Architecture | IMAGE_FILE_MACHINE_AMD64 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date | 2021-Feb-11 10:52:58 |
Detected languages | English - United States |
CompanyName | UG North |
FileDescription | Kernel Driver Utility |
FileVersion | 1.0.2.2102 |
InternalName | Hamakaze.exe |
LegalCopyright | Copyright (C) 2020 - 2021 KDU Project |
OriginalFilename | Hamakaze.exe |
ProductName | KDU |
ProductVersion | 1.0.2.2102 |
Suspicious | Strings found in the binary may indicate undesirable behavior: | May have dropper capabilities: |
Info | Cryptographic algorithms detected in the binary: | Uses constants related to AES |
Suspicious | The PE is possibly packed. | Unusual section name found: iris |
Suspicious | The PE contains functions most legitimate programs don't use. | [!] The program may be hiding some of its imports: |
Info | The PE's resources present abnormal characteristics. | Resources 100, 103, 105, 106, 107, 108, 109, 110, 111 and 112 are possibly compressed or encrypted. |
Malicious | VirusTotal score: 38/69 (Scanned on 2021-04-05 19:27:59) | Vendor verdicts are listed in the table below |

Vendor | Verdict |
---|---|
FireEye | Trojan.GenericKD.36422379 |
CAT-QuickHeal | Trojan.Kdu |
McAfee | RDN/Generic PUP.z |
Cylance | Unsafe |
Zillya | Tool.KDU.Win64.724 |
K7AntiVirus | Trojan ( 00572ba41 ) |
K7GW | Trojan ( 00572ba41 ) |
Cybereason | malicious.933289 |
Cyren | W64/Trojan.OJHG-0833 |
Symantec | Trojan.Gen.2 |
ESET-NOD32 | a variant of Win64/Riskware.KDU.A |
TrendMicro-HouseCall | TROJ_FRS.VSNW03C21 |
Kaspersky | HEUR:HackTool.Win64.KernelDrUtil.gen |
BitDefender | Trojan.GenericKD.36422379 |
Paloalto | generic.ml |
MicroWorld-eScan | Trojan.GenericKD.36422379 |
Ad-Aware | Trojan.GenericKD.36422379 |
Emsisoft | Trojan.GenericKD.36422379 (B) |
VIPRE | Trojan.Win32.Generic!BT |
TrendMicro | TROJ_FRS.VSNW03C21 |
McAfee-GW-Edition | RDN/Generic PUP.z |
Sophos | Generic PUA NA (PUA) |
GData | Trojan.GenericKD.36422379 |
Webroot | W32.Malware.Gen |
MAX | malware (ai score=99) |
Gridinsoft | Trojan.Heur!.02014023 |
Arcabit | Trojan.Generic.D22BC2EB |
ZoneAlarm | HEUR:HackTool.Win64.KernelDrUtil.gen |
Microsoft | PUA:Win32/Presenoker |
AhnLab-V3 | Malware/Win64.Generic.C4370492 |
ALYac | Trojan.GenericKD.36422379 |
Malwarebytes | Malware.AI.2509818333 |
Rising | PUA.Presenoker!8.F608 (CLOUD) |
Yandex | Trojan.Igent.bVumLh.27 |
Fortinet | Riskware/Generic_PUA_NA |
MaxSecure | Trojan.Malware.115606560.susgen |
Panda | Trj/Agent.AJS |
Qihoo-360 | Win64/HackTool.Generic.HgEASRgA |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x108 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_AMD64 |
NumberofSections | 8 |
TimeDateStamp | 2021-Feb-11 10:52:58 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xf0 |
Characteristics | IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE |
Magic | PE32+ |
---|---|
LinkerVersion | 14.0 |
SizeOfCode | 0x19e00 |
SizeOfInitializedData | 0x34e00 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0000000000007670 (Section: .text) |
BaseOfCode | 0x1000 |
ImageBase | 0x140000000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 6.0 |
ImageVersion | 0.0 |
SubsystemVersion | 6.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x55000 |
SizeOfHeaders | 0x400 |
Checksum | 0x4eeff |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
KERNEL32.dll | SetLastError, GetCurrentProcessId, VirtualUnlock, VirtualLock, HeapSetInformation, GetModuleHandleW, FreeLibrary, DeleteFileW, GetCommandLineW, GetSystemInfo, GetSystemTimeAsFileTime, GetFirmwareEnvironmentVariableW, WriteConsoleW, GetProcAddress, GetSystemDirectoryA, LoadLibraryExA, CreateEventW, WaitForSingleObject, VirtualAlloc, VirtualFree, Sleep, GetLastError, CreateFileW, CloseHandle, HeapReAlloc, HeapSize, SetFilePointerEx, GetFileSizeEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, GetProcessHeap, GetStringTypeW, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, GetFileType, LCMapStringW, CompareStringW, HeapFree, HeapAlloc, GetCommandLineA, GetModuleHandleExW, TerminateProcess, ExitProcess, GetCurrentProcess, GetModuleFileNameW, WriteFile, GetStdHandle, QueryPerformanceCounter, GetCurrentThreadId, InitializeSListHead, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, RtlUnwindEx, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, RaiseException |
---|---|
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegSetKeyValueW, RegCloseKey, RegOpenKeyW, RegDeleteKeyW |
ntdll.dll | RtlTimeToSecondsSince1970, NtLoadDriver, RtlSetLastWin32Error, NtCreateFile, RtlCreateSecurityDescriptor, RtlCreateAcl, RtlInitString, RtlFreeHeap, NtQueryDirectoryObject, RtlExpandEnvironmentStrings, NtOpenDirectoryObject, NtFlushBuffersFile, RtlValidSecurityDescriptor, RtlAddAccessAllowedAce, RtlLengthRequiredSid, RtlLengthSid, LdrFindResource_U, RtlDosPathNameToNtPathName_U, LdrAccessResource, RtlSetDaclSecurityDescriptor, RtlSubAuthoritySid, NtUnloadDriver, NtWriteFile, RtlAllocateHeap, LdrGetProcedureAddress, RtlInitializeSid, NtOpenProcessToken, RtlLengthSecurityDescriptor, NtAdjustPrivilegesToken, NtOpenProcess, NtDuplicateObject, NtSetSecurityObject, RtlDoesFileExists_U, RtlGetVersion, RtlNtStatusToDosError, NtDeviceIoControlFile, NtQuerySystemInformation, NtClose, RtlImageNtHeader, LdrLoadDll, RtlInitUnicodeString, RtlFreeUnicodeString |
msdelta.dll | ApplyDeltaB, DeltaFree |
Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 1.0.2.2102 |
ProductVersion | 1.0.2.2102 |
FileFlags | (EMPTY) |
FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32 |
FileType | VFT_APP |
Language | English - United States |
CompanyName | UG North |
FileDescription | Kernel Driver Utility |
FileVersion (#2) | 1.0.2.2102 |
InternalName | Hamakaze.exe |
LegalCopyright | Copyright (C) 2020 - 2021 KDU Project |
OriginalFilename | Hamakaze.exe |
ProductName | KDU |
ProductVersion (#2) | 1.0.2.2102 |
Resource LangID | English - United States |
Characteristics | 0 |
---|---|
TimeDateStamp | 2021-Feb-11 10:52:58 |
Version | 0.0 |
SizeofData | 0 |
AddressOfRawData | 0 |
PointerToRawData | 0 |
Size | 0x138 |
---|---|
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x140029028 |
XOR Key | 0x7b391e20 |
---|---|
Unmarked objects | 0 |
C objects (27412) | 11 |
ASM objects (27412) | 5 |
C++ objects (27412) | 137 |
C++ objects (VS 2015/2017/2019 runtime 29804) | 37 |
C objects (VS 2015/2017/2019 runtime 29804) | 16 |
ASM objects (VS 2015/2017/2019 runtime 29804) | 9 |
Imports (27412) | 9 |
Total imports | 153 |
265 (29812) | 30 |
Resource objects (29812) | 1 |
151 | 1 |
Linker (29812) | 1 |