loader[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

loader.exe
Size

17.2MB
MD5

4581034e6d6a589f2b7c4b58203acbe2
SHA1

1704c6539255434ed0ec8ff7d4d706efc491f891
SHA256

c197c6758edcc0966a33fa80f77227beedd3dc308280cdb2420bd3252cd81dc4
SHA512

3bc0ff9b4bd45e1a9df64ac7d8d93b8b4b3591f7e0d41db2d97eeffb7f87e519f48d331bbc0af19577906a0a45e7abca1af9c03a6696da59e922eff0502ad570
SSDEEP

393216:jAKLp9uQ5RudnitEscwyXM9MgIhNzCIk2/pRbZcC:jAKLDd5UitEsHivX55n

Score

3^/10

Malware Config

Signatures

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
sample	embeds_openssl

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
loader.exe

Files

loader.exe
.exe windows:6 windows x64 arch:x64

cd6c614ae60e4ae5c7e244f057509133

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\sasaz\Documents\GitHub\web\loader\binary\Production\loader.pdb

Imports

iphlpapi

GetAdaptersAddresses
GetAdaptersInfo
if_nametoindex

d3d11

D3D11CreateDeviceAndSwapChain

d3dcompiler_43

D3DCompile

kernel32

UnregisterWaitEx
WriteConsoleInputW
SetConsoleCursorPosition
ReadConsoleInputW
GetNumberOfConsoleInputEvents
GetNamedPipeHandleStateA
CancelSynchronousIo
CreateNamedPipeW
ConnectNamedPipe
UnregisterWait
RegisterWaitForSingleObject
CancelIo
GetLongPathNameW
ReadDirectoryChangesW
LoadLibraryExA
RtlUnwind
AllocConsole
SetConsoleOutputCP
SetConsoleCP
ExitProcess
GetCommandLineA
CreateProcessA
DeleteFileA
GlobalMemoryStatusEx
GetProcessHeap
HeapAlloc
CreateFileA
GetLastError
DeviceIoControl
CancelIoEx
DebugBreak
HeapFree
GetSystemFirmwareTable
GetSystemTime
CloseHandle
Process32Next
QueueUserWorkItem
SetHandleInformation
GetQueuedCompletionStatus
CreateIoCompletionPort
SetErrorMode
CreateToolhelp32Snapshot
OpenProcess
TerminateProcess
GetCurrentProcess
Process32First
FormatMessageA
GetCurrentThreadId
GetCurrentProcessId
GetConsoleMode
Sleep
GetDynamicTimeZoneInformation
WriteFile
WriteConsoleA
GetStdHandle
SetConsoleTextAttribute
GetConsoleScreenBufferInfo
QueryPerformanceCounter
HeapSize
DeleteFileW
SetEndOfFile
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetOEMCP
IsValidCodePage
CreateProcessW
GetExitCodeProcess
HeapReAlloc
FlushFileBuffers
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
GetCurrentThread
GetConsoleOutputCP
GetModuleFileNameW
GetTimeZoneInformation
SetConsoleCtrlHandler
SetStdHandle
FreeLibraryAndExitThread
ExitThread
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
FreeLibrary
VerSetConditionMask
GetProcAddress
QueryPerformanceFrequency
LoadLibraryA
GetLocaleInfoA
GetModuleHandleA
GlobalUnlock
WideCharToMultiByte
GlobalLock
GlobalFree
GlobalAlloc
MultiByteToWideChar
PostQueuedCompletionStatus
PeekNamedPipe
GetDriveTypeW
LoadLibraryExW
InitializeCriticalSectionAndSpinCount
RtlUnwindEx
GetCPInfo
GetStringTypeW
LCMapStringEx
DecodePointer
WriteConsoleW
SetEvent
ResetEvent
CreateEventA
CreateFileW
SetUnhandledExceptionFilter
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
ReleaseSemaphore
WaitForSingleObject
CreateSemaphoreW
CreateThread
TerminateThread
GetProcessId
VirtualQueryEx
LoadLibraryW
DuplicateHandle
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
WaitForMultipleObjects
GetFileType
GetModuleHandleW
GetEnvironmentVariableW
SetLastError
InitializeSRWLock
ReleaseSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockExclusive
AcquireSRWLockShared
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleExW
GetSystemInfo
VirtualProtect
VirtualFree
GetACP
GetExitCodeThread
CreateSemaphoreA
SwitchToFiber
DeleteFiber
CreateFiberEx
GetSystemDirectoryA
GetSystemTimeAsFileTime
SystemTimeToFileTime
ConvertFiberToThread
ConvertThreadToFiberEx
SetConsoleMode
ReadConsoleA
ReadConsoleW
FindClose
FindFirstFileW
FindNextFileW
GetFileSize
GetFileSizeEx
ReadFile
SetFilePointerEx
CompareFileTime
WakeAllConditionVariable
SleepConditionVariableSRW
UnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
InitializeSListHead
WakeConditionVariable
TryAcquireSRWLockExclusive
WaitForSingleObjectEx
SwitchToThread
LocalFree
GetLocaleInfoEx
GetCurrentDirectoryW
CreateDirectoryW
FindFirstFileExW
GetFileAttributesExW
GetFileInformationByHandle
GetFullPathNameW
SetFileInformationByHandle
AreFileApisANSI
CopyFileW
MoveFileExW
GetFileInformationByHandleEx
CreateSymbolicLinkW
RaiseException
InitializeCriticalSectionEx
EncodePointer

user32

GetCapture
ScreenToClient
LoadCursorA
GetMessageExtraInfo
GetKeyState
MessageBoxW
ClientToScreen
EnumDisplayDevicesW
IsIconic
UpdateWindow
TrackMouseEvent
PeekMessageA
SendMessageA
TranslateMessage
SetLayeredWindowAttributes
MessageBoxA
ShowWindow
RegisterClassExW
UnregisterClassW
GetSystemMetrics
CreateWindowExW
SetWindowPos
DestroyWindow
GetWindowRect
DispatchMessageA
DefWindowProcW
SetClipboardData
GetKeyboardLayout
PostQuitMessage
SetCapture
SetCursor
GetClientRect
SetProcessDPIAware
IsWindowUnicode
ReleaseCapture
SetCursorPos
GetCursorPos
OpenClipboard
GetClipboardData
EmptyClipboard
GetProcessWindowStation
GetUserObjectInformationW
CloseClipboard
GetMessageA
MapVirtualKeyW
GetForegroundWindow

gdi32

DeleteObject
CreateRectRgn

advapi32

CryptEnumProvidersW
RegSetValueExA
RegCreateKeyExA
RegQueryValueExA
RegDeleteKeyA
RegCloseKey
RegDeleteTreeA
OpenServiceA
OpenSCManagerA
CloseServiceHandle
QueryServiceStatus
GetTokenInformation
OpenProcessToken
DeregisterEventSource
RegisterEventSourceW
ReportEventW
CryptAcquireContextW
CryptReleaseContext
CryptDestroyKey
CryptSetHashParam
CryptGetProvParam
CryptGetUserKey
CryptExportKey
CryptDecrypt
CryptCreateHash
CryptDestroyHash
CryptSignHashW
RegOpenKeyExA
CryptGenRandom
CryptAcquireContextA
LookupPrivilegeValueA
AdjustTokenPrivileges
GetUserNameW
ConvertSidToStringSidW

shell32

ShellExecuteA

imm32

ImmSetCandidateWindow
ImmSetCompositionWindow
ImmGetContext
ImmReleaseContext

dwmapi

DwmGetColorizationColor
DwmIsCompositionEnabled
DwmExtendFrameIntoClientArea
DwmEnableBlurBehindWindow

ntdll

RtlVirtualUnwind
RtlLookupFunctionEntry
RtlPcToFileHeader
RtlNtStatusToDosError
RtlInitAnsiString
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
RtlCaptureContext

d3dx11_43

D3DX11CreateShaderResourceViewFromMemory

ws2_32

WSAEventSelect
WSASocketW
WSARecv
WSARecvFrom
WSAWaitForMultipleEvents
inet_pton
connect
ioctlsocket
setsockopt
socket
getaddrinfo
freeaddrinfo
getsockname
getsockopt
ntohs
WSAEnumNetworkEvents
htonl
htons
inet_addr
inet_ntoa
gethostbyaddr
getservbyport
getservbyname
accept
bind
listen
shutdown
getpeername
recvfrom
sendto
gethostname
WSAPoll
getprotobyname
WSAIoctl
WSAAddressToStringW
WSAStringToAddressW
WSACreateEvent
WSACloseEvent
WSASetLastError
WSACleanup
WSAStartup
select
__WSAFDIsSet
WSAGetLastError
send
closesocket
gethostbyname
recv

crypt32

CertOpenSystemStoreA
CertGetNameStringA
CertGetIntendedKeyUsage
CertGetEnhancedKeyUsage
CertOpenSystemStoreW
CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFreeCertificateContext
CertFindCertificateInStore
CertDuplicateCertificateContext
CertGetCertificateContextProperty

wininet

HttpAddRequestHeadersW
HttpOpenRequestW
HttpSendRequestW
HttpQueryInfoW
InternetSetOptionW
InternetQueryDataAvailable
InternetReadFile
InternetConnectW
InternetCloseHandle
InternetOpenW
InternetCrackUrlW

Sections

.text
Size: 13.6MB - Virtual size: 13.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 2.4MB - Virtual size: 2.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 610KB - Virtual size: 3.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 189KB - Virtual size: 188KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.fptable
Size: 512B - Virtual size: 256B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 402KB - Virtual size: 401KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 49KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

cd6c614ae60e4ae5c7e244f057509133

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

iphlpapi

d3d11

d3dcompiler_43

kernel32

user32

gdi32

advapi32

shell32

imm32

dwmapi

ntdll

d3dx11_43

ws2_32

crypt32

wininet

Sections

.text Size: 13.6MB - Virtual size: 13.6MB

.rdata Size: 2.4MB - Virtual size: 2.4MB

.data Size: 610KB - Virtual size: 3.2MB

.pdata Size: 189KB - Virtual size: 188KB

.fptable Size: 512B - Virtual size: 256B

.rsrc Size: 402KB - Virtual size: 401KB

.reloc Size: 49KB - Virtual size: 48KB

.text
Size: 13.6MB - Virtual size: 13.6MB

.rdata
Size: 2.4MB - Virtual size: 2.4MB

.data
Size: 610KB - Virtual size: 3.2MB

.pdata
Size: 189KB - Virtual size: 188KB

.fptable
Size: 512B - Virtual size: 256B

.rsrc
Size: 402KB - Virtual size: 401KB

.reloc
Size: 49KB - Virtual size: 48KB