8aba6eaedd53589652295f7df6e71a1e7c6583e914f09a60560e10e47c51288d

Sharing

Copy URL

Twitter E-mail

General

Target

8aba6eaedd53589652295f7df6e71a1e7c6583e914f09a60560e10e47c51288d
Size

725KB
MD5

6e3d83e92083221951c973542b7eeaa0
SHA1

59f952957950700066e01dab3d2550252f34865e
SHA256

8aba6eaedd53589652295f7df6e71a1e7c6583e914f09a60560e10e47c51288d
SHA512

db2c042bc068383b5767449ba366029a6a9ec3dda2f98ec66934c0268175a1deb345025c28b61d5b24d816ce9d53de5f17a7afec5aebc4329cc615ac17530040
SSDEEP

12288:WEDL9VTxsRkRG8pC3eLp+1sXVAr8jk5Cv+kYYJTWX72Z1BahCB1rQ3NUf3:pDLCRepC3f1slqI+hYxW41QKrQ03

Score

1^/10

Malware Config

Signatures

Files

8aba6eaedd53589652295f7df6e71a1e7c6583e914f09a60560e10e47c51288d
.exe windows x64

be0dd8b8e045356d600ee55a64d9d197

Code Sign

0a:00:5d:2e:2b:cd:41:37:16:82:17:d8:c7:27:74:7c
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

16/05/2014, 00:00

Not After

16/05/2015, 23:59

Subject

CN=Beijing JoinHope Image Technology Ltd.,O=Beijing JoinHope Image Technology Ltd.,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

29:f1:ad:eb:d0:a7:73:df:05:31:4e:76:ac:f6:89:15:4a:e9:a1:4b
Signer

Actual PE Digest

29:f1:ad:eb:d0:a7:73:df:05:31:4e:76:ac:f6:89:15:4a:e9:a1:4b

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

ExAllocatePoolWithTag
ExFreePoolWithTag
IoRegisterDriverReinitialization
RtlInitUnicodeString
IoDeleteDevice
KeSetEvent
KeInitializeEvent
PsCreateSystemThread
PsTerminateSystemThread
ZwClose
IofCompleteRequest
ObReferenceObjectByHandle
KeWaitForSingleObject
PsThreadType
IoIsWdmVersionAvailable
IoCreateSymbolicLink
IoCreateDevice
ZwReadFile
IoCreateFile
ZwSetInformationFile
ZwCreateFile
ZwQueryDirectoryFile
ZwDeleteFile
ZwOpenFile
RtlImageNtHeader
ZwQueryInformationFile
ZwWriteFile
ZwSetValueKey
ZwQueryValueKey
_vsnprintf
ZwFlushKey
ZwDeleteKey
ZwOpenKey
_stricmp
ZwCreateKey
PsSetLoadImageNotifyRoutine
PsGetProcessImageFileName
PsLookupProcessByProcessId
MmGetSystemRoutineAddress
RtlGetVersion
FsRtlIsNameInExpression
wcsrchr
PsRemoveLoadImageNotifyRoutine
MmIsAddressValid
ObfDereferenceObject
KeUnstackDetachProcess
ObOpenObjectByPointer
KeStackAttachProcess
ZwAllocateVirtualMemory
KeClearEvent
_wcsnicmp
ObCreateObject
IoFileObjectType
IoDriverObjectType
MmMapLockedPagesSpecifyCache
IoGetCurrentProcess
_vsnwprintf
KeQueryTimeIncrement
IoGetDeviceAttachmentBaseRef
IoFreeIrp
IoAllocateIrp
RtlCompareUnicodeString
CmRegisterCallback
PsGetCurrentProcessId
RtlCopyUnicodeString
CmCallbackGetKeyObjectID
ZwEnumerateKey
strstr
KeDelayExecutionThread
ExSystemTimeToLocalTime
RtlTimeToTimeFields
RtlMultiByteToUnicodeN
IoBuildDeviceIoControlRequest
IoGetRelatedDeviceObject
IoFreeMdl
IoCancelIrp
MmProbeAndLockPages
IoAllocateMdl
IofCallDriver
ZwMapViewOfSection
ExGetPreviousMode
ZwQuerySystemInformation
ZwUnmapViewOfSection
ZwCreateSection
ExFreePool
KeBugCheckEx
__C_specific_handler

Sections

.text
Size: 48KB - Virtual size: 48KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 660KB - Virtual size: 661KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

be0dd8b8e045356d600ee55a64d9d197

Code Sign

0a:00:5d:2e:2b:cd:41:37:16:82:17:d8:c7:27:74:7cCertificate

Extended Key Usages

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

29:f1:ad:eb:d0:a7:73:df:05:31:4e:76:ac:f6:89:15:4a:e9:a1:4bSigner

Headers

File Characteristics

Imports

ntoskrnl.exe

Sections

.text Size: 48KB - Virtual size: 48KB

.rdata Size: 3KB - Virtual size: 2KB

.data Size: 660KB - Virtual size: 661KB

.pdata Size: 1KB - Virtual size: 1KB

PAGE Size: 2KB - Virtual size: 2KB

INIT Size: 3KB - Virtual size: 2KB

0a:00:5d:2e:2b:cd:41:37:16:82:17:d8:c7:27:74:7c
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

29:f1:ad:eb:d0:a7:73:df:05:31:4e:76:ac:f6:89:15:4a:e9:a1:4b
Signer

.text
Size: 48KB - Virtual size: 48KB

.rdata
Size: 3KB - Virtual size: 2KB

.data
Size: 660KB - Virtual size: 661KB

.pdata
Size: 1KB - Virtual size: 1KB

PAGE
Size: 2KB - Virtual size: 2KB

INIT
Size: 3KB - Virtual size: 2KB