MDE_File_Sample_66e95daee3d1244a029d7f3d91915f1f233d1916[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

MDE_File_Sample_66e95daee3d1244a029d7f3d91915f1f233d1916.zip
Size

12KB
MD5

977286f138aa7aa0a11928c9abb7dece
SHA1

33b08f612ef1ddb9b0e866cd2b74942874b9dab3
SHA256

d3e99a61a2f3b5fa24c48216dcc38fe4972e8acf7d3cae1f3366f0c429dd7742
SHA512

44f00fd2ebedf25193d6fab3635cf5ae953bb749be41cf265dcbf0b7b5423e1a0d81bd5dabbac5baa8b7f4907c2846acec19e341bee5ac6bf412d543b889daf0
SSDEEP

192:2KO5rs3KudipvZktLlrignd2gJpG6ktuOeXOzrJtOJk+JZZSfvWjW3ztLGgp7K:2KWGKuWcGgdHJpM/XJtQJhq3FGgpK

Score

1^/10

Malware Config

Signatures

Files

MDE_File_Sample_66e95daee3d1244a029d7f3d91915f1f233d1916.zip
.zip

Password: P@ssw0rd
RwDrv.sys
.sys windows:6 windows x64 arch:x64

955e7b12a8fa06444c68e54026c45de1

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

13/04/2019, 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:8f:56:da:fd:75:42:d5:f3:d7:0b:21:3e:2a:54:6c:ff
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

31/07/2012, 20:41

Not After

01/08/2013, 20:41

Subject

CN=ChongKim Chan,C=TW

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

61:29:15:27:00:00:00:00:00:2a
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:55

Not After

15/04/2021, 20:05

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

39:25:7f:b8:6d:f8:88:20:7e:4f:3a:77:68:56:1b:4a:b1:55:78:48
Signer

Actual PE Digest

39:25:7f:b8:6d:f8:88:20:7e:4f:3a:77:68:56:1b:4a:b1:55:78:48

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

d:\src\rw\rwxe3\rw\driver\objfre_win7_amd64\amd64\RwDrv.pdb

Imports

ntoskrnl.exe

IoDeleteSymbolicLink
ExFreePoolWithTag
IoRegisterPlugPlayNotification
MmFreeContiguousMemorySpecifyCache
RtlInitUnicodeString
IoDeleteDevice
IoFreeWorkItem
KeInitializeEvent
RtlQueryRegistryValues
KeReleaseSpinLock
MmUnmapIoSpace
IoFreeMdl
MmGetPhysicalAddress
IoGetDeviceObjectPointer
IoBuildAsynchronousFsdRequest
ExInterlockedInsertTailList
IoBuildDeviceIoControlRequest
MmMapIoSpace
IoUnregisterPlugPlayNotification
IofCompleteRequest
KeWaitForSingleObject
IoFreeIrp
RtlCompareMemory
MmUnlockPages
IoCreateSymbolicLink
RtlCopyUnicodeString
ObfDereferenceObject
IoCreateDevice
IoQueueWorkItem
MmAllocateContiguousMemorySpecifyCache
IofCallDriver
KeAcquireSpinLockRaiseToDpc
KeBugCheckEx
IoAllocateWorkItem
ExAllocatePoolWithTag

hal

KeStallExecutionProcessor

Sections

.text
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 764B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 272B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 276B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 880B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: P@ssw0rd

955e7b12a8fa06444c68e54026c45de1

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

04:00:00:00:00:01:2f:4e:e1:35:5cCertificate

Extended Key Usages

Key Usages

11:21:8f:56:da:fd:75:42:d5:f3:d7:0b:21:3e:2a:54:6c:ffCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

61:29:15:27:00:00:00:00:00:2aCertificate

Key Usages

39:25:7f:b8:6d:f8:88:20:7e:4f:3a:77:68:56:1b:4a:b1:55:78:48Signer

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

Sections

.text Size: 8KB - Virtual size: 8KB

.rdata Size: 1024B - Virtual size: 764B

.data Size: 512B - Virtual size: 272B

.pdata Size: 512B - Virtual size: 276B

INIT Size: 2KB - Virtual size: 1KB

.rsrc Size: 1024B - Virtual size: 880B

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

11:21:8f:56:da:fd:75:42:d5:f3:d7:0b:21:3e:2a:54:6c:ff
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

61:29:15:27:00:00:00:00:00:2a
Certificate

39:25:7f:b8:6d:f8:88:20:7e:4f:3a:77:68:56:1b:4a:b1:55:78:48
Signer

.text
Size: 8KB - Virtual size: 8KB

.rdata
Size: 1024B - Virtual size: 764B

.data
Size: 512B - Virtual size: 272B

.pdata
Size: 512B - Virtual size: 276B

INIT
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 880B