loader[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

loader.exe
Size

15.9MB
MD5

3ea2381d1e7dab5f89d6a89f5cbb5216
SHA1

c8aef0c1b9312c9ef534a728bd147523762335fe
SHA256

c861348fee6cb15d4ade022d1a064078901cf1658ca901ac405dbafa5531f355
SHA512

72ae6d41c7b7a553fd095aaa9ab708aa33f8b3ab4f83bc30191dbb24ce5b1cef64c2781b904078eb531b71478df19323f0b641f2c310f5112a37b949cba281d3
SSDEEP

393216:HP6+mnKrp/OxBP+Inkat8fLUq42kPiMPeR+6/SR/LyTY/eXi:Hi+1pmxR/nVEHsicCKy5S

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
loader.exe

Files

loader.exe
.exe windows:6 windows x64 arch:x64

3c93b52e7f8dfd517c3bc558e79ee567

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ws2_32

WSAGetLastError
getsockname
ioctlsocket
WSACleanup
closesocket
gethostbyname
WSAStartup
send
socket
connect
recv
select
getsockopt
htonl
htons
inet_addr
inet_ntoa
getaddrinfo
gethostbyaddr
getservbyport
getservbyname
WSASetLastError
setsockopt
shutdown
getpeername
recvfrom
sendto
ntohs
freeaddrinfo

crypt32

CertGetCertificateContextProperty
CertFreeCertificateContext
CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertOpenSystemStoreW
CertDuplicateCertificateContext

advapi32

CryptReleaseContext
RegCreateKeyW
RegDeleteTreeW
RegCloseKey
RegSetKeyValueW
DeregisterEventSource
RegisterEventSourceW
ReportEventW
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptGenRandom
CryptAcquireContextW
RegOpenKeyW

user32

MessageBoxW
GetUserObjectInformationW
GetProcessWindowStation

kernel32

FreeLibrary
LoadLibraryA
FormatMessageA
LoadLibraryW
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
ReleaseSemaphore
WaitForSingleObject
GetExitCodeThread
CreateSemaphoreA
FindClose
FindFirstFileW
FindNextFileW
GetSystemTime
SystemTimeToFileTime
ReadConsoleA
OutputDebugStringW
InitializeSListHead
QueryPerformanceCounter
IsDebuggerPresent
GetSystemDirectoryA
GetACP
WideCharToMultiByte
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
SleepConditionVariableSRW
WakeAllConditionVariable
ReadConsoleW
Sleep
GetStdHandle
SetConsoleMode
GetConsoleMode
SetConsoleTitleW
VirtualFree
DeviceIoControl
VirtualAlloc
InitializeCriticalSectionEx
CreateFileW
GetCurrentThreadId
GetModuleHandleA
GetLastError
CloseHandle
GetProcAddress
DeleteCriticalSection
GetCurrentProcessId
GetTempPathW
SetConsoleTextAttribute
GetCurrentProcess
ReadProcessMemory
GetFileType
WriteFile
GetModuleHandleW
MultiByteToWideChar
RtlVirtualUnwind
SetLastError
InitializeSRWLock
ReleaseSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockExclusive
AcquireSRWLockShared
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleExW
GetSystemTimeAsFileTime
GetEnvironmentVariableW
LocalFree
GetSystemTimeAsFileTime
CreateEventA
GetModuleHandleA
TerminateProcess
GetCurrentProcess
CreateToolhelp32Snapshot
Thread32First
GetCurrentProcessId
GetCurrentThreadId
OpenThread
Thread32Next
CloseHandle
SuspendThread
ResumeThread
WriteProcessMemory
GetSystemInfo
VirtualAlloc
VirtualProtect
VirtualFree
GetProcessAffinityMask
SetProcessAffinityMask
GetCurrentThread
SetThreadAffinityMask
Sleep
LoadLibraryA
FreeLibrary
GetTickCount
SystemTimeToFileTime
FileTimeToSystemTime
GlobalFree
HeapAlloc
HeapFree
GetProcAddress
ExitProcess
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
MultiByteToWideChar
GetModuleHandleW
LoadResource
FindResourceExW
FindResourceExA
WideCharToMultiByte
GetThreadLocale
GetUserDefaultLCID
GetSystemDefaultLCID
EnumResourceNamesA
EnumResourceNamesW
EnumResourceLanguagesA
EnumResourceLanguagesW
EnumResourceTypesA
EnumResourceTypesW
CreateFileW
LoadLibraryW
GetLastError
FlushFileBuffers
FlsSetValue
GetCommandLineA
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
DecodePointer
FlsGetValue
FlsFree
SetLastError
FlsAlloc
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RaiseException
RtlPcToFileHeader
RtlUnwindEx
LCMapStringA
LCMapStringW
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapSetInformation
HeapCreate
HeapDestroy
QueryPerformanceCounter
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
HeapSize
WriteFile
SetFilePointer
GetConsoleCP
GetConsoleMode
HeapReAlloc
InitializeCriticalSectionAndSpinCount
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
CreateFileA

ole32

CoSetProxyBlanket
CoCreateInstance
CoUninitialize
CoInitializeSecurity
CoInitializeEx

oleaut32

SysFreeString
SysAllocString
VariantClear

msvcp140

?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??7ios_base@std@@QEBA_NXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEBX@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?uncaught_exception@std@@YA_NXZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?id@?$ctype@D@std@@2V0locale@2@A
?_Xlength_error@std@@YAXPEBD@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?good@ios_base@std@@QEBA_NXZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??Bid@locale@std@@QEAA_KXZ

ntdll

RtlInitUnicodeString
NtQuerySystemInformation
RtlLookupFunctionEntry
RtlCaptureContext

vcruntime140_1

__CxxFrameHandler4

vcruntime140

strstr
strrchr
memmove
strchr
memcmp
wcsstr
memset
memcpy
__std_terminate
__std_exception_copy
__std_exception_destroy
__current_exception_context
__C_specific_handler
_CxxThrowException
__current_exception
memchr

api-ms-win-crt-runtime-l1-1-0

_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
system
terminate
exit
_exit
_cexit
raise
strerror_s
signal
_seh_filter_exe
_set_app_type
_register_thread_local_exe_atexit_callback
_c_exit
_errno
_get_initial_narrow_environment
_initterm
_initterm_e
_beginthreadex
_invalid_parameter_noinfo_noreturn
__p___argc
__p___argv

api-ms-win-crt-heap-l1-1-0

free
_callnewh
calloc
realloc
_set_new_mode
malloc

api-ms-win-crt-math-l1-1-0

_dsign
__setusermatherr

api-ms-win-crt-locale-l1-1-0

localeconv
_configthreadlocale

api-ms-win-crt-stdio-l1-1-0

ftell
fseek
_set_fmode
_fileno
__stdio_common_vsprintf_s
__stdio_common_vsprintf
fgets
ferror
_wfopen
fopen
feof
__stdio_common_vfprintf
__acrt_iob_func
fputc
fflush
fclose
__stdio_common_vsscanf
fputs
__p__commode
__stdio_common_vswprintf
_setmode
fgetc
_get_stream_buffer_pointers
_fseeki64
fread
fsetpos
ungetc
fwrite
fgetpos
setvbuf

api-ms-win-crt-convert-l1-1-0

strtol
atoi
strtoul

api-ms-win-crt-time-l1-1-0

_gmtime64_s
_time64

api-ms-win-crt-utility-l1-1-0

srand
rand
qsort

api-ms-win-crt-filesystem-l1-1-0

_stat64i32
_lock_file
_unlock_file
_wremove

api-ms-win-crt-string-l1-1-0

_stricmp
strspn
strcspn
isdigit
tolower
strncpy_s
strcat_s
strcpy_s
strncmp
strcmp
isspace
strncpy

api-ms-win-crt-environment-l1-1-0

getenv

Sections

.text
Size: - Virtual size: 2.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 801KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 128KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 100KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.k]>
Size: - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pym
Size: - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.migel
Size: - Virtual size: 6.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.wr[
Size: - Virtual size: 6.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.?$/
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.K\}
Size: 15.9MB - Virtual size: 15.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 272B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3c93b52e7f8dfd517c3bc558e79ee567

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

crypt32

advapi32

user32

kernel32

ole32

oleaut32

msvcp140

ntdll

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-environment-l1-1-0

Sections

.text Size: - Virtual size: 2.8MB

.rdata Size: - Virtual size: 801KB

.data Size: - Virtual size: 128KB

.pdata Size: - Virtual size: 100KB

.k]> Size: - Virtual size: 488B

.pym Size: - Virtual size: 36KB

.migel Size: - Virtual size: 6.6MB

.wr[ Size: - Virtual size: 6.7MB

.?$/ Size: 4KB - Virtual size: 4KB

.K\} Size: 15.9MB - Virtual size: 15.9MB

.reloc Size: 512B - Virtual size: 272B

.rsrc Size: 512B - Virtual size: 480B

.text
Size: - Virtual size: 2.8MB

.rdata
Size: - Virtual size: 801KB

.data
Size: - Virtual size: 128KB

.pdata
Size: - Virtual size: 100KB

.k]>
Size: - Virtual size: 488B

.pym
Size: - Virtual size: 36KB

.migel
Size: - Virtual size: 6.6MB

.wr[
Size: - Virtual size: 6.7MB

.?$/
Size: 4KB - Virtual size: 4KB

.K\}
Size: 15.9MB - Virtual size: 15.9MB

.reloc
Size: 512B - Virtual size: 272B

.rsrc
Size: 512B - Virtual size: 480B