rootkit[.]zip | Triage

General

Target

rootkit.zip
Size

13KB
MD5

90709796f14d2ffbaa00e7f1d97ed5da
SHA1

56b8596f79b8987a90c85733e99ec6e9512548ba
SHA256

3369eae3352a191fa1e7e7cd309c8e131b2c4b67dab79e189f4a4f7c98a3e5f9
SHA512

27fa1eea7e10a1848a2f0ec35d8becb97b97fd17379710f8251b432abd834e1e95317c5c50ea2bb4d598bfed1c40391132341e5b331bd076f16e924cf56d86b1
SSDEEP

384:mi1yv9IOKMCYFZp6tbsvbm3O+8KUVNZJk1e+ekR:mGy9M5IetI63vVUVNHk1B

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/2adf06babe9d56ec5c8ba2eec576bd2625ebd3353892be4c9d7b51b4a8dbe473.exe

Files

rootkit.zip
.zip
2adf06babe9d56ec5c8ba2eec576bd2625ebd3353892be4c9d7b51b4a8dbe473.exe
.sys windows:6 windows x86 arch:x86

c00e20f56d65068b81a1a5324d461344

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

IoDeleteDevice
IoFreeWorkItem
MmUnmapIoSpace
MmGetPhysicalAddress
ExAllocatePool
IoAllocateWorkItem
MmMapIoSpace
IoAttachDeviceToDeviceStack
IoCreateSymbolicLink
IoInitializeRemoveLockEx
IoCreateDevice
IoQueueWorkItem
RtlInitUnicodeString
ZwClose
ZwOpenFile
ZwQueryInformationFile
KdDebuggerEnabled
InitSafeBootMode
IofCompleteRequest
RtlDeleteElementGenericTable
KeGetCurrentThread
RtlLookupElementGenericTable
RtlInitializeGenericTable
RtlInsertElementGenericTable
RtlUpcaseUnicodeChar
IoRegisterDriverReinitialization
ExFreePoolWithTag
ZwReadFile
IoDeleteSymbolicLink
ZwAllocateVirtualMemory
KeInitializeMutex
KeReleaseMutex
KeWaitForSingleObject
ZwQueryValueKey
ZwOpenKey
_stricmp
MmGetSystemRoutineAddress
PsGetVersion
ZwQueryInformationProcess
ObOpenObjectByPointer
PsLookupProcessByProcessId
ObfDereferenceObject
memcpy
_except_handler3
memset

hal

KfAcquireSpinLock
KeGetCurrentIrql
KfReleaseSpinLock

Sections

.text
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 640B - Virtual size: 628B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 904B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 964B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c00e20f56d65068b81a1a5324d461344

Headers

File Characteristics

Imports

ntoskrnl.exe

hal

Sections

.text Size: 12KB - Virtual size: 12KB

.rdata Size: 7KB - Virtual size: 7KB

.data Size: 640B - Virtual size: 628B

INIT Size: 1KB - Virtual size: 1KB

.rsrc Size: 1024B - Virtual size: 904B

.reloc Size: 1024B - Virtual size: 964B

.text
Size: 12KB - Virtual size: 12KB

.rdata
Size: 7KB - Virtual size: 7KB

.data
Size: 640B - Virtual size: 628B

INIT
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 904B

.reloc
Size: 1024B - Virtual size: 964B