d447bf5ad04c088d6eeaaa13158fa64a8674b8345d79c9678411378327eef7ce

Sharing

Copy URL Twitter E-mail

General

Target

d447bf5ad04c088d6eeaaa13158fa64a8674b8345d79c9678411378327eef7ce
Size

378KB
MD5

24482a8183ea36843e7afae201530c7f
SHA1

48382db4ed1c7131906c68ed747331ed7aeba079
SHA256

d447bf5ad04c088d6eeaaa13158fa64a8674b8345d79c9678411378327eef7ce
SHA512

f53113223a46bd04b84f83e2da6be14898d0753a611a60a6aabdf52ead2467a8ecc543bcdc972644c367debded107c37743a14c1c61dfaf88dd5e95d9e6c9cc3
SSDEEP

6144:YcDVVF61Dp915xOQKFp/op6XlnJlNOB5AhpFy8:3JL015xv4n1OQjv

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
d447bf5ad04c088d6eeaaa13158fa64a8674b8345d79c9678411378327eef7ce

Files

d447bf5ad04c088d6eeaaa13158fa64a8674b8345d79c9678411378327eef7ce
.exe windows x64

c547cd2428b98f2331d32cfad1c6556c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

fltmgr.sys

FltSetCallbackDataDirty
FltDoCompletionProcessingWhenSafe
FltRegisterFilter
FltUnregisterFilter
FltStartFiltering
FltAllocatePoolAlignedWithTag
FltFreePoolAlignedWithTag
FltGetFileNameInformation
FltReleaseFileNameInformation
FltParseFileNameInformation
FltGetDestinationFileNameInformation
FltIsDirectory
FltCreateFile
FltReadFile
FltQueryInformationFile
FltSetInformationFile
FltClose
FltLockUserBuffer
FltGetRequestorProcessId

ndis.sys

NdisGetDataBuffer

ntoskrnl.exe

wcscat_s
RtlInitAnsiString
RtlAnsiStringToUnicodeString
RtlUnicodeStringToAnsiString
RtlCompareUnicodeStrings
RtlCompareUnicodeString
RtlCopyUnicodeString
RtlAppendUnicodeStringToString
RtlAppendUnicodeToString
RtlFreeUnicodeString
RtlFreeAnsiString
RtlTimeToTimeFields
KeInitializeEvent
KeSetEvent
KeDelayExecutionThread
KeWaitForSingleObject
ExAllocatePool
ExAllocatePoolWithTag
ExFreePoolWithTag
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
ExInitializeNPagedLookasideList
ExSystemTimeToLocalTime
MmLockPagableDataSection
MmUnlockPagableImageSection
IoAllocateIrp
IofCallDriver
IoCreateFile
IoFreeIrp
IoGetCurrentProcess
IoGetRelatedDeviceObject
ObReferenceObjectByHandle
ObfDereferenceObject
ZwCreateFile
ZwQueryInformationFile
ZwSetInformationFile
ZwReadFile
ZwWriteFile
ZwClose
ZwOpenKey
ZwFlushKey
ZwQueryValueKey
ZwSetValueKey
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
MmLockPagableSectionByHandle
PsGetProcessCreateTimeQuadPart
IoVolumeDeviceToDosName
ZwOpenProcess
RtlCreateUnicodeString
RtlDowncaseUnicodeString
KeAttachProcess
KeDetachProcess
KeStackAttachProcess
KeUnstackDetachProcess
SeLocateProcessImageName
PsLookupProcessByProcessId
PsLookupThreadByThreadId
IoThreadToProcess
ObOpenObjectByPointer
ZwQueryObject
ZwDeleteFile
ZwDuplicateObject
ZwOpenDirectoryObject
ZwAllocateVirtualMemory
sprintf_s
swprintf_s
ZwQueryInformationProcess
PsGetProcessImageFileName
RtlImageNtHeader
ZwQuerySystemInformation
PsReferenceProcessFilePointer
PsGetProcessPeb
PsGetProcessWow64Process
ObSetHandleAttributes
ZwQueryDirectoryObject
ObReferenceObjectByName
PsGetProcessInheritedFromUniqueProcessId
IoFileObjectType
PsThreadType
PsInitialSystemProcess
IoDriverObjectType
IoDeviceObjectType
RtlUnicodeStringToInteger
KeInitializeDpc
strcpy_s
KeSetTimerEx
KeQueryTimeIncrement
PsTerminateSystemThread
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
PsGetProcessExitStatus
PsGetProcessId
RtlGetVersion
MmProbeAndLockPages
MmUnlockPages
MmBuildMdlForNonPagedPool
MmMapLockedPagesSpecifyCache
IoAllocateMdl
IoFreeMdl
PsGetCurrentProcessId
PsGetCurrentThreadId
NtAllocateVirtualMemory
ZwQueryVirtualMemory
strcat_s
strncpy_s
RtlEqualUnicodeString
ProbeForRead
MmMapLockedPages
MmUnmapLockedPages
MmCreateMdl
PsSetLoadImageNotifyRoutine
PsGetThreadProcessId
LpcPortObjectType
ExGetPreviousMode
NtTraceControl
MmUserProbeAddress
ZwCreateSection
ZwMapViewOfSection
ZwUnmapViewOfSection
MmSystemRangeStart
ExRaiseAccessViolation
ZwWaitForSingleObject
ZwQueryInformationThread
_vsnprintf_s
KeInitializeMutex
KeReleaseMutex
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
wcscpy_s
RtlIntegerToUnicodeString
KeBugCheckEx
ExQueueWorkItem
ObfReferenceObject
ZwCreateKey
PsGetThreadId
FsRtlGetFileSize
_snprintf_s
ObRegisterCallbacks
ObGetFilterVersion
PsProcessType
CmRegisterCallbackEx
CmCallbackGetKeyObjectID
ExAcquireSpinLockShared
ExReleaseSpinLockShared
ExAcquireSpinLockExclusive
ExReleaseSpinLockExclusive
RtlRandomEx
PsSetCreateThreadNotifyRoutine
PsGetThreadProcess
PsIsSystemThread
KeInitializeApc
KeInsertQueueApc
PsGetVersion
PsGetThreadExitStatus
RtlIpv6AddressToStringA
RtlIpv4StringToAddressA
RtlAnsiCharToUnicodeChar
RtlUnicodeToMultiByteN
RtlInitUnicodeString
__C_specific_handler
PsSetCreateProcessNotifyRoutineEx
MmIsAddressValid
PsCreateSystemThread
MmGetSystemRoutineAddress
DbgPrint
KeInitializeTimerEx

fwpkclnt.sys

FwpmFilterAdd0
FwpmCalloutAdd0
FwpmSubLayerAdd0
FwpmTransactionCommit0
FwpmTransactionBegin0
FwpmEngineOpen0
FwpmBfeStateSubscribeChanges0
FwpmBfeStateGet0
FwpsFlowAssociateContext0
FwpsCalloutRegister1

Sections

.text
Size: 278KB - Virtual size: 277KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 36KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 24KB - Virtual size: 123KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 504B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 472B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c547cd2428b98f2331d32cfad1c6556c

Headers

DLL Characteristics

File Characteristics

Imports

fltmgr.sys

ndis.sys

ntoskrnl.exe

fwpkclnt.sys

Sections

.text Size: 278KB - Virtual size: 277KB

.rdata Size: 36KB - Virtual size: 36KB

.data Size: 24KB - Virtual size: 123KB

.pdata Size: 9KB - Virtual size: 8KB

INIT Size: 6KB - Virtual size: 6KB

.rsrc Size: 512B - Virtual size: 504B

.reloc Size: 512B - Virtual size: 472B

.text
Size: 278KB - Virtual size: 277KB

.rdata
Size: 36KB - Virtual size: 36KB

.data
Size: 24KB - Virtual size: 123KB

.pdata
Size: 9KB - Virtual size: 8KB

INIT
Size: 6KB - Virtual size: 6KB

.rsrc
Size: 512B - Virtual size: 504B

.reloc
Size: 512B - Virtual size: 472B