1037be3e2a5390dc64f4699167732c6c1ce0766fc3a4d26987949396d53b5414

Sharing

Copy URL

Twitter E-mail

General

Target

1037be3e2a5390dc64f4699167732c6c1ce0766fc3a4d26987949396d53b5414
Size

6.8MB
MD5

64d4511eaff6f0311eb5cf57a6f028bc
SHA1

636df0b59d0d11f1e7d6ae81bd632f3f6edaf5d9
SHA256

1037be3e2a5390dc64f4699167732c6c1ce0766fc3a4d26987949396d53b5414
SHA512

e4c619b7db3e811ebf88775626492ee1bdc0a68e0dbff27670d339f455403864a1da85702667fc02c7df941dc2891c115bba25d856c58ce2a95a67dfc6414b90
SSDEEP

196608:H/J06TVDcZZ2TBeYI/nUnDoSgt840dyC7OylqvlX:HNVDcZcej/nUnsG4qyKblEN

Score

3^/10

Malware Config

Signatures

Unsigned PE 5 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Redirector.bin
unpack001/RouteHelper.bin
unpack001/aiodns.bin
unpack001/nfapi.dll
unpack001/tun2socks.bin

Files

1037be3e2a5390dc64f4699167732c6c1ce0766fc3a4d26987949396d53b5414
.zip
GeoLite2-Country.mmdb
README.md
Redirector.bin
.dll windows:6 windows x64

ebb1a9b3972bc5c392815a73ccf5e801

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

nfapi

nf_tcpDisableFiltering
nf_unRegisterDriver
nf_registerDriver
nf_adjustProcessPriviledges
nf_addRule
nf_free
nf_init
nf_setIPEventHandler
nf_deleteRules
nf_ipPostReceive
nf_ipPostSend
nf_getProcessNameFromKernel
nf_getProcessNameW
nf_tcpPostSend
nf_udpPostSend
nf_tcpPostReceive
nf_udpDisableFiltering
nf_udpPostReceive

ws2_32

setsockopt
accept
listen
getpeername
getsockname
WSAIoctl
WSAConnectByNameW
send
recv
WSAGetLastError
WSACleanup
WSAStartup
WSAAddressToStringW
htonl
bind
closesocket
select
inet_pton
socket
recvfrom
htons
sendto

kernel32

WriteConsoleW
CreateFileW
HeapSize
ReadConsoleW
SetStdHandle
GetProcessHeap
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
GetACP
IsValidCodePage
FindNextFileW
FindFirstFileExW
FindClose
ReadFile
GetConsoleMode
GetConsoleOutputCP
WriteFile
FlushFileBuffers
SetFilePointerEx
GetFileSizeEx
HeapReAlloc
GetFileType
GetStdHandle
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
HeapFree
HeapAlloc
GetLongPathNameW
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
CloseHandle
GetCurrentProcessId
MultiByteToWideChar
WideCharToMultiByte
GetModuleFileNameW
GetCurrentThreadId
Sleep
GetStringTypeW
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
TryEnterCriticalSection
DeleteCriticalSection
QueryPerformanceCounter
QueryPerformanceFrequency
CompareStringEx
EncodePointer
DecodePointer
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetSystemTimeAsFileTime
RtlUnwind
GetModuleHandleW
GetProcAddress
LCMapStringEx
GetCPInfo
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
InitializeSListHead
RtlUnwindEx
RtlPcToFileHeader
RaiseException
InterlockedFlushSList
GetLastError
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
CreateThread
ExitThread
FreeLibraryAndExitThread
GetModuleHandleExW
ExitProcess

Exports

Exports

aio_dial
aio_free
aio_getDL
aio_getUP
aio_init
aio_register
aio_unregister

Sections

.text
Size: 246KB - Virtual size: 245KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 94KB - Virtual size: 94KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
RouteHelper.bin
.dll windows:6 windows x64

2aebd8be42045a2b4f37cfe2e82233a8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

ws2_32

inet_pton

iphlpapi

DeleteIpForwardEntry2
NotifyUnicastIpAddressChange
CancelMibChangeNotify2
CreateIpForwardEntry2
AddIPAddress
InitializeUnicastIpAddressEntry
CreateUnicastIpAddressEntry
InitializeIpForwardEntry
ConvertInterfaceLuidToIndex

kernel32

GetCurrentProcessId
InitializeConditionVariable
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableCS
SleepConditionVariableSRW
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
TryEnterCriticalSection
DeleteCriticalSection
GetCurrentThreadId
QueryPerformanceCounter
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetSystemTimeAsFileTime
GetModuleHandleW
GetProcAddress
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
InitializeSListHead
RtlUnwindEx
RtlPcToFileHeader
RaiseException
InterlockedFlushSList
GetLastError
SetLastError
EncodePointer
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
ExitProcess
GetModuleHandleExW
GetModuleFileNameW
HeapAlloc
HeapFree
LCMapStringW
GetStdHandle
GetFileType
SetFilePointerEx
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
FlushFileBuffers
WriteFile
GetConsoleOutputCP
GetConsoleMode
SetStdHandle
GetStringTypeW
HeapSize
HeapReAlloc
CloseHandle
CreateFileW
WriteConsoleW

Exports

Exports

ConvertLuidToIndex
CreateIPv4
CreateRoute
CreateUnicastIP
DeleteRoute
WaitForUnicastIP

Sections

.text
Size: 71KB - Virtual size: 71KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 47KB - Virtual size: 47KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
aiodns.bin
.dll windows:6 windows x64

a8c5ac845e1670a92b46f4f4aecae94c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

kernel32

AddVectoredExceptionHandler
CloseHandle
CreateEventA
CreateFileA
CreateIoCompletionPort
CreateThread
CreateWaitableTimerExW
DeleteCriticalSection
DuplicateHandle
EnterCriticalSection
ExitProcess
FreeEnvironmentStringsW
FreeLibrary
GetConsoleMode
GetEnvironmentStringsW
GetLastError
GetModuleHandleA
GetProcAddress
GetProcessAffinityMask
GetQueuedCompletionStatusEx
GetStdHandle
GetSystemDirectoryA
GetSystemInfo
GetThreadContext
InitializeCriticalSection
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
MultiByteToWideChar
PostQueuedCompletionStatus
ResumeThread
SetConsoleCtrlHandler
SetErrorMode
SetEvent
SetProcessPriorityBoost
SetThreadContext
SetUnhandledExceptionFilter
SetWaitableTimer
Sleep
SuspendThread
SwitchToThread
TlsGetValue
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
WriteConsoleW
WriteFile

msvcrt

___lc_codepage_func
___mb_cur_max_func
__iob_func
_amsg_exit
_beginthread
_errno
_initterm
_lock
_unlock
abort
calloc
fputc
free
fwrite
localeconv
malloc
memcpy
memset
realloc
strerror
strlen
strncmp
vfprintf
wcslen

Exports

Exports

_cgo_dummy_export
aiodns_dial
aiodns_free
aiodns_init

Sections

.text
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 134KB - Virtual size: 134KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 1.8MB - Virtual size: 1.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.eh_fram
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 379KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 145B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 31KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
aiodns.conf
nfapi.dll
.dll windows:6 windows x64

5728c90b74457950666147b0a19f4364

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
WaitForSingleObject
CreateEventA
GetCurrentProcessId
OpenProcess
CancelIo
GetTickCount
GetModuleHandleA
GetProcAddress
WaitForMultipleObjects
CreateFileA
GetVersionExA
DeviceIoControl
GetOverlappedResult
SetLastError
GetLastError
CloseHandle
WriteFile
ReadFile
QueryDosDeviceW
GetLogicalDriveStringsW
GetDriveTypeW
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetSystemInfo
InitializeCriticalSection
FlushFileBuffers
WriteConsoleW
SetStdHandle
HeapFree
HeapAlloc
EncodePointer
DecodePointer
CreateThread
GetCurrentThreadId
ExitThread
LoadLibraryExW
RtlPcToFileHeader
RaiseException
RtlUnwindEx
RtlLookupFunctionEntry
GetCommandLineA
GetProcessHeap
ExitProcess
GetModuleHandleExW
AreFileApisANSI
MultiByteToWideChar
GetStdHandle
GetModuleFileNameW
IsProcessorFeaturePresent
HeapSize
Sleep
IsDebuggerPresent
GetCurrentThread
RtlCaptureContext
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetModuleHandleW
CreateSemaphoreW
GetFileType
GetModuleFileNameA
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
WideCharToMultiByte
FatalAppExitA
FreeLibrary
SetConsoleCtrlHandler
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
OutputDebugStringW
LoadLibraryW
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
HeapReAlloc
GetConsoleCP
GetConsoleMode
SetFilePointerEx
GetStringTypeW
CreateFileW

advapi32

QueryServiceStatus
OpenServiceA
OpenSCManagerA
DeleteService
CreateServiceW
CloseServiceHandle
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
LookupPrivilegeValueA
AdjustTokenPrivileges
OpenProcessToken
StartServiceA

psapi

GetModuleFileNameExA
GetModuleFileNameExW

Exports

Exports

nf_addBindingRule
nf_addFlowCtl
nf_addRule
nf_addRuleEx
nf_adjustProcessPriviledges
nf_completeTCPConnectRequest
nf_completeUDPConnectRequest
nf_deleteBindingRules
nf_deleteFlowCtl
nf_deleteRules
nf_free
nf_getConnCount
nf_getDriverType
nf_getFlowCtlStat
nf_getProcessNameA
nf_getProcessNameFromKernel
nf_getProcessNameW
nf_getTCPConnInfo
nf_getTCPStat
nf_getUDPConnInfo
nf_getUDPStat
nf_init
nf_ipPostReceive
nf_ipPostSend
nf_modifyFlowCtl
nf_registerDriver
nf_registerDriverEx
nf_setIPEventHandler
nf_setOptions
nf_setRules
nf_setRulesEx
nf_setTCPFlowCtl
nf_setTCPTimeout
nf_setUDPFlowCtl
nf_tcpClose
nf_tcpDisableFiltering
nf_tcpIsProxy
nf_tcpPostReceive
nf_tcpPostSend
nf_tcpSetConnectionState
nf_tcpSetSockOpt
nf_udpDisableFiltering
nf_udpPostReceive
nf_udpPostSend
nf_udpSetConnectionState
nf_unRegisterDriver

Sections

.text
Size: 262KB - Virtual size: 262KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 84KB - Virtual size: 83KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
nfdriver.sys
.sys windows:6 windows x64

1706dee497703c21fceedde9aa0f1135

Code Sign

33:00:00:00:4d:e5:97:a7:75:e3:15:7f:7b:00:00:00:00:00:4d
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

09/09/2021, 19:15

Not After

01/09/2022, 19:15

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/10/2014, 20:31

Not After

15/10/2029, 20:41

Subject

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

5a:36:1b:56:a5:fa:d6:37:04:b9:5a:de:0c:92:d8:bb:f5:e0:32:a2:d9:9f:b4:6f:b3:68:a1:58:6f:81:37:b0
Signer

Actual PE Digest

5a:36:1b:56:a5:fa:d6:37:04:b9:5a:de:0c:92:d8:bb:f5:e0:32:a2:d9:9f:b4:6f:b3:68:a1:58:6f:81:37:b0

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

fwpkclnt.sys

FwpsFreeNetBufferList0

ndis.sys

NdisFreeGenericObject
NdisFreeNetBufferListPool
NdisRetreatNetBufferDataStart
NdisAdvanceNetBufferDataStart
NdisGetDataBuffer
NdisAllocateGenericObject
NdisInitializeEvent
NdisWaitEvent
NdisAllocateNetBufferListPool

ntoskrnl.exe

RtlCompareMemory
KeAcquireInStackQueuedSpinLock
KeReleaseInStackQueuedSpinLock
ExAllocatePoolWithTag
ExUuidCreate
swprintf_s
__C_specific_handler
RtlInitUnicodeString
MmGetSystemRoutineAddress
RtlAppendUnicodeToString
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
KeInitializeEvent
KeSetEvent
KeWaitForSingleObject
ExFreePoolWithTag
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
MmBuildMdlForNonPagedPool
MmMapLockedPagesSpecifyCache
MmUnmapLockedPages
MmAllocatePagesForMdl
MmFreePagesFromMdl
PsCreateSystemThread
PsTerminateSystemThread
IoAllocateMdl
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
IoFreeMdl
IoReleaseCancelSpinLock
ObReferenceObjectByHandle
ObfDereferenceObject
ZwClose
ZwOpenKey
ZwQueryValueKey
PsGetCurrentProcessId
ZwSetInformationThread
RtlLengthSid
RtlCreateAcl
RtlAddAccessAllowedAce
PsLookupProcessByProcessId
ObOpenObjectByPointer
ZwSetSecurityObject
SeExports
RtlGetVersion
RtlValidSid
_stricmp
ExAllocatePool
ZwQuerySystemInformation
KeBugCheckEx

Sections

.text
Size: 63KB - Virtual size: 62KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 524B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
stun.txt
tun2socks.bin
.dll windows:6 windows x64

48668b795f91a48a285b116fb4713f10

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

advapi32

CryptAcquireContextA
CryptGenRandom

kernel32

AddVectoredExceptionHandler
CloseHandle
CreateEventA
CreateFileA
CreateIoCompletionPort
CreateThread
CreateWaitableTimerExW
DeleteCriticalSection
DuplicateHandle
EnterCriticalSection
ExitProcess
FreeEnvironmentStringsW
GetConsoleMode
GetEnvironmentStringsW
GetLastError
GetProcAddress
GetProcessAffinityMask
GetQueuedCompletionStatusEx
GetStdHandle
GetSystemDirectoryA
GetSystemInfo
GetThreadContext
InitializeCriticalSection
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
MultiByteToWideChar
PostQueuedCompletionStatus
QueryPerformanceCounter
QueryPerformanceFrequency
ResumeThread
SetConsoleCtrlHandler
SetErrorMode
SetEvent
SetProcessPriorityBoost
SetThreadContext
SetUnhandledExceptionFilter
SetWaitableTimer
Sleep
SuspendThread
SwitchToThread
TlsAlloc
TlsGetValue
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
WriteConsoleW
WriteFile

msvcrt

___lc_codepage_func
___mb_cur_max_func
__iob_func
_amsg_exit
_beginthread
_errno
_initterm
_lock
_unlock
abort
atoi
calloc
fflush
fputc
free
fwrite
islower
isspace
isxdigit
localeconv
malloc
memcpy
memmove
memset
realloc
strerror
strlen
strncmp
vfprintf
wcslen

Exports

Exports

_cgo_dummy_export
output
tcpAcceptFn
tcpErrFn
tcpPollFn
tcpRecvFn
tcpSentFn
tun_dial
tun_free
tun_getDL
tun_getUP
tun_init
tun_luid
udpRecvFn

Sections

.text
Size: 2.2MB - Virtual size: 2.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 221KB - Virtual size: 221KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 2.0MB - Virtual size: 2.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 385KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 336B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 85KB - Virtual size: 85KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
wintun.dll
.dll windows:6 windows x64

fb80e633863ed8c533980106499de45f

Code Sign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:20:4d:b4:00:00:00:00:00:27
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:45

Not After

15/04/2021, 19:55

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

06:63:d5:fc:a7:28:88:2f:36:ff:1b:df:5d:85:f0:ba
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

10/12/2018, 00:00

Not After

14/12/2021, 12:00

Subject

SERIALNUMBER=4227913,CN=WireGuard LLC,O=WireGuard LLC,L=Boulder,ST=Colorado,C=US,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#13044f68696f,1.3.6.1.4.1.311.60.2.1.3=#13025553

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

4c:10:de:e7:af:ba:16:25:93:1d:49:8c:07:df:03:56:ad:e6:c8:26:ad:03:25:f2:28:26:42:04:cb:66:3d:eb
Signer

Actual PE Digest

4c:10:de:e7:af:ba:16:25:93:1d:49:8c:07:df:03:56:ad:e6:c8:26:ad:03:25:f2:28:26:42:04:cb:66:3d:eb

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

ntdll

RtlUnwindEx
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlGetNtVersionNumbers
NtQueryKey
RtlNtStatusToDosError
NtQuerySystemInformation
RtlPcToFileHeader

kernel32

RaiseException
GetConsoleMode
GetConsoleOutputCP
WriteConsoleW
HeapCreate
GetCurrentProcess
LoadLibraryExA
CloseHandle
HeapDestroy
GetProcAddress
LocalFree
GetModuleHandleW
IsWow64Process
HeapFree
SetLastError
DeviceIoControl
RemoveDirectoryW
CreateFileW
Sleep
GetLastError
DeleteFileW
HeapAlloc
FormatMessageW
EnterCriticalSection
CreatePrivateNamespaceW
OpenPrivateNamespaceW
LeaveCriticalSection
InitializeCriticalSection
CreateBoundaryDescriptorW
CreateMutexW
WaitForSingleObject
ReleaseMutex
ClosePrivateNamespace
AddSIDToBoundaryDescriptor
NormalizeString
DeleteCriticalSection
DeleteBoundaryDescriptor
ExpandEnvironmentStringsW
CreateEventW
GetTickCount64
HeapReAlloc
CreateDirectoryW
SizeofResource
WriteFile
LockResource
LoadResource
FindResourceW
GetWindowsDirectoryW
VirtualFree
VirtualAlloc
InitializeCriticalSectionAndSpinCount
SetEvent
ReadFile
SetHandleInformation
GetCommandLineW
GetStdHandle
CreatePipe
GetExitCodeThread
CreateThread
CreateProcessW
FlushFileBuffers
HeapSize
SetStdHandle
SetFilePointerEx
GetProcessHeap
GetSystemInfo
VirtualProtect
VirtualQuery
FreeLibrary
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
InterlockedFlushSList
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
EncodePointer
ExitProcess
GetModuleHandleExW
GetModuleFileNameW
GetFileType
GetStringTypeW
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
LCMapStringW

Exports

Exports

CreateAdapter
DeleteAdapter
DeletePoolDriver
WintunAllocateSendPacket
WintunCreateAdapter
WintunDeleteAdapter
WintunDeletePoolDriver
WintunEndSession
WintunEnumAdapters
WintunFreeAdapter
WintunGetAdapterLUID
WintunGetAdapterName
WintunGetReadWaitEvent
WintunGetRunningDriverVersion
WintunOpenAdapter
WintunReceivePacket
WintunReleaseReceivePacket
WintunSendPacket
WintunSetAdapterName
WintunSetLogger
WintunStartSession

Sections

.text
Size: 117KB - Virtual size: 116KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 66KB - Virtual size: 66KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 552B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_RDATA
Size: 512B - Virtual size: 252B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 500KB - Virtual size: 499KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ebb1a9b3972bc5c392815a73ccf5e801

Headers

DLL Characteristics

File Characteristics

Imports

nfapi

ws2_32

kernel32

Exports

Exports

Sections

.text Size: 246KB - Virtual size: 245KB

.rdata Size: 94KB - Virtual size: 94KB

.data Size: 6KB - Virtual size: 13KB

.pdata Size: 13KB - Virtual size: 13KB

_RDATA Size: 512B - Virtual size: 348B

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 3KB - Virtual size: 2KB

2aebd8be42045a2b4f37cfe2e82233a8

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

iphlpapi

kernel32

Exports

Exports

Sections

.text Size: 71KB - Virtual size: 71KB

.rdata Size: 47KB - Virtual size: 47KB

.data Size: 3KB - Virtual size: 8KB

.pdata Size: 5KB - Virtual size: 4KB

_RDATA Size: 512B - Virtual size: 348B

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 2KB - Virtual size: 1KB

a8c5ac845e1670a92b46f4f4aecae94c

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

msvcrt

Exports

Exports

Sections

.text Size: 2.1MB - Virtual size: 2.1MB

.data Size: 134KB - Virtual size: 134KB

.rdata Size: 1.8MB - Virtual size: 1.8MB

.eh_fram Size: 512B - Virtual size: 4B

.pdata Size: 1KB - Virtual size: 1KB

.xdata Size: 1KB - Virtual size: 1KB

.bss Size: - Virtual size: 379KB

.edata Size: 512B - Virtual size: 145B

.idata Size: 3KB - Virtual size: 2KB

.CRT Size: 512B - Virtual size: 88B

.tls Size: 512B - Virtual size: 16B

.reloc Size: 31KB - Virtual size: 30KB

5728c90b74457950666147b0a19f4364

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

psapi

Exports

Exports

Sections

.text Size: 262KB - Virtual size: 262KB

.rdata Size: 84KB - Virtual size: 83KB

.data Size: 8KB - Virtual size: 21KB

.pdata Size: 14KB - Virtual size: 13KB

.idata Size: 5KB - Virtual size: 5KB

.rsrc Size: 1KB - Virtual size: 1KB

.text
Size: 246KB - Virtual size: 245KB

.rdata
Size: 94KB - Virtual size: 94KB

.data
Size: 6KB - Virtual size: 13KB

.pdata
Size: 13KB - Virtual size: 13KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 3KB - Virtual size: 2KB

.text
Size: 71KB - Virtual size: 71KB

.rdata
Size: 47KB - Virtual size: 47KB

.data
Size: 3KB - Virtual size: 8KB

.pdata
Size: 5KB - Virtual size: 4KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 2KB - Virtual size: 1KB

.text
Size: 2.1MB - Virtual size: 2.1MB

.data
Size: 134KB - Virtual size: 134KB

.rdata
Size: 1.8MB - Virtual size: 1.8MB

.eh_fram
Size: 512B - Virtual size: 4B

.pdata
Size: 1KB - Virtual size: 1KB

.xdata
Size: 1KB - Virtual size: 1KB

.bss
Size: - Virtual size: 379KB

.edata
Size: 512B - Virtual size: 145B

.idata
Size: 3KB - Virtual size: 2KB

.CRT
Size: 512B - Virtual size: 88B

.tls
Size: 512B - Virtual size: 16B

.reloc
Size: 31KB - Virtual size: 30KB

.text
Size: 262KB - Virtual size: 262KB

.rdata
Size: 84KB - Virtual size: 83KB

.data
Size: 8KB - Virtual size: 21KB

.pdata
Size: 14KB - Virtual size: 13KB

.idata
Size: 5KB - Virtual size: 5KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 3KB

33:00:00:00:4d:e5:97:a7:75:e3:15:7f:7b:00:00:00:00:00:4d
Certificate

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

5a:36:1b:56:a5:fa:d6:37:04:b9:5a:de:0c:92:d8:bb:f5:e0:32:a2:d9:9f:b4:6f:b3:68:a1:58:6f:81:37:b0
Signer

.text
Size: 63KB - Virtual size: 62KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 2KB - Virtual size: 6KB

.pdata
Size: 2KB - Virtual size: 2KB

INIT
Size: 2KB - Virtual size: 2KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 1024B - Virtual size: 524B

.text
Size: 2.2MB - Virtual size: 2.2MB

.data
Size: 221KB - Virtual size: 221KB

.rdata
Size: 2.0MB - Virtual size: 2.0MB

.pdata
Size: 6KB - Virtual size: 5KB

.xdata
Size: 5KB - Virtual size: 4KB

.bss
Size: - Virtual size: 385KB

.edata
Size: 512B - Virtual size: 336B

.idata
Size: 3KB - Virtual size: 3KB

.CRT
Size: 512B - Virtual size: 88B

.tls
Size: 512B - Virtual size: 16B

.reloc
Size: 85KB - Virtual size: 85KB

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

61:20:4d:b4:00:00:00:00:00:27
Certificate

06:63:d5:fc:a7:28:88:2f:36:ff:1b:df:5d:85:f0:ba
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

4c:10:de:e7:af:ba:16:25:93:1d:49:8c:07:df:03:56:ad:e6:c8:26:ad:03:25:f2:28:26:42:04:cb:66:3d:eb
Signer