Windows Analysis Report
Loader.exe

Overview

General Information

Sample name: Loader.exe
Analysis ID: 1561197
MD5: a19206ac176dd5a0a3a02ff70348c1ab
SHA1: 7c9d46c18de701162bdb962618788a0da0872779
SHA256: 3eafeb6f88583eaff49c7bc7e91ddc1a6b0792451465403b07b67e98b447c242
Tags: exe, user-aachum

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found potential dummy code loops (likely to delay analysis)
Abnormal high CPU Usage
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Loader.exe ReversingLabs: Detection: 15%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.2% probability
Source: Loader.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Loader.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: JeXhPKdKIKb D7rgFPlKCo34I.PDBr source: Loader.exe
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_0113E898 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_0113E898
Source: C:\Users\user\Desktop\Loader.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_036EFE30 NtAllocateVirtualMemory, 0_2_036EFE30
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_036F12B0 NtProtectVirtualMemory, 0_2_036F12B0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_036D85F0 NtContinue, 0_2_036D85F0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_036E9C30 NtContinue,RtlAddVectoredExceptionHandler, 0_2_036E9C30
Source: C:\Users\user\Desktop\Loader.exe Code function: String function: 01112720 appears 51 times
Source: Loader.exe Binary or memory string: Q.slnaqb7Mm09E5x1HrOE
Source: classification engine Classification label: mal56.evad.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_03
Source: Loader.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Loader.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Loader.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: wtsapi32.dll
Source: Loader.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Loader.exe Static file information: File size 6990848 > 1048576
Source: Loader.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x39fe00
Source: Loader.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x19b600
Source: Loader.exe Static PE information: section name: .eh_fram
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_011184B7 push edi; ret 0_2_011184C0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_01112770 push ecx; ret 0_2_01112783
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_01158FB1 push ecx; ret 0_2_01158FC4
Source: C:\Users\user\Desktop\Loader.exe API coverage: 5.3 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Loader.exe Binary or memory string: HEfOycLtTmHjqEmUcfzh6M
Source: Loader.exe Binary or memory string: rxRGjC4C5U2tncdvNASs8tqeMu3

Anti Debugging

Source: C:\Users\user\Desktop\Loader.exe Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_036DF790 LdrLoadDll,RtlCreateUserThread, 0_2_036DF790
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_011124C9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_011124C9
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_02F60470 mov eax, dword ptr fs:[00000030h] 0_2_02F60470
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_036D88E0 mov eax, dword ptr fs:[00000030h] 0_2_036D88E0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_011110A0 GetProcessHeap,RtlAllocateHeap, 0_2_011110A0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_01112659 SetUnhandledExceptionFilter, 0_2_01112659
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_0113DAD6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0113DAD6
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_01112EF9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_01112EF9
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_036E9C30 NtContinue,RtlAddVectoredExceptionHandler, 0_2_036E9C30
Source: C:\Users\user\Desktop\Loader.exe Code function: EnumSystemLocalesW, 0_2_0115111E
Source: C:\Users\user\Desktop\Loader.exe Code function: EnumSystemLocalesW, 0_2_011511B9
Source: C:\Users\user\Desktop\Loader.exe Code function: EnumSystemLocalesW, 0_2_01141049
Source: C:\Users\user\Desktop\Loader.exe Code function: EnumSystemLocalesW, 0_2_011510B5
Source: C:\Users\user\Desktop\Loader.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_01151244
Source: C:\Users\user\Desktop\Loader.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_011515C0
Source: C:\Users\user\Desktop\Loader.exe Code function: GetLocaleInfoW, 0_2_01151497
Source: C:\Users\user\Desktop\Loader.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0115179C
Source: C:\Users\user\Desktop\Loader.exe Code function: GetLocaleInfoW, 0_2_011516C6
Source: C:\Users\user\Desktop\Loader.exe Code function: GetLocaleInfoW, 0_2_01141990
Source: C:\Users\user\Desktop\Loader.exe Code function: EnumSystemLocalesW, 0_2_01140EAA
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_01112061 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_01112061
No contacted IP infos