0b7c5873f2d5c59e652fbf531d617a80e9391f17227b67b7cf901ce70f3eaac4

Sharing

Copy URL

Twitter E-mail

General

Target

0b7c5873f2d5c59e652fbf531d617a80e9391f17227b67b7cf901ce70f3eaac4
Size

344KB
MD5

8552118178e96b555d52a5c2763776e4
SHA1

611772e891734812b9d84fdfa30b1d917162f87b
SHA256

0b7c5873f2d5c59e652fbf531d617a80e9391f17227b67b7cf901ce70f3eaac4
SHA512

feb0c06626890e10ead5c7b4739ebee83f2131cb0633790e854a81a2bc1fb6a5727d4b19f41c8b4d5dcc7b53338b78fbab27b10c7e9b94d559b23cdd1fc09b24
SSDEEP

3072:oC1BsEcLHK4UKkjACzrS83FBjArSj5/0YYZF2KfeS1SqGVl8KCCMcOi9P65/MoG6:hkHEK98rS282DYZRWS1SJN6KtKiQ

Score

N/A

Malware Config

Signatures

Files

0b7c5873f2d5c59e652fbf531d617a80e9391f17227b67b7cf901ce70f3eaac4
.exe windows x64

4bc410d5cc1d9030bd53c1b684b173a0

Code Sign

0f:a4:c3:1c:aa:9a:8b:97:4d:75:ed:0a:59:d1:4c:61
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

13-06-2013 00:00

Not After

13-06-2014 23:59

Subject

CN=Baoji zhihengtaiye co.\,ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Baoji zhihengtaiye co.\,ltd,L=Baoji,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22-02-2011 19:25

Not After

22-02-2021 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

ae:a5:a4:c2:55:02:84:9e:72:b1:cd:3c:e5:97:73:4f:00:cc:b6:03
Signer

Actual PE Digest

ae:a5:a4:c2:55:02:84:9e:72:b1:cd:3c:e5:97:73:4f:00:cc:b6:03

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Baoji zhihengtaiye co.\,ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Baoji zhihengtaiye co.\,ltd,L=Baoji,ST=Shannxi,C=CN

14-10-2022 22:01
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

fwpkclnt.sys

FwpmFilterAdd0
FwpmFilterDeleteById0
FwpsAcquireClassifyHandle0
FwpmCalloutAdd0
FwpsCompleteClassify0
FwpsAcquireWritableLayerDataPointer0
FwpsApplyModifiedLayerData0
FwpmSubLayerDeleteByKey0
FwpmSubLayerAdd0
FwpmTransactionAbort0
FwpmTransactionCommit0
FwpmTransactionBegin0
FwpmEngineClose0
FwpmEngineOpen0
FwpsCalloutUnregisterById0
FwpsReleaseClassifyHandle0
FwpsCalloutRegister1

ntoskrnl.exe

RtlInitAnsiString
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
KeSetEvent
MmIsAddressValid
strncmp
strstr
strchr
__C_specific_handler
IoDeleteSymbolicLink
IoGetCurrentProcess
PsGetProcessImageFileName
KeInitializeEvent
KeWaitForSingleObject
IoAllocateIrp
IofCallDriver
IoCreateFile
IoFreeIrp
IoGetRelatedDeviceObject
ObReferenceObjectByHandle
ObfDereferenceObject
ZwQueryInformationFile
ZwSetInformationFile
ZwReadFile
ZwWriteFile
ZwClose
ZwFlushBuffersFile
IoFileObjectType
PsTerminateSystemThread
ExAllocatePool
KeUnstackDetachProcess
PsLookupProcessByProcessId
PsGetProcessWow64Process
KeResetEvent
MmProbeAndLockPages
MmUnlockPages
IoAllocateMdl
IoFreeMdl
IoReuseIrp
strcmp
RtlCompareUnicodeString
ExAllocatePoolWithTag
MmGetSystemRoutineAddress
ZwQuerySystemInformation
RtlImageNtHeader
RtlImageDirectoryEntryToData
KeEnterCriticalRegion
KeLeaveCriticalRegion
PsCreateSystemThread
ZwOpenKey
ZwFlushKey
ZwQueryValueKey
KeSetBasePriorityThread
ZwCreateFile
RtlCompareUnicodeStrings
ExpInterlockedPopEntrySList
ExInitializeNPagedLookasideList
ExInitializeResourceLite
ExAcquireResourceSharedLite
ExAcquireResourceExclusiveLite
ExReleaseResourceLite
PsSetCreateProcessNotifyRoutineEx
PsSetLoadImageNotifyRoutine
RtlGetVersion
ExGetPreviousMode
ExSystemTimeToLocalTime
ZwCreateKey
ZwDeleteKey
ZwEnumerateKey
ZwSetValueKey
ZwOpenEvent
ZwCreateEvent
ZwSetEvent
ExFreePoolWithTag
KeDelayExecutionThread
RtlInitUnicodeString
wcsrchr
wcsncpy
wcsnlen
RtlCopyUnicodeString
wcslen
wcscpy
wcscat
KeStackAttachProcess

netio.sys

WskCaptureProviderNPI
WskReleaseProviderNPI
WskDeregister
WskRegister

wdfldr.sys

WdfVersionBind
WdfVersionBindClass
WdfVersionUnbindClass
WdfVersionUnbind

Sections

.text
Size: 50KB - Virtual size: 49KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 278KB - Virtual size: 342KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 40B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4bc410d5cc1d9030bd53c1b684b173a0

Code Sign

0f:a4:c3:1c:aa:9a:8b:97:4d:75:ed:0a:59:d1:4c:61Certificate

Extended Key Usages

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

ae:a5:a4:c2:55:02:84:9e:72:b1:cd:3c:e5:97:73:4f:00:cc:b6:03Signer

Signature Validations

Verification

14-10-2022 22:01 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

fwpkclnt.sys

ntoskrnl.exe

netio.sys

wdfldr.sys

Sections

.text Size: 50KB - Virtual size: 49KB

.rdata Size: 3KB - Virtual size: 3KB

.data Size: 278KB - Virtual size: 342KB

.pdata Size: 2KB - Virtual size: 2KB

INIT Size: 3KB - Virtual size: 3KB

.reloc Size: 512B - Virtual size: 40B

0f:a4:c3:1c:aa:9a:8b:97:4d:75:ed:0a:59:d1:4c:61
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

ae:a5:a4:c2:55:02:84:9e:72:b1:cd:3c:e5:97:73:4f:00:cc:b6:03
Signer

14-10-2022 22:01
Valid: false

.text
Size: 50KB - Virtual size: 49KB

.rdata
Size: 3KB - Virtual size: 3KB

.data
Size: 278KB - Virtual size: 342KB

.pdata
Size: 2KB - Virtual size: 2KB

INIT
Size: 3KB - Virtual size: 3KB

.reloc
Size: 512B - Virtual size: 40B