9221e588ff1a4c70fe214df66ebccb2bb45cdccf799501d9fc7d285eb3549e50

Sharing

Copy URL

Twitter E-mail

General

Target

9221e588ff1a4c70fe214df66ebccb2bb45cdccf799501d9fc7d285eb3549e50
Size

1.2MB
MD5

b937e54b17d2a09438c0a21fc0773952
SHA1

349e7cc0feb684f16cf35b705e821cab0f6f77a9
SHA256

9221e588ff1a4c70fe214df66ebccb2bb45cdccf799501d9fc7d285eb3549e50
SHA512

873c5d485e669741d0bcf335085f1dc01079189c1b76afaa097bfc2752582cd43fd107de7040e99da5d2b431f62273838dd69b2c493740b60357060859d24fac
SSDEEP

24576:BTLK6G6jTMI3ltXP49z2c90HHd+IybeoEX3l2VN30niiMRIbPutpfwe56t/Iru5w:lKQFw0HgIuhQlGIW

Score

N/A

Malware Config

Signatures

Files

9221e588ff1a4c70fe214df66ebccb2bb45cdccf799501d9fc7d285eb3549e50
.exe windows x86

59381a2931dd9ae52db625f90164457e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

MmUnlockPages
MmUserProbeAddress
MmLockPagableDataSection
RtlUnwind
RtlAnsiCharToUnicodeChar
PsGetCurrentProcessId
MmProbeAndLockPages
ExAcquireRundownProtectionCacheAwareEx
ExReleaseRundownProtectionCacheAwareEx
ExReInitializeRundownProtectionCacheAware
ExWaitForRundownProtectionReleaseCacheAware
RtlInitializeBitMap
RtlSetBits
ExFreeCacheAwareRundownProtection
ExAllocateCacheAwareRundownProtection
RtlSetBit
ExInitializeLookasideListEx
ExDeleteLookasideListEx
InterlockedExchange
SeSetAuditParameter
SeReportSecurityEventWithSubCategory
MmSizeOfMdl
MmUnmapLockedPages
ObLogSecurityDescriptor
SeCaptureSubjectContextEx
SeLockSubjectContext
IoGetFileObjectGenericMapping
KeBugCheckEx
KeTickCount
EtwWriteTransfer
SeAccessCheck
SeUnlockSubjectContext
SeReleaseSubjectContext
RtlCreateSecurityDescriptor
SeExports
RtlLengthSid
RtlCreateAcl
RtlAddAccessAllowedAceEx
RtlSetDaclSecurityDescriptor
ExInterlockedFlushSList
KeInitializeSemaphore
ExAllocatePoolWithTagPriority
KeExpandKernelStackAndCalloutEx
VerSetConditionMask
RtlVerifyVersionInfo
KeInitializeTimerEx
ExGetCurrentProcessorCounts
KeSetTimerEx
KeQueryInterruptTime
KeCancelTimer
KeFlushQueuedDpcs
RtlExpandHashTable
RtlContractHashTable
RtlCreateHashTable
RtlDeleteHashTable
KeWaitForMultipleObjects
KeQueryGroupAffinity
KeInsertQueueDpc
KeGetProcessorNumberFromIndex
KeInitializeDpc
KeSetTargetProcessorDpcEx
KeSetImportanceDpc
RtlIpv4AddressToStringExW
IoFreeWorkItem
IoQueueWorkItem
MmBuildMdlForNonPagedPool
RtlInitializeGenericTableAvl
KeQuerySystemTime
RtlEnumerateEntryHashTable
RtlInitEnumerationHashTable
RtlEndEnumerationHashTable
RtlLookupElementGenericTableFullAvl
ObDereferenceSecurityDescriptor
RtlRemoveEntryHashTable
RtlInsertEntryHashTable
RtlGetNextEntryHashTable
RtlLookupEntryHashTable
IoAllocateErrorLogEntry
IoWriteErrorLogEntry
ExNotifyCallback
KeIsExecutingDpc
PsGetProcessSessionId
InterlockedPushEntrySList
InterlockedPopEntrySList
IoAllocateMdl
IoBuildPartialMdl
IoFreeMdl
MmMapLockedPagesSpecifyCache
ZwQuerySystemInformation
ObReferenceSecurityDescriptor
KeReleaseSemaphore
RtlGetVersion
RtlInitWeakEnumerationHashTable
RtlWeaklyEnumerateEntryHashTable
RtlEndWeakEnumerationHashTable
KeQueryMaximumProcessorCountEx
KefReleaseSpinLockFromDpcLevel
KefAcquireSpinLockAtDpcLevel
KeGetCurrentProcessorNumberEx
KeTestSpinLock
KeAcquireInStackQueuedSpinLockAtDpcLevel
KeReleaseInStackQueuedSpinLockFromDpcLevel
PsGetProcessId
ExCreateCallback
EtwWrite
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
ObfReferenceObject
PsGetCurrentProcess
PsIsSystemThread
PsGetThreadProcess
KeGetCurrentThread
KeInitializeEvent
KeSetEvent
RtlIpv6AddressToStringExW
RtlTimeToTimeFields
RtlEnumerateGenericTableLikeADirectory
KeInitializeTimer
KeSetCoalescableTimer
KeLeaveCriticalRegion
KeEnterCriticalRegion
ExfTryToWakePushLock
ExfAcquirePushLockExclusive
RtlValidSid
ZwEnumerateKey
RtlQueryRegistryValues
RtlIpv6AddressToStringW
RtlIpv4AddressToStringW
KeDelayExecutionThread
RtlConvertSidToUnicodeString
RtlFreeUnicodeString
ExDeleteNPagedLookasideList
EtwUnregister
EtwRegister
IoGetCurrentProcess
KeInitializeMutex
IoCreateDevice
IoDeleteDevice
KeReadStateEvent
KeWaitForSingleObject
KeQueryActiveProcessorCountEx
KeReleaseMutex
ObfDereferenceObject
ZwOpenEvent
ObReferenceObjectByHandle
ZwClose
IofCallDriver
IofCompleteRequest
IoWMIRegistrationControl
RtlCompareMemory
RtlInitUnicodeString
MmGetSystemRoutineAddress
memset
memcpy
ExAllocatePoolWithTag
ExInitializeNPagedLookasideList
ZwQueryValueKey
RtlPrefixUnicodeString
RtlCopySid
RtlEqualUnicodeString
RtlUnicodeStringToInteger
ZwOpenKey
RtlCompareUnicodeString
RtlLengthRequiredSid
RtlInitializeSid
RtlAddAccessAllowedAce
ObSetSecurityObjectByPointer
PsSetCreateProcessNotifyRoutineEx
SeLocateProcessImageName
ZwCreateFile
RtlDowncaseUnicodeString
ZwOpenProcess
KeStackAttachProcess
ZwDuplicateToken
KeUnstackDetachProcess
IoDeleteSymbolicLink
IoCreateSymbolicLink
KeQueryTimeIncrement
PsReferenceImpersonationToken
KeBugCheck
PsReferencePrimaryToken
PsDereferenceImpersonationToken
ObCloseHandle
RtlSubAuthorityCountSid
RtlSubAuthoritySid
SeQueryInformationToken
ObOpenObjectByPointer
ZwQueryInformationToken
ExGetPreviousMode
ExUuidCreate
RtlEqualSid
ExAllocatePoolWithQuotaTag
RtlIpv4StringToAddressW
IoAllocateWorkItem
RtlFindSetBits
RtlAreBitsClear
RtlFindClearBits
RtlClearBits
ExDeleteResourceLite
ExReleaseResourceLite
ExAcquireResourceExclusiveLite
ExAcquireResourceSharedLite
RtlClearBit
RtlClearAllBits
SeOpenObjectAuditAlarmForNonObObject
ExInitializeResourceLite
RtlTestBit
RtlIpv6StringToAddressW
RtlIntegerToUnicodeString
IoWMIWriteEvent
PsDereferencePrimaryToken
ExFreePoolWithTag

netio.sys

NetioFreeNetBufferListNetBufferMdlAndDataPool
NetioFreeMdl
RtlIndicateTimerWheelEntryTimerStart
RtlResumeTimerWheel
RtlIsTimerWheelSuspended
NetioAllocateNetBufferListNetBufferMdlAndDataPool
NetioAllocateNetBufferMdlAndDataPool
FsbFree
NetioFreeNetBufferList
NetioExtendNetBuffer
NetioFreeNetBuffer
NetioDereferenceNetBufferList
NetioAllocateAndReferenceNetBufferListNetBufferMdlAndData
NetioAllocateNetBufferMdlAndData
NetioDereferenceNetBufferListChain
FsbAllocateAtDpcLevel
NetioShutdownWorkQueue
RtlInitializeTimerWheelEntry
RtlComputeToeplitzHash
RtlSuspendTimerWheel
RtlGetNextExpirationTimerWheelTick
RtlCleanupTimerWheelEntry
RtlReturnTimerWheelEntry
RtlGetNextExpiredTimerWheelEntry
RtlUpdateCurrentTimerWheelTick
RtlDeleteElementGenericTableBasicAvl
NetioInitializeWorkQueue
RtlInsertElementGenericTableBasicAvl
FsbAllocate
NetioAdvanceToLocationInNetBuffer
RtlCopyMdlToMdlIndirect
NetioRegSyncDefaultChangeHandler
NetioRegSyncInterface
RtlCleanupTimerWheel
RtlInitializeTimerWheel
RtlEndTimerWheelEnumeration
RtlEnumerateNextTimerWheelEntry
RtlInitializeTimerWheelEnumeration
NetioFreeOpaquePerProcessorContext
NetioAllocateOpaquePerProcessorContext
NetioSqmWriteEvent
NsiSetAllParameters
TlDefaultRequestQueryDispatchEndpoint
TlDefaultRequestMessage
TlDefaultRequestQueryDispatch
RtlCopyMdlToBuffer
NetioFreeNetBufferAndNetBufferList
NetioAllocateAndReferenceNetBufferAndNetBufferList
RtlCopyBufferToMdl
NmrWaitForClientDeregisterComplete
NmrDeregisterClient
NmrClientDetachProviderComplete
NmrClientAttachProvider
NmrRegisterClient
NmrProviderDetachClientComplete
NmrWaitForProviderDeregisterComplete
NmrDeregisterProvider
NmrRegisterProvider
NetioRetreatNetBufferList
NetioAllocateAndReferenceCopyNetBufferListEx
NetioCompleteCopyNetBufferListChain
NetioFreeCopyNetBufferList
NetioInitializeNetBufferListContext
TlDefaultRequestCancel
TlDefaultRequestConnect
TlDefaultRequestListen
NetioReferenceNetBufferList
TlDefaultRequestIoControl
NetioFreeNetBufferMdlAndDataPool
RtlCleanupToeplitzHash
RtlInitializeToeplitzHash
NsiAllocateAndGetTable
NsiFreeTable
WfpStartStreamShim
WfpStartMacShim
NetioAllocateMdl
NetioInsertWorkQueue
WfpStreamInspectRemoteDisconnect
WfpStreamInspectReceive
WfpStreamInspectDisconnect
WfpStreamInspectSend
WfpStreamEndpointCleanupBegin
WfpStopStreamShim
FsbCreatePool
FsbDestroyPool
NetioStackBlockProcessorAddHandler
NetioFreeStackBlock
NetioInitializeNetBufferListAndFirstNetBufferContext
NsiReferenceDefaultObjectSecurity
NsiDeregisterChangeNotification
NsiRegisterChangeNotification
NetioCompleteNetBufferListChain
NetioAllocateAndReferenceFragmentNetBufferList
SetWfpDeviceObject
IoctlKfdBatchUpdate
IoctlKfdDeleteIndex
IoctlKfdAddIndex
IoctlKfdAddCache
IoctlKfdResetState
IoctlKfdQueryLayerStatistics
IoctlKfdAbortTransaction
IoctlKfdCommitTransaction
IoctlKfdDeleteCache
NetioGetStatsForQoSFlow
NetioDeleteQoSFlow
NetioCreateQoSFlow
NetioAssociateQoSFlowWithNbl
KfdIsActiveCallout
KfdAleUpdateEndpointContextStatus
WfpNblInfoAlloc
WfpPacketTagCountIncrement
WfpNblInfoDestroyIfUnused
HfCreateFactory
HfDestroyFactory
NetioAllocateNetBuffer
NetioAllocateAndReferenceNetBufferList
PtGetNumNodes
PtCreateTable
PtDestroyTable
NsiSetParameter
PtDeleteEntry
PtInsertEntry
PtGetExactMatch
PtEnumOverTable
PtGetLongestMatch
PtGetNextShorterMatch
RtlCompute37Hash
PtGetKey
PtSetData
PtGetData
NetioCompleteNetBufferAndNetBufferListChain
NetioQueryNetBufferListTrafficClass
RtlCopyMdlToMdl
NetioAllocateAndReferenceVacantNetBufferList
NetioAllocateAndReferenceCloneNetBufferListEx
NetioExpandNetBuffer
NetioUpdateNetBufferListContext
NetioAllocateAndReferenceCloneNetBufferList
NetioFreeCloneNetBufferList
NsiResetPersistentSetting
NsiSetObjectSecurity
NsiGetParameter
KfdCheckAcceptBypass
KfdCheckAndCacheAcceptBypass
KfdCheckConnectBypass
KfdCheckAndCacheConnectBypass
KfdGetLayerActionFromEnumTemplate
WfpScavangeLeastRecentlyUsedList
KfdAleRemoveFlowContextTable
WfpSetBucketsToEmptyLru
WfpExpireEntryLru
WfpInsertEntryLru
WfpDeleteEntryLru
KfdAleInitializeFlowTable
FeReleaseCalloutContextList
MatchCondition
KfdEnumLayer
KfdDerefFilterContext
KfdGetNextFilter
KfdFreeEnumHandle
KfdToggleFilterActivation
WfpStreamIsFilterPresent
NsiGetAllParameters
WfpInitializeLeastRecentlyUsedList
KfdAleNotifyFlowDeletion
FwppStreamDeleteDpcQueue
WfpUninitializeLeastRecentlyUsedList
KfdAleUninitializeFlowHandles
KfdAleInitializeFlowHandles
KfdGetOffloadEpoch
KfdIsLsoOffloadPossibleV6
KfdIsLsoOffloadPossibleV4
KfdIsV6InTransportFastEmpty
KfdIsV4InTransportFastEmpty
KfdIsV6OutTransportFastEmpty
KfdIsV4OutTransportFastEmpty
WfpRefreshEntryLru
NetioAdvanceNetBufferList
KfdCheckClassifyNeededAndUpdateEpoch
KfdAleAcquireFlowHandleForFlow
KfdClassify
KfdAleReleaseFlowHandleForFlow
KfdGetLayerCacheEpoch
KfdIsLayerEmpty
KfdDeregisterLayerChangeCallback
FwppStreamInject
FwppStreamContinue
FwppCopyStreamDataToBuffer
FwppAdvanceStreamDataPastOffset
FwppTruncateStreamDataAfterOffset
WfpNblInfoDispatchTableSet
KfdRegisterLayerChangeCallback
WfpNblInfoDispatchTableClear
WfpNblInfoGet
NetioUnRegisterProcessorAddCallback
NetioUnInitializeNetBufferListLibrary
NetioInitializeNetBufferListLibrary
NetioRegisterProcessorAddCallback
NetioSqmInitialize
RtlInvokeStartRoutines
RtlInvokeStopRoutines
NetioSqmTerminate
NsiGetParameterEx
NetioAllocateAndInitializeStackBlock

ndis.sys

NdisInvalidateOffload
NdisUpdateOffload
NdisTerminateOffload
NdisInitiateOffload
NdisQueryOffloadState
NdisDirectOidRequest
NdisInitializeReadWriteLock
NdisGetSessionToCompartmentMappingEpochAndZero
NdisReleaseReadWriteLock
NdisAcquireReadWriteLock
NdisOffloadTcpSend
NdisOffloadTcpForward
NdisOffloadTcpDisconnect
NdisOffloadTcpReceive
NdisOffloadTcpReceiveReturn
NdisGetRssProcessorInformation
NdisCompleteNetPnPEvent
NdisCloseAdapterEx
NdisOpenAdapterEx
NdisOidRequest
NdisDeregisterProtocolDriver
NdisCancelDirectOidRequest
NdisCancelSendNetBufferLists
NdisSendNetBufferLists
NdisRegisterProtocolDriver
NdisReturnNetBufferLists
NdisSetOptionalHandlers
NdisGetDataBuffer
NetDmaRegisterClient
NetDmaDeregisterClient
NetDmaAllocateChannel
NetDmaFreeChannel
NdisGetProcessorInformation
NdisFreeNetBufferList
NetDmaNullTransfer
NetDmaIsDmaCopyComplete
NdisGetSessionCompartmentId
NdisAdjustNetBufferCurrentMdl
NdisGetThreadObjectCompartmentId
NdisAdvanceNetBufferDataStart
NdisRetreatNetBufferDataStart

fltmgr.sys

FltGetFileNameInformationUnsafe
FltReleaseFileNameInformation

fwpkclnt.sys

FwpsCalloutUnregisterByKey0
FwpmBfeStateSubscribeChangesWithoutDevice0
FwpmBfeStateUnsubscribeChanges0
FwpsClassifyOptionSet0
FwpmEngineClose0
FwpmEngineOpen0
FwpmSecureSocketDeleteByKeyAsync0
FwpmSecureSocketAddAsync0
FwpmEventProviderIsNetEventTypeEnabled0
FwpsRequestEndpointDeleteNotification0
FwpsForceReclassifyLayer0
FwpsCancelEndpointDeleteNotification0
FwppDispatchDevCtl0
IPsecDriverExpire
IPsecDriverInitiateAcquire
IPsecDriverProcessClearTextResponse
FwpsReassembleForwardFragmentGroup0
FwpsFreeNetBufferList0
FwpmEventProviderFireNetEvent0
FwpsQueryPacketInjectionState0
FwpsInjectionHandleDestroy0
FwpsInjectionHandleCreate0
FwpsAllocateCloneNetBufferList0
FwpsConstructIpHeaderForTransportPacket0
FwpsInjectTransportSendAsync1
FwpsFreeCloneNetBufferList0
FwpmEventProviderCreate0
FwpsTcpIpDispatchTableSet0
FwpsTcpIpDispatchTableClear0
FwpmEventProviderDestroy0
FwppNetBufferListEventNotify
FwpsCalloutRegisterWithoutDevice0

hal

KeGetCurrentIrql
KfLowerIrql
KeAcquireInStackQueuedSpinLock
KeReleaseInStackQueuedSpinLock
KeQueryPerformanceCounter
KfReleaseSpinLock
KfAcquireSpinLock
KfRaiseIrql
ExReleaseFastMutex
ExAcquireFastMutex
KeRaiseIrqlToDpcLevel

ksecdd.sys

FreeContextBuffer
InitializeSecurityContextW
AcceptSecurityContext
QuerySecurityContextToken
DeleteSecurityContext
FreeCredentialsHandle
AcquireCredentialsHandleW
BCryptHashData
BCryptGetProperty
BCryptSetProperty
BCryptOpenAlgorithmProvider
BCryptCloseAlgorithmProvider
BCryptCreateHash
BCryptDestroyHash
BCryptDecrypt
BCryptEncrypt
BCryptGenerateSymmetricKey
BCryptDestroyKey
BCryptFinishHash
BCryptGenRandom

msrpc.sys

NdrMesTypeDecode2
MesHandleFree
I_RpcExceptionFilter
MesDecodeBufferHandleCreate

Sections

.text
Size: 883KB - Virtual size: 883KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 44KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 31KB - Virtual size: 78KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGE
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGEIPSE
Size: 82KB - Virtual size: 81KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGEIDP
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGECONS
Size: 512B - Virtual size: 120B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 127KB - Virtual size: 126KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 41KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

59381a2931dd9ae52db625f90164457e

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

netio.sys

ndis.sys

fltmgr.sys

fwpkclnt.sys

hal

ksecdd.sys

msrpc.sys

Sections

.text Size: 883KB - Virtual size: 883KB

.rdata Size: 44KB - Virtual size: 43KB

.data Size: 31KB - Virtual size: 78KB

PAGE Size: 9KB - Virtual size: 8KB

PAGEIPSE Size: 82KB - Virtual size: 81KB

PAGEIDP Size: 10KB - Virtual size: 9KB

PAGECONS Size: 512B - Virtual size: 120B

INIT Size: 18KB - Virtual size: 18KB

.rsrc Size: 127KB - Virtual size: 126KB

.reloc Size: 41KB - Virtual size: 41KB

.text
Size: 883KB - Virtual size: 883KB

.rdata
Size: 44KB - Virtual size: 43KB

.data
Size: 31KB - Virtual size: 78KB

PAGE
Size: 9KB - Virtual size: 8KB

PAGEIPSE
Size: 82KB - Virtual size: 81KB

PAGEIDP
Size: 10KB - Virtual size: 9KB

PAGECONS
Size: 512B - Virtual size: 120B

INIT
Size: 18KB - Virtual size: 18KB

.rsrc
Size: 127KB - Virtual size: 126KB

.reloc
Size: 41KB - Virtual size: 41KB