Shadow-Loader[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

Shadow-Loader.exe
Size

1.9MB
MD5

b9cb4076250575176c02387e6bd384b7
SHA1

398d7c28197b51b3e486e2b5a520197eafd77669
SHA256

1d80050ced5a904870567c2272de54c7613a9ef25be950595ee4d3c00b413bf7
SHA512

fbae0f0c48adbf42ed5fb975a25f4a8657e95f5fcd7c718b2bb0436763e56b1a8a0baaab42082323f9d536363e600840389f208350eceb214838b906fb2a5c75
SSDEEP

49152:8R/r/XVSG6ffu3SIeWF/lnl0tkCt/ZnsSQdasS+0co:Q9SIeWF/lnl0tkCh

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Shadow-Loader.exe

Files

Shadow-Loader.exe
.exe windows:6 windows x64 arch:x64

Password: Shadow123

c91c29b2a372ec21c3af38edcc5d3b06

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\Anthony\Downloads\um new\Observation\x64\Debug\kzk drv.pdb

Imports

kernel32

HeapSize
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
AddVectoredExceptionHandler
GetTickCount
MoveFileExW
WaitForSingleObjectEx
GetEnvironmentVariableA
GetFileType
ReadFile
PeekNamedPipe
InitializeCriticalSectionEx
DeleteCriticalSection
VirtualProtect
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetModuleFileNameA
WaitForMultipleObjects
GetCurrentProcessId
VerifyVersionInfoW
GetFileSizeEx
SleepConditionVariableSRW
GetModuleHandleW
FormatMessageA
GetLocaleInfoEx
GetCurrentDirectoryW
CreateDirectoryW
FindClose
FindFirstFileW
GetFileAttributesExW
AreFileApisANSI
GetFileInformationByHandleEx
WakeAllConditionVariable
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetSystemTimeAsFileTime
InitializeSListHead
OutputDebugStringW
QueryFullProcessImageNameW
SetLastError
FormatMessageW
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
LocalFree
GetSystemDirectoryW
LoadLibraryW
SleepEx
QueryPerformanceCounter
FreeLibrary
VerSetConditionMask
GetProcAddress
QueryPerformanceFrequency
LoadLibraryA
GetModuleHandleA
GlobalUnlock
GlobalLock
GlobalFree
GlobalAlloc
MoveFileW
GetPrivateProfileStringA
lstrcmpiW
GetPrivateProfileIntA
GetConsoleWindow
GetSystemInfo
WideCharToMultiByte
ExitProcess
Beep
CreateThread
WritePrivateProfileStringA
CloseHandle
Process32FirstW
Process32NextW
GetLastError
Sleep
MultiByteToWideChar
CreateToolhelp32Snapshot
CreateFileW
SetConsoleWindowInfo
GetModuleFileNameW
DeviceIoControl
GetStdHandle
SetConsoleScreenBufferSize
GetCurrentProcess
GetProcessHeap
SetConsoleTitleA
SetConsoleTextAttribute
GetCurrentThreadId

user32

FindWindowA
PeekMessageA
mouse_event
TranslateMessage
SetLayeredWindowAttributes
UpdateWindow
GetCursorPos
MessageBoxA
ScreenToClient
SetWindowLongA
ClientToScreen
GetForegroundWindow
LoadCursorW
SetCursor
GetClientRect
SetCursorPos
DispatchMessageW
OpenClipboard
CloseClipboard
GetKeyState
GetAsyncKeyState
ShowWindow
GetSystemMetrics
MessageBoxW
SetWindowPos
DestroyWindow
SetClipboardData
GetClipboardData
EmptyClipboard

advapi32

OpenProcessToken
CopySid
ConvertSidToStringSidA
CryptAcquireContextW
CryptReleaseContext
CryptGetHashParam
CryptCreateHash
CryptHashData
CryptDestroyHash
SystemFunction036
CryptDestroyKey
CryptImportKey
CryptEncrypt
RegCreateKeyExA
IsValidSid
InitializeAcl
GetLengthSid
AddAccessAllowedAce
GetTokenInformation
SetSecurityInfo

d3d11

D3D11CreateDeviceAndSwapChain

msvcp140

?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?_Xbad_function_call@std@@YAXXZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Throw_Cpp_error@std@@YAXH@Z
?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??7ios_base@std@@QEBA_NXZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Winerror_map@std@@YAHH@Z
?_Syserror_map@std@@YAPEBDH@Z
_Xtime_get_ticks
?_Xinvalid_argument@std@@YAXPEBD@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?id@?$ctype@D@std@@2V0locale@2@A
?_Random_device@std@@YAIXZ
?_Xlength_error@std@@YAXPEBD@Z
_Mtx_lock
_Cnd_do_broadcast_at_thread_exit
_Query_perf_counter
_Thrd_detach
_Mtx_unlock
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??Bid@locale@std@@QEAA_KXZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??Bios_base@std@@QEBA_NXZ
?good@ios_base@std@@QEBA_NXZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ

imm32

ImmGetContext
ImmReleaseContext
ImmSetCandidateWindow
ImmSetCompositionWindow

d3dcompiler_47

D3DCompile

dwmapi

DwmExtendFrameIntoClientArea

crypt32

CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CertOpenStore
CryptQueryObject
CertGetNameStringW
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryW
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore

ws2_32

WSAIoctl
socket
htonl
setsockopt
recv
htons
listen
getaddrinfo
getpeername
freeaddrinfo
connect
bind
WSACleanup
WSAStartup
recvfrom
__WSAFDIsSet
inet_ntop
WSASetLastError
ntohs
inet_pton
WSAGetLastError
closesocket
WSAWaitForMultipleEvents
WSAResetEvent
WSAEnumNetworkEvents
WSACreateEvent
ioctlsocket
WSACloseEvent
send
getsockopt
gethostname
select
sendto
accept
getsockname
WSAEventSelect

shlwapi

PathFindFileNameW

psapi

GetModuleInformation

userenv

UnloadUserProfile

bcrypt

BCryptGenRandom

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_exception_destroy
__std_exception_copy
__std_terminate
strstr
__current_exception_context
__current_exception
wcschr
strchr
strrchr
memset
_CxxThrowException
memchr
memmove
__C_specific_handler
memcpy
memcmp

api-ms-win-crt-runtime-l1-1-0

__sys_nerr
exit
system
terminate
_invalid_parameter_noinfo_noreturn
_errno
__sys_errlist
abort
_invalid_parameter_noinfo
_resetstkoflw
_beginthreadex
_register_thread_local_exe_atexit_callback
_c_exit
__p___argv
__p___argc
_exit
_initterm_e
_initterm
_get_initial_narrow_environment
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv

api-ms-win-crt-string-l1-1-0

wcsncpy
strncmp
strpbrk
wcsncmp
strtok_s
_wcsdup
_strdup
strcspn
wcspbrk
strspn
strcmp

api-ms-win-crt-heap-l1-1-0

_set_new_mode
malloc
realloc
calloc
_callnewh
free

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_wstat64
remove
_unlink
_fstat64
_unlock_file

api-ms-win-crt-stdio-l1-1-0

_lseeki64
__stdio_common_vsprintf
__stdio_common_vsprintf_s
_set_fmode
_wopen
ftell
__acrt_iob_func
fflush
feof
fputs
fclose
__p__commode
fseek
_read
_write
__stdio_common_vfprintf
fwrite
_fileno
_wfopen
fread
__stdio_common_vsscanf
ungetc
setvbuf
_popen
_pclose
_fseeki64
fsetpos
fputc
fgets
fgetpos
fgetc
_get_stream_buffer_pointers
_close

api-ms-win-crt-convert-l1-1-0

strtod
strtol
strtoll
strtoull
atoi
atof
wcstombs
strtoul

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-math-l1-1-0

tanf
cosf
sin
sqrtf
_dsign
_fdopen
_dclass
powf
acosf
asin
atan2
atan2f
__setusermatherr
ceilf
cos
sinf

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-time-l1-1-0

_time64
strftime
_localtime64
_gmtime64

api-ms-win-crt-locale-l1-1-0

localeconv
___lc_codepage_func
_configthreadlocale

shell32

ShellExecuteA

Sections

.text
Size: 984KB - Virtual size: 983KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 241KB - Virtual size: 241KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 628KB - Virtual size: 636KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 40KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 464B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: Shadow123

c91c29b2a372ec21c3af38edcc5d3b06

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

d3d11

msvcp140

imm32

d3dcompiler_47

dwmapi

crypt32

ws2_32

shlwapi

psapi

userenv

bcrypt

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-locale-l1-1-0

shell32

Sections

.text Size: 984KB - Virtual size: 983KB

.rdata Size: 241KB - Virtual size: 241KB

.data Size: 628KB - Virtual size: 636KB

.pdata Size: 40KB - Virtual size: 40KB

_RDATA Size: 512B - Virtual size: 464B

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 3KB - Virtual size: 3KB

.text
Size: 984KB - Virtual size: 983KB

.rdata
Size: 241KB - Virtual size: 241KB

.data
Size: 628KB - Virtual size: 636KB

.pdata
Size: 40KB - Virtual size: 40KB

_RDATA
Size: 512B - Virtual size: 464B

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 3KB - Virtual size: 3KB