CrExt[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

CrExt.dll
Size

434KB
MD5

0346a0b23c31414dea64a567e25e6177
SHA1

542a5ea9ae48855a8e7e3855d92244e98b783f96
SHA256

7052a61b5e9b98793d43f36b205f4bba39c03d3df1e697e2a8b6456c94bab9ac
SHA512

bb07a0ee03627a6b44aa28fcb824333e581b404e3f5d8963f02357e16b1e857cb7a291efafdb97529de5c64029eeb4003240be1dd62e05ced3092bbfb2d1bb9d
SSDEEP

12288:0cZIM9p9r4nHKiXELA/aP+oK/rzz1aVtrY9dSFty:0EIM9p2qiXh/BoK/rlfSFM

Score

1^/10

Malware Config

Signatures

Files

CrExt.dll
.zip

Password: S@ndb0x!2023@@
Device/HarddiskVolume2/Program Files (x86)/ProductivityBoss_e5/bar/1.bin/CrExt.dll
.dll windows x86

Password: S@ndb0x!2023@@

fa464b00332bc451c42503d62023a0a0

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

43:8d:42:91:e4:3c:2d:ff:ee:aa:ae:e5:b6:c0:70:b5
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

20/04/2015, 00:00

Not After

18/06/2018, 23:59

Subject

CN=Mindspark Interactive Network,O=Mindspark Interactive Network,L=Yonkers,ST=New York,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

7e:6c:9b:82:aa:10:0b:60:47:7b:b8:6e:a0:75:34:c5:db:65:b1:e2
Signer

Actual PE Digest

7e:6c:9b:82:aa:10:0b:60:47:7b:b8:6e:a0:75:34:c5:db:65:b1:e2

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

rpcrt4

NdrAsyncServerCall
RpcBindingFree
RpcStringBindingComposeW
RpcBindingSetAuthInfoExW
RpcBindingSetOption
RpcBindingFromStringBindingW
RpcStringFreeW
RpcServerUseProtseqEpW
RpcAsyncCancelCall
RpcAsyncGetCallStatus
RpcAsyncAbortCall
RpcAsyncCompleteCall
RpcServerUnregisterIf
RpcServerRegisterIfEx
NdrAsyncClientCall
RpcAsyncInitializeHandle
NdrDllGetClassObject
NdrCStdStubBuffer2_Release
NdrDllCanUnloadNow
NdrCStdStubBuffer_Release
NdrStubCall2
NdrStubForwardingFunction
CStdStubBuffer_Connect
CStdStubBuffer_Invoke
CStdStubBuffer_IsIIDSupported
CStdStubBuffer_Disconnect
CStdStubBuffer_DebugServerRelease
IUnknown_AddRef_Proxy
CStdStubBuffer_QueryInterface
CStdStubBuffer_DebugServerQueryInterface
IUnknown_Release_Proxy
CStdStubBuffer_CountRefs
NdrOleAllocate
NdrOleFree
IUnknown_QueryInterface_Proxy
CStdStubBuffer_AddRef

kernel32

WaitForSingleObject
ReleaseMutex
GetModuleHandleW
SwitchToThread
FreeLibrary
GetFileAttributesW
CreateWaitableTimerW
GetCurrentProcess
DuplicateHandle
CancelWaitableTimer
CreateEventW
SetWaitableTimer
CreateFileMappingW
OpenFileMappingW
MapViewOfFile
UnmapViewOfFile
CreateDirectoryW
LocalFree
lstrcatW
CreateProcessW
OpenEventW
DeleteFileW
CreateFileW
WriteFile
lstrcmpiW
CreateEventA
SetEvent
OpenEventA
ResetEvent
GetProcessHeap
HeapAlloc
HeapFree
CreateFileA
lstrcpynW
TlsGetValue
GetDriveTypeW
CompareStringW
TlsAlloc
TlsSetValue
TlsFree
FindCloseChangeNotification
FindFirstChangeNotificationW
GetFileAttributesExW
LoadLibraryExW
GetCurrentThreadId
FlushInstructionCache
UnregisterWait
RegisterWaitForSingleObject
CreateIoCompletionPort
GetExitCodeThread
TerminateThread
GetSystemInfo
PostQueuedCompletionStatus
GetQueuedCompletionStatus
OpenMutexW
InitializeSListHead
GetThreadTimes
GetPrivateProfileSectionW
CreateMutexW
SetLastError
WideCharToMultiByte
lstrcpyW
GetShortPathNameW
LoadLibraryW
SleepEx
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetCurrentProcessId
CloseHandle
GetTickCount
lstrlenA
VerifyVersionInfoW
VerSetConditionMask
GetModuleFileNameW
MultiByteToWideChar
GetLastError
RaiseException
GetProcAddress
lstrlenW
GetFileType
GetStartupInfoW
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
SetHandleCount
GetLocaleInfoW
GetCurrentThread
InterlockedDecrement
InterlockedIncrement
Sleep
HeapSize
HeapReAlloc
HeapDestroy
HeapCreate
GetStdHandle
ExitProcess
IsProcessorFeaturePresent
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
CreateThread
ExitThread
GetCommandLineA
LoadLibraryA
InterlockedExchange
LocalAlloc
SetStdHandle
WriteConsoleW
FlushFileBuffers
InterlockedCompareExchange
InterlockedPushEntrySList
VirtualFree
LCMapStringW
GetStringTypeW
RtlUnwind
SetFilePointer
GetConsoleCP
GetConsoleMode
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
OutputDebugStringW
OutputDebugStringA
ProcessIdToSessionId
GetComputerNameW
MapViewOfFileEx
GetLongPathNameW
CreateSemaphoreW
TerminateProcess
ReleaseSemaphore
QueueUserAPC
WaitForMultipleObjectsEx
GetModuleHandleExW
LockResource
SizeofResource
LoadResource
FindResourceW
SetFileTime
LocalFileTimeToFileTime
DosDateTimeToFileTime
GetFileTime
SetEndOfFile
SetFileAttributesW
CopyFileW
ReadFile
GetFileSize
RemoveDirectoryW
FindClose
FindNextFileW
lstrcmpW
FindFirstFileW
InitializeCriticalSection
InterlockedPopEntrySList
VirtualAlloc
IsValidLocale

user32

GetClassInfoExW
LoadCursorW
PostMessageW
SetWindowPos
SetForegroundWindow
MapWindowPoints
IsRectEmpty
SetTimer
KillTimer
GetWindowThreadProcessId
IsWindow
GetParent
GetWindow
LoadImageW
wsprintfW
CallWindowProcW
SetWindowLongW
GetWindowLongW
UnregisterClassA
MsgWaitForMultipleObjectsEx
PeekMessageW
PostQuitMessage
CallMsgFilterW
TranslateMessage
DispatchMessageW
FindWindowExW
GetActiveWindow
IsChild
GetWindowRect
MessageBoxW
DefWindowProcW
RegisterClassExW
DestroyWindow
CreateWindowExW
SetParent
SendMessageW

advapi32

FreeSid
OpenProcessToken
GetTokenInformation
GetSidSubAuthority
GetAce
GetAclInformation
GetNamedSecurityInfoW
CreateProcessAsUserW
SetTokenInformation
AllocateAndInitializeSid
DuplicateTokenEx
RegCloseKey
GetSidSubAuthorityCount
GetLengthSid
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
GetSecurityDescriptorControl
MakeSelfRelativeSD
GetSecurityDescriptorLength
ConvertStringSecurityDescriptorToSecurityDescriptorW
CryptReleaseContext
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptCreateHash
CryptAcquireContextW
RegCreateKeyExW
RegOpenKeyExW
RegDeleteValueW
RegEnumKeyW
RegEnumValueW
RegSetValueExW
RegQueryValueExW
IsValidSid

ole32

CoGetCurrentLogicalThreadId
CoInitialize
CLSIDFromProgID
CoUnmarshalInterface
CreateStreamOnHGlobal
CoMarshalInterface
CoReleaseMarshalData
CoTaskMemFree
CoTaskMemAlloc
CoCreateInstance
CoUninitialize

oleaut32

VarCmp
SafeArrayUnlock
SafeArrayLock
SafeArrayRedim
SafeArrayDestroy
SafeArrayCreate
SafeArrayGetUBound
SafeArrayGetLBound
DispCallFunc
VariantCopy
VariantChangeType
VariantInit
VarBstrCat
BSTR_UserSize
BSTR_UserMarshal
BSTR_UserUnmarshal
BSTR_UserFree
VARIANT_UserMarshal
VARIANT_UserSize
VARIANT_UserUnmarshal
VARIANT_UserFree
LPSAFEARRAY_UserFree
LPSAFEARRAY_UserUnmarshal
LPSAFEARRAY_UserMarshal
LPSAFEARRAY_UserSize
SysFreeString
SysAllocStringByteLen
SysStringByteLen
SysAllocString
VarBstrCmp
LoadTypeLi
LoadRegTypeLi
VariantClear
SysStringLen
SysAllocStringLen

shlwapi

SHRegWriteUSValueW
SHRegEnumUSValueW
SHRegQueryUSValueW
SHRegCloseUSKey
PathRemoveFileSpecW
SHRegDeleteEmptyUSKeyW
SHRegEnumUSKeyW
SHRegDeleteUSValueW
SHDeleteKeyW
SHRegOpenUSKeyW
SHRegGetUSValueW
SHRegCreateUSKeyW
StrRetToStrW
PathFindFileNameW
PathRenameExtensionW
StrRetToBufW
StrRChrW
ord176
StrChrW
PathAppendW

urlmon

URLOpenPullStreamW

ws2_32

connect
WSAAsyncSelect
WSASetLastError
closesocket
WSAGetLastError
send
recv
WSAStartup
WSACleanup
socket
gethostbyname
htons

wininet

InternetCrackUrlW

setupapi

SetupDecompressOrCopyFileW
SetupGetFileCompressionInfoW

crypt32

CertFreeCertificateContext
CryptMsgClose
CertCloseStore
CertFindCertificateInStore
CryptMsgGetParam
CryptQueryObject

wintrust

WinVerifyTrust

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

userenv

UnloadUserProfile

Exports

Exports

DllCanUnloadNow
DllGetClassObject

Sections

.text
Size: 546KB - Virtual size: 546KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.orpc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 198KB - Virtual size: 198KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 95KB - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 44KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 65KB - Virtual size: 64KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
manifest.json

Sharing

General

Malware Config

Signatures

Files

Password: S@ndb0x!2023@@

Password: S@ndb0x!2023@@

fa464b00332bc451c42503d62023a0a0

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

43:8d:42:91:e4:3c:2d:ff:ee:aa:ae:e5:b6:c0:70:b5Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

7e:6c:9b:82:aa:10:0b:60:47:7b:b8:6e:a0:75:34:c5:db:65:b1:e2Signer

Headers

DLL Characteristics

File Characteristics

Imports

rpcrt4

kernel32

user32

advapi32

ole32

oleaut32

shlwapi

urlmon

ws2_32

wininet

setupapi

crypt32

wintrust

version

userenv

Exports

Exports

Sections

.text Size: 546KB - Virtual size: 546KB

.orpc Size: 1KB - Virtual size: 1KB

.rdata Size: 198KB - Virtual size: 198KB

.data Size: 95KB - Virtual size: 108KB

.tls Size: 512B - Virtual size: 2B

.rsrc Size: 44KB - Virtual size: 43KB

.reloc Size: 65KB - Virtual size: 64KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

43:8d:42:91:e4:3c:2d:ff:ee:aa:ae:e5:b6:c0:70:b5
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

7e:6c:9b:82:aa:10:0b:60:47:7b:b8:6e:a0:75:34:c5:db:65:b1:e2
Signer

.text
Size: 546KB - Virtual size: 546KB

.orpc
Size: 1KB - Virtual size: 1KB

.rdata
Size: 198KB - Virtual size: 198KB

.data
Size: 95KB - Virtual size: 108KB

.tls
Size: 512B - Virtual size: 2B

.rsrc
Size: 44KB - Virtual size: 43KB

.reloc
Size: 65KB - Virtual size: 64KB