MDE_File_Sample_66e95daee3d1244a029d7f3d91915f1f233d1916[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

MDE_File_Sample_66e95daee3d1244a029d7f3d91915f1f233d1916.zip
Size

12KB
MD5

7c24e00bc50a76c4ff2378d389beb864
SHA1

f73f4b21edc6cc29e3b0bc684b5a8b971127fb74
SHA256

afade859321400e5e4138f7bdf5dd3bd436e97f2b9e1c3b1a179154f7d5e0ed5
SHA512

f7198c6284f6da78d1c1680fcee215850663feb2a9861b9ffb9446aa650a49c25aa92a4ada55b301e8245871b77b9158777d941ac280b96f4dcd7fa86c26ed38
SSDEEP

192:W9sIsf7XYPw94Tv1w/BbFlipI56nk9gXcmxURd3WRtMHl0fow:W9QGauMBb3iS56nk95N0MHl0v

Score

1^/10

Malware Config

Signatures

Files

MDE_File_Sample_66e95daee3d1244a029d7f3d91915f1f233d1916.zip
.zip

Password: infected
RwDrv.sys
.sys windows:6 windows x64 arch:x64

955e7b12a8fa06444c68e54026c45de1

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

13/04/2019, 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:8f:56:da:fd:75:42:d5:f3:d7:0b:21:3e:2a:54:6c:ff
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

31/07/2012, 20:41

Not After

01/08/2013, 20:41

Subject

CN=ChongKim Chan,C=TW

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

61:29:15:27:00:00:00:00:00:2a
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:55

Not After

15/04/2021, 20:05

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

39:25:7f:b8:6d:f8:88:20:7e:4f:3a:77:68:56:1b:4a:b1:55:78:48
Signer

Actual PE Digest

39:25:7f:b8:6d:f8:88:20:7e:4f:3a:77:68:56:1b:4a:b1:55:78:48

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

d:\src\rw\rwxe3\rw\driver\objfre_win7_amd64\amd64\RwDrv.pdb

Imports

ntoskrnl.exe

IoDeleteSymbolicLink
ExFreePoolWithTag
IoRegisterPlugPlayNotification
MmFreeContiguousMemorySpecifyCache
RtlInitUnicodeString
IoDeleteDevice
IoFreeWorkItem
KeInitializeEvent
RtlQueryRegistryValues
KeReleaseSpinLock
MmUnmapIoSpace
IoFreeMdl
MmGetPhysicalAddress
IoGetDeviceObjectPointer
IoBuildAsynchronousFsdRequest
ExInterlockedInsertTailList
IoBuildDeviceIoControlRequest
MmMapIoSpace
IoUnregisterPlugPlayNotification
IofCompleteRequest
KeWaitForSingleObject
IoFreeIrp
RtlCompareMemory
MmUnlockPages
IoCreateSymbolicLink
RtlCopyUnicodeString
ObfDereferenceObject
IoCreateDevice
IoQueueWorkItem
MmAllocateContiguousMemorySpecifyCache
IofCallDriver
KeAcquireSpinLockRaiseToDpc
KeBugCheckEx
IoAllocateWorkItem
ExAllocatePoolWithTag

hal

KeStallExecutionProcessor

Sections

.text
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 764B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 272B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 276B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 880B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

955e7b12a8fa06444c68e54026c45de1

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

04:00:00:00:00:01:2f:4e:e1:35:5cCertificate

Extended Key Usages

Key Usages

11:21:8f:56:da:fd:75:42:d5:f3:d7:0b:21:3e:2a:54:6c:ffCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

61:29:15:27:00:00:00:00:00:2aCertificate

Key Usages

39:25:7f:b8:6d:f8:88:20:7e:4f:3a:77:68:56:1b:4a:b1:55:78:48Signer

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

Sections

.text Size: 8KB - Virtual size: 8KB

.rdata Size: 1024B - Virtual size: 764B

.data Size: 512B - Virtual size: 272B

.pdata Size: 512B - Virtual size: 276B

INIT Size: 2KB - Virtual size: 1KB

.rsrc Size: 1024B - Virtual size: 880B

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

11:21:8f:56:da:fd:75:42:d5:f3:d7:0b:21:3e:2a:54:6c:ff
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

61:29:15:27:00:00:00:00:00:2a
Certificate

39:25:7f:b8:6d:f8:88:20:7e:4f:3a:77:68:56:1b:4a:b1:55:78:48
Signer

.text
Size: 8KB - Virtual size: 8KB

.rdata
Size: 1024B - Virtual size: 764B

.data
Size: 512B - Virtual size: 272B

.pdata
Size: 512B - Virtual size: 276B

INIT
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 880B