MDUserLDAP[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

MDUserLDAP.dll
Size

916KB
MD5

1287385934587d76aaf3286e0c9e3350
SHA1

74b8eafd4c55efe407e905cd9d1864f6a75030fb
SHA256

b546358993254519e46ce2788c30849dc04a32f00abbfc46eb16e63577720d58
SHA512

e3ec3c8abb821ca253d2953be3646ba6e5f1108f2169f1d6d157bd26d115c7589aa27737763d9d75a6869585774eefbb2adf96f326c5c6c762f44561b7443ab4
SSDEEP

24576:UROyNQ2ze6nbD97LJotaI4MsqAiKVMmdfdJcY:UROMnf97StvZbKeu1D

Score

1^/10

Malware Config

Signatures

Files

MDUserLDAP.dll
.dll windows:6 windows x64 arch:x64

92e94e47b642522bf3cad4543055db6b

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

22/10/2013, 12:00

Not After

22/10/2028, 12:00

Subject

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0d:49:f2:91:5f:be:d0:0e:38:ba:b5:fa:81:64:ee:d2
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/02/2018, 00:00

Not After

05/02/2021, 12:00

Subject

CN=MDaemon Technologies\, Ltd.,O=MDaemon Technologies\, Ltd.,L=Grapevine,ST=Texas,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

a0:6a:94:96:88:0b:cf:62:a7:21:43:0b:8a:54:0e:b9:52:32:a4:73
Signer

Actual PE Digest

a0:6a:94:96:88:0b:cf:62:a7:21:43:0b:8a:54:0e:b9:52:32:a4:73

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

wldap32

ord200
ord27
ord26
ord47
ord186
ord13
ord211
ord48
ord36
ord16
ord41
ord60
ord34
ord143
ord53
ord25
ord52
ord38
ord44
ord30
ord50

ws2_32

htonl
WSAAddressToStringA
inet_addr
WSAStartup
WSACleanup

kernel32

HeapCreate
HeapFree
SetLastError
EnterCriticalSection
WriteFile
OutputDebugStringA
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
SetFilePointer
SetEndOfFile
UnlockFileEx
CreateMutexW
FindClose
WaitForSingleObject
CreateFileW
GetFileAttributesW
GetCurrentThreadId
ReleaseMutex
UnmapViewOfFile
MultiByteToWideChar
Sleep
GetModuleHandleExA
GetLastError
GetFileAttributesA
GetFileAttributesExW
LoadLibraryA
GetVersionExA
DeleteFileW
HeapReAlloc
CloseHandle
HeapSetInformation
HeapAlloc
GetLocalTime
HeapDestroy
GetProcAddress
LockFileEx
GetFileSize
DeleteCriticalSection
GetCurrentProcessId
GetProcessHeap
SystemTimeToFileTime
FreeLibrary
WideCharToMultiByte
GetSystemTime
CreateFileMappingW
MapViewOfFile
GetTickCount
IsDebuggerPresent
FlushFileBuffers
MoveFileA
FindFirstFileA
FindNextFileA
GetPrivateProfileSectionA
GetACP
DeleteFileA
WritePrivateProfileStringA
RemoveDirectoryA
CreateDirectoryA
GetPrivateProfileStringA
WritePrivateProfileSectionA
GetFileAttributesExA
InitializeCriticalSection
GetSystemTimeAsFileTime
FindFirstFileW
WaitNamedPipeA
CreateNamedPipeA
WaitForMultipleObjects
FreeLibraryAndExitThread
DisconnectNamedPipe
MoveFileExA
CreateFileA
SetEvent
ResetEvent
GetOverlappedResult
CreateFileMappingA
CreateEventA
ConnectNamedPipe
GetPrivateProfileSectionNamesA
GetTimeZoneInformation
FileTimeToSystemTime
GetFileType
GetPrivateProfileIntA
GetStdHandle
ExitProcess
GetModuleHandleExW
ExitThread
CreateThread
SetStdHandle
LoadLibraryExW
InterlockedFlushSList
RtlUnwind
GetModuleFileNameA
ReadFile
CreateDirectoryW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
SetFilePointerEx
GetConsoleCP
GetConsoleMode
ReadConsoleW
FindFirstFileExA
IsValidCodePage
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
WriteConsoleW
RaiseException
RtlPcToFileHeader
RtlUnwindEx
FormatMessageA
GetModuleHandleA
GetSystemDirectoryA
InitializeSListHead
QueryPerformanceCounter
GetStartupInfoW
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetStringTypeW
GetLocaleInfoW
LCMapStringW
CompareStringW
GetCPInfo
DecodePointer
EncodePointer
GetModuleHandleW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
HeapSize
CancelIo
SwitchToThread

user32

MessageBoxA
LoadStringA
SendMessageA
IsWindow
PostMessageA

advapi32

AddAccessAllowedAce
CryptDestroyKey
CryptVerifySignatureA
CryptImportKey
CryptGetHashParam
InitializeAcl
CryptGenRandom
LogonUserA
SystemFunction036
SetSecurityDescriptorDacl
CryptAcquireContextA
RegCloseKey
RegQueryValueExA
GetSidSubAuthority
GetSidLengthRequired
InitializeSid
CryptCreateHash
CryptHashData
CryptDestroyHash
InitializeSecurityDescriptor
RegOpenKeyExA
CryptReleaseContext

ole32

CoCreateGuid

shlwapi

StrChrA
StrChrW

winhttp

WinHttpQueryHeaders
WinHttpReadData
WinHttpOpenRequest
WinHttpConnect
WinHttpOpen
WinHttpSetOption
WinHttpSendRequest
WinHttpCloseHandle
WinHttpReceiveResponse

iphlpapi

GetAdaptersAddresses

ntdll

RtlIpv6StringToAddressA

Exports

Exports

MD_AddAliasToLdapAddrBook
MD_AddGroupMember
MD_AddMultiPOPItem
MD_AddRule
MD_AddToLdapAddrBook
MD_AddToQueueList
MD_AddUser
MD_AllowServiceAccess
MD_AttachmentLinkingDelete
MD_ChangeLdapAddrBook
MD_ChangeRule
MD_ChangeUser
MD_ClearBISInfo
MD_ClearGroupCache
MD_ClearSettingsCache
MD_ClusterEnable
MD_ClusterGetEnabled
MD_ClusterGetLocalNodeId
MD_ClusterGetLocalServerGUID
MD_ClusterGetLocalServerId
MD_ClusterGetNodeId
MD_ClusterGetPrimaryComputerName
MD_ClusterGetServerGUID
MD_ClusterGetServerId
MD_ClusterLocalNodeIsPrimary
MD_CompromisedPasswordCheck
MD_CreateAlias
MD_CreateFileName
MD_CreateGroup
MD_CreateIMAPFolder
MD_CreatePublicIMAPFolder
MD_CreateUserIMAPFolder
MD_DecodeIMAPFolderName
MD_DeleteAlias
MD_DeleteAllAliases
MD_DeleteDomain
MD_DeleteFromLdapAddrBook
MD_DeleteGateway
MD_DeleteGroup
MD_DeleteKey
MD_DeleteKeyIni
MD_DeleteMessageFile
MD_DeleteMultiPOPItem
MD_DeletePointer
MD_DeletePublicIMAPFolder
MD_DeleteRule
MD_DeleteSection
MD_DeleteUser
MD_DeleteUserIMAPFolder
MD_EncodeIMAPFolderName
MD_EraseAutoResp
MD_ExportAllUsers
MD_FilterString
MD_FilterUserInfo
MD_FindClose
MD_FindFirst
MD_FindFirstRule
MD_FindGroupMember
MD_FindNext
MD_FindNextRule
MD_FlagReloadUsers
MD_FreeDomain
MD_FreeGateway
MD_FreeGroup
MD_GatewayLicenseFull
MD_GetActiveSyncUserCounts
MD_GetActiveSyncUsers
MD_GetAddrBookParms
MD_GetAddrBookWhiteList
MD_GetAllGroups
MD_GetAllGroupsWithDesc
MD_GetAllowChangeViaEmail
MD_GetAllowIMAPAccess
MD_GetAllowPOPAccess
MD_GetAllowTFA
MD_GetAppDir
MD_GetApplyDomainSignature
MD_GetApplyQuotas
MD_GetAttachmentLinking
MD_GetAutoDecode
MD_GetAutoRespInfo
MD_GetBISInfo
MD_GetBoolKey
MD_GetByAlias
MD_GetByEmail
MD_GetByFullName
MD_GetByMailDir
MD_GetByMailbox
MD_GetCanModifyGAB
MD_GetClientSignatureFile
MD_GetComments
MD_GetCreatePlaceholderEvents
MD_GetDBPath
MD_GetDailyRcptQuota
MD_GetDailySendQuota
MD_GetDeclineConflictingRequests
MD_GetDeclineRecurringRequests
MD_GetDirSize
MD_GetDirStats
MD_GetDoNotDisturb
MD_GetDomain
MD_GetDomainCount
MD_GetDomainIP
MD_GetDomainIP6
MD_GetDomainNameUsingIP
MD_GetDomainNames
MD_GetDomainsGAB
MD_GetDontExpirePassword
MD_GetEditIMAPRules
MD_GetEmail
MD_GetEnableActiveSync
MD_GetEnableComAgent
MD_GetEnableInstantMessaging
MD_GetEnableMultiPOP
MD_GetExemptFromAuthMatch
MD_GetExtractInbound
MD_GetExtractOutbound
MD_GetFileCount
MD_GetForwardingInfo
MD_GetForwardingInfoQueue
MD_GetFree
MD_GetFullName
MD_GetGatewayCount
MD_GetGatewayNames
MD_GetGroups
MD_GetHideFromEveryone
MD_GetHiwaterBoolValue
MD_GetHiwaterStringValue
MD_GetIMAPFolderList
MD_GetIMAPFolders
MD_GetInboxMappings
MD_GetIntKey
MD_GetIsDisabled
MD_GetIsDomainAdmin
MD_GetIsForwarding
MD_GetIsFrozen
MD_GetKeepForwardedMail
MD_GetLicensesUsed
MD_GetMailDir
MD_GetMailDirOwner
MD_GetMailFormat
MD_GetMailbox
MD_GetMaxDiskSpace
MD_GetMaxMessageCount
MD_GetMembersOfGroup
MD_GetMultiPOPItems
MD_GetMultiPOPMaxMessageAge
MD_GetMultiPOPMaxMessageSize
MD_GetMustChangePassword
MD_GetMyIPAddresses
MD_GetPassword
MD_GetPasswordCreateDate
MD_GetProcessCalendarRequests
MD_GetPruningFlags
MD_GetPublicFolderAccessMask
MD_GetPublicIMAPFolderAccess
MD_GetPublicIMAPFolderPath
MD_GetQuotaCounts
MD_GetRemoteQueues
MD_GetRequireTFA
MD_GetSectionNames
MD_GetSharedAppDir
MD_GetSharedDomainInfo
MD_GetSharedFolderAccessMask
MD_GetSharedListMemberInfo
MD_GetSharedStringPair
MD_GetSharedUserInfo
MD_GetSignatureFile
MD_GetStringKey
MD_GetSubAddressedPath
MD_GetSubAddressing
MD_GetUpdateAddrBookWhiteList
MD_GetUseDefaultPruning
MD_GetUserIMAPFolderPath
MD_GetUserInfo
MD_GetWebConfigBit
MD_GetWebConfigBits
MD_GetWorldClientUserString
MD_GroupAddMember
MD_GroupClearCache
MD_GroupCreate
MD_GroupDelete
MD_GroupExists
MD_GroupFindMember
MD_GroupFree
MD_GroupGetADGroup
MD_GroupGetAll
MD_GroupGetAllWithDesc
MD_GroupGetCount
MD_GroupGetMembers
MD_GroupGetUserGroups
MD_GroupInit
MD_GroupRemoveMember
MD_GroupRename
MD_GroupRenameMember
MD_GroupSetUserGroups
MD_GroupUpdate
MD_GroupWrite
MD_ImportUserInfo
MD_ImportUsers
MD_InitBISInfo
MD_InitDomainInfo
MD_InitGatewayInfo
MD_InitMessageInfo
MD_InitMultiPOPItem
MD_InitUserInfo
MD_InitUserInfoByTemplate
MD_InvalidateActiveSyncUsers
MD_InvalidateAliases
MD_InvalidateBadPasswords
MD_InvalidateLANIPs
MD_IsAVLicenseTooSmall
MD_IsAlreadyAQueue
MD_IsDBConnected
MD_IsDynamicPasswordStr
MD_IsLicenseActive
MD_IsPasswordTooOld
MD_IsProVersion
MD_IsSecurePasswordStr
MD_IsSlaveNode
MD_IsSystemAddress
MD_IsTrialVersion
MD_IsValidAlias
MD_LogonUser
MD_MoveKey
MD_MoveRuleDown
MD_MoveRuleUp
MD_MoveSection
MD_PatternMatchCIDR
MD_PostAppMessage
MD_PublicIMAPFolderACLRemove
MD_PublicIMAPFolderACLUpdate
MD_ReadRule
MD_RegisterWindow
MD_ReloadUsers
MD_RemoveFromQueueList
MD_RemoveGroupMember
MD_RemoveSpamAssassinStr
MD_RenameDomain
MD_RenameGroup
MD_RenameGroupMember
MD_RenamePublicIMAPFolder
MD_RenameSection
MD_RenameUserFolder
MD_RenameUserIMAPFolder
MD_ReplaceTextInFile
MD_RestrictInboundMail
MD_RestrictOutboundMail
MD_RuleStringToRuleStruct
MD_RuleStructToRuleString
MD_SendAppMessage
MD_SendInstantMessage
MD_SetAccessType
MD_SetActiveSyncUsers
MD_SetAddrBookParms
MD_SetAddrBookWhiteList
MD_SetAllowChangeViaEmail
MD_SetAllowTFA
MD_SetApplyDomainSignature
MD_SetApplyQuotas
MD_SetAttachmentLinking
MD_SetAutoDecode
MD_SetAutoRespInfo
MD_SetBISInfo
MD_SetBoolKey
MD_SetBoolKeyIni
MD_SetCanModifyGAB
MD_SetComments
MD_SetDeclineConflictingRequests
MD_SetDeclineRecurringRequests
MD_SetDomain
MD_SetDontExpirePassword
MD_SetEditIMAPRules
MD_SetEnableActiveSync
MD_SetEnableComAgent
MD_SetEnableInstantMessaging
MD_SetEnableMultiPOP
MD_SetExemptFromAuthMatch
MD_SetExtractInbound
MD_SetExtractOutbound
MD_SetForwardingInfo
MD_SetForwardingInfoQueue
MD_SetFullName
MD_SetGhostCount
MD_SetGroups
MD_SetHideFromEveryone
MD_SetHiwaterBoolValue
MD_SetHiwaterStringValue
MD_SetInboundMailRestrictions
MD_SetInboxMappings
MD_SetIntKey
MD_SetIntKeyIni
MD_SetIsDisabled
MD_SetIsDomainAdmin
MD_SetIsForwarding
MD_SetIsFrozen
MD_SetKeepForwardedMail
MD_SetMailDir
MD_SetMailFormat
MD_SetMailbox
MD_SetMaxDiskSpace
MD_SetMaxMessageCount
MD_SetMultiPOPItems
MD_SetMultiPOPMaxMessageAge
MD_SetMultiPOPMaxMessageSize
MD_SetMustChangePassword
MD_SetNotificationFlag
MD_SetOutboundMailRestrictions
MD_SetPassword
MD_SetPasswordCreateDate
MD_SetProcessCalendarRequests
MD_SetPruningFlags
MD_SetRequireTFA
MD_SetSpamAssassinBool
MD_SetSpamAssassinStr
MD_SetStringKey
MD_SetStringKeyIni
MD_SetSubAddressing
MD_SetUpdateAddrBookWhiteList
MD_SetUseDefaultPruning
MD_SetUserIMAPFolderPermissions
MD_SetUserInfo
MD_SetWebConfigBit
MD_SetWebConfigBits
MD_SetWorldClientUserString
MD_SetupTicketRules
MD_SharedIMAPFolderACLRemove
MD_SharedIMAPFolderACLUpdate
MD_SpoolMessage
MD_StripSubAddressedPath
MD_SubscribeIMAPFolder
MD_TemplateCreate
MD_TemplateDelete
MD_TemplateExists
MD_TemplateFree
MD_TemplateGetAll
MD_TemplateGetFlags
MD_TemplateRename
MD_TemplateSetFlags
MD_TemplateWrite
MD_TranslateAlias
MD_UnregisterWindow
MD_UpdateAutoRespDomains
MD_UpdateDailyRcptQuota
MD_UpdateDailySendQuota
MD_UpdateGatewayIPList
MD_UpdateQuotaCounts
MD_UpdateSuppressList
MD_UserCount
MD_UserExists
MD_UserLicenseFull
MD_ValidateUser
MD_ValidateUserEx
MD_VerifyAccountDB
MD_VerifyDomainInfo
MD_VerifyGatewayInfo
MD_VerifyMessageInfo
MD_VerifyUserInfo
MD_WriteDomain
MD_WriteGateway

Sections

.text
Size: 667KB - Virtual size: 666KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 189KB - Virtual size: 189KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 95KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

92e94e47b642522bf3cad4543055db6b

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08Certificate

Extended Key Usages

Key Usages

0d:49:f2:91:5f:be:d0:0e:38:ba:b5:fa:81:64:ee:d2Certificate

Extended Key Usages

Key Usages

a0:6a:94:96:88:0b:cf:62:a7:21:43:0b:8a:54:0e:b9:52:32:a4:73Signer

Headers

DLL Characteristics

File Characteristics

Imports

wldap32

ws2_32

kernel32

user32

advapi32

ole32

shlwapi

winhttp

iphlpapi

ntdll

Exports

Exports

Sections

.text Size: 667KB - Virtual size: 666KB

.rdata Size: 189KB - Virtual size: 189KB

.data Size: 10KB - Virtual size: 95KB

.pdata Size: 28KB - Virtual size: 27KB

.rsrc Size: 10KB - Virtual size: 9KB

.reloc Size: 4KB - Virtual size: 4KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08
Certificate

0d:49:f2:91:5f:be:d0:0e:38:ba:b5:fa:81:64:ee:d2
Certificate

a0:6a:94:96:88:0b:cf:62:a7:21:43:0b:8a:54:0e:b9:52:32:a4:73
Signer

.text
Size: 667KB - Virtual size: 666KB

.rdata
Size: 189KB - Virtual size: 189KB

.data
Size: 10KB - Virtual size: 95KB

.pdata
Size: 28KB - Virtual size: 27KB

.rsrc
Size: 10KB - Virtual size: 9KB

.reloc
Size: 4KB - Virtual size: 4KB