MDE_File_Sample_66e95daee3d1244a029d7f3d91915f1f233d1916[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

MDE_File_Sample_66e95daee3d1244a029d7f3d91915f1f233d1916.zip
Size

12KB
MD5

3da3e710a04ffb57c59039d580f45566
SHA1

992392724910608d194be3269204e778ee3671f2
SHA256

eb88f0cd2317640f0c3faf4ab56a342b89b32df8dc7694804a6f2d2103ebf0e3
SHA512

080472861658bee6d929ee4c2f8d80c6b48f94dedbc601fcf793cead56145a8a0432382cd8546ac23dfe82f20bc1731943f9135de26227b86ec348c2ebc0dad8
SSDEEP

192:5i3nBX98r5FCUBU1PyEnF7Xr84gVYUpAc/+3IXVsVEZRXzhSYhO9CWYV9ofD2m:g3i7s1P1Bg45kAc/+YFseZJWY62m

Score

1^/10

Malware Config

Signatures

Files

MDE_File_Sample_66e95daee3d1244a029d7f3d91915f1f233d1916.zip
.zip

Password: Rooter123
RwDrv.sys
.sys windows:6 windows x64 arch:x64

955e7b12a8fa06444c68e54026c45de1

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

13/04/2019, 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:8f:56:da:fd:75:42:d5:f3:d7:0b:21:3e:2a:54:6c:ff
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

31/07/2012, 20:41

Not After

01/08/2013, 20:41

Subject

CN=ChongKim Chan,C=TW

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

61:29:15:27:00:00:00:00:00:2a
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:55

Not After

15/04/2021, 20:05

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

39:25:7f:b8:6d:f8:88:20:7e:4f:3a:77:68:56:1b:4a:b1:55:78:48
Signer

Actual PE Digest

39:25:7f:b8:6d:f8:88:20:7e:4f:3a:77:68:56:1b:4a:b1:55:78:48

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

d:\src\rw\rwxe3\rw\driver\objfre_win7_amd64\amd64\RwDrv.pdb

Imports

ntoskrnl.exe

IoDeleteSymbolicLink
ExFreePoolWithTag
IoRegisterPlugPlayNotification
MmFreeContiguousMemorySpecifyCache
RtlInitUnicodeString
IoDeleteDevice
IoFreeWorkItem
KeInitializeEvent
RtlQueryRegistryValues
KeReleaseSpinLock
MmUnmapIoSpace
IoFreeMdl
MmGetPhysicalAddress
IoGetDeviceObjectPointer
IoBuildAsynchronousFsdRequest
ExInterlockedInsertTailList
IoBuildDeviceIoControlRequest
MmMapIoSpace
IoUnregisterPlugPlayNotification
IofCompleteRequest
KeWaitForSingleObject
IoFreeIrp
RtlCompareMemory
MmUnlockPages
IoCreateSymbolicLink
RtlCopyUnicodeString
ObfDereferenceObject
IoCreateDevice
IoQueueWorkItem
MmAllocateContiguousMemorySpecifyCache
IofCallDriver
KeAcquireSpinLockRaiseToDpc
KeBugCheckEx
IoAllocateWorkItem
ExAllocatePoolWithTag

hal

KeStallExecutionProcessor

Sections

.text
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 764B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 272B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 276B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 880B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: Rooter123

955e7b12a8fa06444c68e54026c45de1

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

04:00:00:00:00:01:2f:4e:e1:35:5cCertificate

Extended Key Usages

Key Usages

11:21:8f:56:da:fd:75:42:d5:f3:d7:0b:21:3e:2a:54:6c:ffCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

61:29:15:27:00:00:00:00:00:2aCertificate

Key Usages

39:25:7f:b8:6d:f8:88:20:7e:4f:3a:77:68:56:1b:4a:b1:55:78:48Signer

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

Sections

.text Size: 8KB - Virtual size: 8KB

.rdata Size: 1024B - Virtual size: 764B

.data Size: 512B - Virtual size: 272B

.pdata Size: 512B - Virtual size: 276B

INIT Size: 2KB - Virtual size: 1KB

.rsrc Size: 1024B - Virtual size: 880B

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

11:21:8f:56:da:fd:75:42:d5:f3:d7:0b:21:3e:2a:54:6c:ff
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

61:29:15:27:00:00:00:00:00:2a
Certificate

39:25:7f:b8:6d:f8:88:20:7e:4f:3a:77:68:56:1b:4a:b1:55:78:48
Signer

.text
Size: 8KB - Virtual size: 8KB

.rdata
Size: 1024B - Virtual size: 764B

.data
Size: 512B - Virtual size: 272B

.pdata
Size: 512B - Virtual size: 276B

INIT
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 880B