2a56a02083527851d0c63c1a8bf74a20dd5d9734b9cea292c9b8fb9c66aed695

Sharing

Copy URL Twitter E-mail

General

Target

2a56a02083527851d0c63c1a8bf74a20dd5d9734b9cea292c9b8fb9c66aed695
Size

62KB
MD5

34151df8616845706ace6c2a6a0230da
SHA1

777a515b10fcbfbb8f6e6a4141a518edd36fcda1
SHA256

2a56a02083527851d0c63c1a8bf74a20dd5d9734b9cea292c9b8fb9c66aed695
SHA512

09e868ad946268a9f20fb80b9f9f291a9f6b6da251ea7c6359ed354650e0c4df58351af8860849bccc08bdc12bbcc1d37903fb737713370b6e85b3b602829aa4
SSDEEP

768:XmOExkg2BhqrTyyKlqUq7IwCwQljc84wvKsHpz2yCGEqXpl+7TRayddds:X0n2B8rTyuwlljc8pvJJ2nxqXploQyd

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2a56a02083527851d0c63c1a8bf74a20dd5d9734b9cea292c9b8fb9c66aed695

Files

2a56a02083527851d0c63c1a8bf74a20dd5d9734b9cea292c9b8fb9c66aed695
.exe windows x86

db70466a8ea8467e2d66033256b48dd9

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

RtlUnwind
KeTickCount
memcpy
ProbeForRead
ProbeForWrite
PsGetCurrentProcessId
InitSafeBootMode
PsGetVersion
IoCreateDevice
IoCreateSymbolicLink
KeInitializeEvent
ExAllocatePool
MmIsAddressValid
RtlEqualUnicodeString
MmUnlockPages
IoFreeMdl
MmMapLockedPagesSpecifyCache
MmProbeAndLockPages
IoAllocateMdl
DbgPrint
MmGetSystemRoutineAddress
KeQueryTimeIncrement
_alldiv
_allmul
KeDelayExecutionThread
RtlAppendUnicodeStringToString
ExRaiseStatus
IoVolumeDeviceToDosName
ZwClose
ZwReadFile
ZwQueryInformationFile
ZwOpenFile
RtlQueryRegistryValues
ObfDereferenceObject
IoGetDeviceObjectPointer
_wcsnicmp
memmove
ObOpenObjectByPointer
PsProcessType
KeInitializeMutex
KeReleaseMutex
KeWaitForSingleObject
IoFreeWorkItem
IoQueueWorkItem
ObfReferenceObject
IoAllocateWorkItem
RtlInitUnicodeString
PsLookupProcessByProcessId
KeSetEvent
PsSetCreateProcessNotifyRoutine
ObReferenceObjectByHandle
PsCreateSystemThread
RtlGetVersion
MmMapLockedPages
IoReleaseRemoveLockEx
IoAcquireRemoveLockEx
IoInitializeRemoveLockEx
RtlHashUnicodeString
ZwQueryValueKey
ZwOpenKey
ZwQuerySystemInformation
RtlFreeUnicodeString
RtlCompareMemory
KeClearEvent
KeReadStateEvent
KeWaitForMultipleObjects
_vsnprintf
_vsnwprintf
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
ExInitializeResourceLite
ExDeleteResourceLite
ZwCreateFile
ZwWriteFile
ZwSetInformationFile
RtlRandom
ObQueryNameString
ZwQueryInformationProcess
RtlVolumeDeviceToDosName
RtlPrefixUnicodeString
KeLeaveCriticalRegion
ExAcquireResourceExclusiveLite
KeEnterCriticalRegion
ExAcquireResourceSharedLite
ExReleaseResourceLite
RtlAnsiStringToUnicodeString
ZwEnumerateKey
_allshr
KeQueryInterruptTime
InterlockedPopEntrySList
InterlockedPushEntrySList
ExInitializeNPagedLookasideList
KeInitializeSemaphore
IoFreeIrp
IoCancelIrp
KeReadStateSemaphore
KeReleaseSemaphore
IoAllocateIrp
ExDeleteNPagedLookasideList
KeBugCheckEx
RtlCompareUnicodeString
IoDeleteSymbolicLink
IoDeleteDevice
IofCompleteRequest
ExFreePoolWithTag
memset
PsTerminateSystemThread
ExAllocatePoolWithTag

hal

KfReleaseSpinLock
KeGetCurrentIrql
KfAcquireSpinLock
ExAcquireFastMutex
ExReleaseFastMutex

fwpkclnt.sys

FwpsCalloutRegister0
FwpmEngineClose0
FwpmCalloutDeleteById0
FwpsCalloutUnregisterById0
FwpmBfeStateUnsubscribeChanges0
FwpmFilterAdd0
FwpmCalloutAdd0
FwpmTransactionAbort0
FwpmTransactionCommit0
FwpmTransactionBegin0
FwpmBfeStateSubscribeChanges0
FwpmBfeStateGet0
FwpmEngineOpen0

fltmgr.sys

FltBuildDefaultSecurityDescriptor
FltStartFiltering
FltFreeSecurityDescriptor
FltCloseClientPort
FltCreateCommunicationPort
FltRegisterFilter
FltUnregisterFilter
FltCloseCommunicationPort

netio.sys

WskDeregister
WskReleaseProviderNPI
WskCaptureProviderNPI
WskRegister

Sections

.text
Size: 48KB - Virtual size: 47KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 864B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

db70466a8ea8467e2d66033256b48dd9

Headers

File Characteristics

Imports

ntoskrnl.exe

hal

fwpkclnt.sys

fltmgr.sys

netio.sys

Sections

.text Size: 48KB - Virtual size: 47KB

.rdata Size: 3KB - Virtual size: 2KB

.data Size: 1024B - Virtual size: 2KB

INIT Size: 4KB - Virtual size: 3KB

.rsrc Size: 1024B - Virtual size: 864B

.reloc Size: 4KB - Virtual size: 3KB

.text
Size: 48KB - Virtual size: 47KB

.rdata
Size: 3KB - Virtual size: 2KB

.data
Size: 1024B - Virtual size: 2KB

INIT
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 1024B - Virtual size: 864B

.reloc
Size: 4KB - Virtual size: 3KB