loader.bin

First submission 2024-10-15 22:04:03

File details

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	245.5 KB (251392 bytes)
Compile time:	2024-10-14 17:49:14
MD5:	079caee72a8dac67029b96992050be5b
SHA1:	4f49d9306529385332c5aed5086f0a49dae2195e
SHA256:	e7548ff8c5dac69f9e13dbf0384708490c1482e6f84603f59d8194d78504ec51
Import Hash :	54b907ef88e1152a442e4781bba49bdc
Sections 5	.text .rdata .data .pdata .reloc
Directories 3	import export relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	47/77 VT report date: 2024-10-15 20:20:37
Malware Type 3	trojan downloader pua
Threat Type 3	lazy redcap otcpx

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://176.111.174.140/api/loader.bin	176.111.174.140	2024-10-15 22:04:03

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0xe217	58368	00d6971485d7a24c47afe47c0982e44615b4d72b	97cda0e19813c80be03691f8c397d035
.rdata	0x10000	0x6887	27136	13168f2dd98ad04f4b10fbf944fabc96826a3cec	2668061cc558607ac88a74bb1a02c7eb
.data	0x17000	0x28eb0	157696	04912c40e6b035b640c88f245dbce1335e8e7c8c	86328cf5a9d244719f59d0be8582d991
.pdata	0x40000	0xdb0	3584	bb7a0bb2f1887923d6c7cf5d42860d8f329386ab	15f971e0ccde39ac6f445fb5f6a9fe55
.reloc	0x41000	0xda0	3584	820d142c2f6df30715a902314432c95265c6e8b3	f2858f37ca4bf9f965577daccb069e0e

Anti debug functions 11

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
OutputDebugStringW
Process32First
Process32FirstW
Process32Next
Process32NextW
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Binary
http://176.111.174.140/api/bot64.bin
http://176.111.174.140/api/bot.bin
Loader.bin
Library
KERNEL32.dll
Amscoree.dll
KernelBase.dll
USER32.dll
dKERNEL32.dll
mscoree.dll
WININET.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
ntdll.dll

Strings analysis - Possible IPs found 1

176.111.174.140

Strings analysis - Possible URLs found 3

http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://176.111.174.140/api/bot64.bin
http://176.111.174.140/api/bot.bin

Import functions

WININET.dll 5 ADVAPI32.dll 3 KERNEL32.dll 113 SHELL32.dll 1 ntdll.dll 1 SHLWAPI.dll 3 USER32.dll 1

Function	Address	Souspicious	Anti Debug
InternetOpenW	0x1800103f0
HttpQueryInfoA	0x1800103f8
InternetCloseHandle	0x180010400
InternetReadFile	0x180010408
InternetOpenUrlW	0x180010410

Function	Address	Souspicious	Anti Debug
LookupPrivilegeValueA	0x180010000
OpenProcessToken	0x180010008
AdjustTokenPrivileges	0x180010010

Function	Address	Souspicious	Anti Debug
GetConsoleMode	0x180010020
GetConsoleCP	0x180010028
FlushFileBuffers	0x180010030
GetStringTypeW	0x180010038
LCMapStringEx	0x180010040
SetStdHandle	0x180010048
LoadLibraryW	0x180010050
OutputDebugStringW	0x180010058
LoadLibraryExW	0x180010060
SetFilePointerEx	0x180010068
WriteConsoleW	0x180010070
Thread32First	0x180010078
GetCurrentProcess	0x180010080
Process32First	0x180010088
WaitForSingleObject	0x180010090
CreateRemoteThread	0x180010098
OpenProcess	0x1800100a0
VirtualFreeEx	0x1800100a8
GetProcAddress	0x1800100b0
VirtualAllocEx	0x1800100b8
Process32Next	0x1800100c0
GetModuleHandleA	0x1800100c8
CreateToolhelp32Snapshot	0x1800100d0
CloseHandle	0x1800100d8
WriteProcessMemory	0x1800100e0
VirtualProtectEx	0x1800100e8
VirtualProtect	0x1800100f0
GetTempFileNameW	0x1800100f8
CreateFileA	0x180010100
lstrlenA	0x180010108
CreateProcessW	0x180010110
HeapAlloc	0x180010118
CompareFileTime	0x180010120
GetProcessHeap	0x180010128
WriteFile	0x180010130
GetProcessTimes	0x180010138
WideCharToMultiByte	0x180010140
Sleep	0x180010148
TerminateProcess	0x180010150
CreateFileW	0x180010158
lstrcatA	0x180010160
GetTempPathW	0x180010168
GetLastError	0x180010170
lstrcmpiA	0x180010178
Process32FirstW	0x180010180
IsWow64Process	0x180010188
Process32NextW	0x180010190
CreateMutexA	0x180010198
DeleteFileW	0x1800101a0
CreateThread	0x1800101a8
lstrcpyA	0x1800101b0
GetThreadContext	0x1800101b8
GetFileSize	0x1800101c0
SetThreadContext	0x1800101c8
GetNativeSystemInfo	0x1800101d0
CreateProcessA	0x1800101d8
ReadFile	0x1800101e0
MultiByteToWideChar	0x1800101e8
ResumeThread	0x1800101f0
HeapReAlloc	0x1800101f8
HeapFree	0x180010200
GetModuleHandleW	0x180010208
HeapCreate	0x180010210
Thread32Next	0x180010218
FlushInstructionCache	0x180010220
OpenThread	0x180010228
GetCurrentThreadId	0x180010230
GetCurrentProcessId	0x180010238
SuspendThread	0x180010240
VirtualQuery	0x180010248
VirtualFree	0x180010250
VirtualAlloc	0x180010258
GetSystemInfo	0x180010260
EncodePointer	0x180010268
DecodePointer	0x180010270
GetCommandLineA	0x180010278
RtlPcToFileHeader	0x180010280
RaiseException	0x180010288
RtlLookupFunctionEntry	0x180010290
RtlUnwindEx	0x180010298
ExitProcess	0x1800102a0
GetModuleHandleExW	0x1800102a8
HeapSize	0x1800102b0
GetStdHandle	0x1800102b8
GetModuleFileNameW	0x1800102c0
IsProcessorFeaturePresent	0x1800102c8
IsDebuggerPresent	0x1800102d0
IsValidCodePage	0x1800102d8
GetACP	0x1800102e0
GetOEMCP	0x1800102e8
GetCPInfo	0x1800102f0
SetLastError	0x1800102f8
GetFileType	0x180010300
InitializeCriticalSectionAndSpinCount	0x180010308
DeleteCriticalSection	0x180010310
InitOnceExecuteOnce	0x180010318
GetStartupInfoW	0x180010320
GetModuleFileNameA	0x180010328
QueryPerformanceCounter	0x180010330
GetSystemTimeAsFileTime	0x180010338
GetTickCount64	0x180010340
GetEnvironmentStringsW	0x180010348
FreeEnvironmentStringsW	0x180010350
RtlCaptureContext	0x180010358
RtlVirtualUnwind	0x180010360
UnhandledExceptionFilter	0x180010368
SetUnhandledExceptionFilter	0x180010370
FlsAlloc	0x180010378
FlsGetValue	0x180010380
FlsSetValue	0x180010388
FlsFree	0x180010390
EnterCriticalSection	0x180010398
LeaveCriticalSection	0x1800103a0

Function	Address	Souspicious	Anti Debug
SHGetFolderPathA	0x1800103b0

Function	Address	Souspicious	Anti Debug
NtQueryInformationProcess	0x180010420

Function	Address	Souspicious	Anti Debug
PathFindFileNameW	0x1800103c0
PathFileExistsA	0x1800103c8
PathFindFileNameA	0x1800103d0

Function	Address	Souspicious	Anti Debug
wsprintfA	0x1800103e0

PE Exports 1 suspicious

Function	Address
?ReflectiveLoader@@YA_KXZ	0x18000d298

Name	Latest seen	MD5
nuSjygs.pack	2024-10-15 10:21:02	456c9a2f8300d5d3eae53785fb6e4985

loader.bin

File details

File features detected

OSINT Enrichments

URLs, FQDN and IP indicators 1

PE Sections 0 suspicious

Anti debug functions 11

Strings analysis - File found

Strings analysis - Possible IPs found 1

Strings analysis - Possible URLs found 3

Import functions

PE Exports 1 suspicious

Related files by ImpHash 1 54b907ef88e1152a442e4781bba49bdc