netdrv[.]dll | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

netdrv.dll
Size

1.9MB
MD5

cf06e91b130c71e2f7855ef65335954b
SHA1

2c1b6e7098e2c8d8d7d17fe49a9697d8ff12ce81
SHA256

9189c8895ac10ae1f232c974b7fbd7c267dec9cb8d5e7164a849de8050bcad9f
SHA512

670b4fde4d8432eab58935c8d75249ce8aeabcbd6f0d1b539e6684af8af13943eecd8cba3b7853c6f7cf3375604940b8ca0f5e0894cc573a48698765fd9d33cf
SSDEEP

49152:C2dEHOl4Yylw294NgCTzcAsBuu8g+Dq12YNJ/DM4ZLTGM2DkNwtLiota:Mn94NgdTDfaMq5tu

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
netdrv.dll

Files

netdrv.dll
.dll windows:5 windows x64 arch:x64

4ccebd550e46569f1f686de0e1342365

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

Imports

ntdll

RtlLookupFunctionEntry
ZwQueryKey
ZwCreateKey
NtCompareTokens
ZwCancelIoFile
RtlReAllocateHeap
RtlOpenCurrentUser
ZwQueryValueKey
RtlTimeToTimeFields
ZwQueryVirtualMemory
ZwOpenKey
RtlGetDaclSecurityDescriptor
RtlCreateSecurityDescriptor
RtlSetGroupSecurityDescriptor
RtlEqualSid
RtlCreateAcl
RtlAddAccessDeniedAceEx
RtlCopySid
RtlValidSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlLengthSid
ZwOpenThreadToken
RtlGetOwnerSecurityDescriptor
RtlAddAccessAllowedAceEx
RtlGetAce
RtlGetSaclSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlSetSaclSecurityDescriptor
RtlFreeHeap
RtlAllocateHeap
LdrGetDllHandle
RtlExpandEnvironmentStrings_U
RtlDosPathNameToNtPathName_U
RtlGetFullPathName_U
ZwReleaseMutant
ZwAllocateUuids
RtlInitAnsiString
LdrLoadDll
LdrUnloadDll
LdrGetProcedureAddress
ZwResumeThread
ZwDelayExecution
RtlCreateUserThread
ZwSetInformationThread
CsrClientCallServer
ZwDuplicateObject
RtlExitUserThread
ZwTerminateThread
ZwResetEvent
ZwSetEvent
RtlUpcaseUnicodeChar
RtlCreateUnicodeString
RtlInitializeCriticalSection
RtlDeleteCriticalSection
ZwOpenSymbolicLinkObject
ZwDeviceIoControlFile
ZwQuerySymbolicLinkObject
ZwQueryInformationFile
ZwSetInformationFile
ZwFlushVirtualMemory
ZwFlushBuffersFile
ZwMapViewOfSection
ZwWriteFile
ZwCreateSection
ZwReadFile
ZwUnmapViewOfSection
ZwQuerySystemInformation
ZwDuplicateToken
ZwOpenFile
ZwCreateEvent
RtlFreeUnicodeString
ZwCreateFile
ZwWaitForSingleObject
ZwFsControlFile
ZwOpenProcess
ZwClose
ZwTerminateProcess
RtlLeaveCriticalSection
ZwOpenProcessToken
RtlEnterCriticalSection
ZwReleaseSemaphore
ZwCreateSemaphore
ZwWaitForMultipleObjects
ZwQueryInformationToken
RtlGetCurrentDirectory_U
RtlQueryEnvironmentVariable_U
RtlGetNativeSystemInformation
RtlInitUnicodeString
ZwQueryInformationProcess
ZwReadVirtualMemory
RtlxOemStringToUnicodeSize
RtlUnicodeStringToOemString
RtlOemStringToUnicodeString
NlsMbOemCodePageTag
RtlNtStatusToDosError
RtlxUnicodeStringToOemSize
RtlUnicodeStringToAnsiString
RtlxUnicodeStringToAnsiSize
RtlxAnsiStringToUnicodeSize
RtlUpcaseUnicodeString
NlsMbCodePageTag
RtlAnsiStringToUnicodeString
RtlCompareUnicodeString
RtlVirtualUnwind
ZwQueryAttributesFile
ZwOpenDirectoryObject
ZwQueryInformationThread
ZwCreateNamedPipeFile
RtlCaptureContext

bcrypt

BCryptDestroyKey
BCryptEncrypt
BCryptGenerateSymmetricKey
BCryptDeriveKey
BCryptOpenAlgorithmProvider
BCryptSecretAgreement
BCryptExportKey
BCryptFinalizeKeyPair
BCryptGenerateKeyPair
BCryptImportKeyPair
BCryptSetProperty
BCryptCloseAlgorithmProvider
BCryptDestroySecret

kernel32

WaitForMultipleObjectsEx
IsDebuggerPresent
OutputDebugStringW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
InitializeSListHead
TerminateProcess
WakeAllConditionVariable
SleepConditionVariableSRW
SetEnvironmentVariableW
GetCurrentThreadId
GetCurrentProcessId
InitOnceExecuteOnce
GetSystemTimeAsFileTime
QueryPerformanceFrequency
GetProcAddress
GetModuleHandleW
QueryPerformanceCounter
VirtualFree
CompareStringW
InitOnceComplete
InitOnceBeginInitialize
QueryFullProcessImageNameW
WerUnregisterMemoryBlock
FindVolumeClose
GetVolumePathNamesForVolumeNameW
FindNextVolumeW
FindFirstVolumeW
InitializeCriticalSection
UnlockFileEx
GetFileSizeEx
K32GetMappedFileNameW
WerRegisterMemoryBlock
QueryDosDeviceW
GetCurrentDirectoryW
CreateDirectoryW
GetFullPathNameW
SetFileTime
GetFileInformationByHandle
FindClose
FindFirstFileW
DuplicateHandle
GetWindowsDirectoryW
GetFileSize
ReadFile
SetFilePointer
GetEnvironmentVariableW
MultiByteToWideChar
LocalFree
GlobalMemoryStatusEx
OpenProcess
GetLongPathNameW
GetProcessAffinityMask
DeviceIoControl
GetSystemDirectoryW
GetSystemWindowsDirectoryW
GetFileAttributesW
GetShortPathNameW
GetModuleFileNameW
ExpandEnvironmentStringsW
GetCurrentThread
GetTickCount
Sleep
GetCurrentProcess
GetVersionExW
GetSystemInfo
LeaveCriticalSection
EnterCriticalSection
HeapFree
GetProcessHeap
HeapAlloc
SetEvent
CreateEventW
FreeLibrary
VirtualAlloc
WriteFile
LockFileEx
MapViewOfFile
CreateFileMappingW
CloseHandle
CreateFileW
UnlockFile
UnmapViewOfFile
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
RaiseException
WideCharToMultiByte
SetLastError
DeleteCriticalSection
GetLastError
InitializeCriticalSectionEx

advapi32

RegCreateKeyExW
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
QueryServiceStatus
QueryServiceLockStatusW
CloseServiceHandle
OpenSCManagerW
ImpersonateLoggedOnUser
RevertToSelf
OpenThreadToken
ConvertStringSecurityDescriptorToSecurityDescriptorW
AddAce
InitializeAcl
GetLengthSid
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
GetSidSubAuthority
GetSidSubAuthorityCount
FreeSid
OpenProcessToken
GetTokenInformation
EventWriteTransfer
EventRegister
EventUnregister
StartServiceW
OpenServiceW
AllocateAndInitializeSid
DuplicateToken
CheckTokenMembership

ole32

CoInitializeEx
CoUninitialize

rpcrt4

I_RpcBindingInqLocalClientPID
RpcServerListen
RpcServerRegisterIf2
NdrServerCall2
NdrServerCallAll
RpcMgmtStopServerListening
RpcServerUnregisterIf
RpcServerUseProtseqEpW

shell32

SHGetFolderPathW

Exports

Exports

rundll
on_avast_dll_unload

Sections

.text
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 418KB - Virtual size: 417KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 56KB - Virtual size: 56KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4ccebd550e46569f1f686de0e1342365

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntdll

bcrypt

kernel32

advapi32

ole32

rpcrt4

shell32

Exports

Exports

Sections

.text Size: 1.4MB - Virtual size: 1.4MB

.rdata Size: 418KB - Virtual size: 417KB

.data Size: 6KB - Virtual size: 32KB

.pdata Size: 56KB - Virtual size: 56KB

.rsrc Size: 18KB - Virtual size: 18KB

.reloc Size: 10KB - Virtual size: 10KB

.text
Size: 1.4MB - Virtual size: 1.4MB

.rdata
Size: 418KB - Virtual size: 417KB

.data
Size: 6KB - Virtual size: 32KB

.pdata
Size: 56KB - Virtual size: 56KB

.rsrc
Size: 18KB - Virtual size: 18KB

.reloc
Size: 10KB - Virtual size: 10KB