Release[.]rar | Triage

Resubmissions

24/08/2024, 12:32

240824-pq5tfszfjh 8

24/08/2024, 12:29

240824-pn6yqszekb 8

24/08/2024, 12:27

240824-pm1ekazdmg 8

Sharing

Copy URL Twitter E-mail

General

Target

Release.rar
Size

1.8MB
MD5

dc378d8293b582cbc9a8d06ce4875c8f
SHA1

c2073b5c67cc50739497695920affaa206b2b8eb
SHA256

a275aa99709d2832d39e64638bea5ef0691871837f068ffef28523d8d5d54856
SHA512

5325a167a08d12e28614696f46615946506e843e4ca5e26b35af3695ea3c5494ad2217dae8ec5cb72cc7502d7595efc5d4cda9803c06c285a818a2268e9e5e27
SSDEEP

49152:E+uBvSUM6xujVh6MLtW3iKqEQjLro8d/iX8w5hU:sBqUM6xuj5/ieroMiMR

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Release/GeforceNOW.exe
unpack001/Release/mapper.exe

Files

Release.rar
.rar
Release/GeforceNOW.exe
.exe windows:6 windows x64 arch:x64

426ca4659c25f40c32df2b82ae4835eb

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\lunar\Downloads\AEVanta (1)\x64\Release\GeforceNOW.pdb

Imports

d3d9

Direct3DCreate9Ex

kernel32

FreeLibrary
QueryPerformanceCounter
Process32First
VirtualProtect
GetConsoleScreenBufferInfo
VirtualFree
SetConsoleTitleA
SetConsoleScreenBufferSize
GetStdHandle
DeviceIoControl
VirtualAlloc
TerminateProcess
SetConsoleWindowInfo
CreateFileW
CreateToolhelp32Snapshot
Sleep
Process32Next
Beep
GetConsoleWindow
lstrcmpiA
GetTickCount
GetProcAddress
SetUnhandledExceptionFilter
GetCurrentProcess
IsProcessorFeaturePresent
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
GetCurrentThreadId
IsDebuggerPresent
GetModuleHandleW
GetCurrentProcessId
GetSystemTimeAsFileTime
InitializeSListHead
QueryPerformanceFrequency
LoadLibraryA
GetModuleHandleA
GlobalUnlock
WideCharToMultiByte
GlobalLock
GlobalFree
GlobalAlloc
MultiByteToWideChar
UnhandledExceptionFilter
CloseHandle

user32

SetCursor
GetClientRect
GetForegroundWindow
DispatchMessageA
GetWindowRect
DestroyWindow
GetSystemMetrics
ShowWindow
SetWindowLongA
MessageBoxA
TranslateMessage
PeekMessageA
GetDesktopWindow
FindWindowA
SetForegroundWindow
SendInput
GetAsyncKeyState
GetKeyState
LoadCursorA
ScreenToClient
GetClipboardData
ClientToScreen
SetCursorPos
SetClipboardData
EmptyClipboard
CloseClipboard
GetCursorPos
OpenClipboard

shell32

Shell_NotifyIconA

imm32

ImmSetCompositionWindow
ImmReleaseContext
ImmGetContext
ImmSetCandidateWindow

msvcp140

?widen@?$ctype@_W@std@@QEBA_WD@Z
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?good@ios_base@std@@QEBA_NXZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??Bid@locale@std@@QEAA_KXZ
?_Xlength_error@std@@YAXPEBD@Z
_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Throw_Cpp_error@std@@YAXH@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
?id@?$ctype@_W@std@@2V0locale@2@A
?_Random_device@std@@YAIXZ
_Mtx_destroy_in_situ
_Mtx_lock
_Mtx_init_in_situ
_Cnd_do_broadcast_at_thread_exit
_Thrd_sleep
_Query_perf_counter
_Thrd_detach
_Xtime_get_ticks
_Mtx_unlock
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z

ntdll

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind

xinput1_4

ord2

vcruntime140_1

__CxxFrameHandler4

vcruntime140

strstr
__std_exception_destroy
__std_exception_copy
__std_terminate
__C_specific_handler
__current_exception
__current_exception_context
_CxxThrowException
memset
memchr
memcpy
memcmp
memmove

api-ms-win-crt-stdio-l1-1-0

fflush
fclose
fseek
__stdio_common_vfprintf
__acrt_iob_func
ftell
fwrite
__stdio_common_vsnprintf_s
_wfopen
__stdio_common_vsprintf
fread
_set_fmode
__stdio_common_vsscanf
__stdio_common_vsprintf_s
__p__commode

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-string-l1-1-0

strcmp
strncmp
strncpy

api-ms-win-crt-heap-l1-1-0

free
_set_new_mode
_callnewh
malloc

api-ms-win-crt-convert-l1-1-0

atof

api-ms-win-crt-runtime-l1-1-0

_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit
_seh_filter_exe
_set_app_type
_invalid_parameter_noinfo_noreturn
_get_initial_narrow_environment
_initterm
_initterm_e
_exit
_beginthreadex
__p___argc
__p___argv
_c_exit
_register_thread_local_exe_atexit_callback
terminate
system
exit

api-ms-win-crt-math-l1-1-0

atan2
atan2f
ceilf
cosf
fmodf
asin
_dclass
sqrt
sinf
powf
pow
acosf
sqrtf
__setusermatherr
tanf

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 379KB - Virtual size: 378KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 65KB - Virtual size: 65KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 27KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.msvcjmc
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 648B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Release/GeforceNOW.pdb
Release/mapper.exe
.exe windows:6 windows x64 arch:x64

87877434cc5ccb8c3f984e3dd6b73bb9

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\bizzy\Downloads\kdmapper\kdmapper-master\x64\Debug\kdmapper.pdb

Imports

kernel32

HeapAlloc
HeapReAlloc
HeapFree
HeapSize
GetProcessHeap
DeviceIoControl
InitializeCriticalSectionEx
DeleteCriticalSection
GetCurrentProcessId
HeapDestroy
VirtualAlloc
VirtualFree
GetModuleHandleA
GetProcAddress
SetUnhandledExceptionFilter
GetTempPathW
VirtualQuery
InitializeSListHead
GetSystemTimeAsFileTime
SetLastError
GetLastError
CloseHandle
DecodePointer
GetCurrentThreadId
CreateFileW
QueryPerformanceCounter
GetStartupInfoW
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
CreateEventW
WaitForSingleObjectEx
ResetEvent
SetEvent
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
RaiseException
OutputDebugStringW
IsDebuggerPresent
WideCharToMultiByte
MultiByteToWideChar
CreateSymbolicLinkW
GetFileInformationByHandleEx
CreateHardLinkW
MoveFileExW
CopyFileW
CreateDirectoryExW
GetModuleHandleW
AreFileApisANSI
SetFileTime
SetFileInformationByHandle
SetFileAttributesW
GetFullPathNameW
GetFinalPathNameByHandleW
GetFileInformationByHandle
GetFileAttributesExW
GetFileAttributesW
GetDiskFreeSpaceExW
FindNextFileW
FindFirstFileExW
FindFirstFileW
FindClose
CreateDirectoryW
GetCurrentDirectoryW
SetCurrentDirectoryW
GetLocaleInfoEx
FormatMessageA
LocalFree
FreeLibrary

user32

UnregisterClassW

advapi32

RegSetKeyValueW
RegOpenKeyW
RegCreateKeyW
RegCloseKey
RegDeleteTreeW

msvcp140d

??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
?tie@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_ostream@_WU?$char_traits@_W@std@@@2@XZ
?rdbuf@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@2@XZ
?fill@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WXZ
?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?id@?$ctype@_W@std@@2V0locale@2@A
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
?_Syserror_map@std@@YAPEBDH@Z
?_Winerror_map@std@@YAHH@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
??0_Lockit@std@@QEAA@H@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??1_Lockit@std@@QEAA@XZ
?_Xbad_alloc@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?uncaught_exception@std@@YA_NXZ
_Mbrtowc
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
?_Getdays@_Locinfo@std@@QEBAPEBDXZ
?_Getmonths@_Locinfo@std@@QEBAPEBDXZ
?_W_Getdays@_Locinfo@std@@QEBAPEBGXZ
?_W_Getmonths@_Locinfo@std@@QEBAPEBGXZ
??Bid@locale@std@@QEAA_KXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?widen@?$ctype@_W@std@@QEBA_WD@Z
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??7ios_base@std@@QEBA_NXZ
?good@ios_base@std@@QEBA_NXZ
?flags@ios_base@std@@QEBAHXZ
?setf@ios_base@std@@QEAAHHH@Z
?width@ios_base@std@@QEBA_JXZ
?width@ios_base@std@@QEAA_J_J@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z

ntdll

NtQuerySystemInformation
RtlInitUnicodeString

vcruntime140d

__std_type_info_destroy_list
__C_specific_handler_noexcept
__current_exception_context
__current_exception
memcmp
__C_specific_handler
__std_exception_destroy
__std_exception_copy
memset
memmove
memcpy
__vcrt_GetModuleHandleW
__vcrt_GetModuleFileNameW
_CxxThrowException
__vcrt_LoadLibraryExW

vcruntime140_1d

__CxxFrameHandler4

ucrtbased

__setusermatherr
_configure_wide_argv
_initialize_wide_environment
_get_initial_wide_environment
_initterm
_initterm_e
exit
_exit
_set_fmode
__p___argc
__p___wargv
_c_exit
_register_thread_local_exe_atexit_callback
_configthreadlocale
_set_new_mode
__p__commode
strcpy_s
strcat_s
__stdio_common_vsprintf_s
_wmakepath_s
_wsplitpath_s
_set_app_type
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
_seh_filter_dll
_callnewh
_recalloc
_errno
_invalid_parameter_noinfo
terminate
_seh_filter_exe
_malloc_dbg
_free_dbg
system
_wcsicmp
_unlock_file
_lock_file
ungetc
setvbuf
fwrite
_fseeki64
fsetpos
fread
fputc
fgetpos
fgetc
fflush
fclose
_get_stream_buffer_pointers
__stdio_common_vsnwprintf_s
__stdio_common_vswprintf_s
__stdio_common_vswprintf
_wremove
_CrtDbgReportW
_CrtDbgReport
_calloc_dbg
rand
srand
malloc
free
strlen
_stricmp
wcslen
wcscpy_s
_invalid_parameter
_cexit
_crt_at_quick_exit
_crt_atexit
___lc_codepage_func
_execute_onexit_table
_time64

Sections

.textbss
Size: - Virtual size: 159KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text
Size: 359KB - Virtual size: 359KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 141KB - Virtual size: 140KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.msvcjmc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 1024B - Virtual size: 777B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.00cfg
Size: 512B - Virtual size: 373B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Release/racballs.sys
.sys windows:10 windows x64 arch:x64

dab06766af6787054a656ec789a0ae81

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

Issuer

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

25/05/2021, 00:00

Not After

31/12/2028, 23:59

Subject

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

01:39:dd:e1:19:bb:32:0d:fb:9f:5d:ef:e3:f7:12:45
Certificate

Issuer

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

Not Before

10/11/2021, 00:00

Not After

09/11/2024, 23:59

Subject

CN=Hangil IT Co.\, Ltd,O=Hangil IT Co.\, Ltd,ST=Seoul,C=KR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0a
Certificate

Issuer

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Not Before

22/03/2021, 00:00

Not After

21/03/2036, 23:59

Subject

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

fe:6b:16:07:bc:67:3c:07:db:ae:2f:bb:c3:11:05:58:52:75:1a:8c
Signer

Actual PE Digest

fe:6b:16:07:bc:67:3c:07:db:ae:2f:bb:c3:11:05:58:52:75:1a:8c

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\Racmaster32\Desktop\SkarDriver-Ioctl-main\x64\Release\racballs.pdb

Imports

ntoskrnl.exe

RtlInitUnicodeString
RtlGetVersion
ExAllocatePool
ExAllocatePoolWithTag
ExFreePoolWithTag
MmUnmapIoSpace
MmMapIoSpaceEx
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
ObfDereferenceObject
MmCopyMemory
PsLookupProcessByProcessId
IoCreateDriver
PsGetProcessSectionBaseAddress
ZwQuerySystemInformation

Sections

.text
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 128B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 276B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 1024B - Virtual size: 600B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 36B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

426ca4659c25f40c32df2b82ae4835eb

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

d3d9

kernel32

user32

shell32

imm32

msvcp140

ntdll

xinput1_4

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 379KB - Virtual size: 378KB

.rdata Size: 65KB - Virtual size: 65KB

.data Size: 27KB - Virtual size: 32KB

.pdata Size: 13KB - Virtual size: 13KB

.msvcjmc Size: 512B - Virtual size: 152B

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 1024B - Virtual size: 648B

87877434cc5ccb8c3f984e3dd6b73bb9

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

msvcp140d

ntdll

vcruntime140d

vcruntime140_1d

ucrtbased

Sections

.textbss Size: - Virtual size: 159KB

.text Size: 359KB - Virtual size: 359KB

.rdata Size: 141KB - Virtual size: 140KB

.data Size: 2KB - Virtual size: 15KB

.pdata Size: 27KB - Virtual size: 27KB

.idata Size: 16KB - Virtual size: 16KB

.msvcjmc Size: 2KB - Virtual size: 2KB

.tls Size: 1024B - Virtual size: 777B

.00cfg Size: 512B - Virtual size: 373B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 3KB - Virtual size: 3KB

dab06766af6787054a656ec789a0ae81

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16Certificate

Extended Key Usages

Key Usages

01:39:dd:e1:19:bb:32:0d:fb:9f:5d:ef:e3:f7:12:45Certificate

Extended Key Usages

Key Usages

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0aCertificate

Extended Key Usages

Key Usages

fe:6b:16:07:bc:67:3c:07:db:ae:2f:bb:c3:11:05:58:52:75:1a:8cSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

.text
Size: 379KB - Virtual size: 378KB

.rdata
Size: 65KB - Virtual size: 65KB

.data
Size: 27KB - Virtual size: 32KB

.pdata
Size: 13KB - Virtual size: 13KB

.msvcjmc
Size: 512B - Virtual size: 152B

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 1024B - Virtual size: 648B

.textbss
Size: - Virtual size: 159KB

.text
Size: 359KB - Virtual size: 359KB

.rdata
Size: 141KB - Virtual size: 140KB

.data
Size: 2KB - Virtual size: 15KB

.pdata
Size: 27KB - Virtual size: 27KB

.idata
Size: 16KB - Virtual size: 16KB

.msvcjmc
Size: 2KB - Virtual size: 2KB

.tls
Size: 1024B - Virtual size: 777B

.00cfg
Size: 512B - Virtual size: 373B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 3KB - Virtual size: 3KB

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

01:39:dd:e1:19:bb:32:0d:fb:9f:5d:ef:e3:f7:12:45
Certificate

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0a
Certificate

fe:6b:16:07:bc:67:3c:07:db:ae:2f:bb:c3:11:05:58:52:75:1a:8c
Signer

.text
Size: 4KB - Virtual size: 4KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 128B

.pdata
Size: 512B - Virtual size: 276B

INIT
Size: 1024B - Virtual size: 600B

.reloc
Size: 512B - Virtual size: 36B