CbAMSI[.]dll | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

CbAMSI.dll
Size

5.9MB
MD5

cb7bb3523e28b6dc90394b684ae4ce97
SHA1

ed94c82e827cb48bd4e5f78ab6c2127ca6404414
SHA256

99425a73585a82ecfae815b9087f1d9c62414dafc86466c689f6b05eb5bba19e
SHA512

ddd565fcb5bef2f31638dd9e2598195f618ffa945388948c2a1450371a0166278e50d2d4e1bd60cff6fe48e8f73ffea64fa752541a7691153bbb03a4981ce1e3
SSDEEP

98304:eZqCX8PBhlMsO4Ax8jrxejgikFzMHtDtKZI8Ci195hewGQky2G7Pd0PK7BYoLQz:e8GQkyr7uK+z

Score

1^/10

Malware Config

Signatures

Files

CbAMSI.dll
.dll regsvr32 windows x64

78ef4970a9a94f772f8a3313725a7155

Code Sign

31:88:08:68:71:48:1c:7c:d0:57:9c:7a:2b:fc:8b:47
Certificate

Issuer

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

24-02-2021 00:00

Not After

23-02-2022 23:59

Subject

CN=Carbon Black\, Inc.,O=Carbon Black\, Inc.,POSTALCODE=02451,STREET=1100 Winter Street,L=Waltham,ST=Massachusetts,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02-11-2018 00:00

Not After

31-12-2030 23:59

Subject

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:44:b7:3f:fc:ef:5a:cf:a2:7a:00:00:00:00:00:44
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22-07-2015 21:03

Not After

22-07-2025 21:03

Subject

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01-01-2021 00:00

Not After

06-01-2031 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07-01-2016 12:00

Not After

07-01-2031 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

3f:9a:b5:93:6e:d2:8b:73:20:0b:77:bc:a4:d3:a4:f9:2c:20:8d:d7:37:5b:e8:94:e9:3b:92:39:56:c4:fe:98
Signer

Actual PE Digest

3f:9a:b5:93:6e:d2:8b:73:20:0b:77:bc:a4:d3:a4:f9:2c:20:8d:d7:37:5b:e8:94:e9:3b:92:39:56:c4:fe:98

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

true

Verification

Signing Certificate

CN=Carbon Black\, Inc.,O=Carbon Black\, Inc.,POSTALCODE=02451,STREET=1100 Winter Street,L=Waltham,ST=Massachusetts,C=US

20-10-2021 14:00
Valid: true

Chain 1

CN=Carbon Black\, Inc.,O=Carbon Black\, Inc.,POSTALCODE=02451,STREET=1100 Winter Street,L=Waltham,ST=Massachusetts,C=US

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

fltlib

FilterFindNext
FilterFindClose
FilterConnectCommunicationPort
FilterFindFirst
FilterSendMessage

api-ms-win-core-winrt-error-l1-1-0

RoOriginateError

ws2_32

ntohl
WSAStartup
WSACleanup
WSAGetLastError
WSAAddressToStringW

kernel32

MultiByteToWideChar
WideCharToMultiByte
ExpandEnvironmentStringsW
GetCurrentProcess
IsWow64Process
FindFirstVolumeW
FindNextVolumeW
FindVolumeClose
GetDiskFreeSpaceExW
GetDriveTypeW
QueryDosDeviceW
GetVolumeNameForVolumeMountPointW
IsProcessorFeaturePresent
GlobalMemoryStatusEx
GetSystemInfo
GetSystemWindowsDirectoryW
GetVersionExW
FreeLibrary
GetModuleHandleW
GetProcAddress
GetComputerNameW
OpenProcess
OutputDebugStringW
GetModuleFileNameW
lstrcpynW
DuplicateHandle
RaiseException
HeapAlloc
HeapReAlloc
HeapFree
HeapSize
GetProcessHeap
InitializeCriticalSectionAndSpinCount
Sleep
SetLastError
RtlCompareMemory
UnhandledExceptionFilter
WaitForSingleObjectEx
ResetEvent
SetEvent
FileTimeToSystemTime
LocalFree
LoadLibraryW
QueryPerformanceFrequency
QueryPerformanceCounter
GetLastError
ReadFile
GetTimeFormatW
FindNextFileW
FindClose
GetSystemTimeAsFileTime
GetCurrentProcessId
DeleteCriticalSection
AcquireSRWLockShared
DecodePointer
ReleaseSRWLockShared
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
InitializeCriticalSection
LeaveCriticalSection
EncodePointer
EnterCriticalSection
InitOnceExecuteOnce
GetModuleFileNameA
CloseHandle
GetCPInfo
GetLocaleInfoW
WriteConsoleW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
LCMapStringW
GetCommandLineA
GetOEMCP
GetACP
IsValidCodePage
FindFirstFileExW
GetFileSizeEx
SetFilePointerEx
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
CreateEventW
GetStringTypeW
TerminateProcess
IsDebuggerPresent
SetStdHandle
FlushFileBuffers
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetStdHandle
GetStartupInfoW
GetCurrentThreadId
InitializeSListHead
GetDateFormatW
GetFileAttributesW
InterlockedFlushSList
LoadLibraryExW
ExitProcess
GetModuleHandleExW
GetConsoleOutputCP
WriteFile
ReadConsoleW
GetConsoleMode
GetFileType
CreateFileW
SetUnhandledExceptionFilter

user32

GetSystemMetrics

advapi32

EventSetInformation
EventRegister
EventWriteTransfer
RegOpenKeyExW
QueryServiceStatusEx
QueryServiceConfig2W
RegCloseKey
GetTokenInformation
RegQueryValueExW
RegQueryInfoKeyW
RegEnumValueW
RegEnumKeyExW
QueryServiceConfigW
OpenServiceW
OpenSCManagerW
EnumServicesStatusExW
CloseServiceHandle
RegOpenCurrentUser
ConvertSidToStringSidW
EventUnregister

shell32

SHGetFolderPathW

ole32

CoTaskMemFree
IIDFromString
CoCreateFreeThreadedMarshaler

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

msi

ord159
ord8
ord70
ord32
ord118
ord160
ord92

psapi

GetDeviceDriverBaseNameW
GetDeviceDriverFileNameW
EnumDeviceDrivers

iphlpapi

GetAdaptersAddresses

netapi32

NetGetJoinInformation
NetApiBufferFree

userenv

ExpandEnvironmentStringsForUserW
GetProfilesDirectoryW

ntdll

RtlUnwind
RtlCopyUnicodeString
RtlDowncaseUnicodeString
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlUnwindEx
RtlPcToFileHeader

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 2.6MB - Virtual size: 2.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1.6MB - Virtual size: 1.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 76KB - Virtual size: 75KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 148B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 136KB - Virtual size: 136KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

78ef4970a9a94f772f8a3313725a7155

Code Sign

31:88:08:68:71:48:1c:7c:d0:57:9c:7a:2b:fc:8b:47Certificate

Extended Key Usages

Key Usages

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6aCertificate

Extended Key Usages

Key Usages

33:00:00:00:44:b7:3f:fc:ef:5a:cf:a2:7a:00:00:00:00:00:44Certificate

Extended Key Usages

Key Usages

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

3f:9a:b5:93:6e:d2:8b:73:20:0b:77:bc:a4:d3:a4:f9:2c:20:8d:d7:37:5b:e8:94:e9:3b:92:39:56:c4:fe:98Signer

Signature Validations

Verification

20-10-2021 14:00 Valid: true

Chain 1

Headers

DLL Characteristics

File Characteristics

Imports

fltlib

api-ms-win-core-winrt-error-l1-1-0

ws2_32

kernel32

user32

advapi32

shell32

ole32

version

msi

psapi

iphlpapi

netapi32

userenv

ntdll

Exports

Exports

Sections

.text Size: 2.6MB - Virtual size: 2.6MB

.rdata Size: 1.4MB - Virtual size: 1.4MB

.data Size: 1.6MB - Virtual size: 1.7MB

.pdata Size: 76KB - Virtual size: 75KB

_RDATA Size: 512B - Virtual size: 148B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 136KB - Virtual size: 136KB

31:88:08:68:71:48:1c:7c:d0:57:9c:7a:2b:fc:8b:47
Certificate

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

33:00:00:00:44:b7:3f:fc:ef:5a:cf:a2:7a:00:00:00:00:00:44
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

3f:9a:b5:93:6e:d2:8b:73:20:0b:77:bc:a4:d3:a4:f9:2c:20:8d:d7:37:5b:e8:94:e9:3b:92:39:56:c4:fe:98
Signer

20-10-2021 14:00
Valid: true

.text
Size: 2.6MB - Virtual size: 2.6MB

.rdata
Size: 1.4MB - Virtual size: 1.4MB

.data
Size: 1.6MB - Virtual size: 1.7MB

.pdata
Size: 76KB - Virtual size: 75KB

_RDATA
Size: 512B - Virtual size: 148B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 136KB - Virtual size: 136KB