Rootkit[.]Win64[.]Agent[.]gen-5514d7c5a672b1366933d12a087b74a77ce4ac5c736eef9220da7673605f4e3b

Sharing

Copy URL Twitter E-mail

General

Target

Rootkit.Win64.Agent.gen-5514d7c5a672b1366933d12a087b74a77ce4ac5c736eef9220da7673605f4e3b
Size

28KB
MD5

ae367ad7aed971d0ef310dd4ae7d9dbc
SHA1

9e7d47695d277e923ded0e922d03528a337f939e
SHA256

5514d7c5a672b1366933d12a087b74a77ce4ac5c736eef9220da7673605f4e3b
SHA512

3ada040280e3b64e8751e822ee82dcedbe078339be9f3c415589fbfcfafa6a803e47f08a6a034e958714b5c7639f32965d623c6dd3d243fc106a25fdc5b55cad
SSDEEP

768:bD6uJ8omr0mhj7+7MWk1ZbCvMmlENAMxbf:b2XDKoWkpCvDmx

Score

1^/10

Malware Config

Signatures

Files

Rootkit.Win64.Agent.gen-5514d7c5a672b1366933d12a087b74a77ce4ac5c736eef9220da7673605f4e3b
.sys windows:10 windows x64 arch:x64

10b679e8878465a73bbbefd6c5f9a15a

Code Sign

11:ea:9b:47:ed:c5:35:77:34:0f:a1:4e:14:7e:91:32
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

22/02/2010, 00:00

Not After

22/02/2012, 23:59

Subject

CN=Xtreaming Technology Inc.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xtreaming Technology Inc.,L=Taichung,ST=Taiwan,C=TW

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

21/05/2009, 00:00

Not After

20/05/2019, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14/07/2023, 00:00

Not After

13/10/2034, 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

13:63:76:b7:1d:40:3e:07:3a:db:05:17:1d:59:ac:43:9b:0f:54:36
Signer

Actual PE Digest

13:63:76:b7:1d:40:3e:07:3a:db:05:17:1d:59:ac:43:9b:0f:54:36

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\Baat\Desktop\GPT 1.6\x64\Release\RWSafe.pdb

Imports

ntoskrnl.exe

_stricmp
strstr
RtlInitAnsiString
RtlInitUnicodeString
RtlAnsiStringToUnicodeString
RtlCompareUnicodeString
RtlEqualUnicodeString
DbgPrint
RtlGetVersion
ExAllocatePool
ExFreePoolWithTag
MmBuildMdlForNonPagedPool
MmMapLockedPages
MmUnmapLockedPages
MmCreateMdl
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoFreeMdl
ObReferenceObjectByHandleWithTag
ObCloseHandle
ObfDereferenceObject
ZwOpenFile
ZwClose
ZwCreateSection
ZwMapViewOfSection
ZwUnmapViewOfSection
RtlCompareString
MmIsAddressValid
PsGetProcessCreateTimeQuadPart
IoRegisterDriverReinitialization
IoCreateFileEx
ZwTerminateProcess
KeStackAttachProcess
KeUnstackDetachProcess
PsLookupProcessByProcessId
PsLookupThreadByThreadId
MmFlushImageSection
ObOpenObjectByPointer
ObMakeTemporaryObject
ZwDeleteFile
ZwAllocateVirtualMemory
ZwFreeVirtualMemory
ZwQueryVirtualMemory
KeInitializeApc
KeInsertQueueApc
PsGetProcessPeb
PsSuspendProcess
PsResumeProcess
PsGetProcessWow64Process
RtlImageNtHeader
ObReferenceObjectByName
ZwQuerySystemInformation
IoFileObjectType
PsInitialSystemProcess
IoDriverObjectType
MmGetSystemRoutineAddress
IoAllocateMdl
RtlPcToFileHeader

Sections

.text
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 160B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 516B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 20B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

10b679e8878465a73bbbefd6c5f9a15a

Code Sign

11:ea:9b:47:ed:c5:35:77:34:0f:a1:4e:14:7e:91:32Certificate

Extended Key Usages

Key Usages

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5cCertificate

Extended Key Usages

Key Usages

61:0c:12:06:00:00:00:00:00:1bCertificate

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16Certificate

Extended Key Usages

Key Usages

13:63:76:b7:1d:40:3e:07:3a:db:05:17:1d:59:ac:43:9b:0f:54:36Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

Sections

.text Size: 11KB - Virtual size: 10KB

.rdata Size: 2KB - Virtual size: 2KB

.data Size: 512B - Virtual size: 160B

.pdata Size: 1024B - Virtual size: 516B

INIT Size: 2KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 20B

11:ea:9b:47:ed:c5:35:77:34:0f:a1:4e:14:7e:91:32
Certificate

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

61:0c:12:06:00:00:00:00:00:1b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

13:63:76:b7:1d:40:3e:07:3a:db:05:17:1d:59:ac:43:9b:0f:54:36
Signer

.text
Size: 11KB - Virtual size: 10KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 512B - Virtual size: 160B

.pdata
Size: 1024B - Virtual size: 516B

INIT
Size: 2KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 20B