SHA256: c9b734f070e55732b274c70381ea28ab574ef6ad3f606d3dc9b9b0038f3edeea
File name: SPTD.SYS
Detection ratio: 0 / 68
Analysis date: 2018-11-14 01:14:15 UTC ( 1 month ago )
Antivirus Result Update
Acronis 20180726
Ad-Aware 20181112
AegisLab 20181113
AhnLab-V3 20181113
Alibaba 20180921
ALYac 20181113
Antiy-AVL 20181113
Arcabit 20181114
Avast 20181113
Avast-Mobile 20181113
AVG 20181113
Avira (no cloud) 20181114
AVware 20180925
Babable 20180918
Baidu 20181112
BitDefender 20181114
Bkav 20181113
CAT-QuickHeal 20181113
ClamAV 20181114
CMC 20181113
CrowdStrike Falcon (ML) 20181022
Cybereason 20180225
Cylance 20181114
Cyren 20181113
DrWeb 20181114
eGambit 20181114
Emsisoft 20181114
Endgame 20181108
ESET-NOD32 20181113
F-Prot 20181113
F-Secure 20181114
Fortinet 20181113
GData 20181114
Ikarus 20181113
Sophos ML 20181108
Jiangmin 20181114
K7AntiVirus 20181113
K7GW 20181113
Kaspersky 20181113
Kingsoft 20181114
Malwarebytes 20181113
MAX 20181114
McAfee 20181113
McAfee-GW-Edition 20181113
Microsoft 20181113
eScan 20181113
NANO-Antivirus 20181114
Palo Alto Networks (Known Signatures) 20181114
Panda 20181113
Qihoo-360 20181114
Rising 20181113
SentinelOne (Static ML) 20181011
Sophos AV 20181113
SUPERAntiSpyware 20181114
Symantec 20181113
Symantec Mobile Insight 20181108
TACHYON 20181113
Tencent 20181114
TheHacker 20181113
TrendMicro 20181114
TrendMicro-HouseCall 20181113
Trustlook 20181114
VBA32 20181113
ViRobot 20181113
Webroot 20181114
Yandex 20181113
Zillya 20181113
ZoneAlarm by Check Point 20181114
Zoner 20181114
The file being studied is a Portable Executable file. More specifically, it is a Win32 EXE file for the Native subsystem that targets 64-bit architectures.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright (C) 2004

Product SCSI Pass Through Direct
Original name sptd.sys
Internal name SPTD.SYS
File version 1.62.0.0 built by: WinDDK
Description SCSI Pass Through Direct Host
Signature verification Signed file, verified signature
Signing date 9:56 PM 10/11/2009
Signers
[+] Duplex Secure Ltd
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer VeriSign Class 3 Code Signing 2004 CA
Valid from 1:00 AM 6/27/2007
Valid to 12:59 AM 8/23/2010
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 5F50A775CF44D5AD7CCC02DD665B408ABB2EE002
Serial number 32 17 B3 18 D8 B2 B1 50 1B 37 11 EE 65 20 57 04
[+] VeriSign Class 3 Code Signing 2004 CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Class 3 Public Primary Certification Authority
Valid from 1:00 AM 7/16/2004
Valid to 12:59 AM 7/16/2014
Valid usage Client Auth, Code Signing
Algorithm sha1RSA
Thumbprint 197A4AEBDB25F0170079BB8C73CB2D655E0018A4
Serial number 41 91 A1 5A 39 78 DF CF 49 65 66 38 1D 4C 75 C2
[+] VeriSign Class 3 Public Primary CA
Status Valid
Issuer Class 3 Public Primary Certification Authority
Valid from 1:00 AM 1/29/1996
Valid to 12:59 AM 8/2/2028
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm md2RSA
Thumbprint 742C3192E607E424EB4549542BE1BBC53E6174E2
Serial number 70 BA E4 1D 10 D9 29 34 B6 38 CA 7B 03 CC BA BF
Counter signers
[+] VeriSign Time Stamping Services Signer - G2
Status This certificate or one of the certificates in the certificate chain is not time valid. The revocation status of the certificate or one of the certificates in the certificate chain is unknown. Error 65536 (0x10000). The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
Issuer VeriSign Time Stamping Services CA
Valid from 1:00 AM 6/15/2007
Valid to 12:59 AM 6/15/2012
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE
Serial number 38 25 D7 FA F8 61 AF 9E F4 90 E7 26 B5 D6 5A D5
[+] VeriSign Time Stamping Services CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Thawte Timestamping CA
Valid from 1:00 AM 12/4/2003
Valid to 12:59 AM 12/4/2013
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Serial number 47 BF 19 95 DF 8D 52 46 43 F7 DB 6D 48 0D 31 A4
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
PE header basic information
Target machine x64
Compilation timestamp 2009-10-11 20:55:14
Entry Point 0x00080798
Number of sections 13
PE sections
Overlays
MD5 7d9407dd5ebe43c8a77db478c71925c3
File type data
Offset 827904
Size 6640
Entropy 7.30
PE imports
KeStallExecutionProcessor
ScsiPortInitialize
ExDeleteResourceLite
ExQueryDepthSList
ExInitializePagedLookasideList
RtlWriteRegistryValue
IoDriverObjectType
IoWriteErrorLogEntry
MmGetSystemRoutineAddress
ExInitializeResourceLite
PsGetVersion
IoGetCurrentProcess
IoInitializeIrp
ProbeForWrite
KeSetEvent
ProbeForRead
ObReferenceObjectByHandle
RtlFreeUnicodeString
MmSizeOfMdl
RtlDeleteRegistryValue
IoWMIWriteEvent
ExInterlockedRemoveHeadList
ExAcquireResourceSharedLite
MmUnmapIoSpace
IoBuildSynchronousFsdRequest
IoGetDeviceObjectPointer
MmUserProbeAddress
_wcsnicmp
KeAcquireSpinLockAtDpcLevel
ZwQuerySymbolicLinkObject
KeInitializeSemaphore
ExReleaseResourceLite
MmLockPagableDataSection
IoCreateDevice
RtlUnicodeStringToAnsiString
IoDeleteDevice
sprintf
MmIsDriverVerifying
ExDeleteNPagedLookasideList
MmMapIoSpace
MmHighestUserAddress
KeResetEvent
MmGetPhysicalAddress
KeEnterCriticalRegion
IoAllocateMdl
ZwOpenDirectoryObject
ObfReferenceObject
MmIsAddressValid
IoWMIRegistrationControl
KeReleaseSemaphore
RtlCompareMemory
KeAcquireSpinLockRaiseToDpc
RtlInitUnicodeString
IoBuildPartialMdl
KeInitializeEvent
MmMapLockedPagesSpecifyCache
strncpy
KeReleaseSpinLock
ExInitializeNPagedLookasideList
__C_specific_handler
ExpInterlockedPopEntrySList
MmProbeAndLockPages
ExDeletePagedLookasideList
KeWaitForMultipleObjects
IoBuildDeviceIoControlRequest
KeReleaseSpinLockFromDpcLevel
KeClearEvent
ExGetPreviousMode
IoReuseIrp
RtlUpcaseUnicodeString
IoFreeIrp
RtlAnsiStringToUnicodeString
ObfDereferenceObject
ExAcquireResourceExclusiveLite
ExQueueWorkItem
IoFileObjectType
IoAllocateErrorLogEntry
RtlInitAnsiString
ExAllocatePoolWithTag
swprintf
IoIs32bitProcess
MmUnlockPages
IoSetThreadHardErrorMode
RtlStringFromGUID
ExpInterlockedPushEntrySList
RtlQueryRegistryValues
IoRegisterShutdownNotification
ExInterlockedInsertTailList
IoAllocateIrp
_wcsicmp
IofCompleteRequest
RtlEqualUnicodeString
KeLeaveCriticalRegion
IofCallDriver
ExFreePoolWithTag
ZwOpenSymbolicLinkObject
PsGetCurrentProcessId
KeDelayExecutionThread
wcsstr
KeWaitForSingleObject
ExAllocatePoolWithTagPriority
IoFreeMdl
Number of PE resources by type
RT_VERSION 1
Number of PE resources by language
ENGLISH US 1
PE resources
Debug information
ExifTool file metadata
UninitializedDataSize
0

LinkerVersion
8.0

ImageVersion
6.0

FileSubtype
7

FileVersionNumber
1.62.0.0

LanguageCode
Neutral

FileFlagsMask
0x003f

FileDescription
SCSI Pass Through Direct Host

ImageFileCharacteristics
Executable, Large address aware

CharacterSet
Unicode

InitializedDataSize
94720

EntryPoint
0x80798

OriginalFileName
sptd.sys

MIMEType
application/octet-stream

LegalCopyright
Copyright (C) 2004

FileVersion
1.62.0.0 built by: WinDDK

TimeStamp
2009:10:11 22:55:14+02:00

FileType
Win64 EXE

PEType
PE32+

InternalName
SPTD.SYS

ProductVersion
1.62.0.0

SubsystemVersion
5.2

OSVersion
6.0

FileOS
Windows NT 32-bit

Subsystem
Native

MachineType
AMD AMD64

CompanyName
Duplex Secure Ltd.

CodeSize
525312

ProductName
SCSI Pass Through Direct

ProductVersionNumber
1.62.0.0

FileTypeExtension
exe

ObjectFileType
Driver

CarbonBlack
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Compressed bundles
File identification
MD5 602884696850c86434530790b110e8eb
SHA1 87b4cd76fda498ead798db96eb508bac1b60f56f
SHA256 c9b734f070e55732b274c70381ea28ab574ef6ad3f606d3dc9b9b0038f3edeea
ssdeep
24576:uKBcFLPFFLYshTUV8risCNB5XMvVf0TNnTLxHwBVJc:D6RF0+dW/pSuxHE2

authentihash 26841aca67ca17e3f672428f259f0126202762e9764f2cbbe68a66249c090dff
imphash c4ef82a46d1a386cef002b46a0a4cba7
File size 815.0 KB ( 834544 bytes )
File type Win32 EXE
Magic literal
PE32+ executable for MS Windows (native) Mono/.Net assembly

TrID OS/2 Executable (generic) (33.6%)
Generic Win/DOS Executable (33.1%)
DOS Executable Generic (33.1%)
Tags
peexe assembly overlay signed 64bits native

VirusTotal metadata
First submission 2010-01-24 16:06:11 UTC ( 8 years, 10 months ago )
Last submission 2017-06-27 09:11:18 UTC ( 1 year, 5 months ago )
File names sptd0.sys
sptd.sys
sptd.sys
sptd.sys.old
file-3471023_sys
sptd.old
virus2.bin3
smona132607772222292628514
00010000000012A8_sptd.sys_sample
tsk0000.dta
file-802332_sys
$RNAUOA4.sys
sptd.sys_disk
tsk0000.dta
tsk0000.dta
udd463c.tmp
SPTD.SYS
gfgfsys
sptd.sys.vir
sptd.sys2
malware.sample
1sptd.sys
stpd
udd906.tmp
v1