{
	"id": "f68c653b-355a-448d-bc08-46d48bb79882",
	"created_at": "2026-04-06T00:18:46.89263Z",
	"updated_at": "2026-04-10T03:20:47.643237Z",
	"deleted_at": null,
	"sha1_hash": "b5f56ea08de8daf20b3380f26040b8c35c2cb1b8",
	"title": "AresLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48376,
	"plain_text": "AresLoader\r\nPublished: 2023-04-02 · Archived: 2026-04-05 20:41:52 UTC\r\nOverview\r\nAresLoader is a new malware downloader that has been advertised on some underground forums.\r\nReferences\r\nNew loader on the bloc - AresLoader\r\nPrivate Malware for Sale: A Closer Look at AresLoader\r\nSamples\r\n7572b5b6b1f0ea8e857de568898cf97139c4e5237b835c61fea7d91a6f1155fb UnpacMe\r\nPanels\r\nThe following were live panels at the time of analysis (thanks @lloydlabs)\r\n 45.80.69[.]193\r\n 37.220.87[.]52\r\nNote From The Developers\r\nFrom the developers themselves!\r\nDear Customer.\r\nHere will be described the advantages, the rules of using the loaders you are renting.\r\nProduct name: AresLoader.\r\nMonthly lease will cost $300. There are no discounts provided. Price includes: 5 rebuilds ( including the first\r\nIn addition, manual morphing code (for each build it is different).\r\n==============================\r\nThe way AresLoader works is that it presents itself as legitimate software (not a required feature) and then dow\r\nAresLoader can ask the user for admin rights (until he allows it) on behalf of cmd.exe and afterwards transfer the r\r\nAres supports the ability to load encrypted payloads using AES/RSA ciphers ( only use your own encoder to avoid\r\nhttps://research.openanalysis.net/ares/aresloader/loader/2023/04/02/aresloader.html\r\nPage 1 of 3\n\nFor more details about the work and functionality of the builder - contact the team, we are ready to answer any\r\nDue to the fact that the loader will be improved and we will be introducing different updates, they may be free\r\n===============================\r\nThere are rules for use. Attempts to change or break them will be treated critically, up to and including blocki\r\n 1. Resale of license is FORBIDDEN.\r\n 2. We are not responsible for any loss to the renter.\r\n 4. It is forbidden to post the loader binary file in the public domain.\r\n 5. It is forbidden to upload the loader to Virus Total.\r\nFor our part, the Development team is ready to ensure the comfortable use of our product. Soon we will be adding\r\nSincerely, developers.\r\nAnalysis\r\nThe first stage is \"packed\" with fake API calls used to obscure a simple shellcode loader. The loader loads the 2nd stage onto the heap and executes it (yes, you read that right, the heap).\r\nStage 2\r\nThe 2nd stage uses a custom decryption algorithm to decrypt the final stage, which is loaded into a RWX section and executed. The decryption algorithm was previously observed in a malware family dubbed BUGHATCH by Elastic. The overlap between the two malware families is currently unclear.\r\nStage 3\r\nThe 3rd and final stage is composed of some shellcode and the AresLoader payload PE file. The shellcode is used to execute the PE file.\r\nBased on the strings in the payload this sample is .... AresLdr_v_3\r\nThe 3rd stage appears to have been around since at least 2021 in some form, as this analysis report describes most of the same functionality: Anatomy of a simple and popular packer.\r\nThe purpose of the loader is to download and launch a final malware payload (technically making this a downloader, not a loader). The download URLs are in plain text in the final stage and the payload is executed via CreateProcessA.\r\n\n\nSource: https://research.openanalysis.net/ares/aresloader/loader/2023/04/02/aresloader.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.openanalysis.net/ares/aresloader/loader/2023/04/02/aresloader.html"
	],
	"report_names": [
		"aresloader.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434726,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5f56ea08de8daf20b3380f26040b8c35c2cb1b8.pdf",
		"text": "https://archive.orkl.eu/b5f56ea08de8daf20b3380f26040b8c35c2cb1b8.txt",
		"img": "https://archive.orkl.eu/b5f56ea08de8daf20b3380f26040b8c35c2cb1b8.jpg"
	}
}