Loader[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Loader.zip
Size

665KB
MD5

1a43099fdb2d1010637e9843d6eccf7b
SHA1

1d79217cc40ec4309c97b237ecf6bc6b57780ab4
SHA256

30dc3712d8f7e09957f914ffcb36da9e2f4a5f801f4a48fd304aee4c6fb2dad6
SHA512

da11484f9ff90199753fdaceb51dd93198c5f67416e7a1256472d12568925c5c6dd13bffe4206733ba6aa44f2124e7d415ee66a5f035e661c88741c2519a8d27
SSDEEP

12288:8r5y/1f10ZsbTciy1WP//AfISlqFJIVibvwSUMlg1nAV/bKKBbO52IuZQ+5P:8r5yNmZsMiy1i/AfISlqC08wliKbbb0U

Score

3^/10

Malware Config

Signatures

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Loader/Loader.exe
unpack001/Loader/likodi/NotificationController.dll.mui
unpack001/Loader/wdi.dll

Files

Loader.zip
.zip
Loader/Loader.exe
.exe windows:6 windows x86 arch:x86

285f07c66f98861b92460fa57c11d967

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\x7qk998\Literally.pdb

Imports

kernel32

WaitForSingleObject
CloseHandle
CreateThread
MultiByteToWideChar
FormatMessageA
GetStringTypeW
WideCharToMultiByte
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
EncodePointer
DecodePointer
LocalFree
GetLocaleInfoEx
LCMapStringEx
CompareStringEx
GetCPInfo
IsProcessorFeaturePresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
CreateFileW
RaiseException
RtlUnwind
InterlockedPushEntrySList
InterlockedFlushSList
GetLastError
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
GetStdHandle
WriteFile
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
HeapAlloc
HeapFree
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetFileType
GetCurrentThread
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
ReadFile
GetFileSizeEx
SetFilePointerEx
ReadConsoleW
SetConsoleCtrlHandler
HeapReAlloc
GetTimeZoneInformation
OutputDebugStringW
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
GetProcessHeap
HeapSize
WriteConsoleW

Sections

.text
Size: 542KB - Virtual size: 542KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 67KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 349KB - Virtual size: 355KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Loader/dmxmlhelputils.dll
Loader/likodi/NotificationController.dll.mui
.dll windows:10 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rdata
Size: 512B - Virtual size: 176B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Loader/likodi/SmiEngine.dll.mui
Loader/likodi/netid.dll.mui
Loader/likodi/wfascim.dll.mui
Loader/mqutil.dll.mui
Loader/samlib.dll
Loader/wdi.dll
.dll windows:10 windows x86 arch:x86

d2c5ad65de7676505e640af8a127b32b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

wdi.pdb

Imports

msvcrt

_except_handler4_common
memcpy
memcmp
_amsg_exit
_XcptFilter
free
_callnewh
_vsnwprintf
malloc
_wcsicmp
swscanf_s
wcsrchr
_initterm
memset

ntdll

EtwEventEnabled
EtwEventUnregister
EtwEventRegister
NtSetInformationThread
NtQueryInformationThread
NtAlpcConnectPort
RtlInitUnicodeString
NtAlpcAcceptConnectPort
NtAlpcCancelMessage
NtAlpcSendWaitReceivePort
AlpcInitializeMessageAttribute
EtwEventWrite
TpReleaseAlpcCompletion
EtwEventActivityIdControl
NtAlpcImpersonateClientOfPort
NtQueryInformationProcess
AlpcMaxAllowedMessageLength
TpWaitForAlpcCompletion
NtAlpcQueryInformation
NtAlpcDisconnectPort
RtlNtStatusToDosError
AlpcGetMessageAttribute
TpAllocAlpcCompletion

api-ms-win-core-synch-l1-1-0

EnterCriticalSection
SetEvent
InitializeCriticalSection
WaitForSingleObject
DeleteCriticalSection
CreateEventW
WaitForMultipleObjectsEx
ResetEvent
LeaveCriticalSection

api-ms-win-eventing-controller-l1-1-0

ControlTraceW

api-ms-win-core-file-l2-1-0

CopyFileExW

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetLastError

api-ms-win-core-file-l1-1-0

CreateFileW
CreateDirectoryW
CompareFileTime

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetCurrentProcessId
GetCurrentProcess
GetCurrentThread
CreateThread
GetCurrentThreadId

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemDirectoryW
GetSystemTimeAsFileTime

api-ms-win-security-base-l1-1-0

GetLengthSid
IsValidSid
CreateWellKnownSid
CopySid
RevertToSelf

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
LoadStringW
DisableThreadLibraryCalls
FreeLibrary
GetModuleHandleExW
LoadLibraryExW
FreeLibraryAndExitThread

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegQueryInfoKeyW
RegQueryValueExW
RegOpenKeyExW
RegEnumKeyExW

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapAlloc
HeapFree

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-core-debug-l1-1-0

OutputDebugStringW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

kernelbase

WTSGetServiceSessionId

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

DllCanUnloadNow
DllGetClassObject
ServiceMain
WdiAddFileToInstance
WdiAddParameter
WdiCancel
WdiCloseInstance
WdiCreateInstance
WdiDeleteQueuedResolution
WdiDiagnose
WdiGetClientActivityId
WdiGetClientLCID
WdiGetDiagnosticModuleId
WdiGetEvent
WdiGetInstanceFilePath
WdiGetInstanceId
WdiGetLoggerSnapshotPath
WdiGetParameterByIndex
WdiGetParameterByName
WdiGetParameterCount
WdiGetParameterData
WdiGetParameterDataLength
WdiGetParameterDiagnosticModuleId
WdiGetParameterFlags
WdiGetParameterName
WdiGetProgress
WdiGetQueuedResolutionAudience
WdiGetQueuedResolutionExpirationDate
WdiGetQueuedResolutionId
WdiGetQueuedResolutionName
WdiGetQueuedResolutionPriority
WdiGetResult
WdiGetScenarioIcon
WdiGetScenarioInfo
WdiGetScenarioInstanceCreatedDate
WdiGetScenarioInstanceFilePath
WdiGetScenarioInstanceId
WdiGetScenarioInstances
WdiGetScenarioSourceName
WdiGetScenarioTypeName
WdiImpersonateClient
WdiIsQueuedResolutionAdmin
WdiLaunchQueuedResolution
WdiOpenInstance
WdiQueueCurrentResolution
WdiResolve
WdiRevertToSelf
WdiSetFeedback
WdiSetProblemDetectionResult
WdiSetProgress
WdiSetResolution
WdipLaunchLocalHost
WdipLaunchRunDLLUserHost

Sections

.text
Size: 73KB - Virtual size: 72KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 80B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

285f07c66f98861b92460fa57c11d967

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

Sections

.text Size: 542KB - Virtual size: 542KB

.rdata Size: 67KB - Virtual size: 67KB

.data Size: 349KB - Virtual size: 355KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 19KB - Virtual size: 18KB

Headers

DLL Characteristics

File Characteristics

Sections

.rdata Size: 512B - Virtual size: 176B

.rsrc Size: 3KB - Virtual size: 4KB

d2c5ad65de7676505e640af8a127b32b

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-core-synch-l1-1-0

api-ms-win-eventing-controller-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-profile-l1-1-0

kernelbase

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Exports

Exports

Sections

.text Size: 73KB - Virtual size: 72KB

.data Size: 512B - Virtual size: 1KB

.idata Size: 4KB - Virtual size: 3KB

.didat Size: 512B - Virtual size: 80B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 5KB - Virtual size: 5KB

.text
Size: 542KB - Virtual size: 542KB

.rdata
Size: 67KB - Virtual size: 67KB

.data
Size: 349KB - Virtual size: 355KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 19KB - Virtual size: 18KB

.rdata
Size: 512B - Virtual size: 176B

.rsrc
Size: 3KB - Virtual size: 4KB

.text
Size: 73KB - Virtual size: 72KB

.data
Size: 512B - Virtual size: 1KB

.idata
Size: 4KB - Virtual size: 3KB

.didat
Size: 512B - Virtual size: 80B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 5KB - Virtual size: 5KB