RWSafe0816[.]sys

Sharing

Copy URL Twitter E-mail

General

Target

RWSafe0816.sys
Size

28KB
MD5

2621fd59deaf3f7a698f584db7443b81
SHA1

93823725eaa58047445fd6bca8073c3885cb5b1c
SHA256

7c34b51d76b199778fac96d1688e26356317fe8a064b3a6568e61a219f9d529e
SHA512

cc36c503442987eaa7a2a1c8a9fee83ebb83eef13ddfd68043910b807abd212effd91014eaa27276e462119e6a483456c0716d5b3416fe299ba7178efa7ffc94
SSDEEP

384:NjaZ4/urbxA7obKom5d0mhjHyOIx5ShzK7MH2KP1nJZvh3BcYR9z+TSR:FD/uJ8omr0mhj7+7MWk1n13Bn9zoA

Score

1^/10

Malware Config

Signatures

Files

RWSafe0816.sys
.exe windows x64

10b679e8878465a73bbbefd6c5f9a15a

Code Sign

33:00:00:00:62:f4:5c:f9:9e:58:a9:6a:89:00:00:00:00:00:62
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/04/2023, 19:16

Not After

03/04/2024, 19:16

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/10/2014, 20:31

Not After

15/10/2029, 20:41

Subject

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

88:85:ad:3e:08:f4:45:18:d4:39:cf:8f:e2:62:75:29:28:6e:5c:1e:d9:aa:b1:3f:38:0c:f1:d5:96:f1:39:00
Signer

Actual PE Digest

88:85:ad:3e:08:f4:45:18:d4:39:cf:8f:e2:62:75:29:28:6e:5c:1e:d9:aa:b1:3f:38:0c:f1:d5:96:f1:39:00

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

_stricmp
strstr
RtlInitAnsiString
RtlInitUnicodeString
RtlAnsiStringToUnicodeString
RtlCompareUnicodeString
RtlEqualUnicodeString
DbgPrint
RtlGetVersion
ExAllocatePool
ExFreePoolWithTag
MmBuildMdlForNonPagedPool
MmMapLockedPages
MmUnmapLockedPages
MmCreateMdl
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoFreeMdl
ObReferenceObjectByHandleWithTag
ObCloseHandle
ObfDereferenceObject
ZwOpenFile
ZwClose
ZwCreateSection
ZwMapViewOfSection
ZwUnmapViewOfSection
RtlCompareString
MmIsAddressValid
PsGetProcessCreateTimeQuadPart
IoRegisterDriverReinitialization
IoCreateFileEx
ZwTerminateProcess
KeStackAttachProcess
KeUnstackDetachProcess
PsLookupProcessByProcessId
PsLookupThreadByThreadId
MmFlushImageSection
ObOpenObjectByPointer
ObMakeTemporaryObject
ZwDeleteFile
ZwAllocateVirtualMemory
ZwFreeVirtualMemory
ZwQueryVirtualMemory
KeInitializeApc
KeInsertQueueApc
PsGetProcessPeb
PsSuspendProcess
PsResumeProcess
PsGetProcessWow64Process
RtlImageNtHeader
ObReferenceObjectByName
ZwQuerySystemInformation
IoFileObjectType
PsInitialSystemProcess
IoDriverObjectType
MmGetSystemRoutineAddress
IoAllocateMdl
RtlPcToFileHeader

Sections

.text
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 160B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 516B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 20B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

10b679e8878465a73bbbefd6c5f9a15a

Code Sign

33:00:00:00:62:f4:5c:f9:9e:58:a9:6a:89:00:00:00:00:00:62Certificate

Extended Key Usages

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0dCertificate

Key Usages

88:85:ad:3e:08:f4:45:18:d4:39:cf:8f:e2:62:75:29:28:6e:5c:1e:d9:aa:b1:3f:38:0c:f1:d5:96:f1:39:00Signer

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

Sections

.text Size: 11KB - Virtual size: 10KB

.rdata Size: 2KB - Virtual size: 2KB

.data Size: 512B - Virtual size: 160B

.pdata Size: 1024B - Virtual size: 516B

INIT Size: 2KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 20B

33:00:00:00:62:f4:5c:f9:9e:58:a9:6a:89:00:00:00:00:00:62
Certificate

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

88:85:ad:3e:08:f4:45:18:d4:39:cf:8f:e2:62:75:29:28:6e:5c:1e:d9:aa:b1:3f:38:0c:f1:d5:96:f1:39:00
Signer

.text
Size: 11KB - Virtual size: 10KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 512B - Virtual size: 160B

.pdata
Size: 1024B - Virtual size: 516B

INIT
Size: 2KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 20B