mlgbbiicaihflrnh.sys

Description

Confirmed vulnerable driver from Microsoft Block List

  • UUID: b074dcb5-b278-4434-bdd9-14a055d724f3
  • Created: 2023-07-22
  • Author: Michael Haag

Warning: the sample download linked from this entry contains the malicious driver itself. Handle it as live malware (isolated analysis host, no execution outside a lab).

Use Case: Elevate privileges
Privileges: kernel
Operating System: Windows

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes
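The Sigma and Sysmon detections above rest on two indicators: the driver's file name and its file hashes. The Python script below is an added example and is not part of the LOLDrivers entry or of its Sigma/Sysmon rules. It applies both strategies to Sysmon Event ID 6 (DriverLoad) records, using the MD5/SHA1/SHA256 values from the Known Vulnerable Samples table further down. The event records are constructed for illustration; the second one is a renamed copy with unchanged hashes, which is exactly the case a name-only rule misses and a hash rule still catches.

```python
"""Hunt Sysmon DriverLoad (Event ID 6) records for mlgbbiicaihflrnh.sys.

Added example, not LOLDrivers' own detection content. The file name and
hashes come from this entry's sample table; the log records are constructed.
"""

# Known-bad indicators for this entry (values from the sample table).
KNOWN_NAME = "mlgbbiicaihflrnh.sys"
KNOWN_HASHES = {
    "MD5": "5fec28e8f4f76e5ede24beb32a32b9d7",
    "SHA1": "fcf9978cf1af2e9b1e2eaf509513664dfcc1847b",
    "SHA256": "7433f14b40c674c5e87b6210c330d5bcaf2f6f52d632ae29e9b7cf3ca405665b",
}


def parse_hashes(field):
    """Split Sysmon's Hashes field ("SHA1=..,MD5=..,SHA256=..,IMPHASH=..")
    into {ALGORITHM: lowercase hex}. Sysmon emits uppercase hex, so the
    values are normalised before comparison."""
    out = {}
    for part in field.split(","):
        alg, sep, val = part.partition("=")
        if sep:
            out[alg.strip().upper()] = val.strip().lower()
    return out


def classify(event):
    """Return the set of detection strategies that fire for one event:
    'name' mirrors the Sigma Names rule (file name only), 'hash' mirrors the
    Sigma Hashes rule and the Sysmon block/alert entries (hashes only)."""
    hits = set()
    image = event.get("ImageLoaded", "")
    # Case-insensitive basename match: the driver can be dropped anywhere.
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename == KNOWN_NAME:
        hits.add("name")
    hashes = parse_hashes(event.get("Hashes", ""))
    # Any single algorithm matching is enough; Sysmon configs often log
    # only a subset of algorithms.
    if any(hashes.get(alg) == val for alg, val in KNOWN_HASHES.items()):
        hits.add("hash")
    return hits


def hunt(events):
    """Return (ImageLoaded, sorted strategies) for every DriverLoad event
    that matched at least one indicator."""
    results = []
    for event in events:
        if event.get("EventID") != 6:
            continue
        hits = classify(event)
        if hits:
            results.append((event["ImageLoaded"], sorted(hits)))
    return results


# Constructed sample records (not real telemetry). Record 1 carries the
# entry's real hashes under the real name; record 2 is the same file
# renamed; record 3 reuses the name with different content; record 4 is
# an unrelated driver.
SAMPLE_EVENTS = [
    {"EventID": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\mlgbbiicaihflrnh.sys",
     "Hashes": "SHA1=FCF9978CF1AF2E9B1E2EAF509513664DFCC1847B,"
               "MD5=5FEC28E8F4F76E5EDE24BEB32A32B9D7,"
               "SHA256=7433F14B40C674C5E87B6210C330D5BCAF2F6F52D632AE29E9B7CF3CA405665B"},
    {"EventID": 6,
     "ImageLoaded": r"C:\Users\Public\update.sys",
     "Hashes": "SHA256=7433F14B40C674C5E87B6210C330D5BCAF2F6F52D632AE29E9B7CF3CA405665B"},
    {"EventID": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\mlgbbiicaihflrnh.sys",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},
    {"EventID": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111"},
]

if __name__ == "__main__":
    for image, strategies in hunt(SAMPLE_EVENTS):
        print(f"{image}: matched by {', '.join(strategies)}")
```

The Sigma Names rule corresponds to the 'name' strategy and is cheap but evaded by renaming (record 2); the Sigma Hashes rule and the Sysmon block/alert entries correspond to the 'hash' strategy and survive renaming but not recompilation of the driver. Running both, as the entry's detections do, gives the widest coverage.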

Resources

  • https://gist.github.com/mgraeber-rc/1bde6a2a83237f17b463d051d32e802c
  • CVE: none listed

Known Vulnerable Samples
    Property                  Value
    Filename
    Creation Timestamp        2016-09-05 00:43:33
    MD5                       5fec28e8f4f76e5ede24beb32a32b9d7
    SHA1                      fcf9978cf1af2e9b1e2eaf509513664dfcc1847b
    SHA256                    7433f14b40c674c5e87b6210c330d5bcaf2f6f52d632ae29e9b7cf3ca405665b
    Authentihash MD5          37458813b5115cbf06552da28fefbbbb
    Authentihash SHA1         1d1cafc73c97c6bcd2331f8777d90fdca57125a3
    Authentihash SHA256       faa08cb609a5b7be6bfdb61f1e4a5e8adf2f5a1d2492f262483df7326934f5d4
    RichPEHeaderHash MD5      b2f23c03be4553a744ff25735a80073c
    RichPEHeaderHash SHA1     2703d60c8f12df9d6adf5ae475bfeb1786486888
    RichPEHeaderHash SHA256   46ffd109664b6694974986a39d508002d564434d60a0fb9f861401f2cb2c83f1


    Imports

    • ntoskrnl.exe

    Imported Functions

    • IoDeleteSymbolicLink
    • RtlInitUnicodeString
    • IofCompleteRequest
    • MmGetSystemRoutineAddress
    • IoCreateSymbolicLink
    • IoCreateDevice
    • IoDeleteDevice

    The static import table is minimal: device and symbolic-link setup plus MmGetSystemRoutineAddress, which resolves further kernel routines by name at run time. The list above therefore does not bound what the driver can do once loaded.

    Exported Functions


    Sections

    • .text
    • .data
    • .pdata
    • .info
    • INIT

    Signature


    last_updated: 2024-09-26