3100ea97d65482e76ba6784cebf4591da888d9793709e7c6fd37939f8c781cbf

Sharing

Copy URL Twitter E-mail

General

Target

3100ea97d65482e76ba6784cebf4591da888d9793709e7c6fd37939f8c781cbf
Size

164KB
MD5

1d0075866c50817ca87b1eac8976749b
SHA1

fe394186489b6595800c1131dcc45661a64da625
SHA256

3100ea97d65482e76ba6784cebf4591da888d9793709e7c6fd37939f8c781cbf
SHA512

0903d405db79b8bbf68b65a3a92939e10cf79651f67e14a919a6c832eb6ebc6941492cc006e007d3a17d9451b102a3008dc5953e50a0fbcef1596817c607f3be
SSDEEP

3072:WLa44TdtZbQOh4HALIWyG0KAnk4vcO9hzXSRNv:WLNGtZbf4HAL5fAnk4vcUV2v

Score

N/A

Malware Config

Signatures

Files

3100ea97d65482e76ba6784cebf4591da888d9793709e7c6fd37939f8c781cbf
.exe windows x64

7cea2ca688aba8dc97b1878c8ea717be

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

74:f2:95:8d:31:d0:3e:b0:42:f9:08:15:55:30:52:77
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

16/03/2010, 00:00

Not After

15/03/2013, 23:59

Subject

CN=360.cn,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=360.cn,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

21/05/2009, 00:00

Not After

20/05/2019, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

8d:3d:a7:2b:15:10:c6:d7:6d:6c:d3:9d:87:79:72:54:94:90:6f:27
Signer

Actual PE Digest

8d:3d:a7:2b:15:10:c6:d7:6d:6c:d3:9d:87:79:72:54:94:90:6f:27

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=360.cn,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=360.cn,L=Beijing,ST=Beijing,C=CN

20/01/2011, 10:09
Valid: false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

ProbeForRead
__C_specific_handler
DbgPrint
ZwClose
ExFreePoolWithTag
ExAllocatePoolWithTag
IoCreateFile
RtlInitUnicodeString
ObOpenObjectByPointer
PsProcessType
IoGetCurrentProcess
PsGetVersion
IofCallDriver
ObfDereferenceObject
IoBuildDeviceIoControlRequest
KeInitializeEvent
IoGetDeviceObjectPointer
IofCompleteRequest
SeReleaseSubjectContext
SeTokenIsAdmin
SeCaptureSubjectContext
IoDeleteDevice
KeWaitForSingleObject
ProbeForWrite
IoGetRelatedDeviceObject
ObReferenceObjectByHandle
IoFileObjectType
IoGetAttachedDevice
IoFreeIrp
KeSetEvent
IoAllocateIrp
IoGetBaseFileSystemDeviceObject
RtlCompareUnicodeString
MmIsAddressValid
ObQueryNameString
__chkstk
ZwQuerySystemInformation
ZwSetInformationObject
NtClose
ZwWaitForSingleObject
PsCreateSystemThread
KeUnstackDetachProcess
KeStackAttachProcess
PsLookupProcessByProcessId
RtlEqualUnicodeString
ZwDuplicateObject
PsGetCurrentProcessId
ZwOpenProcess
ExGetPreviousMode
IoCreateSymbolicLink
IoCreateDevice
MmUserProbeAddress
ObOpenObjectByName
ExAllocatePoolWithQuotaTag
SeDeleteObjectAuditAlarm
_stricmp
MmGetSystemRoutineAddress
ZwMapViewOfSection
ZwCreateSection
RtlCopyUnicodeString
ZwUnmapViewOfSection
ZwOpenKey
strncmp
KeBugCheckEx
NtBuildNumber
ExReleaseFastMutex
ExAcquireFastMutex
IoCheckEaBufferValidity
SeAppendPrivileges
SePrivilegeCheck
SeExports
ObfReferenceObject
KeDelayExecutionThread
IoQueryFileInformation
IoFreeMdl
IoCancelIrp
KeReadStateEvent
IoEnqueueIrp
KeClearEvent
MmProbeAndLockPages
ExRaiseStatus
IoAllocateMdl
ExEventObjectType
PsGetCurrentProcessWow64Process
RtlVolumeDeviceToDosName
ObCreateObject
SeSetAccessStateGenericMapping
RtlMapGenericMask
KeLeaveCriticalRegion
KeEnterCriticalRegion
ExQueueWorkItem
ObReferenceObjectByName
IoDriverObjectType
SeCaptureSecurityDescriptor
ZwOpenDirectoryObject
ZwOpenSymbolicLinkObject
ObReferenceObjectByPointer
IoDeviceObjectType
SeDeleteAccessState
ObInsertObject
SeCreateAccessState
IoAcquireVpbSpinLock
IoReleaseVpbSpinLock

Exports

Exports

distorm_decode64
distorm_version

Sections

.text
Size: 88KB - Virtual size: 88KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 41KB - Virtual size: 47KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.edata
Size: 512B - Virtual size: 105B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7cea2ca688aba8dc97b1878c8ea717be

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

74:f2:95:8d:31:d0:3e:b0:42:f9:08:15:55:30:52:77Certificate

Extended Key Usages

Key Usages

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5cCertificate

Extended Key Usages

Key Usages

61:0c:12:06:00:00:00:00:00:1bCertificate

Key Usages

8d:3d:a7:2b:15:10:c6:d7:6d:6c:d3:9d:87:79:72:54:94:90:6f:27Signer

Signature Validations

Verification

20/01/2011, 10:09 Valid: false

Headers

File Characteristics

Imports

ntoskrnl.exe

Exports

Exports

Sections

.text Size: 88KB - Virtual size: 88KB

.rdata Size: 13KB - Virtual size: 12KB

.data Size: 41KB - Virtual size: 47KB

.pdata Size: 2KB - Virtual size: 2KB

.edata Size: 512B - Virtual size: 105B

INIT Size: 4KB - Virtual size: 3KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 5KB - Virtual size: 5KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

74:f2:95:8d:31:d0:3e:b0:42:f9:08:15:55:30:52:77
Certificate

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

61:0c:12:06:00:00:00:00:00:1b
Certificate

8d:3d:a7:2b:15:10:c6:d7:6d:6c:d3:9d:87:79:72:54:94:90:6f:27
Signer

20/01/2011, 10:09
Valid: false

.text
Size: 88KB - Virtual size: 88KB

.rdata
Size: 13KB - Virtual size: 12KB

.data
Size: 41KB - Virtual size: 47KB

.pdata
Size: 2KB - Virtual size: 2KB

.edata
Size: 512B - Virtual size: 105B

INIT
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 5KB - Virtual size: 5KB