Rootkit[.]Win32[.]Agent[.]elxv-9f32569d88ee2340db23e6548912a63767a6778877bf0576738836beb3f09b62

Sharing

Copy URL Twitter E-mail

General

Target

Rootkit.Win32.Agent.elxv-9f32569d88ee2340db23e6548912a63767a6778877bf0576738836beb3f09b62
Size

456KB
MD5

50905dc12233069af745bb10708f786b
SHA1

a42a371f366935cd460e2b95e38c15dc5be464d5
SHA256

9f32569d88ee2340db23e6548912a63767a6778877bf0576738836beb3f09b62
SHA512

991ae134cd9ff0f3777a5c3d7822d23656cf02e747f98216a7e966197cbde6132a6678ef80f5f5e48eac1e4e36de288f1041d62ac71780841af2f547c4ff07de
SSDEEP

6144:OflfAsiL4lIJjiJcbI03GBc3ucY5DCSjXAflfAsiL4lI2:OflfAsiVGjSGecvXAflfAsi6

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Rootkit.Win32.Agent.elxv-9f32569d88ee2340db23e6548912a63767a6778877bf0576738836beb3f09b62

Files

Rootkit.Win32.Agent.elxv-9f32569d88ee2340db23e6548912a63767a6778877bf0576738836beb3f09b62
.exe windows:5 windows x86 arch:x86

52a948b5de7cc38ae8e6110ce48389ff

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

f:\软件工程\驱动编程\OK\KernelYK\bin\InstallSYS.pdb

Imports

kernel32

GetModuleFileNameW
CreateFileW
MultiByteToWideChar
GetLastError
GetProcAddress
Process32FirstW
ReadFile
Process32NextW
CreateToolhelp32Snapshot
WinExec
CloseHandle
DeleteFileW
GetVersionExW
Sleep
LoadLibraryW
WriteFile
GetTickCount
WaitForSingleObject
GetCurrentProcess
UnmapViewOfFile
MapViewOfFile
GetFileSize
CreateFileA
CreateFileMappingW
ExitProcess
GetFileAttributesA
HeapFree
HeapAlloc
GetStartupInfoW
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapCreate
VirtualFree
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
HeapReAlloc
GetModuleHandleW
GetStdHandle
GetModuleFileNameA
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
LCMapStringW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
SetHandleCount
GetFileType
GetStartupInfoA
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
InitializeCriticalSectionAndSpinCount
RtlUnwind
LoadLibraryA
LCMapStringA
WideCharToMultiByte
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
HeapSize
CreateDirectoryA

advapi32

AdjustTokenPrivileges
ChangeServiceConfigW
StartServiceW
LookupPrivilegeValueW
RegCreateKeyExW
OpenServiceW
OpenSCManagerW
OpenProcessToken
CloseServiceHandle
CreateServiceW
RegSetValueExW

netapi32

NetUserDel

imagehlp

CheckSumMappedFile

Sections

.text
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 302KB - Virtual size: 306KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

52a948b5de7cc38ae8e6110ce48389ff

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

advapi32

netapi32

imagehlp

Sections

.text Size: 32KB - Virtual size: 32KB

.rdata Size: 10KB - Virtual size: 9KB

.data Size: 302KB - Virtual size: 306KB

.rsrc Size: 10KB - Virtual size: 10KB

.reloc Size: 4KB - Virtual size: 4KB

.text
Size: 32KB - Virtual size: 32KB

.rdata
Size: 10KB - Virtual size: 9KB

.data
Size: 302KB - Virtual size: 306KB

.rsrc
Size: 10KB - Virtual size: 10KB

.reloc
Size: 4KB - Virtual size: 4KB