DetEven[.]dll | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

DetEven.dll
Size

1.3MB
MD5

2e14b8420adcf265bb65cefb081f454a
SHA1

bb7ddfc90b5e5995fd22cdd9706e6b77f4b9ea5b
SHA256

3d2df72e835b24e6ab7fad67457a9f86869b65c7c2731692b27dd6b9b94f37c7
SHA512

87adc058cdba45e9f3c5062bbc2d9931370d02c287cba29a6f85a27ab5ffbd3c932a23e571f3b11d21287a684edfa82c0947bf68ccf7f7c8a11df4e4dbf33cc8
SSDEEP

12288:9bvn5elqJVZLSSj/cez83VTHTpz4TOgQnD3QokzJpbOTri2s4gRtlWmTGVmE7GG7:97Pwfp7K4gRvW6Z7T6AV

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
DetEven.dll

Files

DetEven.dll
.dll windows:5 windows x86

9156d550c6cc262621481252db095869

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

pskalloc

PTerminateThread
PWaitForSingleObject
PCreateThread
PCreateEvent
PCloseHandle
PInterlockedExchange
Pcalloc
PInterlockedDecrement
Pmalloc
Pstrdup
Pfree

pskutil

OSUtil_FreeLibrary
OSUtil_splitpathExUTF8_free
OSUtil_makepathExUTF8
OSUtil_splitpathExUTF8
OSUtil_LoadLibraryExUTF8
utf8foldstring
charconv_FreeBuffer
OSUtil_GetProcAddress
LogMessage

pskreg

ord11
ord5
ord21
ord1
ord16
ord17
ord2
ord18
ord14

pskdata

DATAMNGR_GetValue
DATAMNGR_SetValue

pskvfile

ord90
ord67
ord53
ord55
ord87
ord54
ord59
ord62
ord88
ord61
ord63
ord60
ord56
ord68
ord26
ord78
ord6
ord65
ord7
ord74
ord76
ord58

fwkpelib

PEAPI_FindCloseResource
PEAPI_FindFirstCertificate
PEAPI_FindNextResource
PEAPI_FindFirstResource
PEAPI_FindCloseCertificate
PEAPI_GetInfoEx
PEAPI_FindCloseResourceVersion
PEAPI_FindFirstResourceVersion
PEAPI_GetInfo
PEAPI_GetEnumerationInfo
PEAPI_GetBasicInfo
PEAPI_Rva2Raw

msvcrt

_stricmp
sprintf
strchr
memmove
strncpy
strstr
_memicmp
memcpy
memset

autoit

ord71

detbonsay

ord69

pscr80

strtok
toupper
isdigit
isalpha
tolower
isspace
strncmp
sscanf
towupper
towlower
_wcsnicmp
wcsncpy
wcsncmp
ceil
_wcsicmp
wcschr
strncat
_strnicmp
wcsncat
isalnum
wcsrchr
wcsstr
strrchr

tblmgr

TBLMGR_RegisterInTBL
TBLMGR_UnRegisterFromTBL

psklutil

ord478
ord563
ord562
ord564
ord565
ord184
ord180
ord185
ord575
ord571
ord570
ord312
ord716
ord585
ord581
ord723
ord417
ord401
ord207
ord722
ord506
ord579
ord721
ord521
ord424
ord735
ord724
ord535
ord538
ord402
ord714
ord580
ord536
ord550
ord301
ord310
ord426
ord427
ord737
ord560
ord300
ord539
ord435
ord474
ord531
ord545
ord546
ord718
ord183
ord434
ord415
ord213
ord736
ord738
ord739
ord517
ord475
ord540
ord400
ord182
ord561

psksys

ACCESS_Seek
ACCESS_Read
ACCESS_Filelength

fwkscs

SCS_FindCloseService
SCS_UsersFindShellFolders
SCS_Initialize
SCS_Finalize
SCS_GetMUID
SCS_GetServiceInfo
SCS_DeleteValue
SCS_DeleteKey
SCS_DeleteScheduledTasksByCallback
SCS_FindValueAndApply
SCS_Serv_Delete
SCS_UsersFindTempPaths
SCS_FindNextStringIniFile
SCS_GetDownloadDirectoryGUID
SCS_OpenIniFile
SCS_FindFirstService
SCS_FindFirstStringIniFile
SCS_CloseIniFile
SCS_FindNextService
SCS_GetItemStringIniFile
SCS_GetLastInfo

tbleven

ord22
ord20
ord21

det1ntbl

ord6

fwksec

FwkSec_DoDesImpersonatedTask

fwkmem

MEM_OpenProcessByPid
MEM_FindFirstVad
MEM_FindCloseModule
MEM_OpenVirtual
MEM_FindNextVad
MEM_FindCloseVirtual
MEM_CloseProcessHandle
MEM_CloseVirtual
MEM_FindFirstModule
MEM_OpenVad
MEM_CloseVad
MEM_GetVirtualInformation
MEM_GetModuleInformation
MEM_FindFirstVirtual
MEM_ReadProcessMemory
MEM_FindCloseVad
MEM_FindNextModule
MEM_FindNextVirtual
MEM_CloseModule
FWKMEM_RegisterToEvent
FWKMEM_UnRegisterFromEvent
MEM_GetVadInformation
MEM_OpenModule

plgainfo

AddTag
FreeXMLAdditionalInfo
DumpBufferXMLAdditionalInfoInternal
AddTagAttribute
CreateXMLAdditionalInfo
CloseTag

crypt32

CryptMsgClose
CryptQueryObject
CryptMsgGetParam
CertCloseStore
CertFindCertificateInStore
CertFreeCertificateContext
CertGetNameStringW

kernel32

ExpandEnvironmentStringsA
WaitForSingleObject
CreateFileW
FreeLibrary
Sleep
GetCurrentThread
TryEnterCriticalSection
Process32First
QueryPerformanceFrequency
InterlockedIncrement
GetModuleHandleA
GetSystemInfo
LoadLibraryW
GetProcAddress
LocalAlloc
LocalFree
SetEvent
Process32Next
QueryPerformanceCounter
ReadProcessMemory
GetFileSize
ReadFile
GetShortPathNameA
GetLastError

advapi32

TraceEvent
GetTraceEnableFlags
GetTraceLoggerHandle
RegisterTraceGuidsA
UnregisterTraceGuids
GetTraceEnableLevel
RegQueryValueExW
RegEnumKeyExW

shell32

CommandLineToArgvW

pskheufil

HEUFIL_CalculateCode

detevenfilter

ord152
ord154
ord151
ord156
ord157
ord150
ord158

putczip

ord2
ord1
ord4
ord3
ord5

fwkpal

FWKPAL_IProcessInfo_GetClassification
FWKPAL_GetItem
FWKPAL_GetProcessFileCreated
FWKPAL_IProcessInfo_Release
FWKPAL_IProccessMonitorHistory_GetProcessCreator
FWKPAL_InterceptionAddToGroup
FWKPAL_GetItemString
FWKPAL_InterceptionDelFromGroup
FWKPAL_IProccessMonitorHistory_GetProcessCreatorByPath
FWKPAL_FindCloseItem
FWKPAL_IProcessInfo_GetParent
FWKPAL_FreeInfoByMD5
FWKPAL_SetInfoItem
FWKPAL_GetBLKValue
FWKPAL_IProccessMonitorHistory_GetProcessByPid
FWKPAL_IProcessInfo_IsRunning
FWKPAL_GetIDataStringItem
FWKPAL_IProcessInfo_GetExecutable
FWKPAL_GetIDataItem
FWKPAL_IProcessInfo_GetCreationTime
FWKPAL_IProcessInfo_GetPID
FWKPAL_IProcessInfo_GetChildProcesses
FWKPAL_FindNextItem
FWKPAL_FindFirstItem
FWKPAL_IProcessInfo_GetCommandLine

pskcrypt

DecodeBase64

pskwalloc

PWLeaveCriticalSection
PWDeleteCriticalSection
PWInitializeCriticalSection
PWEnterCriticalSection

fwkadd

FWKADD_SaveActions
FWKADD_AddProcessAction
FWKADD_CreateAdditionalTaks
FWKADD_FreeAddtionalTasks

secur32

GetUserNameExW

libdeteven

CheckFakeSkeptic
GetDeepLScore
LIST_Pop
IsProcessRemoteByPid
ReturnTempDirectoryW
GetProcessRemoteByPid
FILE_NODE_Free
LIST_IsEmpty
FlagsForDetection_GetValue
WPATH_Init
LIST_Push
guarded_isearch
GetSystemTimeAsULongLong
LIST_Push_STRING_PAIR
RemoveCommandLineEventConsumer
LIST_Push_STRING_TRIPLET
LIST_ITERATOR_End
NSIS_DisassembleByStream
FlagsForDetection_Create
GetProductID
PATH_Init
wcsistr
RemoveActionScriptConsumerByScriptText
GetFirstArgumentW
PATH_End
LIST_ITERATOR_GetValue
RemoveActionScriptConsumerByScriptFilename
CreateDummyFile
FlagsForDetection_SetValue
GetVolumeFlagsW
endsWithW
DATAMNGR_SetAlternatePath
WPATH_End
DUMMYFILENAME
FLAGS_FOR_DETECTION_ResetAlternatePath
my_wcsdup
ToLongPathNameW
LIST_ITERATOR_Next
GetProtectionID
RemoveAllCommandLineEventConsumer
RemoveAllActiveScriptEventConsumer
FlagsForDetection_Free
startsWith
FileTimeToULongLong
endsWith
stristr
guarded_isearchW
FileExistsW
LIST_ITERATOR_Begin
UT_BuscarID
GetArgumentSizeW
GetAncestorByPRC_ID
LIST_IsInitialized
GetNextArgumentW
wcsnzcpy
UnquoteArgumentW
ToLongPathName
CheckSkeptic
startsWithW
wcssep
GetProcessName
Nano_Calculate_ClientID
Init_EVENT_SOCKET_CONNECTION_v2
SetReanalyzable
wcstruncate
IsSupported_EVENT_SOCKET_CONNECTION_v2
concat_path
MultiWSTR_Duplicate
ShortPathToLongPathWithDecoration
MultiWSTR_Init
MultiWSTR_Add
MultiWSTR_AddList
FWKPALExcludeProcessExecutionByPathAndCommandLine
FWKPALExcludeProcessExecutionByPath
FWKPALUnExcludeProcessExecutionByPath
FWKPALUnExcludeProcessExecutionByPathAndCommandLine
SkipWhites
ProductAndVersionSanityCheck
CalculateAV_Product
CalculateAV_Version
LIST_Init
FileExistsA
IsPSKSYSsVersionAboveOrEqual
MultiWSTR_Size
GetDeepLVersion
LIST_Finalize
GetNextValidArgumentW

heuflagsfilter

ord150

Exports

Exports

PLGLOADER_GetTypes

Sections

.text
Size: 556KB - Virtual size: 555KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 371KB - Virtual size: 370KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 216KB - Virtual size: 218KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 856B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 188KB - Virtual size: 188KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9156d550c6cc262621481252db095869

Headers

DLL Characteristics

File Characteristics

Imports

pskalloc

pskutil

pskreg

pskdata

pskvfile

fwkpelib

msvcrt

autoit

detbonsay

pscr80

tblmgr

psklutil

psksys

fwkscs

tbleven

det1ntbl

fwksec

fwkmem

plgainfo

crypt32

kernel32

advapi32

shell32

pskheufil

detevenfilter

putczip

fwkpal

pskcrypt

pskwalloc

fwkadd

secur32

libdeteven

heuflagsfilter

Exports

Exports

Sections

.text Size: 556KB - Virtual size: 555KB

.rdata Size: 371KB - Virtual size: 370KB

.data Size: 216KB - Virtual size: 218KB

.rsrc Size: 1024B - Virtual size: 856B

.reloc Size: 188KB - Virtual size: 188KB

.text
Size: 556KB - Virtual size: 555KB

.rdata
Size: 371KB - Virtual size: 370KB

.data
Size: 216KB - Virtual size: 218KB

.rsrc
Size: 1024B - Virtual size: 856B

.reloc
Size: 188KB - Virtual size: 188KB