Offlical_0[.]6[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

Offlical_0.6.zip
Size

26KB
MD5

0ddf82ab134dae239e9e6e3f677fdf07
SHA1

b9f2b4d27931f9a876ae9279ad6755491abbfb63
SHA256

f082fdf9514e1d6cbeb44443cc98b26568bd4c6d190f8efcb288e6aeb4787d2f
SHA512

e42a98c4d3028d0286284eafc621bf84227edcd74b540586d44ed309060dc410a11382e25276185d0a0dd5e831469721c5a88f85220992b960ea76678049bd6a
SSDEEP

384:86OXoaZ2NQ0XQVqzI+c8wRf4wOU4yAmzB4q9k0gnXO6VrRyKLEUifSQH0G:nECRXQVAIgwRAwKgzrgXOcRyKLUH/

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/x64/WinDivert.dll

Files

Offlical_0.6.zip
.zip
x64/WinDivert.dll
.dll windows:4 windows x64 arch:x64

4b5b0fb09f29ed8e5306bbb27b5ae668

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

advapi32

CloseServiceHandle
ControlService
CreateServiceW
DeleteService
OpenSCManagerW
OpenServiceW
StartServiceW

kernel32

CloseHandle
CreateEventW
CreateFileW
DeviceIoControl
GetLastError
GetModuleFileNameW
GetOverlappedResult
SetLastError
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue

msvcrt

isalnum
isspace
isxdigit
strcmp
tolower

Exports

Exports

DivertClose
DivertGetParam
DivertHelperCalcChecksums
DivertHelperParseIPv4Address
DivertHelperParseIPv6Address
DivertHelperParsePacket
DivertOpen
DivertRecv
DivertSend
DivertSetParam
WinDivertClose
WinDivertDllEntry
WinDivertGetParam
WinDivertHelperCalcChecksums
WinDivertHelperParseIPv4Address
WinDivertHelperParseIPv6Address
WinDivertHelperParsePacket
WinDivertOpen
WinDivertRecv
WinDivertRecvEx
WinDivertSend
WinDivertSendEx
WinDivertSetParam

Sections

.text
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 992B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 1024B - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 512B - Virtual size: 360B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 512B - Virtual size: 288B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 16B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 1024B - Virtual size: 730B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 1024B - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 132B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
x64/WinDivert64.sys
.sys windows:6 windows x64 arch:x64

5c9956100a10f17fd6cacca768f3c364

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:42:f1:e3:68:68:b7:25:06:ea:50:77:bf:7b:bc:5b
Certificate

Issuer

CN=DigiCert High Assurance Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/08/2014, 00:00

Not After

09/09/2015, 12:00

Subject

CN=Nemea Mjukvaruutveckling AB,O=Nemea Mjukvaruutveckling AB,L=Stockholm,ST=Vastra Gotaland,C=SE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:20:4d:b4:00:00:00:00:00:27
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:45

Not After

15/04/2021, 19:55

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

02:c4:d1:e5:8a:4a:68:0c:56:8d:a3:04:7e:7e:4d:5f
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

11/02/2011, 12:00

Not After

10/02/2026, 12:00

Subject

CN=DigiCert High Assurance Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

97:da:76:ff:9a:56:81:d7:d7:9f:b8:81:15:69:91:15:f6:21:9c:00
Signer

Actual PE Digest

97:da:76:ff:9a:56:81:d7:d7:9f:b8:81:15:69:91:15:f6:21:9c:00

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

c:\windivert\install\WDDK\amd64\WinDivert64.pdb

Imports

ntoskrnl.exe

RtlCopyUnicodeString
KeBugCheckEx
IoAllocateMdl
MmMapLockedPagesSpecifyCache
IoFreeMdl
MmBuildMdlForNonPagedPool
KeAcquireInStackQueuedSpinLock
KeReleaseInStackQueuedSpinLock
ExFreePoolWithTag
ExUuidCreate
ExAllocatePoolWithTag

ndis.sys

NdisAdvanceNetBufferDataStart
NdisRetreatNetBufferDataStart
NdisAllocateNetBufferListPool
NdisGetDataBuffer
NdisFreeNetBufferListPool

fwpkclnt.sys

FwpmCalloutDeleteByKey0
FwpsInjectNetworkReceiveAsync0
FwpmSubLayerAdd0
FwpsCalloutUnregisterByKey0
FwpsFreeCloneNetBufferList0
FwpsQueryPacketInjectionState0
FwpsFreeNetBufferList0
FwpmEngineClose0
FwpmTransactionBegin0
FwpmFilterAdd0
FwpmEngineOpen0
FwpmTransactionAbort0
FwpsCalloutRegister0
FwpsInjectForwardAsync0
FwpmFilterDeleteByKey0
FwpmCalloutAdd0
FwpsInjectNetworkSendAsync0
FwpmTransactionCommit0
FwpsInjectionHandleCreate0
FwpsAllocateNetBufferAndNetBufferList0
FwpsInjectionHandleDestroy0
FwpmSubLayerDeleteByKey0

wdfldr.sys

WdfVersionBindClass
WdfVersionUnbindClass
WdfVersionBind
WdfVersionUnbind

Sections

.text
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 540B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 246B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
x64/config.txt

Sharing

General

Malware Config

Signatures

Files

4b5b0fb09f29ed8e5306bbb27b5ae668

Headers

File Characteristics

Imports

advapi32

kernel32

msvcrt

Exports

Exports

Sections

.text Size: 8KB - Virtual size: 8KB

.data Size: 1024B - Virtual size: 992B

.rdata Size: 1024B - Virtual size: 1024B

.pdata Size: 512B - Virtual size: 360B

.xdata Size: 512B - Virtual size: 288B

.bss Size: - Virtual size: 16B

.edata Size: 1024B - Virtual size: 730B

.idata Size: 1024B - Virtual size: 1016B

.reloc Size: 512B - Virtual size: 132B

5c9956100a10f17fd6cacca768f3c364

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

0a:42:f1:e3:68:68:b7:25:06:ea:50:77:bf:7b:bc:5bCertificate

Extended Key Usages

Key Usages

61:20:4d:b4:00:00:00:00:00:27Certificate

Key Usages

02:c4:d1:e5:8a:4a:68:0c:56:8d:a3:04:7e:7e:4d:5fCertificate

Extended Key Usages

Key Usages

97:da:76:ff:9a:56:81:d7:d7:9f:b8:81:15:69:91:15:f6:21:9c:00Signer

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

ndis.sys

fwpkclnt.sys

wdfldr.sys

Sections

.text Size: 17KB - Virtual size: 16KB

.rdata Size: 5KB - Virtual size: 5KB

.data Size: 1KB - Virtual size: 4KB

.pdata Size: 1024B - Virtual size: 540B

INIT Size: 2KB - Virtual size: 1KB

.rsrc Size: 1024B - Virtual size: 1008B

.reloc Size: 512B - Virtual size: 246B

.text
Size: 8KB - Virtual size: 8KB

.data
Size: 1024B - Virtual size: 992B

.rdata
Size: 1024B - Virtual size: 1024B

.pdata
Size: 512B - Virtual size: 360B

.xdata
Size: 512B - Virtual size: 288B

.bss
Size: - Virtual size: 16B

.edata
Size: 1024B - Virtual size: 730B

.idata
Size: 1024B - Virtual size: 1016B

.reloc
Size: 512B - Virtual size: 132B

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

0a:42:f1:e3:68:68:b7:25:06:ea:50:77:bf:7b:bc:5b
Certificate

61:20:4d:b4:00:00:00:00:00:27
Certificate

02:c4:d1:e5:8a:4a:68:0c:56:8d:a3:04:7e:7e:4d:5f
Certificate

97:da:76:ff:9a:56:81:d7:d7:9f:b8:81:15:69:91:15:f6:21:9c:00
Signer

.text
Size: 17KB - Virtual size: 16KB

.rdata
Size: 5KB - Virtual size: 5KB

.data
Size: 1KB - Virtual size: 4KB

.pdata
Size: 1024B - Virtual size: 540B

INIT
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 1008B

.reloc
Size: 512B - Virtual size: 246B