shxdow[.]rar | Triage

Sharing

Copy URL Twitter E-mail

General

Target

shxdow.rar
Size

13.5MB
MD5

0dfe5bcc3a1104cb99838ecb8c0aac51
SHA1

3b3e02c38180246dda4c69d758594f74bc8e9ba8
SHA256

e66e16ee2fa866f580356256b75d5871a448864f11825d2703446ed0a155a568
SHA512

f48fef98e04dd807020a107c5ae0619a075784507cc99e2d398ffd294146d3e6c8ec8eeb3dd6a75efea11741a82992c8aee0fa97a19a33364349efb9b3da2b5e
SSDEEP

393216:hl0n94OGyeJvk6jT/aMfwNj09nVRwi93ZgqVulnXBp:L7ymk63fI09nVuiR+rXD

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/klhk.sys
unpack001/shxdow_client.exe

Files

shxdow.rar
.rar
instructions.txt
klhk.sys
.dll windows x64

61c4b1e5912f76e042ff8eb3b8cd6c1f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

ExFreePoolWithTag
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
ExInitializeLookasideListEx
ExDeleteLookasideListEx
PsSetLoadImageNotifyRoutine
PsRemoveLoadImageNotifyRoutine
KeInitializeApc
KeInsertQueueApc
PsGetCurrentProcessSessionId
MmHighestUserAddress
MmGetSystemRoutineAddress
IoGetCurrentProcess
RtlInitUnicodeString
RtlGetVersion
IoWMIRegistrationControl
_vsnwprintf
LdrFindResource_U
LdrAccessResource
__C_specific_handler
MmUserProbeAddress
RtlCompareMemory
ZwCreateFile
ZwSetInformationFile
ZwClose
ZwCreateKey
ZwDeleteValueKey
ZwFlushBuffersFile
NtBuildNumber
KeInitializeEvent
KeReadStateEvent
KeResetEvent
KeSetEvent
KeDelayExecutionThread
KeWaitForMultipleObjects
KeWaitForSingleObject
PsCreateSystemThread
PsTerminateSystemThread
ObReferenceObjectByHandle
ObfDereferenceObject
PsThreadType
ExAllocatePoolWithTag
MmProbeAndLockPages
MmUnlockPages
MmMapLockedPagesSpecifyCache
IoAllocateMdl
IoFreeMdl
RtlImageNtHeader
ZwQuerySystemInformation
RtlUnicodeStringToInteger
RtlAnsiStringToUnicodeString
RtlCompareUnicodeString
RtlCopyUnicodeString
RtlAppendUnicodeStringToString
RtlFreeUnicodeString
ExAllocatePool
ZwOpenKey
ZwDeleteKey
ZwEnumerateKey
ZwEnumerateValueKey
ZwQueryValueKey
ZwSetValueKey
_strnicmp
ExQueueWorkItem
MmProtectMdlSystemAddress
MmUnmapLockedPages
IoAllocateIrp
IoCreateFile
IoGetRelatedDeviceObject
ZwCreateSection
ZwMapViewOfSection
ZwUnmapViewOfSection
IoCreateFileSpecifyDeviceObjectHint
KeStackAttachProcess
KeUnstackDetachProcess
IoIsSystemThread
IoThreadToProcess
IoGetDeviceAttachmentBaseRef
MmCreateSection
MmMapViewOfSection
MmUnmapViewOfSection
PsGetThreadWin32Thread
KeAddSystemServiceTable
PsGetProcessWin32Process
IoFileObjectType
PsInitialSystemProcess
RtlCreateSecurityDescriptor
RtlValidSecurityDescriptor
RtlSetDaclSecurityDescriptor
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
RtlCreateAcl
RtlSetOwnerSecurityDescriptor
ObOpenObjectByPointer
ZwCreateEvent
ObFindHandleForObject
ExEventObjectType
SeExports
ExCreateCallback
ExRegisterCallback
ExUnregisterCallback
ExNotifyCallback
KeBugCheckEx
_snwprintf
KeInitializeDpc
KeInitializeTimer
KeCancelTimer
KeSetTimer
KeEnterCriticalRegion
KeLeaveCriticalRegion
ExfAcquirePushLockExclusive
ExfAcquirePushLockShared
ExfReleasePushLock
PsGetVersion
KeInsertQueueDpc
KeFlushQueuedDpcs
KeSetTargetProcessorDpcEx
KeRegisterProcessorChangeCallback
KeDeregisterProcessorChangeCallback
ExAcquireFastMutex
ExReleaseFastMutex
MmAllocateMappingAddress
MmFreeMappingAddress
MmGetVirtualForPhysical
MmAllocateContiguousMemorySpecifyCache
MmFreeContiguousMemory
RtlInitializeBitMap
RtlSetBit
MmMapIoSpace
MmUnmapIoSpace
MmFreeContiguousMemorySpecifyCache
MmGetPhysicalAddress
MmIsAddressValid
strncmp
_stricmp
ZwLoadDriver
ZwUnloadDriver
ZwDeviceIoControlFile
IofCompleteRequest
_purecall
RtlEqualUnicodeString
FsRtlIsNameInExpression
IoAllocateErrorLogEntry
IoGetBootDiskInformation
IoWriteErrorLogEntry
IoCreateSymbolicLink
IoDeleteSymbolicLink
IoDeleteDevice
IoRegisterShutdownNotification
ObQueryNameString
ZwSetSecurityObject
_wcsnicmp
wcschr
RtlAbsoluteToSelfRelativeSD
RtlAddAccessAllowedAce
RtlLengthSid
IoIsWdmVersionAvailable
IoDeviceObjectType
IoCreateDevice
RtlGetDaclSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlGetOwnerSecurityDescriptor
RtlGetSaclSecurityDescriptor
SeCaptureSecurityDescriptor
RtlLengthSecurityDescriptor

Sections

.text
Size: 205KB - Virtual size: 205KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

bss
Size: - Virtual size: 32KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 69KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 633KB - Virtual size: 775KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 55KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_hvmcode
Size: 341KB - Virtual size: 340KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

_hvmuwd
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.edata
Size: 512B - Virtual size: 185B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
shxdow_client.exe
.exe windows x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Size: 692KB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 69KB - Virtual size: 208KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 2KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 14KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

shxdow
Size: - Virtual size: 23.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 12.6MB - Virtual size: 12.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 16B - Virtual size: 4KB

IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

61c4b1e5912f76e042ff8eb3b8cd6c1f

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

Sections

.text Size: 205KB - Virtual size: 205KB

bss Size: - Virtual size: 32KB

.rdata Size: 69KB - Virtual size: 68KB

.data Size: 633KB - Virtual size: 775KB

.pdata Size: 55KB - Virtual size: 55KB

_hvmcode Size: 341KB - Virtual size: 340KB

_hvmuwd Size: 4KB - Virtual size: 4KB

PAGE Size: 11KB - Virtual size: 11KB

.edata Size: 512B - Virtual size: 185B

INIT Size: 6KB - Virtual size: 5KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 5KB - Virtual size: 4KB

Headers

DLL Characteristics

File Characteristics

Sections

Size: 692KB - Virtual size: 1.1MB

Size: 69KB - Virtual size: 208KB

Size: 2KB - Virtual size: 19KB

Size: 14KB - Virtual size: 24KB

Size: 512B - Virtual size: 480B

Size: 2KB - Virtual size: 3KB

.idata Size: 2KB - Virtual size: 4KB

.tls Size: 512B - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 4KB

shxdow Size: - Virtual size: 23.0MB

.boot Size: 12.6MB - Virtual size: 12.6MB

.reloc Size: 16B - Virtual size: 4KB

.text
Size: 205KB - Virtual size: 205KB

bss
Size: - Virtual size: 32KB

.rdata
Size: 69KB - Virtual size: 68KB

.data
Size: 633KB - Virtual size: 775KB

.pdata
Size: 55KB - Virtual size: 55KB

_hvmcode
Size: 341KB - Virtual size: 340KB

_hvmuwd
Size: 4KB - Virtual size: 4KB

PAGE
Size: 11KB - Virtual size: 11KB

.edata
Size: 512B - Virtual size: 185B

INIT
Size: 6KB - Virtual size: 5KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 5KB - Virtual size: 4KB

.idata
Size: 2KB - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 4KB

shxdow
Size: - Virtual size: 23.0MB

.boot
Size: 12.6MB - Virtual size: 12.6MB

.reloc
Size: 16B - Virtual size: 4KB