c9a31ea148232b201fe7cb7db5c75f5e

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_NATIVE
Compilation Date 2011-Oct-17 19:06:28
Detected languages English - United States
CompanyName IBM Corporation ©
FileDescription IBM ServeRAID Controller Driver
FileVersion 4.33.0.12
InternalName nfrd965.sys
InternalCopyright (C) Copyright IBM Corp. 1994, 2002.
OriginalFilename nfrd965.sys
ProductName IBM ServeRAID Contoller
ProductVersion 4.33.0.12

Plugin Output

Info Matching compiler(s): Microsoft Visual C++
Microsoft Visual C++ v6.0
Microsoft Visual C++ v5.0/v6.0 (MFC)
Suspicious The PE is possibly packed. Unusual section name found: INIT
Section INIT is both writable and executable.
Suspicious The PE contains functions most legitimate programs don't use. Uses Windows's Native API:
  • ZwClose
  • ZwOpenFile
  • ZwQueryInformationFile
  • ZwReadFile
  • ZwAllocateVirtualMemory
  • ZwQueryValueKey
  • ZwOpenKey
  • ZwQueryInformationProcess
Malicious VirusTotal score: 57/71 (Scanned on 2019-07-27 06:11:54)
Bkav: W32.DuquB.Trojan
MicroWorld-eScan: Trojan.GenericKD.31198582
CMC: Trojan.Win32.Duqu!O
ALYac: Trojan.Agent.duqu
Cylance: Unsafe
Alibaba: Trojan:Win32/Duqu.aaff82de
K7GW: Riskware ( 0015e4f01 )
K7AntiVirus: Trojan ( 002d98161 )
Arcabit: Trojan.Generic.D1DC0D76
TrendMicro: RTKT_DUQU.A
NANO-Antivirus: Trojan.Win32.Duqu.eorzg
F-Prot: W32/Duqu.C
Symantec: Trojan.Gen.2
TotalDefense: Win32/Duqu.A
Paloalto: generic.ml
ClamAV: Win.Trojan.Duqu-7
Kaspersky: Trojan.Win32.Duqu.a
BitDefender: Trojan.GenericKD.31198582
AegisLab: Trojan.Win32.Duqu.4!c
Avast: Win32:Duqu-B [Rtk]
Tencent: Win32.Trojan.Duqu.Taop
Ad-Aware: Trojan.GenericKD.31198582
Emsisoft: Trojan.GenericKD.31198582 (B)
Comodo: TrojWare.Win32.Duqu.A@4k81p1
DrWeb: Trojan.Duqu.2
Zillya: Trojan.Duqu.Win32.2
McAfee-GW-Edition: PWS-Duqu!rootkit
Fortinet: W32/Duqu.A
FireEye: Trojan.GenericKD.31198582
Sophos: Mal/Duqu-A
Ikarus: Trojan.Win32.Duqu
Cyren: W32/Duqu.BOQU-9196
Jiangmin: Trojan/Duqu.b
Webroot: W32.Trojan.Gen
Avira: TR/Duqu.A.1
MAX: malware (ai score=100)
Antiy-AVL: Trojan/Win32.Duqu
Endgame: malicious (high confidence)
Microsoft: Trojan:WinNT/Duqu.B
ViRobot: Trojan.Win32.Duqu.24960
ZoneAlarm: Trojan.Win32.Duqu.a
AhnLab-V3: Trojan/Win32.Duqu.R13984
McAfee: PWS-Duqu!rootkit
TACHYON: Trojan/W32.Duqu.24960.B
VBA32: Trojan.Duqu.2102
ESET-NOD32: Win32/Duqu.A
TrendMicro-HouseCall: RTKT_DUQU.A
Rising: Trojan.Duqu!8.49A6 (TFE:3:7q87n6NWGJD)
Yandex: Trojan.Duqu!o6SU6/Pq/F4
SentinelOne: DFI - Suspicious PE
MaxSecure: Trojan.Malware.3138161.susgen
GData: Trojan.GenericKD.31198582
AVG: Win32:Duqu-B [Rtk]
Cybereason: malicious.148232
Panda: Generic Malware
CrowdStrike: win/malicious_confidence_100% (W)
Qihoo-360: Malware.Radar01.Gen

Hashes

MD5 c9a31ea148232b201fe7cb7db5c75f5e
SHA1 b3074b26b346cb76605171ba19616baf821acf66
SHA256 9d88425e266b3a74045186837fbd71de657b47d11efefcf8b3cd185a884b5306
SHA3 b637d2021c6b85c373c5d5d86b84acb20e7a7f13f5d1384e3b382a89e9b726f8
SSDeep 384:bJu/osVhICBqnHH1vZGHvCzQ3T022+u/IlCq7HuekK4:lw/rBQnVgHvqQ392//MRkK4
Imports Hash c4b26918bdf8111b995d424e073d2d2a

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 6
TimeDateStamp 2011-Oct-17 19:06:28
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 8.0
SizeOfCode 0x3600
SizeOfInitializedData 0x2880
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00000570 (Section: .text)
BaseOfCode 0x300
BaseOfData 0x3380
ImageBase 0x10000
SectionAlignment 0x80
FileAlignment 0x80
OperatingSystemVersion 6.0
ImageVersion 6.0
SubsystemVersion 5.0
Win32VersionValue 0
SizeOfImage 0x6180
SizeOfHeaders 0x300
Checksum 0x13ee1
Subsystem IMAGE_SUBSYSTEM_NATIVE
SizeofStackReserve 0x40000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 60db5f00e6f7f73fbae1ec3e55c4a2d7
SHA1 975fa50e957b3420b30cbb192fd4e3a42c0b8775
SHA256 ea149efd09e9380e535e79f3af1ca0d84c2bc9b0ab5f1f652292dd6effdd6448
SHA3 49baa509c1810a642cbf928819dad649eabf75859b69495a7d37d0860257867b
VirtualSize 0x3011
VirtualAddress 0x300
SizeOfRawData 0x3080
PointerToRawData 0x300
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
Entropy 6.30767

.rdata

MD5 d8fbc4bea9cd1185ae4a4b47caec08c8
SHA1 2e045c5d5418c7561afe3597eeebeaa9c31cdb41
SHA256 25dc1a77156c2198aa5ccddfffcd1b3b3d2b5e44e143b7ccdc9ed170de06830c
SHA3 e4a70ca88e742c1df1309de54dacf80f87c255c180b99e7ba1f53ec74c4a2172
VirtualSize 0x1d94
VirtualAddress 0x3380
SizeOfRawData 0x1e00
PointerToRawData 0x3380
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
Entropy 5.12571

.data

MD5 54e7fd1d5d2c6236058e5c8e96b06a1d
SHA1 d825a6748e604ab561bc9dca970c040aed80516e
SHA256 a3dfab7739814ee7060492073652fff3359930b7c624bcf6affd26f30b48675e
SHA3 7116f0336b30833cef8739ce0174410c5ac90b3ae756f5ccd7c8bff6f4719918
VirtualSize 0x274
VirtualAddress 0x5180
SizeOfRawData 0x280
PointerToRawData 0x5180
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 6.08744

INIT

MD5 373f1bfdbcc433bd3122b396e10fbc78
SHA1 b69d7bfa9c609d07ca7e47e6ae7dc4697dc46cfe
SHA256 991d8e38f68490863c7e67dfe43fd5f1798adda99228cc6f10663040aa5ed9d0
SHA3 b76841b3be7e09b31a43c62e619f175c414f0ca3e92a3f516dcc2b8438f46c8e
VirtualSize 0x522
VirtualAddress 0x5400
SizeOfRawData 0x580
PointerToRawData 0x5400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.02773

.rsrc

MD5 3565ffac6fc43522c36b31b7b6c38b16
SHA1 b54ff9de94bf8da10c98f9df865917cb0a00b259
SHA256 eb1e45c0009436564074d8a237c019795db33a3f18dd1ff05c99cf33c6f158cd
SHA3 8a7c776bed573b9151321546f53a28e764f6c29d1b4a372ea2ba7eb41ba6f8de
VirtualSize 0x388
VirtualAddress 0x5980
SizeOfRawData 0x400
PointerToRawData 0x5980
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 3.7389

.reloc

MD5 b27d63fd960e42876dc4cd1906080432
SHA1 8282b54a58730ad9c319fb20ca329e8effb3b39f
SHA256 b3f9cddf6ea4170236cd50fc4dcad659f835444eb0d594c2d6f56ec978d1c8fc
SHA3 524df3de2a374b7079b7d6e73e905d735291d38b2da92696316a253d73b83c89
VirtualSize 0x3c4
VirtualAddress 0x5d80
SizeOfRawData 0x400
PointerToRawData 0x5d80
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 4.95603

Imports

ntoskrnl.exe
IoDeleteDevice
IoFreeWorkItem
MmUnmapIoSpace
MmGetPhysicalAddress
ExAllocatePool
IoAllocateWorkItem
MmMapIoSpace
IoAttachDeviceToDeviceStack
IoCreateSymbolicLink
IoInitializeRemoveLockEx
IoCreateDevice
IoQueueWorkItem
RtlInitUnicodeString
ZwClose
ZwOpenFile
ZwQueryInformationFile
KdDebuggerEnabled
InitSafeBootMode
IofCompleteRequest
RtlDeleteElementGenericTable
KeGetCurrentThread
RtlLookupElementGenericTable
RtlInitializeGenericTable
RtlInsertElementGenericTable
RtlUpcaseUnicodeChar
IoRegisterDriverReinitialization
ExFreePoolWithTag
ZwReadFile
IoDeleteSymbolicLink
ZwAllocateVirtualMemory
KeInitializeMutex
KeReleaseMutex
KeWaitForSingleObject
ZwQueryValueKey
ZwOpenKey
_stricmp
MmGetSystemRoutineAddress
PsGetVersion
ZwQueryInformationProcess
ObOpenObjectByPointer
PsLookupProcessByProcessId
ObfDereferenceObject
memcpy
_except_handler3
memset
HAL.dll
KfAcquireSpinLock
KeGetCurrentIrql
KfReleaseSpinLock

Delayed Imports

1

Type RT_VERSION
Language English - United States
Codepage Latin 1 / Western European
Size 0x330
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.4612
MD5 aa0262170fe39ace3f8e0cd00f20ba5b
SHA1 a0c12f38f899a02d860cf3bfba7ada2b4127826a
SHA256 70567ac88f02ca385a55e146d89cb8ce205cf64cdf70c5274839baafba8c879e
SHA3 caee985278ee1974409ce6627c11536aed5553fcc6dcb3dbd0656bf7374e323f

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 4.33.0.12
ProductVersion 4.33.0.12
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_DRV
FileSubtype VFT2_UNKNOWN
Language English - United States
CompanyName IBM Corporation ©
FileDescription IBM ServeRAID Controller Driver
FileVersion (#2) 4.33.0.12
InternalName nfrd965.sys
InternalCopyright (C) Copyright IBM Corp. 1994, 2002.
OriginalFilename nfrd965.sys
ProductName IBM ServeRAID Contoller
ProductVersion (#2) 4.33.0.12
Resource LangID English - United States

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x15348
SEHandlerTable 0x15090
SEHandlerCount 1

RICH Header

XOR Key 0x90d576c6
Unmarked objects 0
C objects (VS2012 build 50727 / VS2005 build 50727) 2
Total imports 49
19 (9049) 5
C objects (VS2008 SP1 build 30729) 2
113 (VS2012 build 50727 / VS2005 build 50727) 32
Resource objects (VS2012 build 50727 / VS2005 build 50727) 1
Linker (VS2012 build 50727 / VS2005 build 50727) 1

Errors