downloader[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

downloader.exe
Size

6.8MB
MD5

f884829d4502eb2153de034c168863ff
SHA1

8a3ec5a8f807a91c42f670165c8ba95389dec098
SHA256

71f48be1c3ad7c4d5bd8dc87c986b0fbceba81a544cb8fd51e878f7fd18fc4ba
SHA512

1af4e7e22c0848fcf85ee16a87f838d3d191a26cca2ffea211c85040b127cd72133b87745a47f27a04f038fea3f1e1f9f4ea00cfe21ce1a6523ce9e87bf53deb
SSDEEP

98304:LW0F3toYS/tKC8+sZrqbGSoaFNBoyj2UEnVUqu1Y2bMz0jjmqDh6:LpAom6ygObb

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
downloader.exe

Files

downloader.exe
.exe windows:6 windows x64 arch:x64

Password: infected123

d741a77a198b6cd7976ae1888725b9ec

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

cirno_downloader.pdb

Imports

bcryptprimitives

ProcessPrng

api-ms-win-core-synch-l1-2-0

WakeByAddressAll
WaitOnAddress
WakeByAddressSingle

shell32

DragFinish
DragQueryFileW
SHCreateItemFromParsingName
ShellExecuteExW
SHGetKnownFolderPath
SHAppBarMessage

kernel32

GetModuleHandleW
RtlUnwindEx
RtlPcToFileHeader
RaiseException
EncodePointer
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
LoadLibraryA
lstrlenW
DeleteFileW
MoveFileExW
CreatePipe
GetProcessId
CompareStringOrdinal
CreateEventW
WaitForMultipleObjects
GetOverlappedResult
SetLastError
GetExitCodeProcess
TlsAlloc
SwitchToThread
WakeAllConditionVariable
Sleep
SetWaitableTimer
TlsGetValue
TlsSetValue
SetFilePointerEx
GetQueuedCompletionStatusEx
LCIDToLocaleName
CloseHandle
GetLastError
CreateIoCompletionPort
SetFileCompletionNotificationModes
AcquireSRWLockExclusive
GetUserDefaultUILanguage
FreeLibrary
FlushFileBuffers
LoadLibraryExW
SetFileInformationByHandle
HeapReAlloc
HeapFree
GetCurrentThread
IsDebuggerPresent
OutputDebugStringW
OutputDebugStringA
SetEnvironmentVariableW
LoadLibraryW
LoadLibraryExA
GetFinalPathNameByHandleW
InitializeSListHead
GetProcessHeap
GetSystemTimeAsFileTime
SleepConditionVariableSRW
TerminateProcess
ReadFile
GetProcAddress
GetSystemInfo
SetHandleInformation
HeapAlloc
GetModuleHandleA
SetThreadStackGuarantee
AddVectoredExceptionHandler
GetCommandLineW
ReleaseSRWLockExclusive
WaitForSingleObject
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
ExitProcess
PostQueuedCompletionStatus
CancelIo
WriteFileEx
CreateThread
CreateNamedPipeW
DeleteProcThreadAttributeList
UpdateProcThreadAttribute
UnhandledExceptionFilter
GetCurrentThreadId
QueryPerformanceCounter
QueryPerformanceFrequency
CreateWaitableTimerExW
InitializeProcThreadAttributeList
DuplicateHandle
GetFileAttributesW
CreateProcessW
TlsFree
GetWindowsDirectoryW
GetSystemDirectoryW
FreeEnvironmentStringsW
GetEnvironmentStringsW
SleepEx
ReadFileEx
FormatMessageW
FindClose
GetStdHandle
GetConsoleMode
FindFirstFileW
MultiByteToWideChar
WriteConsoleW
GetCurrentDirectoryW
WaitForSingleObjectEx
GetCurrentProcess
GetCurrentProcessId
CreateMutexA
WideCharToMultiByte
ReleaseMutex
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
GetEnvironmentVariableW
GetTempPathW
GetModuleFileNameW
CreateFileW
GetFileInformationByHandle
GetFileInformationByHandleEx
GetFullPathNameW
CreateDirectoryW

user32

GetKeyboardLayout
ToUnicodeEx
SetWindowTextW
GetWindowTextLengthW
GetWindowTextW
GetSystemMenu
SetWindowLongW
ShowCursor
GetClipCursor
ClipCursor
ChangeDisplaySettingsExW
SetWindowPlacement
DrawTextW
CreateIcon
FillRect
FindWindowExW
GetWindowDC
SetWindowRgn
GetParent
OffsetRect
MapWindowPoints
GetMenuBarInfo
IsIconic
IsWindowVisible
IsWindowEnabled
GetKeyboardState
GetKeyState
GetMessageA
DispatchMessageA
SetPropW
GetWindowPlacement
SystemParametersInfoA
SetParent
PostQuitMessage
ShowWindow
IsProcessDPIAware
TrackPopupMenu
RemoveMenu
CreateAcceleratorTableW
DestroyAcceleratorTable
DestroyMenu
AdjustWindowRectEx
MonitorFromWindow
RegisterClassExW
InsertMenuW
CreatePopupMenu
GetMenu
RegisterWindowMessageA
CreateMenu
CreateWindowExW
IsWindow
DrawMenuBar
MapVirtualKeyExW
PostMessageW
GetSystemMetrics
SystemParametersInfoW
RegisterTouchWindow
SetMenu
SendMessageW
SetForegroundWindow
ClientToScreen
TranslateAcceleratorW
MsgWaitForMultipleObjectsEx
GetUpdateRect
ValidateRect
GetRawInputData
SetMenuItemInfoW
DrawIconEx
ReleaseDC
GetDC
CheckMenuItem
EnableMenuItem
GetMenuItemInfoW
GetAsyncKeyState
MonitorFromPoint
EnumChildWindows
EnumDisplayMonitors
GetMonitorInfoW
AdjustWindowRect
RedrawWindow
DestroyWindow
GetMessageW
RegisterRawInputDevices
LoadCursorW
PostThreadMessageW
DispatchMessageW
TranslateMessage
PeekMessageW
SetCursor
GetCursorPos
CloseTouchInputHandle
GetTouchInputInfo
TrackMouseEvent
SetCapture
ReleaseCapture
MonitorFromRect
GetWindowLongW
ScreenToClient
EnableWindow
DefWindowProcW
SetWindowLongPtrW
GetWindowLongPtrW
SetCursorPos
GetForegroundWindow
InvalidateRgn
SetWindowPos
GetClientRect
FlashWindowEx
GetActiveWindow
GetWindowRect
AppendMenuW
DestroyIcon
SetWindowDisplayAffinity
SendInput
MapVirtualKeyW

gdi32

CreateSolidBrush
BitBlt
GetDeviceCaps
CombineRgn
CreateRectRgn
SetTextColor
SetBkMode
DeleteObject
DeleteDC
SelectObject
CreateDIBSection
CreateCompatibleDC

dwmapi

DwmGetWindowAttribute
DwmEnableBlurBehindWindow
DwmSetWindowAttribute

oleaut32

SysStringLen
SysFreeString
GetErrorInfo
SetErrorInfo

ole32

RevokeDragDrop
CoInitializeEx
CoTaskMemFree
CoUninitialize
CoCreateInstance
OleInitialize
RegisterDragDrop
CoTaskMemAlloc

comctl32

TaskDialogIndirect
DefSubclassProc
SetWindowSubclass
RemoveWindowSubclass

bcrypt

BCryptGenRandom

advapi32

RegQueryValueExW
EventUnregister
RegGetValueW
SystemFunction036
RegOpenKeyExW
EventWriteTransfer
RegCloseKey
EventSetInformation
EventRegister

ntdll

NtReadFile
RtlNtStatusToDosError
NtCancelIoFileEx
NtDeviceIoControlFile
NtCreateFile
RtlGetVersion
NtWriteFile

shlwapi

SHCreateMemStream

crypt32

CertEnumCertificatesInStore
CertGetCertificateChain
CertAddCertificateContextToStore
CertOpenStore
CertDuplicateCertificateContext
CertFreeCertificateChain
CertDuplicateStore
CertDuplicateCertificateChain
CertVerifyCertificateChainPolicy
CertCloseStore
CertFreeCertificateContext

ws2_32

WSAGetLastError
getsockname
shutdown
WSAStartup
WSACleanup
getpeername
getaddrinfo
getsockopt
WSASend
send
recv
closesocket
setsockopt
WSASocketW
ioctlsocket
WSAIoctl
bind
freeaddrinfo
connect

secur32

FreeContextBuffer
DeleteSecurityContext
DecryptMessage
FreeCredentialsHandle
QueryContextAttributesW
InitializeSecurityContextW
AcquireCredentialsHandleA
EncryptMessage
ApplyControlToken
AcceptSecurityContext

api-ms-win-crt-math-l1-1-0

floor
trunc
pow
round
__setusermatherr

api-ms-win-crt-string-l1-1-0

strcpy_s
wcsncmp
wcslen
strlen
wcscmp
_wcsicmp

api-ms-win-crt-heap-l1-1-0

malloc
_callnewh
calloc
free
_set_new_mode

api-ms-win-crt-convert-l1-1-0

wcstol
_ultow_s
_wtoi

api-ms-win-crt-runtime-l1-1-0

_initialize_narrow_environment
_get_initial_narrow_environment
_initterm
terminate
exit
_exit
_configure_narrow_argv
__p___argc
__p___argv
_set_app_type
abort
_cexit
_seh_filter_exe
_c_exit
_register_thread_local_exe_atexit_callback
_crt_atexit
_register_onexit_function
_initterm_e
_initialize_onexit_table

api-ms-win-crt-stdio-l1-1-0

__p__commode
_set_fmode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 5.1MB - Virtual size: 5.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 60KB - Virtual size: 59KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 60KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected123

d741a77a198b6cd7976ae1888725b9ec

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

bcryptprimitives

api-ms-win-core-synch-l1-2-0

shell32

kernel32

user32

gdi32

dwmapi

oleaut32

ole32

comctl32

bcrypt

advapi32

ntdll

shlwapi

crypt32

ws2_32

secur32

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 5.1MB - Virtual size: 5.1MB

.rdata Size: 1.6MB - Virtual size: 1.6MB

.data Size: 4KB - Virtual size: 16KB

.pdata Size: 60KB - Virtual size: 59KB

.rsrc Size: 60KB - Virtual size: 60KB

.reloc Size: 26KB - Virtual size: 26KB

.text
Size: 5.1MB - Virtual size: 5.1MB

.rdata
Size: 1.6MB - Virtual size: 1.6MB

.data
Size: 4KB - Virtual size: 16KB

.pdata
Size: 60KB - Virtual size: 59KB

.rsrc
Size: 60KB - Virtual size: 60KB

.reloc
Size: 26KB - Virtual size: 26KB