Static task
static1
Behavioral task
behavioral1
Sample
Extorsion.dll
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
Extorsion.dll
Resource
win10v2004-20231023-en
General
-
Target
Extorsion.dll
-
Size
6.3MB
-
MD5
8a4a65bcfc4ef6ebbce73d5d1416475a
-
SHA1
a5b0bef42c96ec2014f01524942eac0e7322ad58
-
SHA256
cc90f3c76470eb60b07040b5341fe744149a1798edb6691c597e885607ce239d
-
SHA512
348295f52491295ff4a20666b8344df9bf69478ddb1cae8ccc670a1be76e3a3f077df8f4fb5836d013ad68a2d60cf874ef8b2255dee053b644c39d4517cb460d
-
SSDEEP
49152:L7VwASONGtlqF1IU6iAdIdBGTryjRYcIJUXov9oPWD6dZrB7/PxbpZ1955ourbg4:FS+tWQ7xbbZXgjWpvD+/6LI1jFgoH5A
Malware Config
Signatures
-
Unsigned PE 1 IoCs
Checks for a missing Authenticode signature: the sample carries no embedded code signature. On its own this is a weak indicator — many legitimate binaries are also unsigned — so it should be weighed together with the import profile below rather than treated as a verdict.
resource Extorsion.dll
Files
-
Extorsion.dll.dll windows:6 windows x64
502d59334989635cccd12a095b3e4967
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL
Imports
Reviewer note: the kernel32 set below combines thread enumeration (CreateToolhelp32Snapshot, Thread32First/Thread32Next, OpenThread) with thread-context manipulation (SuspendThread, GetThreadContext, SetThreadContext, ResumeThread, FlushInstructionCache, VirtualProtect) and exception-handler registration (AddVectoredExceptionHandler); that combination is consistent with in-process hooking or thread hijacking, but an import table alone does not prove the capability is exercised — confirm in the disassembly. The user32 entries (GetAsyncKeyState, GetKeyState, SendInput, GetForegroundWindow) provide input-monitoring/injection capability, advapi32 pairs CryptoAPI encryption (CryptImportKey/CryptEncrypt) with registry writes (RegCreateKeyExW/RegSetValueExW), and the ws2_32 + crypt32 certificate-chain + wldap32 ordinal + normaliz IdnToAscii group resembles a statically linked HTTP client built against Schannel (presumably libcurl — verify against the binary's strings before relying on this).
kernel32
OpenThread
FindFirstFileA
FindNextFileA
FindClose
DeleteFiber
SwitchToFiber
ConvertThreadToFiber
CreateFiber
SetConsoleTitleA
GetStdHandle
SetConsoleMode
FreeConsole
AllocConsole
TerminateThread
HeapCreate
HeapDestroy
HeapReAlloc
SetThreadContext
FlushInstructionCache
GetSystemInfo
VirtualQuery
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleExW
GetSystemTimeAsFileTime
GetFileType
RtlVirtualUnwind
GetACP
GetSystemDirectoryA
FormatMessageA
FindFirstFileW
FindNextFileW
GetConsoleMode
ReadConsoleA
CreateToolhelp32Snapshot
Thread32First
GetFileSizeEx
CreateFileA
VerifyVersionInfoW
SleepEx
WaitForMultipleObjects
MoveFileExA
InitializeCriticalSectionEx
FormatMessageW
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
InitOnceBeginInitialize
InitOnceComplete
GetFileInformationByHandleEx
AreFileApisANSI
SetFileInformationByHandle
Thread32Next
VirtualAlloc
VirtualFree
HeapFree
GetModuleHandleW
K32GetModuleInformation
VirtualProtect
GetTickCount
GetTickCount64
CreateThread
DisableThreadLibraryCalls
GetThreadContext
LoadLibraryW
ResumeThread
SuspendThread
GetCurrentThreadId
GetEnvironmentVariableA
GetEnvironmentVariableW
GetCurrentProcess
RtlCaptureContext
SetLastError
SetUnhandledExceptionFilter
AddVectoredExceptionHandler
FreeLibraryAndExitThread
RemoveVectoredExceptionHandler
Sleep
QueryPerformanceCounter
GetFileAttributesExW
FreeLibrary
VerSetConditionMask
GetProcAddress
QueryPerformanceFrequency
LoadLibraryA
GetModuleHandleA
WideCharToMultiByte
MultiByteToWideChar
GetModuleFileNameW
lstrlenW
WaitNamedPipeW
GetCurrentProcessId
CloseHandle
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
RtlLookupFunctionEntry
UnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
InitializeSListHead
GetCPInfoExW
LocalFree
CreateDirectoryW
GetLastError
CreateFileW
HeapAlloc
PeekNamedPipe
WriteFile
ReadConsoleW
FindFirstFileExW
ReadFile
user32
MessageBoxW
GetUserObjectInformationW
GetProcessWindowStation
SendInput
GetKeyState
GetAsyncKeyState
FindWindowA
GetForegroundWindow
advapi32
CryptDestroyKey
CryptEncrypt
CryptImportKey
CryptHashData
CryptGetHashParam
CryptAcquireContextA
RegSetValueExW
RegCreateKeyExW
RegCloseKey
CryptAcquireContextW
CryptReleaseContext
CryptGenRandom
DeregisterEventSource
RegisterEventSourceW
ReportEventW
CryptSetHashParam
CryptGetProvParam
CryptGetUserKey
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
shell32
SHGetFolderPathA
SHGetFolderPathW
msvcp140
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?uncaught_exceptions@std@@YAHXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?id@?$numpunct@D@std@@2V0locale@2@A
??1facet@locale@std@@MEAA@XZ
??0facet@locale@std@@IEAA@_K@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Incref@facet@locale@std@@UEAAXXZ
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
??1_Locinfo@std@@QEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
_Thrd_yield
?_Winerror_map@std@@YAHH@Z
?_Syserror_map@std@@YAPEBDH@Z
_Thrd_sleep
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z
?swap@?$basic_ostream@DU?$char_traits@D@std@@@std@@IEAAXAEAV12@@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z
?overflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHH@Z
?pbackfail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHH@Z
?underflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?seekoff@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA?AV?$fpos@U_Mbstatet@@@2@_JHH@Z
?seekpos@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA?AV?$fpos@U_Mbstatet@@@2@V32@H@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
_Query_perf_counter
?_Xlength_error@std@@YAXPEBD@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Xbad_function_call@std@@YAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
_Query_perf_frequency
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
_Cnd_destroy_in_situ
_Cnd_broadcast
_Mtx_unlock
_Thrd_join
_Xtime_get_ticks
_Thrd_id
_Cnd_do_broadcast_at_thread_exit
_Mtx_init_in_situ
_Mtx_lock
_Mtx_destroy_in_situ
_Cnd_timedwait
?_Throw_C_error@std@@YAXH@Z
?_Xbad_alloc@std@@YAXXZ
?_Throw_Cpp_error@std@@YAXH@Z
_Cnd_init_in_situ
_Mbrtowc
_Mtx_current_owns
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
wldap32
ord60
ord45
ord50
ord46
ord217
ord33
ord35
ord79
ord30
ord200
ord301
ord143
ord211
ord41
ord22
ord26
ord27
ord32
crypt32
PFXImportCertStore
CertFindExtension
CryptStringToBinaryA
CertGetCertificateContextProperty
CertFreeCertificateContext
CertDuplicateCertificateContext
CertFindCertificateInStore
CryptDecodeObjectEx
CertCloseStore
CertOpenStore
CertGetNameStringA
CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CertEnumCertificatesInStore
CertAddCertificateContextToStore
ws2_32
ioctlsocket
getsockname
getsockopt
ntohs
select
gethostbyname
WSAStartup
WSACleanup
WSAGetLastError
htonl
htons
inet_addr
inet_ntoa
gethostname
getpeername
sendto
gethostbyaddr
recvfrom
freeaddrinfo
getaddrinfo
getservbyport
getservbyname
__WSAFDIsSet
WSASetLastError
recv
send
WSAIoctl
accept
WSAWaitForMultipleEvents
WSAResetEvent
WSAEventSelect
WSAEnumNetworkEvents
WSACreateEvent
WSACloseEvent
shutdown
socket
bind
closesocket
setsockopt
listen
connect
normaliz
IdnToAscii
winmm
timeGetTime
vcruntime140_1
__CxxFrameHandler4
vcruntime140
memset
memmove
strchr
strrchr
strstr
memcpy
wcsstr
memcmp
memchr
__current_exception
__C_specific_handler
_CxxThrowException
__std_type_info_destroy_list
__current_exception_context
__std_exception_copy
__std_exception_destroy
__std_terminate
api-ms-win-crt-stdio-l1-1-0
fputs
__stdio_common_vfprintf
_wfopen
__stdio_common_vsprintf
fread
__stdio_common_vsscanf
_setmode
_fileno
fgets
_write
__acrt_iob_func
fputc
_open
ftell
fopen
fflush
fgetc
fclose
freopen_s
_lseeki64
fseek
__stdio_common_vsprintf_s
__stdio_common_vswprintf
fgetpos
_close
_read
fwrite
feof
fopen_s
setvbuf
ferror
ungetc
fsetpos
_fseeki64
_get_stream_buffer_pointers
api-ms-win-crt-heap-l1-1-0
_callnewh
calloc
free
malloc
realloc
api-ms-win-crt-runtime-l1-1-0
__sys_errlist
__sys_nerr
_beginthreadex
_cexit
terminate
_initterm
_errno
_crt_atexit
_invalid_parameter_noinfo_noreturn
_execute_onexit_table
abort
strerror_s
_exit
raise
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
signal
_seh_filter_dll
_initterm_e
api-ms-win-crt-math-l1-1-0
roundf
ldexp
_ldsign
_fdsign
_dsign
_fdopen
_dclass
_fdclass
_ldclass
ceil
ceilf
cosf
fmaxf
pow
log2
powf
sin
sinf
sqrt
cos
api-ms-win-crt-time-l1-1-0
_localtime64
_gmtime64_s
strftime
_gmtime64
_localtime64_s
_time64
api-ms-win-crt-string-l1-1-0
strncpy_s
_strdup
strcat_s
strncmp
strncpy
isspace
toupper
strpbrk
strcmp
strcpy_s
strcspn
strspn
isdigit
tolower
api-ms-win-crt-utility-l1-1-0
rand
qsort
api-ms-win-crt-convert-l1-1-0
atoi
strtoull
wcstombs
strtoul
strtol
strtod
strtoll
api-ms-win-crt-filesystem-l1-1-0
_stat64i32
_fstat64
_access
_stat64
_unlink
_lock_file
_unlock_file
api-ms-win-crt-locale-l1-1-0
localeconv
___lc_codepage_func
api-ms-win-crt-environment-l1-1-0
getenv
bcrypt
BCryptGenRandom
Sections
.text Size: 4.4MB - Virtual size: 4.4MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 1.4MB - Virtual size: 1.4MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 265KB - Virtual size: 2.5MB (virtual size far exceeds raw size: roughly 2.2MB of this section is zero-filled at load time, i.e. uninitialized storage; by itself this is not a packing indicator, since .text and .rdata have matching raw and virtual sizes)
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 143KB - Virtual size: 142KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 512B - Virtual size: 248B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 57KB - Virtual size: 56KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ