C:\Users\Alex\Desktop\loader\x64\Release\loader.pdb
Static task
static1
Behavioral task
behavioral1
Sample
09de762b98fe0596ebc110411115ca553bf071b4243889a6e11f84f53ba53eb8.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
09de762b98fe0596ebc110411115ca553bf071b4243889a6e11f84f53ba53eb8.exe
Resource
win10v2004-20241007-en
General
-
Target
09de762b98fe0596ebc110411115ca553bf071b4243889a6e11f84f53ba53eb8
-
Size
922KB
-
MD5
1bcf37c39b0d6636b70f77c36ec74ae1
-
SHA1
b3170ccee0ce4dd6728787617610aeff9369172d
-
SHA256
09de762b98fe0596ebc110411115ca553bf071b4243889a6e11f84f53ba53eb8
-
SHA512
69fb83cbf94979f2ecc1835b21cf837bd716be367047ff462f5932d892c01c1d5e9c56b7b7c9b173cb3d4818ff85dd730f0ba5e50416e8e33e706b4731a4762e
-
SSDEEP
24576:E8Z717dQ9Biw+L9RHhAPF4WANJ6fdO1sUcmN/:EwxGTRwbyev4PUc
Malware Config
Signatures
-
Unsigned PE (1 IoC)
Checks for missing Authenticode signature.
resource 09de762b98fe0596ebc110411115ca553bf071b4243889a6e11f84f53ba53eb8
Files
-
09de762b98fe0596ebc110411115ca553bf071b4243889a6e11f84f53ba53eb8.exe windows:6 windows x64 arch:x64
d4e8ba336eaa04646c2f1bb95b16f555
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
shell32
ShellExecuteW
ShellExecuteA
SHGetSpecialFolderPathW
kernel32
FormatMessageA
GetFileSizeEx
WideCharToMultiByte
VerifyVersionInfoW
DeviceIoControl
LocalAlloc
GetComputerNameExW
GetDiskFreeSpaceExW
GetComputerNameW
GlobalMemoryStatusEx
GetModuleHandleW
GetSystemWindowsDirectoryW
Wow64DisableWow64FsRedirection
ExpandEnvironmentStringsW
Wow64RevertWow64FsRedirection
GetWindowsDirectoryW
GetFullPathNameW
Thread32Next
Thread32First
OpenProcess
CreateToolhelp32Snapshot
QueueUserAPC
Module32FirstW
Module32NextW
VirtualFreeEx
OpenThread
GetBinaryTypeW
PeekNamedPipe
ReadFile
GetFileType
GetEnvironmentVariableA
WaitForSingleObjectEx
MoveFileExA
GetTickCount
QueryPerformanceCounter
VerifyVersionInfoA
VirtualFree
VirtualAlloc
GetWriteWatch
ResetWriteWatch
GlobalGetAtomNameW
HeapQueryInformation
ReadProcessMemory
IsDebuggerPresent
CreateRemoteThread
RaiseException
SetUnhandledExceptionFilter
GetCurrentProcess
CheckRemoteDebuggerPresent
OutputDebugStringW
VirtualProtect
GetSystemInfo
QueryDosDeviceW
GetModuleHandleExW
K32GetModuleFileNameExW
K32GetProcessImageFileNameW
GetSystemDirectoryW
K32GetModuleInformation
K32GetMappedFileNameW
VirtualQuery
GetConsoleScreenBufferInfo
SetLastError
FormatMessageW
LocalSize
RemoveVectoredExceptionHandler
AddVectoredExceptionHandler
LoadLibraryA
GetProcAddress
GetModuleHandleA
FreeLibrary
GetSystemDirectoryA
QueryPerformanceFrequency
SleepEx
DeleteCriticalSection
InitializeCriticalSectionEx
GetExitCodeProcess
SetThreadContext
lstrcpyW
CreateProcessW
LocalFree
VirtualAllocEx
GetThreadContext
CloseHandle
GetCurrentThread
CreateEventW
DeleteFileA
lstrcatW
GetLastError
Sleep
MultiByteToWideChar
ResumeThread
CreateFileW
WaitForSingleObject
GetEnvironmentVariableW
GetModuleFileNameW
GetDriveTypeA
TerminateProcess
GetShortPathNameW
EnterCriticalSection
WriteFile
GetStdHandle
SetConsoleTitleA
SetConsoleTextAttribute
WriteProcessMemory
GetModuleFileNameA
CreateDirectoryW
GetCurrentProcessId
CreateFileA
LeaveCriticalSection
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
ResetEvent
InitializeCriticalSectionAndSpinCount
IsProcessorFeaturePresent
UnhandledExceptionFilter
SetEvent
CreateThread
lstrlenW
WaitForMultipleObjects
SwitchToThread
LoadLibraryW
QueryInformationJobObject
HeapFree
GetFileAttributesW
Process32NextW
Process32FirstW
HeapAlloc
HeapSize
GetProcessHeap
HeapReAlloc
HeapDestroy
user32
GetSystemMetrics
MessageBoxA
ReleaseDC
GetDC
SetWindowsHookExW
GetWindowThreadProcessId
GetShellWindow
FindWindowW
MessageBoxW
gdi32
BitBlt
CreateCompatibleBitmap
SelectObject
CreateCompatibleDC
GetBitmapBits
DeleteDC
GetObjectW
DeleteObject
advapi32
RegQueryValueExW
CryptAcquireContextA
CryptReleaseContext
CryptGetHashParam
CryptGenRandom
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptDestroyKey
CryptImportKey
CryptEncrypt
GetUserNameW
RegEnumKeyExW
RegQueryInfoKeyW
EnumServicesStatusExW
GetTokenInformation
OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueW
CopySid
GetLengthSid
IsValidSid
ConvertSidToStringSidA
GetSecurityInfo
OpenServiceW
SetSecurityInfo
RegOpenKeyExW
SetEntriesInAclW
OpenSCManagerW
CloseServiceHandle
QueryServiceStatus
RegCloseKey
msvcp140
?_Xout_of_range@std@@YAXPEBD@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?id@?$ctype@D@std@@2V0locale@2@A
?_Random_device@std@@YAIXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?_Xbad_function_call@std@@YAXXZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
?_Syserror_map@std@@YAPEBDH@Z
?_Xinvalid_argument@std@@YAXPEBD@Z
_Equivalent
_To_wide
_Thrd_detach
_Cnd_do_broadcast_at_thread_exit
?_Throw_C_error@std@@YAXH@Z
?_Throw_Cpp_error@std@@YAXH@Z
??Bid@locale@std@@QEAA_KXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?uncaught_exception@std@@YA_NXZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
shlwapi
wnsprintfW
StrChrW
PathCombineW
StrStrIW
PathRemoveExtensionW
PathFindFileNameW
StrCmpW
SHDeleteKeyW
PathGetDriveNumberW
StrCmpIW
StrCmpNIW
ntdll
NtClose
RtlReleaseRelativeName
RtlDosPathNameToRelativeNtPathName_U_WithStatus
NtCreateSection
NtQuerySystemInformation
NtUnloadDriver
RtlFreeHeap
RtlAllocateHeap
RtlInitUnicodeString
RtlGetFullPathName_UEx
NtDeviceIoControlFile
NtMapViewOfSection
RtlAdjustPrivilege
NtUnmapViewOfSection
NtLoadDriver
VerSetConditionMask
RtlCaptureContext
RtlLookupFunctionEntry
RtlWriteRegistryValue
NtCreateFile
RtlVirtualUnwind
RtlCreateRegistryKey
mpr
WNetGetProviderNameW
iphlpapi
GetAdaptersInfo
setupapi
SetupDiGetClassDevsW
SetupDiGetDeviceRegistryPropertyW
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
powrprof
GetPwrCapabilities
normaliz
IdnToAscii
wldap32
ord41
ord301
ord200
ord30
ord143
ord217
ord46
ord211
ord60
ord45
ord50
ord35
ord22
ord26
ord27
ord32
ord33
ord79
crypt32
CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CertGetNameStringA
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryA
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertOpenStore
CertCloseStore
ws2_32
sendto
ntohl
getaddrinfo
recvfrom
gethostname
closesocket
recv
send
WSAGetLastError
bind
connect
getpeername
getsockname
getsockopt
htons
ntohs
setsockopt
socket
WSASetLastError
WSAIoctl
WSAStartup
WSACleanup
accept
htonl
listen
ioctlsocket
__WSAFDIsSet
select
freeaddrinfo
rpcrt4
UuidCreate
UuidToStringA
RpcStringFreeA
userenv
UnloadUserProfile
vcruntime140_1
__CxxFrameHandler4
vcruntime140
strstr
__std_terminate
__std_exception_destroy
__std_exception_copy
memcpy
memset
strchr
strrchr
memmove
memcmp
memchr
wcsstr
__C_specific_handler
_CxxThrowException
__current_exception
__current_exception_context
api-ms-win-crt-stdio-l1-1-0
_close
_write
_read
setvbuf
_popen
ungetc
__p__commode
_open
feof
fsetpos
__stdio_common_vsprintf
fopen_s
fwrite
_set_fmode
fread
_fseeki64
_lseeki64
fgetc
_get_stream_buffer_pointers
_pclose
__stdio_common_vswprintf_s
fclose
__stdio_common_vfwprintf
fgets
fseek
fopen
fputs
_wfopen_s
__acrt_iob_func
__stdio_common_vfprintf
__stdio_common_vsscanf
fflush
__stdio_common_vswprintf
ftell
fputc
fgetpos
api-ms-win-crt-string-l1-1-0
_strdup
strtok_s
wcscat_s
strcspn
strspn
isupper
strncpy
_wcsicmp
isxdigit
strcmp
_stricmp
strncmp
tolower
strpbrk
wcscpy_s
api-ms-win-crt-runtime-l1-1-0
_cexit
_initialize_narrow_environment
_seh_filter_exe
terminate
_set_app_type
__sys_nerr
system
_get_initial_narrow_environment
_getpid
_configure_narrow_argv
_initterm
_beginthreadex
_exit
_resetstkoflw
_invalid_parameter_noinfo
__p___argc
__p___argv
_c_exit
exit
_crt_atexit
_register_thread_local_exe_atexit_callback
_initialize_onexit_table
strerror
_initterm_e
_errno
_invalid_parameter_noinfo_noreturn
_register_onexit_function
api-ms-win-crt-heap-l1-1-0
malloc
realloc
_set_new_mode
free
calloc
_callnewh
api-ms-win-crt-utility-l1-1-0
rand
srand
qsort
api-ms-win-crt-math-l1-1-0
_dclass
__setusermatherr
_dsign
api-ms-win-crt-time-l1-1-0
_time64
_wasctime_s
_localtime64_s
strftime
_gmtime64
api-ms-win-crt-filesystem-l1-1-0
_splitpath_s
_fstat64
_unlock_file
remove
_lock_file
_unlink
_access
_stat64
rename
api-ms-win-crt-locale-l1-1-0
_get_current_locale
_configthreadlocale
localeconv
api-ms-win-crt-convert-l1-1-0
atoi
strtoul
strtoull
strtod
strtol
strtoll
_wcstoui64_l
ole32
CoSetProxyBlanket
CoCreateInstance
CoUninitialize
CoInitializeSecurity
CoInitializeEx
oleaut32
SafeArrayGetLBound
SafeArrayAccessData
SafeArrayGetUBound
SysAllocString
SysFreeString
VariantClear
SafeArrayGetElement
SafeArrayUnaccessData
Sections
.text Size: 597KB - Virtual size: 596KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 165KB - Virtual size: 164KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 127KB - Virtual size: 130KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 24KB - Virtual size: 24KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 5KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 3KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ