CheckHider_protected[.]sys

Sharing

Copy URL Twitter E-mail

General

Target

CheckHider_protected.sys
Size

2.0MB
MD5

fabe7ad78f3ba4382a93ef776b5966e6
SHA1

c1976e8076e1a84ce43f7624b7b0dfb74db3e14c
SHA256

dcf31722ab453bd7ba2d1d0bc6edd6b16c95f22c10f263d1a060ab48bcba111f
SHA512

de0666e156260eee62be02bb5515648ff30041561c9a3e325e57cce49588711b70fc0cb6d43db1176c59d993d4f08fa4d00d166f701eb4ffb03d05643e3b27b7
SSDEEP

49152:N5WiIvmR3NZp1gnDo9YFg3pT6h1r0cFERVQCK:vWiIvmDp1gD+YFgZT6h1r0SEYp

Score

1^/10

Malware Config

Signatures

Files

CheckHider_protected.sys
.exe windows x64

05b36f2933dcc4bd08841fe8cafee131

Code Sign

38:de:06:b8:be:15:18:7f:10:7e:04:f8:b1:13:89:77
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

02/03/2018, 00:00

Not After

28/11/2018, 23:59

Subject

CN=Bopsoft,O=Bopsoft,L=Zaozhuang,ST=Shandong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:1f:b0:a4:00:00:00:00:00:1d
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:31

Not After

22/02/2021, 19:41

Subject

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0b:78:14:1b:89:85:e7:7e:f3:5b:05:40:97:40:e7:55:c6:35:3e:13
Signer

Actual PE Digest

0b:78:14:1b:89:85:e7:7e:f3:5b:05:40:97:40:e7:55:c6:35:3e:13

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

KeSetEvent
KeWaitForSingleObject
ExAllocatePoolWithTag
ExFreePoolWithTag
MmUnlockPages
IoFreeMdl
ObReferenceObjectByHandleWithTag
ObCloseHandle
ObfDereferenceObject
ZwClose
IoCreateFileEx
MmFlushImageSection
ZwDeleteFile
IoFileObjectType
_strnicmp
RtlUpperChar
MmHighestUserAddress
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
PsGetVersion
IoAllocateMdl
IoGetCurrentProcess
KeStackAttachProcess
KeUnstackDetachProcess
PsLookupProcessByProcessId
ZwAllocateVirtualMemory
__C_specific_handler
ExQueueWorkItem
IoGetDeviceObjectPointer
MmIsAddressValid
ExEnterCriticalRegionAndAcquireResourceExclusive
ExReleaseResourceAndLeaveCriticalRegion
ExAcquireRundownProtection
ExReleaseRundownProtection
KeInitializeEvent
PsGetThreadProcessId
ZwTerminateProcess
ObOpenObjectByPointer
ZwQuerySystemInformation
ZwQueryInformationProcess
PsProcessType
PsThreadType
PsInitialSystemProcess
RtlInsertElementGenericTableAvl
RtlDeleteElementGenericTableAvl
_stricmp
KeQueryActiveProcessorCountEx
ObfReferenceObject
MmSystemRangeStart
towlower
strncpy
RtlWriteRegistryValue
RtlCreateRegistryKey
KeDelayExecutionThread
ExInitializeResourceLite
ExEnterCriticalRegionAndAcquireResourceShared
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
ObRegisterCallbacks
ObGetFilterVersion
ExUuidCreate
PsSetCreateProcessNotifyRoutine
_vsnwprintf
RtlPcToFileHeader
PsGetProcessSectionBaseAddress
IoCreateDriver
KdDebuggerEnabled
KeBugCheckEx

Sections

.text
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 588B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 28B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.vlizer
Size: 2.0MB - Virtual size: 2.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

05b36f2933dcc4bd08841fe8cafee131

Code Sign

38:de:06:b8:be:15:18:7f:10:7e:04:f8:b1:13:89:77Certificate

Extended Key Usages

Key Usages

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5eCertificate

Extended Key Usages

Key Usages

61:1f:b0:a4:00:00:00:00:00:1dCertificate

Key Usages

0b:78:14:1b:89:85:e7:7e:f3:5b:05:40:97:40:e7:55:c6:35:3e:13Signer

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

Sections

.text Size: 29KB - Virtual size: 28KB

.rdata Size: 3KB - Virtual size: 2KB

.data Size: 512B - Virtual size: 3KB

.pdata Size: 1024B - Virtual size: 588B

INIT Size: 2KB - Virtual size: 2KB

.reloc Size: 512B - Virtual size: 28B

.vlizer Size: 2.0MB - Virtual size: 2.0MB

38:de:06:b8:be:15:18:7f:10:7e:04:f8:b1:13:89:77
Certificate

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

61:1f:b0:a4:00:00:00:00:00:1d
Certificate

0b:78:14:1b:89:85:e7:7e:f3:5b:05:40:97:40:e7:55:c6:35:3e:13
Signer

.text
Size: 29KB - Virtual size: 28KB

.rdata
Size: 3KB - Virtual size: 2KB

.data
Size: 512B - Virtual size: 3KB

.pdata
Size: 1024B - Virtual size: 588B

INIT
Size: 2KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 28B

.vlizer
Size: 2.0MB - Virtual size: 2.0MB