2bae23248991b39a968cb698b029d57d86178ac0a40b008c157fbb315ee15ca5

Sharing

Copy URL Twitter E-mail

General

Target

2bae23248991b39a968cb698b029d57d86178ac0a40b008c157fbb315ee15ca5
Size

499KB
MD5

722118d42ec101d34f5cf9eeecb0a93c
SHA1

2f42469a13e2e3e85538e5c5fc28c38c88186b25
SHA256

2bae23248991b39a968cb698b029d57d86178ac0a40b008c157fbb315ee15ca5
SHA512

433dfc87a49175b0ed86396940d629af696309e1d412603950253bd100fb566bc98f3fcf785be40958ab270005733371a9a3f2009001991eb8009d9448c2ee75
SSDEEP

12288:eodKiCLCMQkAm47nM2oFDLPonDlAf9g2d9g8SZjPRfy:LEp4LMbtoDOlg2dhyZa

Score

3^/10

Malware Config

Signatures

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/CmdColor.exe
unpack001/drv10/rxfcv.sys
unpack001/drv7/rxfcv.sys

Files

2bae23248991b39a968cb698b029d57d86178ac0a40b008c157fbb315ee15ca5
.zip
CmdColor.exe
.exe windows:4 windows x86 arch:x86

7bf6ee7f997d9058a8fa5739c928c0b5

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetConsoleTextAttribute
GetConsoleScreenBufferInfo
GetStdHandle
SetErrorMode
RaiseException
RtlUnwind
ExitProcess
TerminateProcess
GetCurrentProcess
GetLastError
SetConsoleCtrlHandler
HeapFree
GetCommandLineA
GetVersion
HeapReAlloc
HeapAlloc
HeapSize
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetModuleHandleA
GetModuleFileNameA
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
IsBadWritePtr
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetStartupInfoA
WriteFile
IsBadReadPtr
IsBadCodePtr
GetCPInfo
GetACP
GetOEMCP
GetProcAddress
LoadLibraryA
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
SetFilePointer
FlushFileBuffers
CloseHandle
IsValidLocale
IsValidCodePage
GetLocaleInfoA
EnumSystemLocalesA
GetUserDefaultLCID
ReadFile
SetStdHandle
GetLocaleInfoW

Sections

.text
Size: 64KB - Virtual size: 63KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
PrimoCache.reg
TestCertificate.cer
drv.bak/win10-11_srv2016-2022/rxfcv.cat
drv.bak/win10-11_srv2016-2022/rxfcv.inf
drv.bak/win10-11_srv2016-2022/rxfcv.sys
.sys windows:10 windows x64 arch:x64

e47a7ca085c8d28af059a3defa00723f

Code Sign

33:00:00:00:61:c8:8b:12:9c:2a:7f:1d:87:00:00:00:00:00:61
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/04/2023, 19:16

Not After

03/04/2024, 19:16

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/10/2014, 20:31

Not After

15/10/2029, 20:41

Subject

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

8d:30:04:fc:66:c0:bf:4e:c1:d7:5c:05:f9:f6:5a:37:56:e6:9b:e6:74:1c:e3:a3:9c:e3:a8:0c:f4:d5:8b:64
Signer

Actual PE Digest

8d:30:04:fc:66:c0:bf:4e:c1:d7:5c:05:f9:f6:5a:37:56:e6:9b:e6:74:1c:e3:a3:9c:e3:a8:0c:f4:d5:8b:64

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

E:\PROJECT\FancyCache\release\drv\win10\amd64\rxfcv_srv.pdb

Imports

rxbsknl.sys

RxbsCreateHyperDevice
RxbsCloseHyperDevice
RxbsSetParamHyperSystem
RxbsGetParamHyperSystem
RxbsStartHyperSystem
RxbsGetHyperSystemState
RxbsConnectHyperSystem
RxbsDisconnectHyperSystem

ntoskrnl.exe

KeSetPriorityThread
KeWaitForSingleObject
ExFreePoolWithTag
ExInterlockedRemoveHeadList
PsTerminateSystemThread
KeInitializeEvent
KeInitializeGuardedMutex
KeAcquireGuardedMutex
KeReleaseGuardedMutex
ExAllocatePoolWithTag
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
MmMapLockedPagesSpecifyCache
MmUnmapLockedPages
MmMapIoSpace
MmUnmapIoSpace
IoAllocateMdl
IoFreeMdl
RtlCompareMemory
ExUuidCreate
RtlInitUnicodeString
KeClearEvent
KeSetEvent
ExInterlockedInsertTailList
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
IoRegisterShutdownNotification
IoRegisterLastChanceShutdownNotification
IoUnregisterShutdownNotification
ObfDereferenceObject
MmGetSystemRoutineAddress
RtlCopyUnicodeString
RtlIsNtDdiVersionAvailable
KdDisableDebugger
KdEnableDebugger
IoAttachDeviceToDeviceStack
IoBuildSynchronousFsdRequest
IofCallDriver
IoInitializeRemoveLockEx
IoAcquireRemoveLockEx
IoReleaseRemoveLockEx
IoRegisterDeviceInterface
ZwClose
IoRegisterBootDriverReinitialization
IoRegisterDriverReinitialization
IoGetAttachedDevice
KdDebuggerEnabled
InitSafeBootMode
NtBuildNumber
IoReleaseRemoveLockAndWaitEx
KeInitializeDpc
KeFlushQueuedDpcs
KeInitializeTimer
KeCancelTimer
KeSetTimerEx
KeInsertQueue
RtlFreeUnicodeString
RtlStringFromGUID
ZwEnumerateValueKey
ZwSetValueKey
KeReadStateEvent
KeReadStateTimer
KeSetTimer
KeWaitForMultipleObjects
KeAcquireInStackQueuedSpinLock
KeReleaseInStackQueuedSpinLock
KeQueryActiveProcessorCountEx
KeDelayExecutionThread
IoAllocateIrp
IoBuildPartialMdl
IoFreeIrp
KeRemoveQueue
ExAllocatePoolWithTagPriority
ZwQueryValueKey
KeEnterCriticalRegion
KeLeaveCriticalRegion
IoDetachDevice
IoSetDeviceInterfaceState
ZwCreateFile
ZwOpenFile
ZwQueryInformationFile
ZwReadFile
ZwWriteFile
ZwDeleteFile
_vsnwprintf
_strnicmp
RtlGUIDFromString
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
ZwCreateKey
ZwOpenKey
ZwDeleteValueKey
RtlLengthSid
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
ZwSetSecurityObject
ObReferenceObjectByName
SeExports
KeGetCurrentIrql
IoGetStackLimits
ExEventObjectType
ExWindowStationObjectType
KeSetSystemGroupAffinityThread
KeRevertToUserGroupAffinityThread
KeQueryNodeActiveAffinity
KeQueryHighestNodeNumber
MmBuildMdlForNonPagedPool
MmAllocatePagesForMdlEx
MmFreePagesFromMdl
MmCreateMdl
ZwQuerySystemInformation
PsCreateSystemThread
ObReferenceObjectByHandle
KeInitializeQueue
KeRundownQueue
wcschr
RtlUnicodeStringToInteger
RtlEqualUnicodeString
IoAllocateErrorLogEntry
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
IoWriteErrorLogEntry
IoOpenDeviceRegistryKey
IoGetDevicePropertyData
ObfReferenceObject
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
RtlPrefixUnicodeString
RtlQueryRegistryValues
RtlCompareUnicodeString
PsGetVersion
ExAllocatePoolWithQuotaTag

Sections

.text
Size: 114KB - Virtual size: 113KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

EXTRA
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

CPATA
Size: 512B - Virtual size: 401B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 132B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
drv.bak/win7-8.1_srv2008-2012/rxfcv.cat
drv.bak/win7-8.1_srv2008-2012/rxfcv.inf
drv.bak/win7-8.1_srv2008-2012/rxfcv.sys
.sys windows:10 windows x64 arch:x64

9653b3b7b9a2698ec8e96dd8b2ddea07

Code Sign

33:00:00:00:61:c8:8b:12:9c:2a:7f:1d:87:00:00:00:00:00:61
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/04/2023, 19:16

Not After

03/04/2024, 19:16

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/10/2014, 20:31

Not After

15/10/2029, 20:41

Subject

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

c5:d4:fb:cf:05:7b:48:dd:fd:23:e5:a7:17:68:04:38:82:5d:f3:a9:c5:02:e4:78:54:1e:16:64:e4:d1:c7:c1
Signer

Actual PE Digest

c5:d4:fb:cf:05:7b:48:dd:fd:23:e5:a7:17:68:04:38:82:5d:f3:a9:c5:02:e4:78:54:1e:16:64:e4:d1:c7:c1

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

E:\PROJECT\FancyCache\release\drv\win7\amd64\rxfcv_srv_raw.pdb

Imports

rxbsknl.sys

RxbsCreateHyperDevice
RxbsCloseHyperDevice
RxbsSetParamHyperSystem
RxbsGetParamHyperSystem
RxbsStartHyperSystem
RxbsGetHyperSystemState
RxbsConnectHyperSystem
RxbsDisconnectHyperSystem

ntoskrnl.exe

KeSetPriorityThread
KeWaitForSingleObject
ExFreePoolWithTag
ExInterlockedRemoveHeadList
PsTerminateSystemThread
KeInitializeEvent
KeInitializeGuardedMutex
KeAcquireGuardedMutex
KeReleaseGuardedMutex
ExAllocatePoolWithTag
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
MmMapLockedPagesSpecifyCache
MmUnmapLockedPages
MmMapIoSpace
MmUnmapIoSpace
IoAllocateMdl
IoFreeMdl
RtlCompareMemory
ExUuidCreate
RtlInitUnicodeString
KeClearEvent
KeSetEvent
ExInterlockedInsertTailList
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
IoRegisterShutdownNotification
IoRegisterLastChanceShutdownNotification
IoUnregisterShutdownNotification
ObfDereferenceObject
MmGetSystemRoutineAddress
RtlCopyUnicodeString
RtlIsNtDdiVersionAvailable
IoAttachDeviceToDeviceStack
IoBuildSynchronousFsdRequest
IofCallDriver
IoInitializeRemoveLockEx
IoAcquireRemoveLockEx
IoReleaseRemoveLockEx
IoRegisterDeviceInterface
ZwClose
IoRegisterBootDriverReinitialization
IoRegisterDriverReinitialization
IoGetAttachedDevice
InitSafeBootMode
NtBuildNumber
IoReleaseRemoveLockAndWaitEx
KeInitializeDpc
KeFlushQueuedDpcs
KeInitializeTimer
KeCancelTimer
KeSetTimerEx
KeInsertQueue
RtlFreeUnicodeString
RtlStringFromGUID
ZwEnumerateValueKey
ZwSetValueKey
KeReadStateEvent
KeReadStateTimer
KeSetTimer
KeWaitForMultipleObjects
KeAcquireInStackQueuedSpinLock
KeReleaseInStackQueuedSpinLock
KeQueryActiveProcessorCountEx
KeDelayExecutionThread
IoAllocateIrp
IoBuildPartialMdl
IoFreeIrp
KeRemoveQueue
ExAllocatePoolWithTagPriority
ZwQueryValueKey
KeEnterCriticalRegion
KeLeaveCriticalRegion
IoDetachDevice
IoSetDeviceInterfaceState
ZwCreateFile
ZwOpenFile
ZwQueryInformationFile
ZwReadFile
ZwWriteFile
ZwDeleteFile
_vsnwprintf
RtlAppendUnicodeStringToString
KdDisableDebugger
KdEnableDebugger
ZwCreateSection
ZwMapViewOfSection
ZwUnmapViewOfSection
KdDebuggerEnabled
_strnicmp
RtlGUIDFromString
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
ZwCreateKey
ZwOpenKey
ZwDeleteValueKey
RtlLengthSid
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
ZwSetSecurityObject
ObReferenceObjectByName
SeExports
KeGetCurrentIrql
IoGetStackLimits
ExEventObjectType
ExWindowStationObjectType
KeBugCheckEx
KeSetSystemGroupAffinityThread
KeRevertToUserGroupAffinityThread
KeQueryNodeActiveAffinity
KeQueryHighestNodeNumber
MmBuildMdlForNonPagedPool
MmAllocatePagesForMdlEx
MmFreePagesFromMdl
MmCreateMdl
ZwQuerySystemInformation
PsCreateSystemThread
ObReferenceObjectByHandle
KeInitializeQueue
KeRundownQueue
wcschr
RtlUnicodeStringToInteger
RtlEqualUnicodeString
IoAllocateErrorLogEntry
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
IoWriteErrorLogEntry
IoOpenDeviceRegistryKey
IoGetDevicePropertyData
ObfReferenceObject
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
RtlPrefixUnicodeString
RtlQueryRegistryValues
RtlCompareUnicodeString
PsGetVersion
ExAllocatePoolWithQuotaTag

Sections

.text
Size: 127KB - Virtual size: 126KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

EXTRA
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

CPATA
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 200B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
drv10/rxfcv.cat
drv10/rxfcv.inf
drv10/rxfcv.sys
.sys windows:10 windows x64 arch:x64

e47a7ca085c8d28af059a3defa00723f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

E:\PROJECT\FancyCache\release\drv\win10\amd64\rxfcv_srv.pdb

Imports

rxbsknl.sys

RxbsCreateHyperDevice
RxbsCloseHyperDevice
RxbsSetParamHyperSystem
RxbsGetParamHyperSystem
RxbsStartHyperSystem
RxbsGetHyperSystemState
RxbsConnectHyperSystem
RxbsDisconnectHyperSystem

ntoskrnl.exe

KeSetPriorityThread
KeWaitForSingleObject
ExFreePoolWithTag
ExInterlockedRemoveHeadList
PsTerminateSystemThread
KeInitializeEvent
KeInitializeGuardedMutex
KeAcquireGuardedMutex
KeReleaseGuardedMutex
ExAllocatePoolWithTag
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
MmMapLockedPagesSpecifyCache
MmUnmapLockedPages
MmMapIoSpace
MmUnmapIoSpace
IoAllocateMdl
IoFreeMdl
RtlCompareMemory
ExUuidCreate
RtlInitUnicodeString
KeClearEvent
KeSetEvent
ExInterlockedInsertTailList
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
IoRegisterShutdownNotification
IoRegisterLastChanceShutdownNotification
IoUnregisterShutdownNotification
ObfDereferenceObject
MmGetSystemRoutineAddress
RtlCopyUnicodeString
RtlIsNtDdiVersionAvailable
KdDisableDebugger
KdEnableDebugger
IoAttachDeviceToDeviceStack
IoBuildSynchronousFsdRequest
IofCallDriver
IoInitializeRemoveLockEx
IoAcquireRemoveLockEx
IoReleaseRemoveLockEx
IoRegisterDeviceInterface
ZwClose
IoRegisterBootDriverReinitialization
IoRegisterDriverReinitialization
IoGetAttachedDevice
KdDebuggerEnabled
InitSafeBootMode
NtBuildNumber
IoReleaseRemoveLockAndWaitEx
KeInitializeDpc
KeFlushQueuedDpcs
KeInitializeTimer
KeCancelTimer
KeSetTimerEx
KeInsertQueue
RtlFreeUnicodeString
RtlStringFromGUID
ZwEnumerateValueKey
ZwSetValueKey
KeReadStateEvent
KeReadStateTimer
KeSetTimer
KeWaitForMultipleObjects
KeAcquireInStackQueuedSpinLock
KeReleaseInStackQueuedSpinLock
KeQueryActiveProcessorCountEx
KeDelayExecutionThread
IoAllocateIrp
IoBuildPartialMdl
IoFreeIrp
KeRemoveQueue
ExAllocatePoolWithTagPriority
ZwQueryValueKey
KeEnterCriticalRegion
KeLeaveCriticalRegion
IoDetachDevice
IoSetDeviceInterfaceState
ZwCreateFile
ZwOpenFile
ZwQueryInformationFile
ZwReadFile
ZwWriteFile
ZwDeleteFile
_vsnwprintf
_strnicmp
RtlGUIDFromString
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
ZwCreateKey
ZwOpenKey
ZwDeleteValueKey
RtlLengthSid
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
ZwSetSecurityObject
ObReferenceObjectByName
SeExports
KeGetCurrentIrql
IoGetStackLimits
ExEventObjectType
ExWindowStationObjectType
KeSetSystemGroupAffinityThread
KeRevertToUserGroupAffinityThread
KeQueryNodeActiveAffinity
KeQueryHighestNodeNumber
MmBuildMdlForNonPagedPool
MmAllocatePagesForMdlEx
MmFreePagesFromMdl
MmCreateMdl
ZwQuerySystemInformation
PsCreateSystemThread
ObReferenceObjectByHandle
KeInitializeQueue
KeRundownQueue
wcschr
RtlUnicodeStringToInteger
RtlEqualUnicodeString
IoAllocateErrorLogEntry
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
IoWriteErrorLogEntry
IoOpenDeviceRegistryKey
IoGetDevicePropertyData
ObfReferenceObject
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
RtlPrefixUnicodeString
RtlQueryRegistryValues
RtlCompareUnicodeString
PsGetVersion
ExAllocatePoolWithQuotaTag

Sections

.text
Size: 114KB - Virtual size: 113KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

EXTRA
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

CPATA
Size: 512B - Virtual size: 401B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 132B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
drv7/rxfcv.cat
drv7/rxfcv.inf
drv7/rxfcv.sys
.sys windows:10 windows x64 arch:x64

58ecbaaab3100bdda10da5c8f0945a4d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

E:\PROJECT\FancyCache\release\drv\winlh\amd64\rxfcv_srv_raw.pdb

Imports

rxbsknl.sys

RxbsCreateHyperDevice
RxbsCloseHyperDevice
RxbsSetParamHyperSystem
RxbsGetParamHyperSystem
RxbsStartHyperSystem
RxbsGetHyperSystemState
RxbsConnectHyperSystem
RxbsDisconnectHyperSystem

ntoskrnl.exe

KeSetPriorityThread
KeWaitForSingleObject
ExFreePoolWithTag
ExInterlockedRemoveHeadList
PsTerminateSystemThread
KeInitializeEvent
KeInitializeGuardedMutex
KeAcquireGuardedMutex
KeReleaseGuardedMutex
ExAllocatePoolWithTag
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
MmMapLockedPagesSpecifyCache
MmUnmapLockedPages
MmMapIoSpace
MmUnmapIoSpace
IoAllocateMdl
IoFreeMdl
RtlCompareMemory
ExUuidCreate
RtlInitUnicodeString
KeClearEvent
KeSetEvent
ExInterlockedInsertTailList
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
IoRegisterShutdownNotification
IoRegisterLastChanceShutdownNotification
IoUnregisterShutdownNotification
ObfDereferenceObject
RtlCopyUnicodeString
IoAttachDeviceToDeviceStack
IoBuildSynchronousFsdRequest
IofCallDriver
IoInitializeRemoveLockEx
IoAcquireRemoveLockEx
IoReleaseRemoveLockEx
IoRegisterDeviceInterface
ZwClose
IoRegisterBootDriverReinitialization
IoRegisterDriverReinitialization
IoGetAttachedDevice
InitSafeBootMode
IoReleaseRemoveLockAndWaitEx
KeInitializeDpc
KeFlushQueuedDpcs
KeInitializeTimer
KeCancelTimer
KeSetTimerEx
KeInsertQueue
RtlFreeUnicodeString
RtlStringFromGUID
ZwEnumerateValueKey
ZwSetValueKey
KeReadStateEvent
KeReadStateTimer
KeSetTimer
KeWaitForMultipleObjects
KeAcquireInStackQueuedSpinLock
KeReleaseInStackQueuedSpinLock
KeQueryActiveProcessorCount
KeDelayExecutionThread
IoAllocateIrp
IoBuildPartialMdl
IoFreeIrp
KeRemoveQueue
ExAllocatePoolWithTagPriority
ZwQueryValueKey
KeEnterCriticalRegion
KeLeaveCriticalRegion
IoDetachDevice
IoSetDeviceInterfaceState
ZwCreateFile
ZwOpenFile
ZwQueryInformationFile
ZwReadFile
ZwWriteFile
ZwDeleteFile
_vsnwprintf
RtlAppendUnicodeStringToString
KdDisableDebugger
KdEnableDebugger
ZwCreateSection
ZwMapViewOfSection
ZwUnmapViewOfSection
KdDebuggerEnabled
_strnicmp
RtlGUIDFromString
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
ZwCreateKey
ZwOpenKey
ZwDeleteValueKey
RtlLengthSid
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
ZwSetSecurityObject
ObReferenceObjectByName
SeExports
KeGetCurrentIrql
IoGetStackLimits
ExEventObjectType
ExWindowStationObjectType
KeBugCheckEx
KeRevertToUserAffinityThreadEx
KeSetSystemAffinityThreadEx
MmBuildMdlForNonPagedPool
MmAllocatePagesForMdlEx
MmFreePagesFromMdl
MmCreateMdl
MmGetPhysicalMemoryRanges
ZwQuerySystemInformation
PsCreateSystemThread
ObReferenceObjectByHandle
KeInitializeQueue
KeRundownQueue
wcschr
RtlUnicodeStringToInteger
RtlEqualUnicodeString
IoAllocateErrorLogEntry
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
IoWriteErrorLogEntry
IoOpenDeviceRegistryKey
ObfReferenceObject
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
RtlPrefixUnicodeString
RtlQueryRegistryValues
MmGetSystemRoutineAddress
RtlCompareUnicodeString

Sections

.text
Size: 121KB - Virtual size: 120KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

EXTRA
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

CPATA
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 196B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.juno
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
install.bat
.bat .vbs

Sharing

General

Malware Config

Signatures

Files

7bf6ee7f997d9058a8fa5739c928c0b5

Headers

File Characteristics

Imports

kernel32

Sections

.text Size: 64KB - Virtual size: 63KB

.rdata Size: 12KB - Virtual size: 10KB

.data Size: 16KB - Virtual size: 22KB

e47a7ca085c8d28af059a3defa00723f

Code Sign

33:00:00:00:61:c8:8b:12:9c:2a:7f:1d:87:00:00:00:00:00:61Certificate

Extended Key Usages

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0dCertificate

Key Usages

8d:30:04:fc:66:c0:bf:4e:c1:d7:5c:05:f9:f6:5a:37:56:e6:9b:e6:74:1c:e3:a3:9c:e3:a8:0c:f4:d5:8b:64Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

rxbsknl.sys

ntoskrnl.exe

Sections

.text Size: 114KB - Virtual size: 113KB

EXTRA Size: 8KB - Virtual size: 7KB

CPATA Size: 512B - Virtual size: 401B

.rdata Size: 8KB - Virtual size: 7KB

.data Size: 1024B - Virtual size: 2KB

.pdata Size: 6KB - Virtual size: 5KB

PAGE Size: 3KB - Virtual size: 2KB

INIT Size: 10KB - Virtual size: 10KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 512B - Virtual size: 132B

9653b3b7b9a2698ec8e96dd8b2ddea07

Code Sign

33:00:00:00:61:c8:8b:12:9c:2a:7f:1d:87:00:00:00:00:00:61Certificate

Extended Key Usages

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0dCertificate

Key Usages

c5:d4:fb:cf:05:7b:48:dd:fd:23:e5:a7:17:68:04:38:82:5d:f3:a9:c5:02:e4:78:54:1e:16:64:e4:d1:c7:c1Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

rxbsknl.sys

ntoskrnl.exe

Sections

.text Size: 127KB - Virtual size: 126KB

EXTRA Size: 10KB - Virtual size: 10KB

CPATA Size: 4KB - Virtual size: 4KB

.rdata Size: 16KB - Virtual size: 16KB

.data Size: 1024B - Virtual size: 2KB

.pdata Size: 6KB - Virtual size: 6KB

PAGE Size: 3KB - Virtual size: 2KB

INIT Size: 17KB - Virtual size: 16KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 512B - Virtual size: 200B

e47a7ca085c8d28af059a3defa00723f

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

rxbsknl.sys

ntoskrnl.exe

Sections

.text Size: 114KB - Virtual size: 113KB

EXTRA Size: 8KB - Virtual size: 7KB

CPATA Size: 512B - Virtual size: 401B

.rdata Size: 8KB - Virtual size: 7KB

.data Size: 1024B - Virtual size: 2KB

.pdata Size: 6KB - Virtual size: 5KB

PAGE Size: 3KB - Virtual size: 2KB

.text
Size: 64KB - Virtual size: 63KB

.rdata
Size: 12KB - Virtual size: 10KB

.data
Size: 16KB - Virtual size: 22KB

33:00:00:00:61:c8:8b:12:9c:2a:7f:1d:87:00:00:00:00:00:61
Certificate

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

8d:30:04:fc:66:c0:bf:4e:c1:d7:5c:05:f9:f6:5a:37:56:e6:9b:e6:74:1c:e3:a3:9c:e3:a8:0c:f4:d5:8b:64
Signer

.text
Size: 114KB - Virtual size: 113KB

EXTRA
Size: 8KB - Virtual size: 7KB

CPATA
Size: 512B - Virtual size: 401B

.rdata
Size: 8KB - Virtual size: 7KB

.data
Size: 1024B - Virtual size: 2KB

.pdata
Size: 6KB - Virtual size: 5KB

PAGE
Size: 3KB - Virtual size: 2KB

INIT
Size: 10KB - Virtual size: 10KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 132B

33:00:00:00:61:c8:8b:12:9c:2a:7f:1d:87:00:00:00:00:00:61
Certificate

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

c5:d4:fb:cf:05:7b:48:dd:fd:23:e5:a7:17:68:04:38:82:5d:f3:a9:c5:02:e4:78:54:1e:16:64:e4:d1:c7:c1
Signer

.text
Size: 127KB - Virtual size: 126KB

EXTRA
Size: 10KB - Virtual size: 10KB

CPATA
Size: 4KB - Virtual size: 4KB

.rdata
Size: 16KB - Virtual size: 16KB

.data
Size: 1024B - Virtual size: 2KB

.pdata
Size: 6KB - Virtual size: 6KB

PAGE
Size: 3KB - Virtual size: 2KB

INIT
Size: 17KB - Virtual size: 16KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 200B

.text
Size: 114KB - Virtual size: 113KB

EXTRA
Size: 8KB - Virtual size: 7KB

CPATA
Size: 512B - Virtual size: 401B

.rdata
Size: 8KB - Virtual size: 7KB

.data
Size: 1024B - Virtual size: 2KB

.pdata
Size: 6KB - Virtual size: 5KB

PAGE
Size: 3KB - Virtual size: 2KB

INIT
Size: 10KB - Virtual size: 10KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 132B

.text
Size: 121KB - Virtual size: 120KB

EXTRA
Size: 10KB - Virtual size: 9KB

CPATA
Size: 4KB - Virtual size: 4KB

.rdata
Size: 16KB - Virtual size: 15KB

.data
Size: 1024B - Virtual size: 2KB

.pdata
Size: 6KB - Virtual size: 6KB

PAGE
Size: 2KB - Virtual size: 2KB

INIT
Size: 16KB - Virtual size: 16KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 196B

.juno
Size: 4KB - Virtual size: 4KB