b4c5fb8d0b6002226b6f860c77c2dc9471670145dd4bb60715794cb9cc6663aa

Sharing

Copy URL Twitter E-mail

General

Target

b4c5fb8d0b6002226b6f860c77c2dc9471670145dd4bb60715794cb9cc6663aa
Size

325KB
MD5

ac8aa0c1fe3ca4caf6227972feeec31f
SHA1

320d42c98de4be34626a4aa37e14a8a474c73d1f
SHA256

b4c5fb8d0b6002226b6f860c77c2dc9471670145dd4bb60715794cb9cc6663aa
SHA512

8bf088a476359f4574ee0b5d85c580f89674e6208d08641d16c77f5fa29b855d250a41a6015c49b1c5079302bca9af37a169a7c28e706595c23abfbc0ec08f8a
SSDEEP

6144:JhqHasxIRMuheyaE12uzDC0nWJu3K70cHy4Fwiv2gAknu5zfB8VOR6gAc9ObK2H7:WfxIRdtaS2xH5DyrU

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
b4c5fb8d0b6002226b6f860c77c2dc9471670145dd4bb60715794cb9cc6663aa

Files

b4c5fb8d0b6002226b6f860c77c2dc9471670145dd4bb60715794cb9cc6663aa
.sys windows:6 windows x86

80f1503360150bb984c54590710a82c5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

ObQueryNameString
RtlImageNtHeader
RtlMultiByteToUnicodeN
IoGetDeviceObjectPointer
KeInitializeEvent
ProbeForRead
ProbeForWrite
PsSetCreateProcessNotifyRoutine
ExInitializeResourceLite
ExAcquireResourceSharedLite
KeEnterCriticalRegion
ExAcquireResourceExclusiveLite
KeLeaveCriticalRegion
ExReleaseResourceLite
ExDeleteResourceLite
RtlInsertElementGenericTable
RtlLookupElementGenericTable
RtlDeleteElementGenericTable
RtlEnumerateGenericTable
RtlInitializeGenericTable
CmRegisterCallback
MmHighestUserAddress
ZwFreeVirtualMemory
ZwAllocateVirtualMemory
PsLookupThreadByThreadId
PsGetCurrentThreadId
KeDelayExecutionThread
PsCreateSystemThread
MmSystemRangeStart
PsSetLoadImageNotifyRoutine
RtlUpcaseUnicodeString
wcsnlen
ZwDeleteValueKey
ZwCreateKey
ZwSetValueKey
RtlCompressBuffer
RtlGetCompressionWorkSpaceSize
wcschr
ZwQueryValueKey
RtlDecompressBuffer
IoGetDeviceAttachmentBaseRef
ZwReadFile
RtlAppendUnicodeStringToString
InterlockedPopEntrySList
InterlockedPushEntrySList
ExDeletePagedLookasideList
ExInitializePagedLookasideList
RtlAppendUnicodeToString
CmUnRegisterCallback
ZwWriteFile
ZwSetInformationFile
ZwDeleteFile
ZwQueryInformationFile
IoFreeMdl
MmUnlockPages
MmMapLockedPagesSpecifyCache
MmProbeAndLockPages
IoAllocateMdl
MmUnmapLockedPages
ZwOpenFile
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
RtlCreateUnicodeString
_wcsicmp
wcsncpy
wcsncmp
RtlGetVersion
RtlIntegerToUnicodeString
RtlUnicodeStringToInteger
ZwEnumerateKey
ZwQueryKey
_allmul
KeTickCount
wcsrchr
ExInitializeRundownProtection
PsIsSystemThread
IoGetTopLevelIrp
RtlPrefixUnicodeString
ZwQuerySymbolicLinkObject
MmIsAddressValid
KeSetEvent
ZwSetInformationThread
ExAcquireRundownProtection
ExReleaseRundownProtection
ExWaitForRundownProtectionRelease
KeResetEvent
KeWaitForSingleObject
KeInitializeSemaphore
KeWaitForMultipleObjects
KeReleaseSemaphore
_alldiv
memmove
ZwQueryInformationProcess
ObOpenObjectByPointer
ExSystemTimeToLocalTime
PsGetVersion
KeQuerySystemTime
RtlInitAnsiString
_wcsnicmp
CmKeyObjectType
MmUserProbeAddress
IoFileObjectType
_chkstk
ZwTerminateProcess
ZwOpenProcess
FsRtlDissectName
RtlDeleteElementGenericTableAvl
RtlInitializeGenericTableAvl
RtlLookupElementGenericTableAvl
RtlInsertElementGenericTableAvl
RtlGetElementGenericTableAvl
KeQueryTimeIncrement
ExSemaphoreObjectType
ExfInterlockedInsertTailList
ExfInterlockedRemoveHeadList
KeBugCheckEx
RtlUnwind
ObfReferenceObject
ZwOpenKey
RtlCompareMemory
KeGetCurrentThread
RtlCopyUnicodeString
RtlCompareUnicodeString
PsTerminateSystemThread
IoGetCurrentProcess
PsInitialSystemProcess
PsProcessType
PsGetProcessId
PsLookupProcessByProcessId
ExGetPreviousMode
PsThreadType
ObReferenceObjectByHandle
ObfDereferenceObject
memcpy
IoThreadToProcess
PsGetProcessInheritedFromUniqueProcessId
RtlHashUnicodeString
PsGetThreadProcessId
RtlEqualUnicodeString
InitSafeBootMode
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoRegisterShutdownNotification
MmGetSystemRoutineAddress
RtlInitUnicodeString
PsGetCurrentProcessId
IofCompleteRequest
ZwCreateFile
ZwDeviceIoControlFile
ZwClose
_vsnwprintf
memset
ZwDeleteKey
PsIsThreadTerminating
KeInsertQueueApc
KeInitializeApc
FsRtlIsNameInExpression
RtlFreeAnsiString
FsRtlIsDbcsInExpression
RtlUnicodeStringToAnsiString
ZwQuerySystemInformation
PsGetProcessCreateTimeQuadPart
KeUnstackDetachProcess
KeStackAttachProcess
PsGetProcessPeb
ZwUnmapViewOfSection
ZwMapViewOfSection
ZwCreateSection
PsGetCurrentThreadTeb
ZwEnumerateValueKey
IoAllocateIrp
IoGetBaseFileSystemDeviceObject
IoFreeIrp
IoCreateFile
ZwSetInformationObject
ZwQueryObject
ZwDuplicateObject
RtlQueryRegistryValues
KeAreApcsDisabled
ExRaiseStatus
IoVolumeDeviceToDosName
IoGetRelatedDeviceObject
IoCreateFileSpecifyDeviceObjectHint
ZwQueryDirectoryFile
_allshl
_aullshr
ExAllocatePoolWithTag
ZwOpenSymbolicLinkObject
ExFreePoolWithTag

hal

KfAcquireSpinLock
KfReleaseSpinLock
ExAcquireFastMutex
ExReleaseFastMutex
KeGetCurrentIrql

fltmgr.sys

FltDeletePushLock
FltRegisterFilter
FltGetFileNameInformationUnsafe
FltCreateFile
FltClose
FltSendMessage
FltQueryInformationFile
FltGetDestinationFileNameInformation
FltParseFileNameInformation
FltSetStreamContext
FltAllocateContext
FltGetVolumeContext
FltGetStreamContext
FltGetRequestorProcessId
FltGetRequestorProcess
FltReadFile
FltGetVolumeProperties
FltSetVolumeContext
FltReleaseContext
FltGetVolumeName
FltAcquirePushLockExclusive
FltAcquirePushLockShared
FltReleasePushLock
FltInitializePushLock
FltGetFileNameInformation
FltReleaseFileNameInformation
FltBuildDefaultSecurityDescriptor
FltCreateCommunicationPort
FltFreeSecurityDescriptor
FltCloseClientPort
FltStartFiltering

Sections

.text
Size: 282KB - Virtual size: 281KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 13KB - Virtual size: 50KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 800B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

80f1503360150bb984c54590710a82c5

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

hal

fltmgr.sys

Sections

.text Size: 282KB - Virtual size: 281KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 13KB - Virtual size: 50KB

INIT Size: 6KB - Virtual size: 6KB

.rsrc Size: 1024B - Virtual size: 800B

.reloc Size: 16KB - Virtual size: 15KB

.text
Size: 282KB - Virtual size: 281KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 13KB - Virtual size: 50KB

INIT
Size: 6KB - Virtual size: 6KB

.rsrc
Size: 1024B - Virtual size: 800B

.reloc
Size: 16KB - Virtual size: 15KB