597bf636df960d0609c09531c5f22873965b4e9cfcf11be82d1cfcd4e1329374

Sharing

Copy URL Twitter E-mail

General

Target

597bf636df960d0609c09531c5f22873965b4e9cfcf11be82d1cfcd4e1329374
Size

185KB
MD5

738309fb6dd434a885f8ad0785a05ca0
SHA1

6f3c52e8490220f05da68cffa054bc318a075a29
SHA256

597bf636df960d0609c09531c5f22873965b4e9cfcf11be82d1cfcd4e1329374
SHA512

5925589bf7abf94e538e7ea056c937e4c3ff0b855bdd13391f07fb0d10ba21647384c5be252e155bd17b525c04ffd835ce4b1f7358de7d8baf288e573fd470b8
SSDEEP

3072:EPlAFQtqMy2o4LUjvGGNtJr9lH3k294lVNM71dyv0GKEZCaiKqO:EPMQtWWoxtJrPH3JelVqdyv0GJq

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
597bf636df960d0609c09531c5f22873965b4e9cfcf11be82d1cfcd4e1329374

Files

597bf636df960d0609c09531c5f22873965b4e9cfcf11be82d1cfcd4e1329374
.exe windows x64

40fa992917c86f75100e58bb688b0d4a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

MmGetSystemRoutineAddress
MmHighestUserAddress
ZwDeleteValueKey
ZwSetValueKey
ZwQuerySystemInformation
RtlEqualUnicodeString
IoFreeMdl
KeUnstackDetachProcess
KeDelayExecutionThread
ObQueryNameString
IoFileObjectType
ZwCreateFile
MmMapLockedPagesSpecifyCache
ZwQueryValueKey
PsTerminateSystemThread
_vsnwprintf
KeQueryTimeIncrement
ObReferenceObjectByHandle
MmProbeAndLockPages
ZwOpenProcess
MmUnlockPages
ZwQueryInformationProcess
PsGetCurrentProcessId
ObfDereferenceObject
ZwOpenFile
ZwTerminateProcess
ZwQueryInformationFile
KeStackAttachProcess
IoAllocateMdl
ZwOpenKey
KeSetEvent
ExReleaseFastMutex
ExAcquireFastMutex
ExGetPreviousMode
IoGetCurrentProcess
RtlPrefixUnicodeString
KeWaitForSingleObject
PsInitialSystemProcess
RtlCompareUnicodeString
CmRegisterCallback
RtlCompareMemory
RtlUnicodeStringToInteger
ExAcquireResourceExclusiveLite
KeLeaveCriticalRegion
PsSetLoadImageNotifyRoutine
IoRegisterDriverReinitialization
ZwQuerySecurityObject
KeEnterCriticalRegion
MmUserProbeAddress
ExReleaseResourceLite
PsRemoveLoadImageNotifyRoutine
PsGetCurrentThreadId
ExInitializeResourceLite
RtlGetOwnerSecurityDescriptor
RtlUpcaseUnicodeString
ExpInterlockedPushEntrySList
ExpInterlockedPopEntrySList
PsSetCreateProcessNotifyRoutine
ZwSetInformationFile
ExQueryDepthSList
ExInitializePagedLookasideList
ExAcquireResourceSharedLite
RtlHashUnicodeString
FsRtlDissectName
ExDeleteResourceLite
RtlCopyUnicodeString
RtlDeleteElementGenericTableAvl
RtlInsertElementGenericTableAvl
RtlGetElementGenericTableAvl
RtlAppendUnicodeStringToString
RtlInitializeGenericTableAvl
RtlLookupElementGenericTableAvl
ZwMapViewOfSection
ZwUnmapViewOfSection
ZwCreateSection
RtlImageNtHeader
ZwWriteFile
ZwReadFile
ExInterlockedInsertTailList
KeReleaseSemaphore
ExInterlockedRemoveHeadList
RtlAppendUnicodeToString
FsRtlIsNameInExpression
RtlFreeUnicodeString
CmUnRegisterCallback
_wcsnicmp
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
KeBugCheckEx
PsLookupProcessByProcessId
ExFreePoolWithTag
ZwCreateKey
ProbeForRead
ExAllocatePoolWithTag
PsGetProcessPeb
_wcsicmp
MmUnmapLockedPages
IoCreateDevice
IoCreateSymbolicLink
IofCompleteRequest
ZwClose
InitSafeBootMode
PsCreateSystemThread
KeInitializeEvent
IoDeleteDevice
RtlInitUnicodeString
IoGetDeviceObjectPointer
ZwDeleteKey
vDbgPrintEx
ExSystemTimeToLocalTime
_vsnprintf
RtlTimeToTimeFields
PsProcessType
PsThreadType
IoGetTopLevelIrp
ObOpenObjectByPointer
ExRaiseStatus
KeAreApcsDisabled
RtlQueryRegistryValues
RtlGetVersion
wcslen
IoVolumeDeviceToDosName
IoAllocateIrp
MmIsAddressValid
PsGetCurrentThreadTeb
KeInitializeApc
KeInsertQueueApc
PsIsThreadTerminating
ZwQueryObject
ZwSetInformationObject
IoGetRelatedDeviceObject
ZwQueryDirectoryFile
IoGetDeviceAttachmentBaseRef
IoCreateFileSpecifyDeviceObjectHint
IoGetBaseFileSystemDeviceObject
IoCreateFile
ZwDuplicateObject
IoFreeIrp
ZwEnumerateValueKey
ZwEnumerateKey
strcmp
RtlDeleteElementGenericTable
RtlLookupElementGenericTable
RtlEnumerateGenericTable
RtlIsGenericTableEmpty
RtlInitializeGenericTable
RtlInsertElementGenericTable
RtlCompressBuffer
RtlDecompressBuffer
RtlGetCompressionWorkSpaceSize
ExSemaphoreObjectType
IoRegisterShutdownNotification
__C_specific_handler
__chkstk

fltmgr.sys

FltDeletePushLock
FltParseFileNameInformation
FltReleaseFileNameInformation
FltGetFileNameInformation
FltClose
FltQueryInformationFile
FltCreateFile
FltAcquirePushLockShared
FltSendMessage
FltStartFiltering
FltRegisterFilter
FltBuildDefaultSecurityDescriptor
FltFreeSecurityDescriptor
FltCreateCommunicationPort
FltCloseClientPort
FltAcquirePushLockExclusive
FltReleasePushLock
FltInitializePushLock
FltGetFileNameInformationUnsafe

Sections

.text
Size: 156KB - Virtual size: 155KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 91KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 856B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 918B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

40fa992917c86f75100e58bb688b0d4a

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

fltmgr.sys

Sections

.text Size: 156KB - Virtual size: 155KB

.rdata Size: 9KB - Virtual size: 8KB

.data Size: 5KB - Virtual size: 91KB

.pdata Size: 6KB - Virtual size: 5KB

INIT Size: 6KB - Virtual size: 5KB

.rsrc Size: 1024B - Virtual size: 856B

.reloc Size: 1024B - Virtual size: 918B

.text
Size: 156KB - Virtual size: 155KB

.rdata
Size: 9KB - Virtual size: 8KB

.data
Size: 5KB - Virtual size: 91KB

.pdata
Size: 6KB - Virtual size: 5KB

INIT
Size: 6KB - Virtual size: 5KB

.rsrc
Size: 1024B - Virtual size: 856B

.reloc
Size: 1024B - Virtual size: 918B