General

Malware Config

Signatures

Files

• 979e30ec1e402ede4b222830f8f61818b3811acbbc670cf7b8790b2a70444cd0

  .dll windows x86

  c879248519db31c2ace63fe03693d885

  
  

  Headers

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LINE_NUMS_STRIPPED

  IMAGE_FILE_LOCAL_SYMS_STRIPPED

  IMAGE_FILE_32BIT_MACHINE

  Imports

  advapi32

  ControlService

  SetTokenInformation

  ImpersonateLoggedOnUser

  CreateProcessAsUserW

  StartServiceW

  ConvertSidToStringSidW

  QueryServiceStatus

  DuplicateTokenEx

  RegSetValueExW

  LsaRetrievePrivateData

  LookupAccountNameW

  AccessCheck

  GetSecurityDescriptorLength

  RegCreateKeyExW

  ConvertStringSecurityDescriptorToSecurityDescriptorW

  QueryServiceStatusEx

  SaferCreateLevel

  SaferComputeTokenFromLevel

  SaferCloseLevel

  CommandLineFromMsiDescriptor

  IsValidSecurityDescriptor

  LookupAccountSidW

  FreeSid

  AllocateAndInitializeSid

  SetSecurityDescriptorDacl

  InitializeSecurityDescriptor

  AddAccessAllowedAce

  InitializeAcl

  GetLengthSid

  RegCloseKey

  RegQueryValueExW

  RegOpenKeyExW

  CloseServiceHandle

  OpenServiceW

  OpenSCManagerW

  AllocateLocallyUniqueId

  SetServiceStatus

  RegQueryValueA

  RegisterServiceCtrlHandlerExW

  RegisterEventSourceW

  ReportEventW

  DeregisterEventSource

  IsValidSid

  GetSidIdentifierAuthority

  GetSidSubAuthorityCount

  GetSidSubAuthority

  GetSecurityDescriptorDacl

  GetAce

  RegOpenKeyW

  RegQueryValueW

  CryptAcquireContextW

  CryptReleaseContext

  SystemFunction036

  CryptGenRandom

  CopySid

  RegNotifyChangeKeyValue

  RegQueryInfoKeyW

  RegEnumValueW

  ImpersonateAnonymousToken

  OpenThreadToken

  RevertToSelf

  RegOpenUserClassesRoot

  CheckTokenMembership

  SaferiCompareTokenLevels

  SetThreadToken

  CreateWellKnownSid

  LsaOpenPolicy

  LsaQueryInformationPolicy

  LsaClose

  EqualSid

  GetTokenInformation

  OpenProcessToken

  ChangeServiceConfigW

  LsaFreeMemory

  kernel32

  DisableThreadLibraryCalls

  SetUnhandledExceptionFilter

  UnhandledExceptionFilter

  GetCurrentProcess

  TerminateProcess

  GetCurrentProcessId

  GetCurrentThreadId

  GetTickCount

  LoadLibraryA

  InterlockedCompareExchange

  FreeLibrary

  GetProcAddress

  TlsAlloc

  LocalAlloc

  CreateEventA

  LocalFree

  Sleep

  GetComputerNameA

  QueryPerformanceCounter

  GlobalMemoryStatus

  GetDiskFreeSpaceA

  InterlockedExchange

  EnterCriticalSection

  LeaveCriticalSection

  GetComputerNameW

  GetLastError

  lstrcmpW

  GetProcessHeap

  HeapAlloc

  HeapFree

  GetDriveTypeW

  lstrcpynW

  MultiByteToWideChar

  lstrlenA

  GetExitCodeProcess

  WaitForMultipleObjects

  CreateMutexW

  UnmapViewOfFile

  MapViewOfFile

  CreateFileMappingW

  ResumeThread

  OpenFileMappingW

  CreateProcessW

  ReadFile

  GetModuleFileNameW

  WriteFile

  WaitNamedPipeW

  InitializeCriticalSectionAndSpinCount

  lstrcmpiA

  MapViewOfFileEx

  VirtualAlloc

  VirtualFree

  GetSystemTimeAsFileTime

  DelayLoadFailureHook

  SetLastError

  CloseHandle

  DeviceIoControl

  CreateFileW

  SleepEx

  InterlockedIncrement

  InterlockedDecrement

  CreateThread

  GetSystemInfo

  lstrcpyW

  lstrlenW

  RegisterWaitForSingleObject

  CreateEventW

  SetEvent

  WaitForSingleObject

  lstrcatW

  TerminateJobObject

  GetCurrentThread

  InterlockedExchangeAdd

  DeleteTimerQueueTimer

  CreateTimerQueueTimer

  DeleteCriticalSection

  IsDebuggerPresent

  DebugBreak

  ResetEvent

  TlsSetValue

  TlsGetValue

  GetModuleHandleW

  LoadLibraryExA

  ExpandEnvironmentStringsW

  ReleaseMutex

  ReleaseActCtx

  FindActCtxSectionGuid

  FindActCtxSectionStringW

  LoadLibraryW

  GetSystemDirectoryW

  GetSystemWow64DirectoryW

  lstrcmpiW

  SearchPathW

  AddRefActCtx

  OpenProcess

  DuplicateHandle

  InitializeCriticalSection

  OpenEventW

  LoadLibraryExW

  FindClose

  FindFirstFileW

  msvcrt

  _onexit

  __dllonexit

  _adjust_fdiv

  malloc

  _initterm

  free

  _ftol

  _resetstkoflw

  _except_handler3

  memmove

  _wtoi

  _purecall

  ceil

  wcslen

  wcschr

  _ultow

  strncmp

  wcstol

  _stricmp

  swprintf

  _vsnwprintf

  _wcsicmp

  wcsncpy

  towupper

  wcscat

  wcscpy

  ntdll

  RtlAllocateHeap

  RtlFreeHeap

  RtlImageNtHeader

  RtlNtStatusToDosError

  NtOpenFile

  RtlInitString

  RtlDeleteCriticalSection

  NtCompareTokens

  NtQueryInformationToken

  DbgPrint

  NtQuerySystemInformation

  RtlCopySid

  NtOpenSection

  NtFsControlFile

  NtCreateFile

  RtlAdjustPrivilege

  NtSetInformationProcess

  NtDuplicateToken

  RtlInitUnicodeString

  RtlEqualUnicodeString

  NtSetUuidSeed

  RtlSetSaclSecurityDescriptor

  RtlSetDaclSecurityDescriptor

  RtlSetGroupSecurityDescriptor

  RtlSetOwnerSecurityDescriptor

  RtlCreateSecurityDescriptor

  RtlAddAce

  RtlCreateAcl

  RtlGetNtProductType

  RtlInitializeCriticalSection

  NtAllocateLocallyUniqueId

  RtlLengthRequiredSid

  RtlInitializeSid

  RtlSubAuthoritySid

  RtlAllocateAndInitializeSid

  NtClose

  NtOpenKey

  RtlLengthSid

  rpcrt4

  RpcServerRegisterIf2

  RpcMgmtSetServerStackSize

  UuidCreate

  RpcServerListen

  RpcMgmtIsServerListening

  I_RpcAllocate

  I_RpcFree

  RpcServerUseProtseqEpExW

  RpcBindingFree

  RpcBindingSetAuthInfoW

  RpcBindingSetAuthInfoExW

  NdrAsyncServerCall

  NdrAsyncClientCall

  MesEncodeFixedBufferHandleCreate

  MesHandleFree

  MesDecodeBufferHandleCreate

  NdrMesTypeAlignSize2

  NdrMesTypeEncode2

  NdrMesTypeDecode2

  RpcRevertToSelfEx

  RpcImpersonateClient

  RpcRaiseException

  I_RpcBindingInqTransportType

  RpcAsyncCompleteCall

  RpcBindingSetOption

  I_RpcBindingInqWireIdForSnego

  RpcServerUnregisterIf

  I_RpcServerInqLocalConnAddress

  I_RpcServerCheckClientRestriction

  TowerExplode

  I_RpcSystemFunction001

  RpcServerRegisterIfEx

  I_RpcServerRegisterForwardFunction

  I_RpcServerSetAddressChangeFn

  I_RpcExceptionFilter

  NdrClientCall2

  NdrServerCall2

  RpcStringBindingComposeW

  RpcMgmtEnableIdleCleanup

  I_RpcBindingInqLocalClientPID

  RpcRevertToSelf

  RpcBindingReset

  RpcAsyncCancelCall

  RpcBindingFromStringBindingW

  RpcBindingSetObject

  RpcAsyncInitializeHandle

  RpcBindingCopy

  RpcServerInqBindings

  RpcBindingVectorFree

  RpcStringFreeW

  RpcBindingToStringBindingW

  RpcStringBindingParseW

  RpcServerRegisterAuthInfoW

  secur32

  FreeContextBuffer

  LsaLogonUser

  LsaLookupAuthenticationPackage

  LsaRegisterLogonProcess

  LsaFreeReturnBuffer

  EnumerateSecurityPackagesW

  user32

  wsprintfW

  LoadStringW

  CharUpperW

  ws2_32

  closesocket

  WSAIoctl

  WSAGetLastError

  inet_ntoa

  gethostname

  gethostbyname

  socket

  bind

  WSASetServiceW

  htons

  getsockname

  Exports

  Exports

  CoGetComCatalog

  GL70

  ServiceMain

  Load

  Sections

  .text

  Size: 245KB - Virtual size: 245KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .data

  Size: 131KB - Virtual size: 131KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .idata

  Size: 150KB - Virtual size: 149KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 11KB - Virtual size: 10KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ