7a9d34e4-c660-4388-ab61-4fd6f6bf1ad4
avkiller.sys
Description
Sophos, from time to time, has observed a threat actor deploy variants of Poortry on different machines within a single estate during an attack. These variants contain the same payload, but signed with a different certificate than the driver first seen used during the attack.
This download link contains the malicious driver!
Commands
sc.exe create avkiller.sys binPath=C:\windows\temp\avkiller.sys type=kernel && sc.exe start avkiller.sys
Use Case | Privileges | Operating System |
---|---|---|
Elevate privileges | kernel | Windows 10 |
Detections
YARA 🏹
Resources
Known Vulnerable Samples
Property | Value |
---|---|
Filename | |
Creation Timestamp | 2024-03-06 07:44:38 |
MD5 | a8480c3b63db47212041042685afd753 |
SHA1 | 009328378ad988c7bc5b1e0f29837f52663b55d6 |
SHA256 | b6cb163089f665c05d607a465f1b6272cdd5c949772ab9ce7227120cf61f971a |
Authentihash MD5 | 7f0c6c15be6d37232ec196b64fc20ba6 |
Authentihash SHA1 | bbea672633fa3be7dac0585673f4cfabca0d980c |
Authentihash SHA256 | 6365024365fb0899e8a81735369a2e01f55523888e84b091858b48ef14a79e23 |
RichPEHeaderHash MD5 | ea1c191ab6fbddb430742d6f55a773bc |
RichPEHeaderHash SHA1 | 5ce8df83fcf27c87be5294b51a686647f0dbd7d6 |
RichPEHeaderHash SHA256 | 288ed0eda97b6f307ee1d6ce94f7fe20c54d4b834bb82d143722ea8b608c1ff7 |
Certificates
Expand
Certificate 71a0b73695ddb1afc23b2b9a18ee54cb
Field | Value |
---|---|
ToBeSigned (TBS) MD5 | 8314595952398203ab24badbbc927d39 |
ToBeSigned (TBS) SHA1 | b07dcf73133408eee2786a208ce4b2543bf6c583 |
ToBeSigned (TBS) SHA256 | c734685d985b8ea13db4fc1a6dcd26aa0dde78b4c3b651ea5d58e32e081b2a41 |
Subject | C=US, O=thawte, Inc., CN=thawte SHA256 Code Signing CA |
ValidFrom | 2013-12-10 00:00:00 |
ValidTo | 2023-12-09 23:59:59 |
Signature | 243bf5d7a03613c743fef0098768d198316e12e43f1e1f967b6b4c1e879e8bc56ca3b10c7b5092d5819cb18f2c29b7eef99105b98e41f12cf6d0592d98e0b9ea8001474095b83d9d03bd79bb35b6ad9c4c27f6674510c9c5bc874e557bd287bbdddc30efc6d46ccc99356d1ce060d3cd688f29594b89960846c98efc754fc5dc09cc4e278b44cd07bcac04e0b533a5879ff4dd730c91ea12816fe375f01eb5936c4417d53e97c9bd072c56771f85dd46e8bfde2c8194a3f7e5b7a7c1379f75ca55774d5e3629ca85d84541725775c0795bfa3410066d642042b73ac81f1d4664025fc647bef0c43a2854daf61e4f9aa21943a46f49f8fc5e422028848b47206e |
SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
IsCertificateAuthority | True |
SerialNumber | 71a0b73695ddb1afc23b2b9a18ee54cb |
Version | 3 |
Certificate 1ef4ebc005a0702610bf1b2304869025
Field | Value |
---|---|
ToBeSigned (TBS) MD5 | 2c4b40a02062e2b5a8c341a47f9c632f |
ToBeSigned (TBS) SHA1 | 47df919dace02a7069f8f102b73b12e2b54ae23c |
ToBeSigned (TBS) SHA256 | 6dee78a4bbf3ce3d0721249fee237d942e8a9c69d0c1a21c4b071a71a1ef78d5 |
Subject | C=CN, L=Zaozhuang, O=Bopsoft, CN=Bopsoft, ST=Shandong |
ValidFrom | 2017-11-22 00:00:00 |
ValidTo | 2018-11-22 23:59:59 |
Signature | 3346fc00b09bb2e3772ad56ea8c7940fbc23f30851bd721cb5729cc5abb75e876f7cb55dbdfb9dd5c3b491ff0f6c7fa9dad3300e52dc360db7d3c98fc29480b3325302064eefa27093177b7cf7b6f6b3e1fc23f8599edb1f3731ec62f348bab7ed37063f71676fdfa6510c369f4b358b08214de1ef1ba47babc02d432a40ae7d043e0d0e2f0d6787fc99c81a5d3569e75abbcf666e9cdfb8fccd7bbe3f776a48af003c5c090eb5fd1730ecb3bbebbb190d8c07538982a14487c0b8f19b5b367496fcca6cf56fa8cf213bceb51c07eb8d766ef3e280f8821e3c0c1c22c928523d1d188eb997f614adee63afdda3d7bc418e4286b6f32d6f7361ea7dde2a63f8d3 |
SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
IsCertificateAuthority | False |
SerialNumber | 1ef4ebc005a0702610bf1b2304869025 |
Version | 3 |
Certificate 611fb0a400000000001d
Field | Value |
---|---|
ToBeSigned (TBS) MD5 | a3f222107d4e1085e73b5b589c2f480b |
ToBeSigned (TBS) SHA1 | b94aa26cd77c48d91a53ac44506cbd255e1d362c |
ToBeSigned (TBS) SHA256 | a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa |
Subject | C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA |
ValidFrom | 2011-02-22 19:31:57 |
ValidTo | 2021-02-22 19:41:57 |
Signature | 2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb |
SignatureAlgorithmOID | 1.2.840.113549.1.1.5 |
IsCertificateAuthority | True |
SerialNumber | 611fb0a400000000001d |
Version | 3 |
Certificate 0094fa63cebbbc0730522a9ca5
Field | Value |
---|---|
ToBeSigned (TBS) MD5 | ab2efb6e04ffd3788ff390443e4e837d |
ToBeSigned (TBS) SHA1 | bbbcf0041c5dcd0512e64f8a500b37822ff0a637 |
ToBeSigned (TBS) SHA256 | 0e05875da66f48327f14d1d8b08db647a01bb49f6487291e847f14a0432808fd |
Subject | C=CN, O=Pikachu Trust Network CA, OU=Identity Authentication, CN=Pikachu Time Fake RSA 2048 V01,E2100, ??=Pikachu Time Fake RSA 2048 V01,E2100, ??=vSaNeO* Nf RSA2048 V01,E2100, ??=vSaNeO* Nf RSA2048 V01,E2100, ??=Pikachu Time Fake RSA 2048 V01,E2100 |
ValidFrom | 2000-01-01 00:00:00 |
ValidTo | 2099-12-31 23:59:59 |
Signature | 163f5597d4df0398888852aa0e58bad45504ffa8af14f8360a60d656ff874c05731c24fb1032e0ce5a016e598e5ebc4ce72ff25ebdb198ed879311da97489a179e2dadb2475fa5cbdfaa7683f3afe3c804fcfbb9362cbcc61510044175e0dc2368416773bcc8b6b1fb679a8cd455fcf9f72b7b06c4a24e68fc8f8084dae22a965bba8e95291b991564d45539f62d071cb67cef5481f43c8d13ec7d3eba897effb2722dbf0944bee4a5bac0b2da968ad0599c70f4a4adf21d72308d11f7bd413ebbc2d029a458ef712411b8f2a8564b295b7368cd7d306598950f79dc44f1592acd6c34ec7282ff9de3ad54dd121b998db6e659b85f9d28ba3399daf54c8cafeb5ab0695769627974f91b0aacac264a894a000c87e4d9d4c6b1f16dd300afc8f22fc54fd3072112cdac50438bca5253fca47c806ed36bb23d66292fe7dce1ebd3fd4330a6060f75ce100007ccb8d2055f376a351147c4537c11e16d3c3e4a60edf648a66fa77b712f8bb9329b966b1b3df47749185bc64a0d19f468cfdd492090b867309299a405fbf0962f87553e89717ecebf77dc211a6d95f4c12b6ed26a7937b8f011791ea63dc361ef2424f5dac02da989c1ce655dc7bbd6d8565deed7dc6a3763b52507d24f0817954c7e4e44a612352f78245d3dd0892d4b88c8a52ebb8e271e917c48d50d16b1a5e43e586cccbaebea110988a979bba0e0e32b3789a0 |
SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
IsCertificateAuthority | False |
SerialNumber | 0094fa63cebbbc0730522a9ca5 |
Version | 3 |
Imports
Expand
- ntoskrnl.exe
Imported Functions
Expand
- strstr
- DbgPrint
- ObfDereferenceObject
- ZwClose
- PsGetProcessId
- ZwTerminateProcess
- ZwOpenProcess
- PsLookupProcessByProcessId
- PsGetProcessImageFileName
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- INIT
- .reloc
Signature
Expand
{
"Certificates": [
{
"IsCertificateAuthority": true,
"SerialNumber": "71a0b73695ddb1afc23b2b9a18ee54cb",
"Signature": "243bf5d7a03613c743fef0098768d198316e12e43f1e1f967b6b4c1e879e8bc56ca3b10c7b5092d5819cb18f2c29b7eef99105b98e41f12cf6d0592d98e0b9ea8001474095b83d9d03bd79bb35b6ad9c4c27f6674510c9c5bc874e557bd287bbdddc30efc6d46ccc99356d1ce060d3cd688f29594b89960846c98efc754fc5dc09cc4e278b44cd07bcac04e0b533a5879ff4dd730c91ea12816fe375f01eb5936c4417d53e97c9bd072c56771f85dd46e8bfde2c8194a3f7e5b7a7c1379f75ca55774d5e3629ca85d84541725775c0795bfa3410066d642042b73ac81f1d4664025fc647bef0c43a2854daf61e4f9aa21943a46f49f8fc5e422028848b47206e",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, O=thawte, Inc., CN=thawte SHA256 Code Signing CA",
"TBS": {
"MD5": "8314595952398203ab24badbbc927d39",
"SHA1": "b07dcf73133408eee2786a208ce4b2543bf6c583",
"SHA256": "c734685d985b8ea13db4fc1a6dcd26aa0dde78b4c3b651ea5d58e32e081b2a41",
"SHA384": "874ded773c743b4e18744d7978b41cfe2e55529c61d45a0e34b3950aaad56b6c7a3780880133bcd1df3b1f86d468d46d"
},
"ValidFrom": "2013-12-10 00:00:00",
"ValidTo": "2023-12-09 23:59:59",
"Version": 3
},
{
"IsCertificateAuthority": false,
"SerialNumber": "1ef4ebc005a0702610bf1b2304869025",
"Signature": "3346fc00b09bb2e3772ad56ea8c7940fbc23f30851bd721cb5729cc5abb75e876f7cb55dbdfb9dd5c3b491ff0f6c7fa9dad3300e52dc360db7d3c98fc29480b3325302064eefa27093177b7cf7b6f6b3e1fc23f8599edb1f3731ec62f348bab7ed37063f71676fdfa6510c369f4b358b08214de1ef1ba47babc02d432a40ae7d043e0d0e2f0d6787fc99c81a5d3569e75abbcf666e9cdfb8fccd7bbe3f776a48af003c5c090eb5fd1730ecb3bbebbb190d8c07538982a14487c0b8f19b5b367496fcca6cf56fa8cf213bceb51c07eb8d766ef3e280f8821e3c0c1c22c928523d1d188eb997f614adee63afdda3d7bc418e4286b6f32d6f7361ea7dde2a63f8d3",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=CN, L=Zaozhuang, O=Bopsoft, CN=Bopsoft, ST=Shandong",
"TBS": {
"MD5": "2c4b40a02062e2b5a8c341a47f9c632f",
"SHA1": "47df919dace02a7069f8f102b73b12e2b54ae23c",
"SHA256": "6dee78a4bbf3ce3d0721249fee237d942e8a9c69d0c1a21c4b071a71a1ef78d5",
"SHA384": "9f40d16f8e471019201108ba3a1a1ce834e7bd894f086894c1e4d89bbcbaca9567f2b005df6e5c4888315c5cbb490f23"
},
"ValidFrom": "2017-11-22 00:00:00",
"ValidTo": "2018-11-22 23:59:59",
"Version": 3
},
{
"IsCertificateAuthority": true,
"SerialNumber": "611fb0a400000000001d",
"Signature": "2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
"Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA",
"TBS": {
"MD5": "a3f222107d4e1085e73b5b589c2f480b",
"SHA1": "b94aa26cd77c48d91a53ac44506cbd255e1d362c",
"SHA256": "a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa",
"SHA384": "64b7643e4146016cbf83c911eb67e4601b6bb8d66f8ee8dcee67b815f91770d86ab23678b984430f22a963e5484881b7"
},
"ValidFrom": "2011-02-22 19:31:57",
"ValidTo": "2021-02-22 19:41:57",
"Version": 3
},
{
"IsCertificateAuthority": false,
"SerialNumber": "0094fa63cebbbc0730522a9ca5",
"Signature": "163f5597d4df0398888852aa0e58bad45504ffa8af14f8360a60d656ff874c05731c24fb1032e0ce5a016e598e5ebc4ce72ff25ebdb198ed879311da97489a179e2dadb2475fa5cbdfaa7683f3afe3c804fcfbb9362cbcc61510044175e0dc2368416773bcc8b6b1fb679a8cd455fcf9f72b7b06c4a24e68fc8f8084dae22a965bba8e95291b991564d45539f62d071cb67cef5481f43c8d13ec7d3eba897effb2722dbf0944bee4a5bac0b2da968ad0599c70f4a4adf21d72308d11f7bd413ebbc2d029a458ef712411b8f2a8564b295b7368cd7d306598950f79dc44f1592acd6c34ec7282ff9de3ad54dd121b998db6e659b85f9d28ba3399daf54c8cafeb5ab0695769627974f91b0aacac264a894a000c87e4d9d4c6b1f16dd300afc8f22fc54fd3072112cdac50438bca5253fca47c806ed36bb23d66292fe7dce1ebd3fd4330a6060f75ce100007ccb8d2055f376a351147c4537c11e16d3c3e4a60edf648a66fa77b712f8bb9329b966b1b3df47749185bc64a0d19f468cfdd492090b867309299a405fbf0962f87553e89717ecebf77dc211a6d95f4c12b6ed26a7937b8f011791ea63dc361ef2424f5dac02da989c1ce655dc7bbd6d8565deed7dc6a3763b52507d24f0817954c7e4e44a612352f78245d3dd0892d4b88c8a52ebb8e271e917c48d50d16b1a5e43e586cccbaebea110988a979bba0e0e32b3789a0",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=CN, O=Pikachu Trust Network CA, OU=Identity Authentication, CN=Pikachu Time Fake RSA 2048 V01,E2100, ??=Pikachu Time Fake RSA 2048 V01,E2100, ??=vSaNeO* Nf RSA2048 V01,E2100, ??=vSaNeO* Nf RSA2048 V01,E2100, ??=Pikachu Time Fake RSA 2048 V01,E2100",
"TBS": {
"MD5": "ab2efb6e04ffd3788ff390443e4e837d",
"SHA1": "bbbcf0041c5dcd0512e64f8a500b37822ff0a637",
"SHA256": "0e05875da66f48327f14d1d8b08db647a01bb49f6487291e847f14a0432808fd",
"SHA384": "95c13b92af8a79c17a022236830b7a210253553df8e543d22b2124f384821808e22563651507324d12e6f24761578458"
},
"ValidFrom": "2000-01-01 00:00:00",
"ValidTo": "2099-12-31 23:59:59",
"Version": 3
}
],
"CertificatesInfo": "",
"Signer": [
{
"Issuer": "C=US, O=thawte, Inc., CN=thawte SHA256 Code Signing CA",
"SerialNumber": "1ef4ebc005a0702610bf1b2304869025",
"Version": 1
}
],
"SignerInfo": ""
}
last_updated: 2025-01-13