c30971c4c13f1862622031f4a4aa8f80

Sharing

Copy URL Twitter E-mail

General

Target

c30971c4c13f1862622031f4a4aa8f80
Size

353KB
MD5

c30971c4c13f1862622031f4a4aa8f80
SHA1

2bd2155cd1b457d43042db129dacc884bb4d1cbb
SHA256

5cf4edb3af917b1ad94fa3c7fc812611c5da24361ec3f88542f10aefdd0278b7
SHA512

a3481188970b517e4086f216a72f16a42182e5a322479bac0464735fb348adf8dba8e84af27396b1b36ef5026616d56d77561ac15e425df1a0e5abbe9f737c3a
SSDEEP

6144:bJVxTJMCOHOcecOeaVrith/CC/LxGh5wCQCzKLQ/xyBzo:bDxTl2OzryZCAQ4CQDQ/

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
c30971c4c13f1862622031f4a4aa8f80

Files

c30971c4c13f1862622031f4a4aa8f80
.sys windows:5 windows x86 arch:x86

be8f8048c4b29418508dc0c6096b5227

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

tcpip.pdb

Imports

hal

KfLowerIrql
KeRaiseIrqlToDpcLevel
KfReleaseSpinLock
KfAcquireSpinLock
KfRaiseIrql
KeGetCurrentIrql
KeQueryPerformanceCounter
ExAcquireFastMutex
ExReleaseFastMutex

ndis.sys

NdisCloseAdapter
NdisCancelSendPackets
NdisFreePacket
NdisUnchainBufferAtFront
NdisCompletePnPEvent
NdisFreePacketPool
NdisRequest
NdisAllocatePacket
NdisFreeMemory
NdisQueryAdapterInstanceName
NdisGetDriverHandle
NdisOpenAdapter
NdisAllocatePacketPoolEx
NdisGetReceivedPacket
NdisRegisterProtocol
NdisAllocateBuffer
NdisSetPacketPoolProtocolId
NdisReturnPackets
NdisCopyBuffer
NdisAllocateBufferPool
NdisFreeBufferPool
NdisReEnumerateProtocolBindings
NdisCompleteBindAdapter

ntoskrnl.exe

IoCreateDevice
_wcsicmp
wcscpy
wcsncpy
wcschr
ZwSetInformationThread
KeLeaveCriticalRegion
KeEnterCriticalRegion
KeQueryTimeIncrement
KeSetEvent
IoDeleteSymbolicLink
ExDeleteNPagedLookasideList
KeDelayExecutionThread
ZwOpenKey
KeSetTimerEx
KeInitializeTimer
KeInitializeDpc
ExInitializeNPagedLookasideList
MmLockPagableSectionByHandle
ZwQueryValueKey
ZwSetValueKey
InterlockedPopEntrySList
InterlockedPushEntrySList
ExIsProcessorFeaturePresent
RtlAddAccessAllowedAce
RtlCreateAcl
RtlLengthSid
SeExports
RtlMapGenericMask
IoGetFileObjectGenericMapping
ObReleaseObjectSecurity
SeSetSecurityDescriptorInfo
RtlLengthSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlCreateSecurityDescriptor
ObGetObjectSecurity
IofCallDriver
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
ObfDereferenceObject
RtlAddAce
RtlGetAce
IoCreateSymbolicLink
RtlInitializeSid
RtlLengthRequiredSid
ObSetSecurityObjectByPointer
RtlSelfRelativeToAbsoluteSD
RtlGetSaclSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlGetOwnerSecurityDescriptor
RtlGetDaclSecurityDescriptor
RtlVerifyVersionInfo
VerSetConditionMask
IoWMIRegistrationControl
IoGetCurrentProcess
KeInitializeTimerEx
RtlExtendedIntegerMultiply
KeQueryInterruptTime
_aulldiv
DbgBreakPoint
KeSetTargetProcessorDpc
RtlSetBit
SeUnlockSubjectContext
SeAccessCheck
SeLockSubjectContext
ObDereferenceSecurityDescriptor
PsGetCurrentProcessId
RtlWalkFrameChain
ExNotifyCallback
ExCreateCallback
ObReferenceObjectByHandle
MmUnlockPages
SeFreePrivileges
SeAppendPrivileges
ObLogSecurityDescriptor
SeAssignSecurity
IoFileObjectType
MmProbeAndLockPages
IoAllocateMdl
_except_handler3
ProbeForWrite
ObfReferenceObject
PsGetCurrentProcess
RtlPrefetchMemoryNonTemporal
KeInitializeMutex
MmIsThisAnNtAsSystem
KeWaitForSingleObject
KeReleaseMutex
KeReadStateEvent
IoDeleteDevice
ZwEnumerateValueKey
RtlUnicodeStringToInteger
RtlIpv4StringToAddressW
RtlTimeToTimeFields
ExLocalTimeToSystemTime
RtlExtendedMagicDivide
RtlAppendUnicodeToString
ZwClose
_allmul
MmQuerySystemSize
RtlCompareUnicodeString
RtlInitializeBitMap
RtlClearAllBits
RtlSetBits
wcslen
RtlAreBitsSet
RtlClearBits
RtlFindClearBitsAndSet
RtlFindClearRuns
DbgPrint
memmove
RtlCopyUnicodeString
RtlAppendUnicodeStringToString
ZwLoadDriver
KeResetEvent
IoAcquireCancelSpinLock
IoReleaseCancelSpinLock
IofCompleteRequest
ExfInterlockedAddUlong
MmMapLockedPagesSpecifyCache
IoFreeMdl
ExfInterlockedInsertTailList
RtlInitUnicodeString
MmMapLockedPages
KeNumberProcessors
RtlUnicodeStringToAnsiString
MmLockPagableDataSection
MmUnlockPagableImageSection
RtlCompareMemory
ExAllocatePoolWithTag
KeCancelTimer
KeClearEvent
RtlAnsiStringToUnicodeString
IoRaiseInformationalHardError
KeInitializeEvent
ExFreePoolWithTag
ExAllocatePoolWithTagPriority
KeInitializeSpinLock
_alldiv
KeQuerySystemTime
KefAcquireSpinLockAtDpcLevel
KefReleaseSpinLockFromDpcLevel
KeBugCheckEx
RtlSubAuthoritySid
KeTickCount
MmBuildMdlForNonPagedPool
ZwDeviceIoControlFile
ZwCreateFile

tdi.sys

CTESystemUpTime
CTEBlock
CTELogEvent
CTESignal
CTEBlockWithTracker
CTEStartTimer
CTEInitEvent
CTEScheduleDelayedEvent
CTEInitTimer
TdiProviderReady
CTEInitialize
TdiDeregisterNetAddress
TdiRegisterNetAddress
TdiDeregisterDeviceObject
TdiRegisterDeviceObject
TdiDeregisterProvider
TdiRegisterProvider
TdiPnPPowerRequest
TdiCopyMdlChainToMdlChain
TdiInitialize
TdiDeregisterPnPHandlers
TdiRegisterPnPHandlers
CTEScheduleEvent
TdiCopyBufferToMdl
CTERemoveBlockTracker
CTEInsertBlockTracker
TdiMapUserRequest
TdiCopyBufferToMdlWithReservedMappingAtDpcLevel

Exports

Exports

ARPRcv
ARPRcvPacket
FreeIprBuff
GetIFAndLink
IPAddInterface
IPAllocBuff
IPDelInterface
IPDelayedNdisReEnumerateBindings
IPDeregisterARP
IPDisableSniffer
IPEnableSniffer
IPFreeBuff
IPGetAddrType
IPGetBestInterface
IPGetInfo
IPInjectPkt
IPProxyNdisRequest
IPRcvComplete
IPRcvPacket
IPRegisterARP
IPRegisterProtocol
IPSetIPSecStatus
IPTransmit
LookupRoute
LookupRouteInformation
LookupRouteInformationWithBuffer
SendICMPErr
SetIPSecPtr
UnSetIPSecPtr
UnSetIPSecSendPtr
tcpxsum

Sections

.text
Size: 252KB - Virtual size: 252KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 41KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGE
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGELK
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGEIPMc
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.edata
Size: 896B - Virtual size: 833B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

be8f8048c4b29418508dc0c6096b5227

Headers

File Characteristics

PDB Paths

Imports

hal

ndis.sys

ntoskrnl.exe

tdi.sys

Exports

Exports

Sections

.text Size: 252KB - Virtual size: 252KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 41KB - Virtual size: 41KB

PAGE Size: 8KB - Virtual size: 7KB

PAGELK Size: 1KB - Virtual size: 1KB

PAGEIPMc Size: 10KB - Virtual size: 9KB

.edata Size: 896B - Virtual size: 833B

INIT Size: 22KB - Virtual size: 22KB

.rsrc Size: 1024B - Virtual size: 1008B

.reloc Size: 13KB - Virtual size: 13KB

.text
Size: 252KB - Virtual size: 252KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 41KB - Virtual size: 41KB

PAGE
Size: 8KB - Virtual size: 7KB

PAGELK
Size: 1KB - Virtual size: 1KB

PAGEIPMc
Size: 10KB - Virtual size: 9KB

.edata
Size: 896B - Virtual size: 833B

INIT
Size: 22KB - Virtual size: 22KB

.rsrc
Size: 1024B - Virtual size: 1008B

.reloc
Size: 13KB - Virtual size: 13KB