NewLoad3r[.]7z

Sharing

Copy URL Twitter E-mail

General

Target

NewLoad3r.7z
Size

1.3MB
MD5

a3f6a5703ae7bb7cfde5037a918f02af
SHA1

7665099a5750b1ba006ac263fcdf8a5683004097
SHA256

dbe5d07e313b0563b22a3a7d1d4b9e2a13dec59dc63f7d51bdb140f5bbb74c3f
SHA512

a5dd2b270a2b38ec4488f6773864ae55592f413b325ad6146882da3f926dcdbf8ff2ca7cf60e8662698d9d6b3c57468c6e24465ec2859e57b16c51d861935112
SSDEEP

24576:lyoWaNtUK/VLRf344nK0Iedw0r1vwsmiljKa99RaAfZ0iblbebEpj9:p1tdD/44nK0Ie51vxmihKaZZ0iblpj9

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Loader.exe

Files

NewLoad3r.7z
.7z

Password: 2024
AAA.Core.dll
.dll windows:10 windows x64 arch:x64

Password: 2024

f6631409fdf8ba0fc04cbbcf0d4c4b2c

Code Sign

33:00:00:03:8d:b0:bf:e1:b0:ca:33:b3:d4:00:00:00:00:03:8d
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

05/05/2022, 19:23

Not After

04/05/2023, 19:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

5a:3a:1d:f1:b8:7e:e4:ff:3c:7a:66:71:17:b3:ff:b4:f5:b0:19:10:ff:4d:93:67:34:65:91:bd:a0:97:e4:56
Signer

Actual PE Digest

5a:3a:1d:f1:b8:7e:e4:ff:3c:7a:66:71:17:b3:ff:b4:f5:b0:19:10:ff:4d:93:67:34:65:91:bd:a0:97:e4:56

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

AAD.Core.pdb

Imports

ntdll

RtlAllocateHeap
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlImageNtHeader
RtlFreeHeap
RtlGetDeviceFamilyInfoEnum
RtlInitUnicodeString
ZwQueryLicenseValue
RtlNtStatusToDosError

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventActivityIdControl
EventRegister
EventUnregister
EventWriteTransfer

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
IsDebuggerPresent
DebugBreak
OutputDebugStringA

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapAlloc
HeapFree
HeapReAlloc
HeapSize

api-ms-win-eventing-classicprovider-l1-1-0

RegisterTraceGuidsW
UnregisterTraceGuids
TraceMessage
GetTraceEnableFlags
GetTraceLoggerHandle
GetTraceEnableLevel

api-ms-win-core-synch-l1-1-0

OpenSemaphoreW
WaitForSingleObject
CreateEventExW
ReleaseSemaphore
ResetEvent
CreateSemaphoreExW
DeleteCriticalSection
SetEvent
InitializeCriticalSectionEx
ReleaseMutex
EnterCriticalSection
ReleaseSRWLockShared
ReleaseSRWLockExclusive
CreateMutexExW
WaitForSingleObjectEx
AcquireSRWLockShared
LeaveCriticalSection
AcquireSRWLockExclusive

api-ms-win-core-winrt-error-l1-1-0

RoOriginateError
RoOriginateErrorW

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-util-l1-1-0

DecodePointer

api-ms-win-core-com-l1-1-0

CoCreateFreeThreadedMarshaler
CoTaskMemAlloc
StringFromGUID2
CoCreateGuid
CoMarshalInterThreadInterfaceInStream
CoGetInterfaceAndReleaseStream
CoGetContextToken
CoGetObjectContext
CoGetApartmentType
CLSIDFromString
CoCreateInstance
CoTaskMemFree

api-ms-win-core-localization-l1-2-0

ResolveLocaleName
FormatMessageW

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegCloseKey
RegGetValueW

api-ms-win-core-processthreads-l1-1-0

SetThreadStackGuarantee
TerminateProcess
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
GetModuleFileNameA
GetModuleHandleExW
GetModuleHandleW

api-ms-win-core-threadpool-l1-2-0

SetThreadpoolTimer
CreateThreadpoolTimer
CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks

api-ms-win-core-synch-l1-2-0

InitOnceExecuteOnce
WakeAllConditionVariable
SleepConditionVariableSRW
Sleep

api-ms-win-security-cryptoapi-l1-1-0

CryptReleaseContext

wincorlib

?__abi_FailFast@@YAXXZ
?UninitializeData@Details@Platform@@YAXH@Z
?InitializeData@Details@Platform@@YAJH@Z
?CreateException@Exception@Platform@@SAPE$AAV12@HPE$AAVString@2@@Z
??0NullReferenceException@Platform@@QE$AAA@XZ
?__abi_cast_String_to_Object@__abi_details@@YAPE$AAVObject@Platform@@PE$AAVString@3@@Z
??0InvalidArgumentException@Platform@@QE$AAA@PE$AAVString@1@@Z
?ToString@Guid@Platform@@QEAAPE$AAVString@2@XZ
?EventSourceGetTargetArrayEvent@Details@Platform@@YAPEAXPEAXIPEBXPEA_J@Z
?EventSourceGetTargetArraySize@Details@Platform@@YAIPEAX@Z
?EventSourceGetTargetArray@Details@Platform@@YAPEAXPEAXPEAUEventLock@12@@Z
??0ChangedStateException@Platform@@QE$AAA@XZ
?EventSourceInitialize@Details@Platform@@YAXPEAPEAX@Z
??0OutOfBoundsException@Platform@@QE$AAA@XZ
??0FailureException@Platform@@QE$AAA@XZ
??0ClassNotRegisteredException@Platform@@QE$AAA@PE$AAVString@1@@Z
??0COMException@Platform@@QE$AAA@HPE$AAVString@1@@Z
??0OutOfMemoryException@Platform@@QE$AAA@XZ
?EventSourceAdd@Details@Platform@@YA?AVEventRegistrationToken@Foundation@Windows@@PEAPEAXPEAUEventLock@12@PE$AAVDelegate@2@@Z
?EventSourceRemove@Details@Platform@@YAXPEAPEAXPEAUEventLock@12@VEventRegistrationToken@Foundation@Windows@@@Z
??0FailureException@Platform@@QE$AAA@PE$AAVString@1@@Z
?EventSourceUninitialize@Details@Platform@@YAXPEAPEAX@Z
?__abi_ObjectToString@__abi_details@@YAPE$AAVString@Platform@@PE$AAVObject@3@_N@Z
?GetIBoxArrayVtable@Details@Platform@@YAPEAXPEAX@Z
?get@Message@Exception@Platform@@QE$AAAPE$AAVString@3@XZ
?ReCreateException@Exception@Platform@@SAPE$AAV12@H@Z
??0DisconnectedException@Platform@@QE$AAA@XZ
?__abi_cast_Object_to_String@__abi_details@@YAPE$AAVString@Platform@@_NPE$AAVObject@3@@Z
?GetIidsFn@@YAJHPEAKPEBU__s_GUID@@PEAPEAVGuid@Platform@@@Z
?get@FullName@Type@Platform@@QE$AAAPE$AAVString@3@XZ
?__abi_make_type_id@@YAPE$AAVType@Platform@@AEBU__abi_type_descriptor@@@Z
?GetTypeCode@Type@Platform@@SA?AW4TypeCode@2@PE$AAV12@@Z
?GetIBoxVtable@Details@Platform@@YAPEAXPEAX@Z
?CreateValue@Details@Platform@@YAPE$AAVObject@2@W4TypeCode@2@PEBX@Z
?GetProxyImpl@Details@Platform@@YAJPEAUIUnknown@@AEBU_GUID@@0PEAPEAU3@@Z
?ReleaseInContextImpl@Details@Platform@@YAJPEAUIUnknown@@0@Z
?Allocate@Heap@Details@Platform@@SAPEAX_K@Z
??0Delegate@Platform@@QE$AAA@XZ
?GetObjectContext@Details@Platform@@YAPEAUIUnknown@@XZ
??0NotImplementedException@Platform@@QE$AAA@PE$AAVString@1@@Z
?AllocateException@Heap@Details@Platform@@SAPEAX_K0@Z
?ToString@Enum@Platform@@QE$AAAPE$AAVString@2@XZ
?Allocate@Heap@Details@Platform@@SAPEAX_K0@Z
?ReleaseTarget@ControlBlock@Details@Platform@@AEAAXXZ
?AlignedFree@Heap@Details@Platform@@SAXPEAX@Z
?Free@Heap@Details@Platform@@SAXPEAX@Z
??0Object@Platform@@QE$AAA@XZ
?__abi_WinRTraiseObjectDisposedException@@YAXXZ
?__abi_WinRTraiseInvalidCastException@@YAXXZ
?__abi_WinRTraiseNotImplementedException@@YAXXZ
?__abi_WinRTraiseDisconnectedException@@YAXXZ
?__abi_WinRTraiseFailureException@@YAXXZ
?__abi_WinRTraiseOperationCanceledException@@YAXXZ
?__abi_WinRTraiseAccessDeniedException@@YAXXZ
?__abi_WinRTraiseInvalidArgumentException@@YAXXZ
?__abi_WinRTraiseClassNotRegisteredException@@YAXXZ
?__abi_WinRTraiseCOMException@@YAXJ@Z
?__abi_WinRTraiseNullReferenceException@@YAXXZ
?__abi_WinRTraiseChangedStateException@@YAXXZ
?__abi_WinRTraiseOutOfBoundsException@@YAXXZ
?__abi_WinRTraiseWrongThreadException@@YAXXZ
?__abi_WinRTraiseOutOfMemoryException@@YAXXZ
?ReCreateFromException@Details@Platform@@YAJPE$AAVException@2@@Z
?GetActivationFactoryByPCWSTR@@YAJPEAXAEAVGuid@Platform@@PEAPEAX@Z
?TerminateModule@Details@Platform@@YA_NPEAVModuleBase@1WRL@Microsoft@@@Z
?GetActivationFactory@Details@Platform@@YAJPEAVModuleBase@1WRL@Microsoft@@PEAUHSTRING__@@PEAPEAUIActivationFactory@@@Z
?CreateException@Exception@Platform@@SAPE$AAV12@H@Z

msvcrt

wcscat_s
wcsncpy_s
??3@YAXPEAX@Z
__CxxFrameHandler3
memcpy_s
memmove_s
wcsstr
vswprintf_s
_vscwprintf
??_V@YAXPEAX@Z
_purecall
time
__RTDynamicCast
??0exception@@QEAA@AEBV0@@Z
??1exception@@UEAA@XZ
??0exception@@QEAA@XZ
__ExceptionPtrDestroy
__ExceptionPtrRethrow
__ExceptionPtrCurrentException
__ExceptionPtrCreate
?terminate@@YAXXZ
_wcsicmp
?what@exception@@UEBAPEBDXZ
??0exception@@QEAA@AEBQEBD@Z
wcsrchr
?name@type_info@@QEBAPEBDXZ
__RTtypeid
wcschr
free
calloc
_ultoa_s
strncmp
_strlwr_s
malloc
swprintf_s
isalpha
isalnum
_wcslwr_s
wcspbrk
wcsnlen
iswspace
_time64
_gmtime64_s
wcsftime
__C_specific_handler
_vsnprintf
_wtoi
__ExceptionPtrCopyException
__ExceptionPtrAssign
__ExceptionPtrToBool
wcsncmp
srand
rand
_wcsupr_s
_wcsnicmp
_wcsicoll
wcscspn
wcsspn
_vsnwprintf
_vsnprintf_s
difftime
_wtol
??0exception@@QEAA@AEBQEBDH@Z
memset
wcslen
_CxxThrowException
??1type_info@@UEAA@XZ
_lock
_unlock
__dllonexit
_onexit
_XcptFilter
_amsg_exit
_initterm
_errno
realloc
memmove
??8type_info@@QEBAHAEBV0@@Z
_callnewh
memcpy
__ExceptionPtrCopy
memcmp
??2@YAPEAX_KHPEBDH@Z

api-ms-win-security-lsalookup-l1-1-2

LsaLookupUserAccountType

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateStringReference
WindowsCreateString
WindowsGetStringLen
WindowsDeleteString
WindowsDuplicateString
WindowsGetStringRawBuffer
WindowsCompareStringOrdinal
WindowsConcatString
WindowsIsStringEmpty

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime
GetSystemInfo

api-ms-win-core-memory-l1-1-0

VirtualQuery
VirtualAlloc
VirtualProtect

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime

Exports

Exports

DllCanUnloadNow
DllGetActivationFactory

Sections

.text
Size: 2.4MB - Virtual size: 2.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 304KB - Virtual size: 312KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 108KB - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 304B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 89KB - Virtual size: 89KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Loader.exe
.exe windows:4 windows x86 arch:x86

Password: 2024

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\z9jsu3\obj\Release\Extractor.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 276KB - Virtual size: 276KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Microsoft WCF Document/Loader.dll
Microsoft.NET/manic.dll
Mode/Load.dll
Newtonsoft.Json.dll
Visual.dll
xNet.dll

Sharing

General

Malware Config

Signatures

Files

Password: 2024

Password: 2024

f6631409fdf8ba0fc04cbbcf0d4c4b2c

Code Sign

33:00:00:03:8d:b0:bf:e1:b0:ca:33:b3:d4:00:00:00:00:03:8dCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

5a:3a:1d:f1:b8:7e:e4:ff:3c:7a:66:71:17:b3:ff:b4:f5:b0:19:10:ff:4d:93:67:34:65:91:bd:a0:97:e4:56Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntdll

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-security-cryptoapi-l1-1-0

wincorlib

msvcrt

api-ms-win-security-lsalookup-l1-1-2

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-timezone-l1-1-0

Exports

Exports

Sections

.text Size: 2.4MB - Virtual size: 2.4MB

.rdata Size: 1.1MB - Virtual size: 1.1MB

.data Size: 304KB - Virtual size: 312KB

.pdata Size: 108KB - Virtual size: 108KB

.didat Size: 512B - Virtual size: 304B

.rsrc Size: 89KB - Virtual size: 89KB

.reloc Size: 25KB - Virtual size: 25KB

Password: 2024

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 276KB - Virtual size: 276KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

33:00:00:03:8d:b0:bf:e1:b0:ca:33:b3:d4:00:00:00:00:03:8d
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

5a:3a:1d:f1:b8:7e:e4:ff:3c:7a:66:71:17:b3:ff:b4:f5:b0:19:10:ff:4d:93:67:34:65:91:bd:a0:97:e4:56
Signer

.text
Size: 2.4MB - Virtual size: 2.4MB

.rdata
Size: 1.1MB - Virtual size: 1.1MB

.data
Size: 304KB - Virtual size: 312KB

.pdata
Size: 108KB - Virtual size: 108KB

.didat
Size: 512B - Virtual size: 304B

.rsrc
Size: 89KB - Virtual size: 89KB

.reloc
Size: 25KB - Virtual size: 25KB

.text
Size: 276KB - Virtual size: 276KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B