Static task
static1
Behavioral task
behavioral1
Sample
f5f4625de0d2ed0af1aa3cab57b95a5462b07d03bd792779bae99d4d308b748d.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
f5f4625de0d2ed0af1aa3cab57b95a5462b07d03bd792779bae99d4d308b748d.exe
Resource
win10v2004-20221111-en
General
-
Target
f5f4625de0d2ed0af1aa3cab57b95a5462b07d03bd792779bae99d4d308b748d
-
Size
1.2MB
-
MD5
b30258463363aabf342e1a0770b596e8
-
SHA1
17d8a43a0f657573770048f52975ff8908e83f32
-
SHA256
f5f4625de0d2ed0af1aa3cab57b95a5462b07d03bd792779bae99d4d308b748d
-
SHA512
117e645e181de7cb596ed328236492991badc218769acf8b2e4b699b9c509eaf87c6ee0de2148b98ebb3c79ad434e7bb02ed14904a3ae516decf16f2c8e53aa6
-
SSDEEP
24576:fnvuuO/YmFyHPX+gSmfwlYNFxE4LSG+M4XG8nKozV6shstB8x:a/NFyHv+0oGN3XE3aB8x
Malware Config (no entries in this extract)
Signatures (no entries in this extract)
Files
-
f5f4625de0d2ed0af1aa3cab57b95a5462b07d03bd792779bae99d4d308b748d.exe — Windows, x86 (32-bit)
5b3d433b93a8e3b41e74295030727e94 (hash field whose label was lost in this extract; confirm which hash it is in the full report before using it for pivoting)
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY (the loader enforces code-integrity/signature checks on this image)
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports (every import below is from a kernel-mode module — ntoskrnl.exe, netio.sys, ndis.sys, fltmgr.sys, fwpkclnt.sys, hal, ksecdd.sys, msrpc.sys — which is consistent with a kernel driver image rather than a user-mode .exe; a behavioral run that launches the file as a user-mode process would not load it as a driver, so an empty Signatures section should be read with that in mind)
ntoskrnl.exe
MmUserProbeAddress
MmLockPagableDataSection
RtlUnwind
RtlAnsiCharToUnicodeChar
PsGetCurrentProcessId
MmProbeAndLockPages
ExAcquireRundownProtectionCacheAwareEx
ExReleaseRundownProtectionCacheAwareEx
ExReInitializeRundownProtectionCacheAware
ExWaitForRundownProtectionReleaseCacheAware
RtlInitializeBitMap
RtlSetBits
ExFreeCacheAwareRundownProtection
ExAllocateCacheAwareRundownProtection
RtlSetBit
ExInitializeLookasideListEx
ExDeleteLookasideListEx
InterlockedExchange
SeReportSecurityEventWithSubCategory
ZwOpenKey
ZwQueryValueKey
MmSizeOfMdl
MmUnmapLockedPages
ObLogSecurityDescriptor
SeCaptureSubjectContextEx
SeLockSubjectContext
KeBugCheckEx
KeTickCount
EtwWriteTransfer
IoGetFileObjectGenericMapping
SeAccessCheck
SeUnlockSubjectContext
SeReleaseSubjectContext
RtlCreateSecurityDescriptor
SeExports
RtlLengthSid
RtlCreateAcl
RtlAddAccessAllowedAceEx
RtlSetDaclSecurityDescriptor
ExInterlockedFlushSList
KeInitializeSemaphore
ExAllocatePoolWithTagPriority
KeExpandKernelStackAndCalloutEx
VerSetConditionMask
RtlVerifyVersionInfo
KeInitializeTimerEx
ExGetCurrentProcessorCounts
KeSetTimerEx
KeQueryInterruptTime
KeCancelTimer
KeFlushQueuedDpcs
RtlExpandHashTable
RtlContractHashTable
RtlCreateHashTable
RtlDeleteHashTable
KeWaitForMultipleObjects
KeQueryGroupAffinity
KeInsertQueueDpc
KeGetProcessorNumberFromIndex
KeInitializeDpc
KeSetTargetProcessorDpcEx
KeSetImportanceDpc
MmUnlockPages
IoFreeWorkItem
IoQueueWorkItem
MmBuildMdlForNonPagedPool
RtlInitializeGenericTableAvl
KeQuerySystemTime
RtlEnumerateEntryHashTable
RtlInitEnumerationHashTable
RtlEndEnumerationHashTable
RtlLookupElementGenericTableFullAvl
ObDereferenceSecurityDescriptor
RtlRemoveEntryHashTable
RtlInsertEntryHashTable
RtlGetNextEntryHashTable
RtlLookupEntryHashTable
IoAllocateErrorLogEntry
IoWriteErrorLogEntry
ExNotifyCallback
KeIsExecutingDpc
PsGetProcessSessionId
InterlockedPushEntrySList
InterlockedPopEntrySList
IoAllocateMdl
IoBuildPartialMdl
IoFreeMdl
MmMapLockedPagesSpecifyCache
ZwQuerySystemInformation
ObReferenceSecurityDescriptor
KeReleaseSemaphore
RtlInitWeakEnumerationHashTable
RtlWeaklyEnumerateEntryHashTable
RtlEndWeakEnumerationHashTable
KeQueryMaximumProcessorCountEx
KefReleaseSpinLockFromDpcLevel
KefAcquireSpinLockAtDpcLevel
KeGetCurrentProcessorNumberEx
RtlGetVersion
KeTestSpinLock
KeAcquireInStackQueuedSpinLockAtDpcLevel
KeReleaseInStackQueuedSpinLockFromDpcLevel
PsGetProcessId
ExCreateCallback
EtwWrite
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
ObfReferenceObject
PsGetCurrentProcess
PsIsSystemThread
PsGetThreadProcess
KeGetCurrentThread
KeInitializeEvent
KeSetEvent
RtlIpv4AddressToStringExW
RtlIpv6AddressToStringExW
RtlTimeToTimeFields
RtlEnumerateGenericTableLikeADirectory
KeInitializeTimer
KeSetCoalescableTimer
KeLeaveCriticalRegion
KeEnterCriticalRegion
ExfTryToWakePushLock
ExfAcquirePushLockExclusive
RtlValidSid
ZwEnumerateKey
RtlQueryRegistryValues
RtlIpv6AddressToStringW
RtlIpv4AddressToStringW
SeSetAuditParameter
RtlConvertSidToUnicodeString
RtlFreeUnicodeString
EtwUnregister
EtwRegister
IoGetCurrentProcess
KeInitializeMutex
IoCreateDevice
IoDeleteDevice
KeReadStateEvent
KeWaitForSingleObject
KeQueryActiveProcessorCountEx
KeReleaseMutex
ObfDereferenceObject
ZwOpenEvent
ObReferenceObjectByHandle
ZwClose
IofCallDriver
IofCompleteRequest
IoWMIRegistrationControl
RtlCompareMemory
RtlInitUnicodeString
MmGetSystemRoutineAddress
memset
memcpy
ExAllocatePoolWithTag
ExDeleteNPagedLookasideList
ExInitializeNPagedLookasideList
RtlPrefixUnicodeString
RtlCopySid
RtlEqualUnicodeString
RtlUnicodeStringToInteger
RtlCompareUnicodeString
RtlLengthRequiredSid
RtlInitializeSid
RtlAddAccessAllowedAce
ObSetSecurityObjectByPointer
PsSetCreateProcessNotifyRoutineEx
SeLocateProcessImageName
ZwCreateFile
RtlDowncaseUnicodeString
ZwOpenProcess
KeStackAttachProcess
ZwDuplicateToken
KeUnstackDetachProcess
IoDeleteSymbolicLink
IoCreateSymbolicLink
KeQueryTimeIncrement
PsReferenceImpersonationToken
PsDereferencePrimaryToken
KeDelayExecutionThread
PsDereferenceImpersonationToken
ObCloseHandle
RtlSubAuthorityCountSid
RtlSubAuthoritySid
SeQueryInformationToken
ObOpenObjectByPointer
ZwQueryInformationToken
ExGetPreviousMode
ExUuidCreate
RtlEqualSid
ExAllocatePoolWithQuotaTag
RtlIpv4StringToAddressW
RtlIpv6StringToAddressW
IoAllocateWorkItem
RtlFindSetBits
RtlAreBitsClear
RtlFindClearBits
RtlClearBits
ExDeleteResourceLite
ExReleaseResourceLite
ExAcquireResourceExclusiveLite
ExAcquireResourceSharedLite
RtlClearBit
RtlClearAllBits
SeOpenObjectAuditAlarmForNonObObject
ExInitializeResourceLite
RtlTestBit
KeBugCheck
RtlIntegerToUnicodeString
IoWMIWriteEvent
PsReferencePrimaryToken
ExFreePoolWithTag
netio.sys
NetioFreeNetBufferListNetBufferMdlAndDataPool
NetioFreeMdl
RtlIndicateTimerWheelEntryTimerStart
RtlResumeTimerWheel
RtlIsTimerWheelSuspended
NetioAllocateNetBufferListNetBufferMdlAndDataPool
NetioAllocateNetBufferMdlAndDataPool
FsbFree
NetioFreeNetBufferList
NetioExtendNetBuffer
NetioFreeNetBuffer
NetioDereferenceNetBufferList
NetioAllocateAndReferenceNetBufferListNetBufferMdlAndData
NetioAllocateNetBufferMdlAndData
NetioDereferenceNetBufferListChain
FsbAllocateAtDpcLevel
NetioShutdownWorkQueue
RtlInitializeTimerWheelEntry
RtlComputeToeplitzHash
RtlSuspendTimerWheel
RtlGetNextExpirationTimerWheelTick
RtlCleanupTimerWheelEntry
RtlReturnTimerWheelEntry
RtlGetNextExpiredTimerWheelEntry
RtlUpdateCurrentTimerWheelTick
RtlDeleteElementGenericTableBasicAvl
NetioInitializeWorkQueue
RtlInsertElementGenericTableBasicAvl
FsbAllocate
NetioAdvanceToLocationInNetBuffer
RtlCopyMdlToMdlIndirect
NetioRegSyncDefaultChangeHandler
NetioRegSyncInterface
RtlCleanupTimerWheel
RtlInitializeTimerWheel
RtlEndTimerWheelEnumeration
RtlEnumerateNextTimerWheelEntry
RtlInitializeTimerWheelEnumeration
NetioFreeOpaquePerProcessorContext
NetioAllocateOpaquePerProcessorContext
NetioSqmWriteEvent
NsiSetAllParameters
TlDefaultRequestQueryDispatchEndpoint
TlDefaultRequestMessage
TlDefaultRequestQueryDispatch
RtlCopyMdlToBuffer
NetioFreeNetBufferAndNetBufferList
NetioAllocateAndReferenceNetBufferAndNetBufferList
RtlCopyBufferToMdl
NmrWaitForClientDeregisterComplete
NmrDeregisterClient
NmrClientDetachProviderComplete
NmrClientAttachProvider
NmrRegisterClient
NmrProviderDetachClientComplete
NmrWaitForProviderDeregisterComplete
NmrDeregisterProvider
NmrRegisterProvider
NetioRetreatNetBufferList
NetioAllocateAndReferenceCopyNetBufferListEx
NetioCompleteCopyNetBufferListChain
NetioFreeCopyNetBufferList
NetioInitializeNetBufferListContext
TlDefaultRequestCancel
TlDefaultRequestConnect
TlDefaultRequestListen
NetioReferenceNetBufferList
TlDefaultRequestIoControl
NetioFreeNetBufferMdlAndDataPool
RtlCleanupToeplitzHash
RtlInitializeToeplitzHash
NsiAllocateAndGetTable
NsiFreeTable
WfpStartStreamShim
WfpStartMacShim
NetioAllocateMdl
NetioInsertWorkQueue
WfpStreamInspectRemoteDisconnect
WfpStreamInspectReceive
WfpStreamInspectDisconnect
WfpStreamInspectSend
WfpStreamEndpointCleanupBegin
WfpStopStreamShim
FsbCreatePool
FsbDestroyPool
NetioStackBlockProcessorAddHandler
NetioFreeStackBlock
NetioInitializeNetBufferListAndFirstNetBufferContext
NsiReferenceDefaultObjectSecurity
NsiDeregisterChangeNotification
NsiRegisterChangeNotification
NetioCompleteNetBufferListChain
NetioAllocateAndReferenceFragmentNetBufferList
SetWfpDeviceObject
IoctlKfdBatchUpdate
IoctlKfdDeleteIndex
IoctlKfdAddIndex
IoctlKfdAddCache
IoctlKfdResetState
IoctlKfdQueryLayerStatistics
IoctlKfdAbortTransaction
IoctlKfdCommitTransaction
IoctlKfdDeleteCache
NetioGetStatsForQoSFlow
NetioDeleteQoSFlow
NetioCreateQoSFlow
NetioAssociateQoSFlowWithNbl
KfdIsActiveCallout
KfdAleUpdateEndpointContextStatus
WfpNblInfoAlloc
WfpPacketTagCountIncrement
WfpNblInfoDestroyIfUnused
HfCreateFactory
HfDestroyFactory
NetioAllocateNetBuffer
NetioAllocateAndReferenceNetBufferList
PtGetNumNodes
PtCreateTable
PtDestroyTable
NsiSetParameter
PtDeleteEntry
PtInsertEntry
PtGetExactMatch
PtEnumOverTable
PtGetLongestMatch
PtGetNextShorterMatch
RtlCompute37Hash
PtGetKey
PtSetData
PtGetData
NetioCompleteNetBufferAndNetBufferListChain
NetioQueryNetBufferListTrafficClass
RtlCopyMdlToMdl
NetioAllocateAndReferenceVacantNetBufferList
NetioAllocateAndReferenceCloneNetBufferListEx
NetioExpandNetBuffer
NetioUpdateNetBufferListContext
NetioAllocateAndReferenceCloneNetBufferList
NetioFreeCloneNetBufferList
NsiResetPersistentSetting
NsiSetObjectSecurity
NsiGetParameter
KfdCheckAcceptBypass
KfdCheckAndCacheAcceptBypass
KfdCheckConnectBypass
KfdCheckAndCacheConnectBypass
KfdGetLayerActionFromEnumTemplate
WfpScavangeLeastRecentlyUsedList
KfdAleRemoveFlowContextTable
WfpSetBucketsToEmptyLru
WfpExpireEntryLru
WfpInsertEntryLru
WfpDeleteEntryLru
KfdAleInitializeFlowTable
FeReleaseCalloutContextList
MatchCondition
KfdEnumLayer
KfdDerefFilterContext
KfdGetNextFilter
KfdFreeEnumHandle
KfdToggleFilterActivation
WfpStreamIsFilterPresent
NsiGetAllParameters
WfpInitializeLeastRecentlyUsedList
KfdAleNotifyFlowDeletion
FwppStreamDeleteDpcQueue
WfpUninitializeLeastRecentlyUsedList
KfdAleUninitializeFlowHandles
KfdAleInitializeFlowHandles
KfdGetOffloadEpoch
KfdIsLsoOffloadPossibleV6
KfdIsLsoOffloadPossibleV4
KfdIsV6InTransportFastEmpty
KfdIsV4InTransportFastEmpty
KfdIsV6OutTransportFastEmpty
KfdIsV4OutTransportFastEmpty
WfpRefreshEntryLru
NetioAdvanceNetBufferList
KfdCheckClassifyNeededAndUpdateEpoch
KfdAleAcquireFlowHandleForFlow
KfdClassify
KfdAleReleaseFlowHandleForFlow
KfdGetLayerCacheEpoch
KfdIsLayerEmpty
KfdDeregisterLayerChangeCallback
FwppStreamInject
FwppStreamContinue
FwppCopyStreamDataToBuffer
FwppAdvanceStreamDataPastOffset
FwppTruncateStreamDataAfterOffset
WfpNblInfoDispatchTableSet
KfdRegisterLayerChangeCallback
WfpNblInfoDispatchTableClear
FeGetWfpGlobalPtr
WfpNblInfoGet
NetioUnRegisterProcessorAddCallback
NetioUnInitializeNetBufferListLibrary
NetioInitializeNetBufferListLibrary
NetioRegisterProcessorAddCallback
NetioSqmInitialize
RtlInvokeStartRoutines
RtlInvokeStopRoutines
NetioSqmTerminate
NsiGetParameterEx
NetioAllocateAndInitializeStackBlock
ndis.sys
NdisInvalidateOffload
NdisUpdateOffload
NdisTerminateOffload
NdisInitiateOffload
NdisQueryOffloadState
NdisDirectOidRequest
NdisInitializeReadWriteLock
NdisGetSessionToCompartmentMappingEpochAndZero
NdisReleaseReadWriteLock
NdisAcquireReadWriteLock
NdisOffloadTcpSend
NdisOffloadTcpForward
NdisOffloadTcpDisconnect
NdisOffloadTcpReceive
NdisOffloadTcpReceiveReturn
NdisGetRssProcessorInformation
NdisCompleteNetPnPEvent
NdisCloseAdapterEx
NdisOpenAdapterEx
NdisOidRequest
NdisDeregisterProtocolDriver
NdisCancelDirectOidRequest
NdisCancelSendNetBufferLists
NdisSendNetBufferLists
NdisRegisterProtocolDriver
NdisReturnNetBufferLists
NdisSetOptionalHandlers
NdisGetDataBuffer
NetDmaRegisterClient
NetDmaDeregisterClient
NetDmaAllocateChannel
NetDmaFreeChannel
NdisGetProcessorInformation
NdisFreeNetBufferList
NetDmaNullTransfer
NetDmaIsDmaCopyComplete
NdisGetSessionCompartmentId
NdisAdjustNetBufferCurrentMdl
NdisGetThreadObjectCompartmentId
NdisAdvanceNetBufferDataStart
NdisRetreatNetBufferDataStart
fltmgr.sys
FltGetFileNameInformationUnsafe
FltReleaseFileNameInformation
fwpkclnt.sys
FwpsCalloutUnregisterByKey0
FwpmBfeStateSubscribeChangesWithoutDevice0
FwpmBfeStateUnsubscribeChanges0
FwpsClassifyOptionSet0
FwpmEngineClose0
FwpmEngineOpen0
FwpmSecureSocketDeleteByKeyAsync0
FwpmSecureSocketAddAsync0
FwpmEventProviderIsNetEventTypeEnabled0
FwpsRequestEndpointDeleteNotification0
FwpsForceReclassifyLayer0
FwpsCancelEndpointDeleteNotification0
FwppDispatchDevCtl0
IPsecDriverExpire
IPsecDriverInitiateAcquire
IPsecDriverProcessClearTextResponse
FwpsReassembleForwardFragmentGroup0
FwpsFreeNetBufferList0
FwpmEventProviderFireNetEvent0
FwpsQueryPacketInjectionState0
FwpsInjectionHandleDestroy0
FwpsInjectionHandleCreate0
FwpsAllocateCloneNetBufferList0
FwpsConstructIpHeaderForTransportPacket0
FwpsInjectTransportSendAsync1
FwpsFreeCloneNetBufferList0
FwpmEventProviderCreate0
FwpsTcpIpDispatchTableSet0
FwpsTcpIpDispatchTableClear0
FwpmEventProviderDestroy0
FwppNetBufferListEventNotify
FwpsCalloutRegisterWithoutDevice0
hal
KeGetCurrentIrql
KfLowerIrql
KeAcquireInStackQueuedSpinLock
KeReleaseInStackQueuedSpinLock
KeQueryPerformanceCounter
KfReleaseSpinLock
KfAcquireSpinLock
KfRaiseIrql
ExReleaseFastMutex
ExAcquireFastMutex
KeRaiseIrqlToDpcLevel
ksecdd.sys
FreeContextBuffer
InitializeSecurityContextW
AcceptSecurityContext
QuerySecurityContextToken
DeleteSecurityContext
FreeCredentialsHandle
AcquireCredentialsHandleW
BCryptHashData
BCryptGetProperty
BCryptSetProperty
BCryptOpenAlgorithmProvider
BCryptCloseAlgorithmProvider
BCryptCreateHash
BCryptDestroyHash
BCryptDecrypt
BCryptEncrypt
BCryptGenerateSymmetricKey
BCryptDestroyKey
BCryptFinishHash
BCryptGenRandom
msrpc.sys
NdrMesTypeDecode2
MesHandleFree
I_RpcExceptionFilter
MesDecodeBufferHandleCreate
Sections
.text Size: 894KB - Virtual size: 894KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 44KB - Virtual size: 44KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 31KB - Virtual size: 78KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
PAGE Size: 9KB - Virtual size: 8KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
PAGEIPSE Size: 82KB - Virtual size: 81KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
PAGEIDP Size: 10KB - Virtual size: 9KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
PAGECONS Size: 512B - Virtual size: 120B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
INIT Size: 19KB - Virtual size: 18KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 132KB - Virtual size: 131KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.reloc Size: 42KB - Virtual size: 41KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ