daxin | 49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530

Sharing

Copy URL Twitter E-mail

General

Target

49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530
Size

59KB
MD5

62c18d61ed324088f963510bae43b831
SHA1

8302802b709ad242a81b939b6c90b3230e1a1f1e
SHA256

49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530
SHA512

c5a8c86f6c8d9ec7e41c2fde094193497db624367458386a4304f3ae62649c78f35ed825f3ca4184d1b471d61bef5ba373dfbab4368d17c1a50824cb3e5ee947
SSDEEP

768:S1l1z3gUgbjth0lC02LYYS4eUnS8nBzpX+NW7aNTfHskVgeKF35uYC9DEVIY9JOW:ig8N2cCtLZES2JEBSj6

Score

10^/10

daxin

Malware Config

Signatures

Daxin family
daxin

Daxin payload 1 IoCs

resource	yara_rule
sample	family_daxin

Files

49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530
.sys windows:6 windows x64 arch:x64

e80759049c541c1982d3e8bb9178612e

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

38:7c:94:76:e2:83:20:26:45:94:84:63:17:d4:65:40
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

28/06/2011, 00:00

Not After

27/06/2014, 23:59

Subject

CN=Anhua Xinda (Beijing) Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Anhua Xinda (Beijing) Technology Co.\, Ltd.,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

57:39:1d:4c:4e:30:f9:1e:3e:78:0d:52:42:fd:98:a1:78:ec:67:ac
Signer

Actual PE Digest

57:39:1d:4c:4e:30:f9:1e:3e:78:0d:52:42:fd:98:a1:78:ec:67:ac

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

wcsncmp
DbgPrint
IoAllocateMdl
_stricmp
sprintf
RtlLengthRequiredSid
ExAllocatePoolWithTag
vsprintf
IoDeleteSymbolicLink
ExFreePoolWithTag
RtlAnsiStringToUnicodeString
NtWriteFile
RtlCreateAcl
PsLookupProcessByProcessId
NtQuerySystemInformation
_wcsnicmp
ZwReadFile
RtlSetDaclSecurityDescriptor
KeInitializeApc
IoDeleteDevice
NtFsControlFile
KeInsertQueueApc
MmGetSystemRoutineAddress
IoCreateFile
ZwQuerySystemInformation
KeReleaseSpinLock
RtlAddAccessAllowedAce
RtlImageDirectoryEntryToData
KeDetachProcess
ZwOpenFile
ZwWaitForSingleObject
ZwCreateFile
PsCreateSystemThread
ZwQueryValueKey
PsTerminateSystemThread
ZwFreeVirtualMemory
KeQueryTimeIncrement
ObReferenceObjectByHandle
KeWaitForSingleObject
KeAttachProcess
PsGetVersion
PsThreadType
RtlCompareUnicodeString
ZwOpenProcess
ZwQueryInformationProcess
IoCreateSymbolicLink
ObfDereferenceObject
IoCreateDevice
ZwTerminateProcess
ZwQueryInformationFile
KeWaitForMultipleObjects
ZwWriteFile
NtReadFile
PsLookupThreadByThreadId
RtlLengthSid
RtlCreateSecurityDescriptor
ZwAllocateVirtualMemory
ZwOpenKey
KeAcquireSpinLockRaiseToDpc
RtlUnicodeStringToInteger
MmIsAddressValid
PsGetCurrentProcessId
ZwDeviceIoControlFile
IofCompleteRequest
ZwClose
MmMapLockedPagesSpecifyCache
MmUserProbeAddress
MmBuildMdlForNonPagedPool
memchr
KeDelayExecutionThread
RtlInitUnicodeString

ndis.sys

NdisAllocateMemoryWithTag
NdisAllocateNetBufferAndNetBufferList
NdisMSendNetBufferListsComplete
NdisReturnNetBufferLists
NdisAllocateNetBufferListPool
NdisFreeMemory
NdisCopyFromNetBufferToNetBuffer
NdisFreeMdl
NdisFreeNetBufferListPool
NdisFreeNetBufferList
NdisSendNetBufferLists

Sections

.text
Size: 42KB - Virtual size: 42KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

e80759049c541c1982d3e8bb9178612e

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

38:7c:94:76:e2:83:20:26:45:94:84:63:17:d4:65:40Certificate

Extended Key Usages

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

57:39:1d:4c:4e:30:f9:1e:3e:78:0d:52:42:fd:98:a1:78:ec:67:acSigner

Headers

File Characteristics

Imports

ntoskrnl.exe

ndis.sys

Sections

.text Size: 42KB - Virtual size: 42KB

.rdata Size: 2KB - Virtual size: 1KB

.data Size: 512B - Virtual size: 1.6MB

.pdata Size: 2KB - Virtual size: 1KB

INIT Size: 3KB - Virtual size: 3KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

38:7c:94:76:e2:83:20:26:45:94:84:63:17:d4:65:40
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

57:39:1d:4c:4e:30:f9:1e:3e:78:0d:52:42:fd:98:a1:78:ec:67:ac
Signer

.text
Size: 42KB - Virtual size: 42KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 1.6MB

.pdata
Size: 2KB - Virtual size: 1KB

INIT
Size: 3KB - Virtual size: 3KB