eb920fc158b0ea0b5f01a8c0d96071892c1d95ab44b2bc1fadd75e34e1dfeec4

Sharing

Copy URL Twitter E-mail

General

Target

eb920fc158b0ea0b5f01a8c0d96071892c1d95ab44b2bc1fadd75e34e1dfeec4
Size

1.5MB
MD5

8734af100e5dd3a1a40579320a2bbeaf
SHA1

cefed1c08c80030e383ad9f4e6a951b6f4910c09
SHA256

eb920fc158b0ea0b5f01a8c0d96071892c1d95ab44b2bc1fadd75e34e1dfeec4
SHA512

0254167bbe37f8b3fef247746c632ef3665c806386c1db8153b359d46cb6c32291e974f2f4f9bf933fc74f16ae8f9e646290c673b4891057e466b789a2ab6c6e
SSDEEP

24576:vk6zLqo4ez+wjebMNp9dJteOdn26Ib9/PU3pZiOs27Wp99dGm0gbv4S2gOZSLV90:vk6zeovz3H9dJtLHI63hA95jt5OADZcn

Score

1^/10

Malware Config

Signatures

Files

eb920fc158b0ea0b5f01a8c0d96071892c1d95ab44b2bc1fadd75e34e1dfeec4
.exe windows x64

ea8b2cd388fc47e0feb0921ce15c391b

Code Sign

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

04/03/2014, 00:00

Not After

03/03/2024, 23:59

Subject

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:fb:60:03:f3:0c:b2:fe:25:16:b5:ee:e3:f0:c4:99
Certificate

Issuer

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

22/08/2019, 00:00

Not After

21/08/2022, 23:59

Subject

SERIALNUMBER=91510100394487762T,CN=成都奇鲁科技有限公司,OU=IT Dept,O=成都奇鲁科技有限公司,L=成都,ST=四川,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.1=#13074368656e676475,1.3.6.1.4.1.311.60.2.1.2=#13075369636875616e,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

01:00:46:69:50:a6:04:a9:d9:70:e8:1d:d2:4d:41:9f
Certificate

Issuer

CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

Not Before

27/05/2021, 09:55

Not After

28/06/2032, 09:55

Subject

CN=Globalsign TSA for Advanced - G4,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Not Before

20/06/2018, 00:00

Not After

10/12/2034, 00:00

Subject

CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

01:f2:40:42:40:ce:fd:22:db:e9:6c:71:fc
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

20/02/2019, 00:00

Not After

18/03/2029, 10:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:21:58:53:08:a2
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

18/03/2009, 10:00

Not After

18/03/2029, 10:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:c4:50:21:ba:6e:d8:5a:72:ad:00:00:00:00:00:c4
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

17/06/2021, 17:55

Not After

16/06/2022, 17:55

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18/04/2012, 23:48

Not After

18/04/2027, 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

c2:c9:7d:c2:44:62:bf:4f:2b:09:f0:6d:88:aa:cf:f6:28:d5:9c:b1:e8:d0:7a:e4:8a:49:b2:cc:0e:29:cf:c7
Signer

Actual PE Digest

c2:c9:7d:c2:44:62:bf:4f:2b:09:f0:6d:88:aa:cf:f6:28:d5:9c:b1:e8:d0:7a:e4:8a:49:b2:cc:0e:29:cf:c7

Digest Algorithm

sha256

PE Digest Matches

false

c2:c9:7d:c2:44:62:bf:4f:2b:09:f0:6d:88:aa:cf:f6:28:d5:9c:b1:e8:d0:7a:e4:8a:49:b2:cc:0e:29:cf:c7
Signer

Actual PE Digest

c2:c9:7d:c2:44:62:bf:4f:2b:09:f0:6d:88:aa:cf:f6:28:d5:9c:b1:e8:d0:7a:e4:8a:49:b2:cc:0e:29:cf:c7

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

ExSystemTimeToLocalTime
ZwQueryValueKey
PsTerminateSystemThread
RtlRandomEx
KeQueryTimeIncrement
ZwClose
RtlAppendUnicodeStringToString
KeWaitForSingleObject
RtlTimeToTimeFields
RtlFreeAnsiString
ZwOpenProcess
ZwQueryInformationProcess
RtlCopyUnicodeString
MmIsAddressValid
ObfDereferenceObject
ZwOpenFile
ZwEnumerateKey
ZwQueryKey
ZwOpenKey
RtlGetVersion
IoDeleteSymbolicLink
IoRegisterShutdownNotification
IoDeleteDevice
MmGetSystemRoutineAddress
PsSetCreateProcessNotifyRoutine
KeUnstackDetachProcess
IoUnregisterShutdownNotification
IofCompleteRequest
IoCreateSymbolicLink
IoCreateDevice
wcsncmp
KeStackAttachProcess
PsSetCreateThreadNotifyRoutine
ZwQuerySystemInformation
IoFreeMdl
MmProbeAndLockPages
MmUnlockPages
IoAllocateMdl
ZwCreateKey
_vsnwprintf
_strnicmp
_wcsnicmp
ZwReadFile
RtlCheckRegistryKey
ZwDeleteValueKey
wcsncat
RtlWriteRegistryValue
ZwQueryInformationFile
RtlAnsiStringToUnicodeString
_stricmp
IoCreateFile
KeDetachProcess
ZwWaitForSingleObject
RtlImageNtHeader
ZwAllocateVirtualMemory
RtlInitAnsiString
RtlFreeUnicodeString
IoReuseIrp
KeResetEvent
KeSetEvent
KeInitializeEvent
IoFreeIrp
IoAllocateIrp
_vsnprintf
ObReferenceObjectByHandle
PsThreadType
ExInterlockedInsertTailList
ExInterlockedRemoveHeadList
KeBugCheckEx
PsCreateSystemThread
ZwCreateFile
KeDelayExecutionThread
tolower
ZwSetValueKey
RtlUnicodeStringToAnsiString
RtlQueryRegistryValues
RtlInitUnicodeString
PsLookupProcessByProcessId
PsGetProcessImageFileName
ExFreePoolWithTag
ProbeForRead
ExAllocatePoolWithTag
ExAllocatePool
towlower
PsGetVersion
__C_specific_handler

fltmgr.sys

FltUnregisterFilter
FltCloseCommunicationPort

netio.sys

WskCaptureProviderNPI
WskDeregister
WskReleaseProviderNPI
WskRegister

Sections

.text
Size: 104KB - Virtual size: 103KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 24.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

W0
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 732B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ea8b2cd388fc47e0feb0921ce15c391b

Code Sign

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49Certificate

Extended Key Usages

Key Usages

01:fb:60:03:f3:0c:b2:fe:25:16:b5:ee:e3:f0:c4:99Certificate

Extended Key Usages

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

01:00:46:69:50:a6:04:a9:d9:70:e8:1d:d2:4d:41:9fCertificate

Extended Key Usages

Key Usages

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74Certificate

Key Usages

01:f2:40:42:40:ce:fd:22:db:e9:6c:71:fcCertificate

Key Usages

04:00:00:00:00:01:21:58:53:08:a2Certificate

Key Usages

33:00:00:00:c4:50:21:ba:6e:d8:5a:72:ad:00:00:00:00:00:c4Certificate

Extended Key Usages

61:0b:aa:c1:00:00:00:00:00:09Certificate

Key Usages

c2:c9:7d:c2:44:62:bf:4f:2b:09:f0:6d:88:aa:cf:f6:28:d5:9c:b1:e8:d0:7a:e4:8a:49:b2:cc:0e:29:cf:c7Signer

c2:c9:7d:c2:44:62:bf:4f:2b:09:f0:6d:88:aa:cf:f6:28:d5:9c:b1:e8:d0:7a:e4:8a:49:b2:cc:0e:29:cf:c7Signer

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

fltmgr.sys

netio.sys

Sections

.text Size: 104KB - Virtual size: 103KB

.rdata Size: 8KB - Virtual size: 7KB

.data Size: 6KB - Virtual size: 24.6MB

.pdata Size: 2KB - Virtual size: 1KB

INIT Size: 3KB - Virtual size: 2KB

W0 Size: 1.3MB - Virtual size: 1.3MB

.reloc Size: 512B - Virtual size: 208B

.rsrc Size: 1024B - Virtual size: 732B

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49
Certificate

01:fb:60:03:f3:0c:b2:fe:25:16:b5:ee:e3:f0:c4:99
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

01:00:46:69:50:a6:04:a9:d9:70:e8:1d:d2:4d:41:9f
Certificate

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74
Certificate

01:f2:40:42:40:ce:fd:22:db:e9:6c:71:fc
Certificate

04:00:00:00:00:01:21:58:53:08:a2
Certificate

33:00:00:00:c4:50:21:ba:6e:d8:5a:72:ad:00:00:00:00:00:c4
Certificate

61:0b:aa:c1:00:00:00:00:00:09
Certificate

c2:c9:7d:c2:44:62:bf:4f:2b:09:f0:6d:88:aa:cf:f6:28:d5:9c:b1:e8:d0:7a:e4:8a:49:b2:cc:0e:29:cf:c7
Signer

c2:c9:7d:c2:44:62:bf:4f:2b:09:f0:6d:88:aa:cf:f6:28:d5:9c:b1:e8:d0:7a:e4:8a:49:b2:cc:0e:29:cf:c7
Signer

.text
Size: 104KB - Virtual size: 103KB

.rdata
Size: 8KB - Virtual size: 7KB

.data
Size: 6KB - Virtual size: 24.6MB

.pdata
Size: 2KB - Virtual size: 1KB

INIT
Size: 3KB - Virtual size: 2KB

W0
Size: 1.3MB - Virtual size: 1.3MB

.reloc
Size: 512B - Virtual size: 208B

.rsrc
Size: 1024B - Virtual size: 732B