General

Malware Config

Signatures

Files

• KRNLWRD.rar

  .rar
• KRNLWRD/Bunifu_UI_v1.5.3.dll

  .dll windows:4 windows x86 arch:x86

  dae02f32a21e03ce65412f6e56942daa

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_NO_SEH

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  IMAGE_FILE_DLL

  Imports

  mscoree

  _CorDllMain

  Sections

  .text

  Size: 234KB - Virtual size: 233KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 1KB - Virtual size: 1KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 512B - Virtual size: 12B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• KRNLWRD/ScintillaNET.dll

  .dll windows:4 windows x86 arch:x86

  dae02f32a21e03ce65412f6e56942daa

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_NO_SEH

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LARGE_ADDRESS_AWARE

  IMAGE_FILE_DLL

  PDB Paths

  C:\Users\jacob\Documents\Projects\ScintillaNET\src\ScintillaNET\obj\Release\ScintillaNET.pdb

  Imports

  mscoree

  _CorDllMain

  Sections

  .text

  Size: 1.3MB - Virtual size: 1.3MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 1KB - Virtual size: 1KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 512B - Virtual size: 12B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• KRNLWRD/autoexec.lnk

  .lnk
• KRNLWRD/injector.dll

  .dll windows:6 windows x86 arch:x86

  d588e0751eeca8d75865b11d7d0b6027

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  IMAGE_FILE_DLL

  PDB Paths

  D:\Archives\repos\krnl_injector\Release\krnl_injector.pdb

  Imports

  kernel32

  OpenProcess

  CreateToolhelp32Snapshot

  GetExitCodeThread

  CloseHandle

  Module32FirstW

  GetProcAddress

  VirtualAllocEx

  GetFileAttributesW

  ReadProcessMemory

  GetModuleHandleW

  WideCharToMultiByte

  CreateRemoteThread

  Module32NextW

  VirtualFreeEx

  SetUnhandledExceptionFilter

  WaitForSingleObject

  LocalFree

  WriteProcessMemory

  GetCurrentProcess

  TerminateProcess

  IsProcessorFeaturePresent

  QueryPerformanceCounter

  UnhandledExceptionFilter

  GetCurrentProcessId

  GetCurrentThreadId

  GetSystemTimeAsFileTime

  DisableThreadLibraryCalls

  InitializeSListHead

  IsDebuggerPresent

  advapi32

  SetNamedSecurityInfoW

  GetNamedSecurityInfoW

  ConvertStringSidToSidW

  SetEntriesInAclW

  msvcp140

  ?_Xout_of_range@std@@YAXPBD@Z

  ?_Xlength_error@std@@YAXPBD@Z

  vcruntime140

  __CxxFrameHandler3

  __std_exception_destroy

  _except_handler4_common

  memset

  __std_type_info_destroy_list

  _CxxThrowException

  __std_exception_copy

  memcpy

  api-ms-win-crt-heap-l1-1-0

  _callnewh

  free

  malloc

  api-ms-win-crt-runtime-l1-1-0

  _cexit

  _initialize_narrow_environment

  _configure_narrow_argv

  _seh_filter_dll

  _initterm_e

  _initterm

  _initialize_onexit_table

  _invalid_parameter_noinfo_noreturn

  _execute_onexit_table

  Exports

  Exports

  _inject_dll@8

  _is_injected@12

  _pass_console_input@16

  _run_script@16

  Sections

  .text

  Size: 11KB - Virtual size: 11KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 4KB - Virtual size: 4KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 512B - Virtual size: 1KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 512B - Virtual size: 248B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 1024B - Virtual size: 688B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• KRNLWRD/krnl.dll

  .dll windows:6 windows x86 arch:x86

  615138fe2fa1806ffa5686c81568e1f8

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  IMAGE_FILE_DLL

  Imports

  kernel32

  AcquireSRWLockExclusive

  VirtualQuery

  LocalAlloc

  LocalFree

  GetModuleFileNameW

  GetProcessAffinityMask

  SetProcessAffinityMask

  SetThreadAffinityMask

  Sleep

  ExitProcess

  FreeLibrary

  LoadLibraryA

  GetModuleHandleA

  GetProcAddress

  user32

  ClientToScreen

  GetProcessWindowStation

  GetProcessWindowStation

  GetUserObjectInformationW

  ws2_32

  WSACleanup

  crypt32

  CertAddCertificateContextToStore

  api-ms-win-core-winrt-string-l1-1-0

  WindowsCreateStringReference

  api-ms-win-core-winrt-l1-1-0

  RoGetActivationFactory

  shell32

  SHGetFolderPathW

  imm32

  ImmGetContext

  d3dcompiler_47

  D3DCompile

  advapi32

  CryptAcquireContextA

  wldap32

  ord301

  normaliz

  IdnToAscii

  bcrypt

  BCryptGenRandom

  wtsapi32

  WTSSendMessageW

  Exports

  Exports

  queue_script

  send_console_input

  Sections

  .text

  Size: - Virtual size: 3.7MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: - Virtual size: 1.9MB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: - Virtual size: 381KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .00cfg

  Size: - Virtual size: 8B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .tls

  Size: - Virtual size: 4KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .voltbl

  Size: - Virtual size: 348B

  .asd10

  Size: - Virtual size: 2.1MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .asd11

  Size: 5.3MB - Virtual size: 5.3MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 7KB - Virtual size: 6KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 512B - Virtual size: 223B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

• KRNLWRD/krnl.exe

  .exe windows:4 windows x86 arch:x86

  f34d5f2d4577ed6d9ceec516c1f5a744

  
  

  Code Sign

  e4:27:04:95:f6:8c:91:d6:d0:ec:7b:49:4e:a4:df:1c

  Certificate

  Issuer

  CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

  Not Before

  11-09-2018 09:26

  Not After

  11-09-2023 09:26

  Subject

  CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  57:31:0a:52:95:de:1e:ed:32:44:3f:c1:de:14:f1:7d

  Certificate

  Issuer

  CN=SSL.com Code Signing Intermediate CA RSA R1,O=SSL Corp,L=Houston,ST=Texas,C=US

  Not Before

  19-07-2022 20:24

  Not After

  18-07-2024 20:24

  Subject

  CN=1305119 B.C. Ltd,O=1305119 B.C. Ltd,L=North Vancouver,ST=British Columbia,C=CA

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  64:33:51:d3:c7:38:9f:08

  Certificate

  Issuer

  CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US

  Not Before

  24-06-2016 20:44

  Not After

  24-06-2031 20:44

  Subject

  CN=SSL.com Code Signing Intermediate CA RSA R1,O=SSL Corp,L=Houston,ST=Texas,C=US

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  1a:d6:08:a7:d6:34:b5:cd:de:97:cb:a3:cc:f0:d0:4b

  Certificate

  Issuer

  CN=SSL.com Timestamping Issuing RSA CA R1,O=SSL Corp,L=Houston,ST=Texas,C=US

  Not Before

  09-12-2022 18:30

  Not After

  06-12-2032 18:30

  Subject

  CN=SSL.com Timestamping Unit 2022,O=SSL Corp,L=Houston,ST=Texas,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageDigitalSignature

  e4:27:04:95:f6:8c:91:d6:d0:ec:7b:49:4e:a4:df:1c

  Certificate

  Issuer

  CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

  Not Before

  11-09-2018 09:26

  Not After

  11-09-2023 09:26

  Subject

  CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  6d:52:18:70:87:e8:23:4d:85:60:00:d0:80:8f:93:56

  Certificate

  Issuer

  CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US

  Not Before

  13-11-2019 18:50

  Not After

  12-11-2034 18:50

  Subject

  CN=SSL.com Timestamping Issuing RSA CA R1,O=SSL Corp,L=Houston,ST=Texas,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  be:ed:27:5f:b6:df:6b:1f:bf:29:3c:7c:5c:32:ac:8c:58:08:f3:b4:54:c0:06:08:82:cd:e5:3d:50:20:6b:28

  Signer

  Actual PE Digest

  be:ed:27:5f:b6:df:6b:1f:bf:29:3c:7c:5c:32:ac:8c:58:08:f3:b4:54:c0:06:08:82:cd:e5:3d:50:20:6b:28

  Digest Algorithm

  sha256

  PE Digest Matches

  true

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_NO_SEH

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  PDB Paths

  E:\Archives\Documents\krnlss\obj\Release\net472\krnlss.pdb

  Imports

  mscoree

  _CorExeMain

  Sections

  .text

  Size: 1.0MB - Virtual size: 1.0MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 185KB - Virtual size: 184KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 512B - Virtual size: 12B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• KRNLWRD/krnlss.exe.config

  .xml
• KRNLWRD/workspace.lnk.lnk

  .lnk