Summary field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_NATIVE |
Compilation Date | 2011-Oct-17 19:06:28 |
Detected languages | English - United States |
CompanyName | IBM Corporation © |
FileDescription | IBM ServeRAID Controller Driver |
FileVersion | 4.33.0.12 |
InternalName | nfrd965.sys |
InternalCopyright | (C) Copyright IBM Corp. 1994, 2002. |
OriginalFilename | nfrd965.sys |
ProductName | IBM ServeRAID Contoller |
ProductVersion | 4.33.0.12 |
Level | Finding | Details |
---|---|---|
Info | Matching compiler(s): | Microsoft Visual C++; Microsoft Visual C++ v6.0; Microsoft Visual C++ v5.0/v6.0 (MFC) |
Suspicious | The PE is possibly packed. | Section INIT is both writable and executable. |
Suspicious | The PE contains functions most legitimate programs don't use. | Uses Windows's Native API: |
Malicious | VirusTotal score: 57/70 (Scanned on 2019-12-10 05:44:41) | See engine detections below. |

Engine | Detection |
---|---|
Bkav | W32.DuquB.Trojan |
DrWeb | Trojan.Duqu.2 |
MicroWorld-eScan | Trojan.GenericKD.31198582 |
CMC | Trojan.Win32.Duqu!O |
CAT-QuickHeal | Trojan.Duqu |
McAfee | PWS-Duqu!rootkit.a |
Cylance | Unsafe |
Zillya | Trojan.Duqu.Win32.2 |
Sangfor | Malware |
K7AntiVirus | Trojan ( 002d98161 ) |
Alibaba | Trojan:Win32/Duqu.592b6e09 |
K7GW | Riskware ( 0015e4f01 ) |
Cybereason | malicious.148232 |
F-Prot | W32/Duqu.C |
Symantec | Trojan.Gen.2 |
ESET-NOD32 | Win32/Duqu.A |
Paloalto | generic.ml |
ClamAV | Win.Trojan.Duqu-7 |
Kaspersky | Trojan.Win32.Duqu.a |
BitDefender | Trojan.GenericKD.31198582 |
NANO-Antivirus | Trojan.Win32.Duqu.eorzg |
ViRobot | Trojan.Win32.Duqu.24960 |
Avast | Win32:Duqu-B [Rtk] |
Endgame | malicious (high confidence) |
Sophos | Mal/Duqu-A |
Comodo | TrojWare.Win32.Duqu.A@4k81p1 |
F-Secure | Trojan.TR/Duqu.A.1 |
VIPRE | Trojan.Win32.Duqu.a (v) |
TrendMicro | RTKT_DUQU.A |
McAfee-GW-Edition | PWS-Duqu!rootkit.a |
Trapmine | suspicious.low.ml.score |
FireEye | Trojan.GenericKD.31198582 |
Emsisoft | Trojan.GenericKD.31198582 (B) |
Cyren | W32/Duqu.BOQU-9196 |
Jiangmin | Trojan/Duqu.b |
Webroot | W32.Trojan.Gen |
Avira | TR/Duqu.A.1 |
MAX | malware (ai score=100) |
Antiy-AVL | Trojan/Win32.Duqu |
Microsoft | Trojan:WinNT/Duqu.B |
Arcabit | Trojan.Generic.D1DC0D76 |
ZoneAlarm | Trojan.Win32.Duqu.a |
GData | Trojan.GenericKD.31198582 |
AhnLab-V3 | Trojan/Win32.Duqu.R13984 |
VBA32 | Trojan.Duqu.2102 |
ALYac | Trojan.Agent.duqu |
TACHYON | Trojan/W32.Duqu.24960.B |
Ad-Aware | Trojan.GenericKD.31198582 |
TrendMicro-HouseCall | RTKT_DUQU.A |
Rising | Trojan.Duqu!8.49A6 (TFE:3:7q87n6NWGJD) |
Yandex | Trojan.Duqu!o6SU6/Pq/F4 |
Ikarus | Trojan.Win32.Duqu |
Fortinet | W32/Duqu.A |
AVG | Win32:Duqu-B [Rtk] |
Panda | Generic Malware |
CrowdStrike | win/malicious_confidence_100% (W) |
Qihoo-360 | Malware.Radar01.Gen |
DOS header field | Value |
---|---|
e_magic | MZ |
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xe8 |
PE header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 6 |
TimeDateStamp | 2011-Oct-17 19:06:28 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE |
Optional header field | Value |
---|---|
Magic | PE32 |
LinkerVersion | 8.0 |
SizeOfCode | 0x3600 |
SizeOfInitializedData | 0x2880 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x00000570 (Section: .text) |
BaseOfCode | 0x300 |
BaseOfData | 0x3380 |
ImageBase | 0x10000 |
SectionAlignment | 0x80 |
FileAlignment | 0x80 |
OperatingSystemVersion | 6.0 |
ImageVersion | 6.0 |
SubsystemVersion | 5.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x6180 |
SizeOfHeaders | 0x300 |
Checksum | 0x13ee1 |
Subsystem | IMAGE_SUBSYSTEM_NATIVE |
SizeofStackReserve | 0x40000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
Import library | Imported functions |
---|---|
ntoskrnl.exe | IoDeleteDevice, IoFreeWorkItem, MmUnmapIoSpace, MmGetPhysicalAddress, ExAllocatePool, IoAllocateWorkItem, MmMapIoSpace, IoAttachDeviceToDeviceStack, IoCreateSymbolicLink, IoInitializeRemoveLockEx, IoCreateDevice, IoQueueWorkItem, RtlInitUnicodeString, ZwClose, ZwOpenFile, ZwQueryInformationFile, KdDebuggerEnabled, InitSafeBootMode, IofCompleteRequest, RtlDeleteElementGenericTable, KeGetCurrentThread, RtlLookupElementGenericTable, RtlInitializeGenericTable, RtlInsertElementGenericTable, RtlUpcaseUnicodeChar, IoRegisterDriverReinitialization, ExFreePoolWithTag, ZwReadFile, IoDeleteSymbolicLink, ZwAllocateVirtualMemory, KeInitializeMutex, KeReleaseMutex, KeWaitForSingleObject, ZwQueryValueKey, ZwOpenKey, _stricmp, MmGetSystemRoutineAddress, PsGetVersion, ZwQueryInformationProcess, ObOpenObjectByPointer, PsLookupProcessByProcessId, ObfDereferenceObject, memcpy, _except_handler3, memset |
HAL.dll | KfAcquireSpinLock, KeGetCurrentIrql, KfReleaseSpinLock |
Version info field | Value |
---|---|
Signature | 0xfeef04bd |
StructVersion | 0x10000 |
FileVersion | 4.33.0.12 |
ProductVersion | 4.33.0.12 |
FileFlags | (EMPTY) |
FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32 |
FileType | VFT_DRV |
FileSubtype | VFT2_UNKNOWN |
Language | English - United States |
CompanyName | IBM Corporation © |
FileDescription | IBM ServeRAID Controller Driver |
FileVersion (#2) | 4.33.0.12 |
InternalName | nfrd965.sys |
InternalCopyright | (C) Copyright IBM Corp. 1994, 2002. |
OriginalFilename | nfrd965.sys |
ProductName | IBM ServeRAID Contoller |
ProductVersion (#2) | 4.33.0.12 |
Resource LangID | English - United States |
Load configuration field | Value |
---|---|
Size | 0x48 |
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x15348 |
SEHandlerTable | 0x15090 |
SEHandlerCount | 1 |
Rich header field | Value |
---|---|
XOR Key | 0x90d576c6 |
Unmarked objects | 0 |
C objects (VS2012 build 50727 / VS2005 build 50727) | 2 |
Total imports | 49 |
19 (9049) | 5 |
C objects (VS2008 SP1 build 30729) | 2 |
113 (VS2012 build 50727 / VS2005 build 50727) | 32 |
Resource objects (VS2012 build 50727 / VS2005 build 50727) | 1 |
Linker (VS2012 build 50727 / VS2005 build 50727) | 1 |