual size: 101KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

1dced78527ec7dbe107186ddf937f130

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

d3d9

kernel32

user32

gdi32

advapi32

ole32

msvcp140

imm32

urlmon

ntdll

gdiplus

libcurl

wininet

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-time-l1-1-0

Sections

.text Size: 470KB - Virtual size: 470KB

.rdata Size: 105KB - Virtual size: 105KB

.data Size: 4KB - Virtual size: 5KB

.pdata Size: 19KB - Virtual size: 18KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 512B - Virtual size: 508B

.obf0 Size: 24KB - Virtual size: 24KB

c2d1209ac21eae6a6a183bd373596b7b

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

wldap32

advapi32

crypt32

kernel32

Exports

Exports

Sections

.text Size: 402KB - Virtual size: 402KB

.rdata Size: 101KB - Virtual size: 101KB

.data Size: 7KB - Virtual size: 16KB

.pdata Size: 20KB - Virtual size: 20KB

.rsrc Size: 17KB - Virtual size: 16KB

.reloc Size: 3KB - Virtual size: 3KB

.text
Size: 470KB - Virtual size: 470KB

.rdata
Size: 105KB - Virtual size: 105KB

.data
Size: 4KB - Virtual size: 5KB

.pdata
Size: 19KB - Virtual size: 18KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 512B - Virtual size: 508B

.obf0
Size: 24KB - Virtual size: 24KB

.text
Size: 402KB - Virtual size: 402KB

.rdata
Size: 101KB - Virtual size: 101KB

.data
Size: 7KB - Virtual size: 16KB

.pdata
Size: 20KB - Virtual size: 20KB

.rsrc
Size: 17KB - Virtual size: 16KB

.reloc
Size: 3KB - Virtual size: 3KB