230919-sxvtlsjwsy_pw_infected[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

230919-sxvtlsjwsy_pw_infected.zip
Size

4.5MB
MD5

0485d5d7c8524ca9145e8af1517041ce
SHA1

e1d95ee4c59ec42d47bb445299e1ea96de582690
SHA256

38b2967e7dbbdd6cc22fdeefae9df87dca41c6dc9656fffbb2633d1fbfa2fca9
SHA512

ba64970121d74111dfaa2f33cfd2f8affbcd2b658b5b105b7aeccd7056d70be370fcced3b7290f02e76380e6ad57d1e0d270d71f93c1cf51e9b5f6e8014f99fa
SSDEEP

98304:IuC6R0rDvYUvUP+aEoVwyn9C0BzPrPYNfcNguC0PSJAn0OBh:JFOrcUcGaDyynM018+xCp47

Score

1^/10

Malware Config

Signatures

Files

230919-sxvtlsjwsy_pw_infected.zip
.zip

Password: infected
230919-rvgcrsny8g_pw_infected.zip
.zip

Password: infected
Rootkit.Win64.Agent.bdr-7a094ad0ef65079505b37da09b647597143ea7fdfac8c838796cf294da3ff388
.sys windows x64

72bf8ee4914ead086ad2ddd3f84911be

Code Sign

13:a6:91:b1:48:e6:d8:d0:89:1f:88:8e:66:05:e0:dd
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

18/10/2012, 00:00

Not After

18/10/2015, 23:59

Subject

CN=Suzhen Zhou,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Individual Developer,O=No Organization Affiliation,L=Wuhan,ST=Hubei,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:c5:0f:e1:4f:38:d4:60:bb:79:cd:09:c4:9a:c8:49:3e:48:3f:8c
Signer

Actual PE Digest

01:c5:0f:e1:4f:38:d4:60:bb:79:cd:09:c4:9a:c8:49:3e:48:3f:8c

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

KeClearEvent
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
ExAllocatePool
ExFreePool
NtQuerySystemInformation

hal

HalReturnToFirmware
HalMakeBeep

fltmgr.sys

FltParseFileNameInformation

Sections

.text
Size: - Virtual size: 160KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 261KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.upx0
Size: - Virtual size: 4.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.upx1
Size: 4.5MB - Virtual size: 4.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 124B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 892B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

72bf8ee4914ead086ad2ddd3f84911be

Code Sign

13:a6:91:b1:48:e6:d8:d0:89:1f:88:8e:66:05:e0:ddCertificate

Extended Key Usages

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

01:c5:0f:e1:4f:38:d4:60:bb:79:cd:09:c4:9a:c8:49:3e:48:3f:8cSigner

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

hal

fltmgr.sys

Sections

.text Size: - Virtual size: 160KB

.rdata Size: - Virtual size: 9KB

.data Size: - Virtual size: 261KB

.pdata Size: - Virtual size: 4KB

INIT Size: - Virtual size: 5KB

.upx0 Size: - Virtual size: 4.5MB

.upx1 Size: 4.5MB - Virtual size: 4.5MB

.reloc Size: 512B - Virtual size: 124B

.rsrc Size: 1024B - Virtual size: 892B

13:a6:91:b1:48:e6:d8:d0:89:1f:88:8e:66:05:e0:dd
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

01:c5:0f:e1:4f:38:d4:60:bb:79:cd:09:c4:9a:c8:49:3e:48:3f:8c
Signer

.text
Size: - Virtual size: 160KB

.rdata
Size: - Virtual size: 9KB

.data
Size: - Virtual size: 261KB

.pdata
Size: - Virtual size: 4KB

INIT
Size: - Virtual size: 5KB

.upx0
Size: - Virtual size: 4.5MB

.upx1
Size: 4.5MB - Virtual size: 4.5MB

.reloc
Size: 512B - Virtual size: 124B

.rsrc
Size: 1024B - Virtual size: 892B