ScreenShot
| Created | 2021.06.29 11:18 | Machine | s1_win7_x6401 |
| Filename | d6 | ||
| Type | PE32+ executable (native) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 38 detected (NtRootKit, GenericKD, Retliften, Eldorado, Malfilter, MalDrv, Hijacker, CLASSIC, Malware@#2ttyxjwlgynhm, FETNILTER, R + Troj, ai score=81, ASMalwS, kcloud, Netfilter, R428224, Unsafe, Guntior, Izxv, malicious, confidence, 100%, susgen) | ||
| md5 | 530f12f8058199964d0b41f1856185ec | ||
| sha256 | bbc58fd69ce5fed6691dd8d2084e9b728add808ffd5ea8b42ac284b686f77d9a | ||
| ssdeep | 768:01ZqCQKy8IYdfWiUelR36ihR6nmRYsn5jS/OPNi7SbpG:0Nyq+4lRX6IHnsOVi7so | ||
| imphash | d252001e327cf09463aba69fb4de2125 | ||
| impfuzzy | 48:SjJ06oA8N+MwasthIqokKXPdZ/CM5lSDWsSuJns5ab:Oo3+MwDiqiZ/CCoVs5ab | ||
Network IP location
Signature (3cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 38 AntiVirus engines on VirusTotal as malicious |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | This executable has a PDB path |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | MAL_Netfilter_Dropper_Jun_2021_1 | Detect the dropper of Netfilter rootkit | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
fwpkclnt.sys
0x140008050 FwpmFilterAdd0
0x140008058 FwpmFilterDeleteById0
0x140008060 FwpsAcquireClassifyHandle0
0x140008068 FwpmCalloutAdd0
0x140008070 FwpsCompleteClassify0
0x140008078 FwpsAcquireWritableLayerDataPointer0
0x140008080 FwpsApplyModifiedLayerData0
0x140008088 FwpmSubLayerDeleteByKey0
0x140008090 FwpmSubLayerAdd0
0x140008098 FwpmTransactionAbort0
0x1400080a0 FwpmTransactionCommit0
0x1400080a8 FwpmTransactionBegin0
0x1400080b0 FwpmEngineClose0
0x1400080b8 FwpmEngineOpen0
0x1400080c0 FwpsCalloutUnregisterById0
0x1400080c8 FwpsReleaseClassifyHandle0
0x1400080d0 FwpsCalloutRegister1
ntoskrnl.exe
0x1400080e0 IoCreateFile
0x1400080e8 IoFreeIrp
0x1400080f0 IoGetRelatedDeviceObject
0x1400080f8 ObReferenceObjectByHandle
0x140008100 ObfDereferenceObject
0x140008108 ZwQueryInformationFile
0x140008110 ZwSetInformationFile
0x140008118 ZwReadFile
0x140008120 ZwWriteFile
0x140008128 ZwClose
0x140008130 IoFileObjectType
0x140008138 KeEnterCriticalRegion
0x140008140 KeLeaveCriticalRegion
0x140008148 PsTerminateSystemThread
0x140008150 KeSetBasePriorityThread
0x140008158 sprintf
0x140008160 CmUnRegisterCallback
0x140008168 CmRegisterCallbackEx
0x140008170 CmCallbackGetKeyObjectID
0x140008178 MmIsAddressValid
0x140008180 strlen
0x140008188 strncmp
0x140008190 strncpy
0x140008198 wcscat
0x1400081a0 wcslen
0x1400081a8 wcsncmp
0x1400081b0 RtlInitAnsiString
0x1400081b8 strcat
0x1400081c0 strcmp
0x1400081c8 strncat
0x1400081d0 IoAllocateIrp
0x1400081d8 ExAcquireSpinLockExclusive
0x1400081e0 ExReleaseSpinLockExclusive
0x1400081e8 wcscpy
0x1400081f0 RtlAnsiStringToUnicodeString
0x1400081f8 RtlFreeUnicodeString
0x140008200 RtlCreateSecurityDescriptor
0x140008208 RtlSetDaclSecurityDescriptor
0x140008210 KeResetEvent
0x140008218 KeInitializeTimerEx
0x140008220 KeSetTimerEx
0x140008228 PsCreateSystemThread
0x140008230 ZwCreateKey
0x140008238 ZwOpenKey
0x140008240 ZwFlushKey
0x140008248 ZwQueryValueKey
0x140008250 ZwSetValueKey
0x140008258 NtQueryInformationToken
0x140008260 RtlLengthSid
0x140008268 RtlConvertSidToUnicodeString
0x140008270 RtlCreateAcl
0x140008278 RtlAddAccessAllowedAce
0x140008280 RtlSetOwnerSecurityDescriptor
0x140008288 PsLookupProcessByProcessId
0x140008290 ObOpenObjectByPointer
0x140008298 ZwOpenProcessTokenEx
0x1400082a0 ZwSetSecurityObject
0x1400082a8 PsGetProcessImageFileName
0x1400082b0 PsProcessType
0x1400082b8 SeExports
0x1400082c0 strchr
0x1400082c8 strncpy_s
0x1400082d0 MmProbeAndLockPages
0x1400082d8 MmUnlockPages
0x1400082e0 IoAllocateMdl
0x1400082e8 IoFreeMdl
0x1400082f0 IoReuseIrp
0x1400082f8 __C_specific_handler
0x140008300 IofCallDriver
0x140008308 ExAllocatePoolWithTag
0x140008310 KeWaitForSingleObject
0x140008318 KeSetEvent
0x140008320 KeInitializeEvent
0x140008328 IoDeleteSymbolicLink
0x140008330 KeBugCheckEx
0x140008338 RtlCopyUnicodeString
0x140008340 ExFreePoolWithTag
0x140008348 RtlInitUnicodeString
0x140008350 strcpy
0x140008358 strstr
NETIO.SYS
0x140008000 WskCaptureProviderNPI
0x140008008 WskReleaseProviderNPI
0x140008010 WskDeregister
0x140008018 WskRegister
WDFLDR.SYS
0x140008028 WdfVersionBind
0x140008030 WdfVersionBindClass
0x140008038 WdfVersionUnbindClass
0x140008040 WdfVersionUnbind
EAT(Export Address Table) is none
fwpkclnt.sys
0x140008050 FwpmFilterAdd0
0x140008058 FwpmFilterDeleteById0
0x140008060 FwpsAcquireClassifyHandle0
0x140008068 FwpmCalloutAdd0
0x140008070 FwpsCompleteClassify0
0x140008078 FwpsAcquireWritableLayerDataPointer0
0x140008080 FwpsApplyModifiedLayerData0
0x140008088 FwpmSubLayerDeleteByKey0
0x140008090 FwpmSubLayerAdd0
0x140008098 FwpmTransactionAbort0
0x1400080a0 FwpmTransactionCommit0
0x1400080a8 FwpmTransactionBegin0
0x1400080b0 FwpmEngineClose0
0x1400080b8 FwpmEngineOpen0
0x1400080c0 FwpsCalloutUnregisterById0
0x1400080c8 FwpsReleaseClassifyHandle0
0x1400080d0 FwpsCalloutRegister1
ntoskrnl.exe
0x1400080e0 IoCreateFile
0x1400080e8 IoFreeIrp
0x1400080f0 IoGetRelatedDeviceObject
0x1400080f8 ObReferenceObjectByHandle
0x140008100 ObfDereferenceObject
0x140008108 ZwQueryInformationFile
0x140008110 ZwSetInformationFile
0x140008118 ZwReadFile
0x140008120 ZwWriteFile
0x140008128 ZwClose
0x140008130 IoFileObjectType
0x140008138 KeEnterCriticalRegion
0x140008140 KeLeaveCriticalRegion
0x140008148 PsTerminateSystemThread
0x140008150 KeSetBasePriorityThread
0x140008158 sprintf
0x140008160 CmUnRegisterCallback
0x140008168 CmRegisterCallbackEx
0x140008170 CmCallbackGetKeyObjectID
0x140008178 MmIsAddressValid
0x140008180 strlen
0x140008188 strncmp
0x140008190 strncpy
0x140008198 wcscat
0x1400081a0 wcslen
0x1400081a8 wcsncmp
0x1400081b0 RtlInitAnsiString
0x1400081b8 strcat
0x1400081c0 strcmp
0x1400081c8 strncat
0x1400081d0 IoAllocateIrp
0x1400081d8 ExAcquireSpinLockExclusive
0x1400081e0 ExReleaseSpinLockExclusive
0x1400081e8 wcscpy
0x1400081f0 RtlAnsiStringToUnicodeString
0x1400081f8 RtlFreeUnicodeString
0x140008200 RtlCreateSecurityDescriptor
0x140008208 RtlSetDaclSecurityDescriptor
0x140008210 KeResetEvent
0x140008218 KeInitializeTimerEx
0x140008220 KeSetTimerEx
0x140008228 PsCreateSystemThread
0x140008230 ZwCreateKey
0x140008238 ZwOpenKey
0x140008240 ZwFlushKey
0x140008248 ZwQueryValueKey
0x140008250 ZwSetValueKey
0x140008258 NtQueryInformationToken
0x140008260 RtlLengthSid
0x140008268 RtlConvertSidToUnicodeString
0x140008270 RtlCreateAcl
0x140008278 RtlAddAccessAllowedAce
0x140008280 RtlSetOwnerSecurityDescriptor
0x140008288 PsLookupProcessByProcessId
0x140008290 ObOpenObjectByPointer
0x140008298 ZwOpenProcessTokenEx
0x1400082a0 ZwSetSecurityObject
0x1400082a8 PsGetProcessImageFileName
0x1400082b0 PsProcessType
0x1400082b8 SeExports
0x1400082c0 strchr
0x1400082c8 strncpy_s
0x1400082d0 MmProbeAndLockPages
0x1400082d8 MmUnlockPages
0x1400082e0 IoAllocateMdl
0x1400082e8 IoFreeMdl
0x1400082f0 IoReuseIrp
0x1400082f8 __C_specific_handler
0x140008300 IofCallDriver
0x140008308 ExAllocatePoolWithTag
0x140008310 KeWaitForSingleObject
0x140008318 KeSetEvent
0x140008320 KeInitializeEvent
0x140008328 IoDeleteSymbolicLink
0x140008330 KeBugCheckEx
0x140008338 RtlCopyUnicodeString
0x140008340 ExFreePoolWithTag
0x140008348 RtlInitUnicodeString
0x140008350 strcpy
0x140008358 strstr
NETIO.SYS
0x140008000 WskCaptureProviderNPI
0x140008008 WskReleaseProviderNPI
0x140008010 WskDeregister
0x140008018 WskRegister
WDFLDR.SYS
0x140008028 WdfVersionBind
0x140008030 WdfVersionBindClass
0x140008038 WdfVersionUnbindClass
0x140008040 WdfVersionUnbind
EAT(Export Address Table) is none