MDUser[.]dll | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

MDUser.dll
Size

908KB
MD5

da6dda7bc1ba89e0a348ac7746509a9b
SHA1

e8a10329d5061692dd60391ceb4a1b339a777392
SHA256

083244463dd155a4c02e52817f346c95bbf269ee7325c4a6a4aa8dcc96161399
SHA512

931be741c0b10e65c2d90b64f21d8e9a8af57ee2a0c1f41bf122670840c159a39cd77ffc65fa5d37b5b72da2bbac4b0b1f50699c2e4d9ed00c6a41d0f7015396
SSDEEP

24576:Zp6vs2XNMDKbepikDLBpdPihcea8VmnlEdoXE:Zp6TbOiMBaex8VmlIo0

Score

1^/10

Malware Config

Signatures

Files

MDUser.dll
.dll windows:5 windows x64 arch:x64

b777b63ce5cebe76eb1d5ae2e006cbd7

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21-12-2012 00:00

Not After

30-12-2020 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18-10-2012 00:00

Not After

29-12-2020 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

22-10-2013 12:00

Not After

22-10-2028 12:00

Subject

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0d:49:f2:91:5f:be:d0:0e:38:ba:b5:fa:81:64:ee:d2
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01-02-2018 00:00

Not After

05-02-2021 12:00

Subject

CN=MDaemon Technologies\, Ltd.,O=MDaemon Technologies\, Ltd.,L=Grapevine,ST=Texas,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

ec:39:31:70:31:f0:b6:c3:f9:45:e4:36:0e:c0:6c:b0:b4:cc:e6:4a
Signer

Actual PE Digest

ec:39:31:70:31:f0:b6:c3:f9:45:e4:36:0e:c0:6c:b0:b4:cc:e6:4a

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

ws2_32

WSACleanup
WSAStartup
inet_addr
WSAAddressToStringA
htonl

kernel32

Sleep
GetModuleHandleExA
GetFileAttributesA
GetFileAttributesExW
LoadLibraryA
GetVersionExA
DeleteFileW
HeapReAlloc
CloseHandle
HeapSetInformation
HeapAlloc
GetLocalTime
HeapDestroy
GetProcAddress
LockFileEx
GetFileSize
DeleteCriticalSection
GetCurrentProcessId
GetProcessHeap
SystemTimeToFileTime
FreeLibrary
GetSystemTime
CreateFileMappingW
MapViewOfFile
GetTickCount
IsDebuggerPresent
FlushFileBuffers
GetFileAttributesExA
InitializeCriticalSection
GetSystemTimeAsFileTime
VirtualFree
VirtualAlloc
CreateFileA
GetSystemInfo
CreateFileMappingA
CreateProcessA
MoveFileA
FindFirstFileA
FindNextFileA
GetPrivateProfileSectionA
GetACP
DeleteFileA
WritePrivateProfileStringA
RemoveDirectoryA
CreateDirectoryA
GetPrivateProfileStringA
WritePrivateProfileSectionA
CancelIo
WaitNamedPipeA
CreateNamedPipeA
WaitForMultipleObjects
FreeLibraryAndExitThread
DisconnectNamedPipe
CopyFileA
MoveFileExA
SetEvent
ResetEvent
UnmapViewOfFile
CreateEventA
ConnectNamedPipe
GetPrivateProfileSectionNamesA
GetTimeZoneInformation
FileTimeToSystemTime
GetFileType
GetPrivateProfileIntA
RaiseException
VirtualProtect
VirtualQuery
GetModuleHandleW
LoadLibraryExA
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
IsValidCodePage
ReleaseMutex
GetCurrentThreadId
GetFileAttributesW
CreateFileW
WaitForSingleObject
FindClose
RtlUnwind
CreateMutexW
UnlockFileEx
SetEndOfFile
SetFilePointer
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
OutputDebugStringA
WriteFile
EnterCriticalSection
SetLastError
HeapFree
HeapCreate
FindFirstFileW
GetModuleFileNameA
ReadFile
CreateDirectoryW
WideCharToMultiByte
GetLastError
MultiByteToWideChar
WriteConsoleW
FindFirstFileExA
ReadConsoleW
GetConsoleMode
GetConsoleCP
SetFilePointerEx
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetStdHandle
ExitProcess
GetModuleHandleExW
ExitThread
CreateThread
SetStdHandle
LoadLibraryExW
InterlockedFlushSList
RtlPcToFileHeader
RtlUnwindEx
FormatMessageA
GetModuleHandleA
GetSystemDirectoryA
InitializeSListHead
QueryPerformanceCounter
HeapSize
GetOverlappedResult
GetStartupInfoW
IsProcessorFeaturePresent
SwitchToThread
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
EncodePointer
DecodePointer
GetCPInfo
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess

user32

MessageBoxA
PostMessageA
IsWindow
LoadStringA
SendMessageA

advapi32

CryptDestroyHash
CryptDestroyKey
CryptVerifySignatureA
CryptImportKey
AddAccessAllowedAce
CryptGetHashParam
CryptGenRandom
LogonUserA
SystemFunction036
SetSecurityDescriptorDacl
CryptAcquireContextA
RegCloseKey
RegQueryValueExA
GetSidSubAuthority
GetSidLengthRequired
InitializeSid
CryptCreateHash
CryptHashData
InitializeSecurityDescriptor
RegOpenKeyExA
InitializeAcl
CryptReleaseContext

ole32

CoCreateGuid

winhttp

WinHttpQueryHeaders
WinHttpReadData
WinHttpOpenRequest
WinHttpSetOption
WinHttpOpen
WinHttpSendRequest
WinHttpConnect
WinHttpReceiveResponse
WinHttpCloseHandle

shlwapi

StrChrA
StrChrW

iphlpapi

GetAdaptersAddresses

ntdll

RtlIpv6StringToAddressA

Exports

Exports

MD_AddAliasToLdapAddrBook
MD_AddGroupMember
MD_AddMultiPOPItem
MD_AddRule
MD_AddToLdapAddrBook
MD_AddToQueueList
MD_AddUser
MD_AllowServiceAccess
MD_AttachmentLinkingDelete
MD_ChangeLdapAddrBook
MD_ChangeRule
MD_ChangeUser
MD_ClearBISInfo
MD_ClearGroupCache
MD_ClearSettingsCache
MD_ClusterEnable
MD_ClusterGetEnabled
MD_ClusterGetLocalNodeId
MD_ClusterGetLocalServerGUID
MD_ClusterGetLocalServerId
MD_ClusterGetNodeId
MD_ClusterGetPrimaryComputerName
MD_ClusterGetServerGUID
MD_ClusterGetServerId
MD_ClusterLocalNodeIsPrimary
MD_CompromisedPasswordCheck
MD_CreateAlias
MD_CreateFileName
MD_CreateGroup
MD_CreateIMAPFolder
MD_CreatePublicIMAPFolder
MD_CreateUserIMAPFolder
MD_DecodeIMAPFolderName
MD_DeleteAlias
MD_DeleteAllAliases
MD_DeleteDomain
MD_DeleteFromLdapAddrBook
MD_DeleteGateway
MD_DeleteGroup
MD_DeleteKey
MD_DeleteKeyIni
MD_DeleteMessageFile
MD_DeleteMultiPOPItem
MD_DeletePointer
MD_DeletePublicIMAPFolder
MD_DeleteRule
MD_DeleteSection
MD_DeleteUser
MD_DeleteUserIMAPFolder
MD_EncodeIMAPFolderName
MD_EraseAutoResp
MD_ExportAllUsers
MD_FilterString
MD_FilterUserInfo
MD_FindClose
MD_FindFirst
MD_FindFirstRule
MD_FindGroupMember
MD_FindNext
MD_FindNextRule
MD_FlagReloadUsers
MD_FreeDomain
MD_FreeGateway
MD_FreeGroup
MD_GatewayLicenseFull
MD_GetActiveSyncUserCounts
MD_GetActiveSyncUsers
MD_GetAddrBookParms
MD_GetAddrBookWhiteList
MD_GetAllGroups
MD_GetAllGroupsWithDesc
MD_GetAllowChangeViaEmail
MD_GetAllowIMAPAccess
MD_GetAllowPOPAccess
MD_GetAllowTFA
MD_GetAppDir
MD_GetApplyDomainSignature
MD_GetApplyQuotas
MD_GetAttachmentLinking
MD_GetAutoDecode
MD_GetAutoRespInfo
MD_GetBISInfo
MD_GetBoolKey
MD_GetByAlias
MD_GetByEmail
MD_GetByFullName
MD_GetByMailDir
MD_GetByMailbox
MD_GetCanModifyGAB
MD_GetClientSignatureFile
MD_GetComments
MD_GetCreatePlaceholderEvents
MD_GetDBPath
MD_GetDailyRcptQuota
MD_GetDailySendQuota
MD_GetDeclineConflictingRequests
MD_GetDeclineRecurringRequests
MD_GetDirSize
MD_GetDirStats
MD_GetDoNotDisturb
MD_GetDomain
MD_GetDomainCount
MD_GetDomainIP
MD_GetDomainIP6
MD_GetDomainNameUsingIP
MD_GetDomainNames
MD_GetDomainsGAB
MD_GetDontExpirePassword
MD_GetEditIMAPRules
MD_GetEmail
MD_GetEnableActiveSync
MD_GetEnableComAgent
MD_GetEnableInstantMessaging
MD_GetEnableMultiPOP
MD_GetExemptFromAuthMatch
MD_GetExtractInbound
MD_GetExtractOutbound
MD_GetFileCount
MD_GetForwardingInfo
MD_GetForwardingInfoQueue
MD_GetFree
MD_GetFullName
MD_GetGatewayCount
MD_GetGatewayNames
MD_GetGroups
MD_GetHideFromEveryone
MD_GetHiwaterBoolValue
MD_GetHiwaterStringValue
MD_GetIMAPFolderList
MD_GetIMAPFolders
MD_GetInboxMappings
MD_GetIntKey
MD_GetIsDisabled
MD_GetIsDomainAdmin
MD_GetIsForwarding
MD_GetIsFrozen
MD_GetKeepForwardedMail
MD_GetLicensesUsed
MD_GetMailDir
MD_GetMailDirOwner
MD_GetMailFormat
MD_GetMailbox
MD_GetMaxDiskSpace
MD_GetMaxMessageCount
MD_GetMembersOfGroup
MD_GetMultiPOPItems
MD_GetMultiPOPMaxMessageAge
MD_GetMultiPOPMaxMessageSize
MD_GetMustChangePassword
MD_GetMyIPAddresses
MD_GetPassword
MD_GetPasswordCreateDate
MD_GetProcessCalendarRequests
MD_GetPruningFlags
MD_GetPublicFolderAccessMask
MD_GetPublicIMAPFolderAccess
MD_GetPublicIMAPFolderPath
MD_GetQuotaCounts
MD_GetRemoteQueues
MD_GetRequireTFA
MD_GetSectionNames
MD_GetSharedAppDir
MD_GetSharedDomainInfo
MD_GetSharedFolderAccessMask
MD_GetSharedListMemberInfo
MD_GetSharedStringPair
MD_GetSharedUserInfo
MD_GetSignatureFile
MD_GetStringKey
MD_GetSubAddressedPath
MD_GetSubAddressing
MD_GetUpdateAddrBookWhiteList
MD_GetUseDefaultPruning
MD_GetUserIMAPFolderPath
MD_GetUserInfo
MD_GetWebConfigBit
MD_GetWebConfigBits
MD_GetWorldClientUserString
MD_GroupAddMember
MD_GroupClearCache
MD_GroupCreate
MD_GroupDelete
MD_GroupExists
MD_GroupFindMember
MD_GroupFree
MD_GroupGetADGroup
MD_GroupGetAll
MD_GroupGetAllWithDesc
MD_GroupGetCount
MD_GroupGetMembers
MD_GroupGetUserGroups
MD_GroupInit
MD_GroupRemoveMember
MD_GroupRename
MD_GroupRenameMember
MD_GroupSetUserGroups
MD_GroupUpdate
MD_GroupWrite
MD_ImportUserInfo
MD_ImportUsers
MD_InitBISInfo
MD_InitDomainInfo
MD_InitGatewayInfo
MD_InitMessageInfo
MD_InitMultiPOPItem
MD_InitUserInfo
MD_InitUserInfoByTemplate
MD_InvalidateActiveSyncUsers
MD_InvalidateAliases
MD_InvalidateBadPasswords
MD_InvalidateLANIPs
MD_IsAVLicenseTooSmall
MD_IsAlreadyAQueue
MD_IsDBConnected
MD_IsDynamicPasswordStr
MD_IsLicenseActive
MD_IsPasswordTooOld
MD_IsProVersion
MD_IsSecurePasswordStr
MD_IsSlaveNode
MD_IsSystemAddress
MD_IsTrialVersion
MD_IsValidAlias
MD_LogonUser
MD_MoveKey
MD_MoveRuleDown
MD_MoveRuleUp
MD_MoveSection
MD_PatternMatchCIDR
MD_PostAppMessage
MD_PublicIMAPFolderACLRemove
MD_PublicIMAPFolderACLUpdate
MD_ReadRule
MD_RegisterWindow
MD_ReloadUsers
MD_RemoveFromQueueList
MD_RemoveGroupMember
MD_RemoveSpamAssassinStr
MD_RenameDomain
MD_RenameGroup
MD_RenameGroupMember
MD_RenamePublicIMAPFolder
MD_RenameSection
MD_RenameUserFolder
MD_RenameUserIMAPFolder
MD_ReplaceTextInFile
MD_RestrictInboundMail
MD_RestrictOutboundMail
MD_RuleStringToRuleStruct
MD_RuleStructToRuleString
MD_SendAppMessage
MD_SendInstantMessage
MD_SetAccessType
MD_SetActiveSyncUsers
MD_SetAddrBookParms
MD_SetAddrBookWhiteList
MD_SetAllowChangeViaEmail
MD_SetAllowTFA
MD_SetApplyDomainSignature
MD_SetApplyQuotas
MD_SetAttachmentLinking
MD_SetAutoDecode
MD_SetAutoRespInfo
MD_SetBISInfo
MD_SetBoolKey
MD_SetBoolKeyIni
MD_SetCanModifyGAB
MD_SetComments
MD_SetDeclineConflictingRequests
MD_SetDeclineRecurringRequests
MD_SetDomain
MD_SetDontExpirePassword
MD_SetEditIMAPRules
MD_SetEnableActiveSync
MD_SetEnableComAgent
MD_SetEnableInstantMessaging
MD_SetEnableMultiPOP
MD_SetExemptFromAuthMatch
MD_SetExtractInbound
MD_SetExtractOutbound
MD_SetForwardingInfo
MD_SetForwardingInfoQueue
MD_SetFullName
MD_SetGhostCount
MD_SetGroups
MD_SetHideFromEveryone
MD_SetHiwaterBoolValue
MD_SetHiwaterStringValue
MD_SetInboundMailRestrictions
MD_SetInboxMappings
MD_SetIntKey
MD_SetIntKeyIni
MD_SetIsDisabled
MD_SetIsDomainAdmin
MD_SetIsForwarding
MD_SetIsFrozen
MD_SetKeepForwardedMail
MD_SetMailDir
MD_SetMailFormat
MD_SetMailbox
MD_SetMaxDiskSpace
MD_SetMaxMessageCount
MD_SetMultiPOPItems
MD_SetMultiPOPMaxMessageAge
MD_SetMultiPOPMaxMessageSize
MD_SetMustChangePassword
MD_SetNotificationFlag
MD_SetOutboundMailRestrictions
MD_SetPassword
MD_SetPasswordCreateDate
MD_SetProcessCalendarRequests
MD_SetPruningFlags
MD_SetRequireTFA
MD_SetSpamAssassinBool
MD_SetSpamAssassinStr
MD_SetStringKey
MD_SetStringKeyIni
MD_SetSubAddressing
MD_SetUpdateAddrBookWhiteList
MD_SetUseDefaultPruning
MD_SetUserIMAPFolderPermissions
MD_SetUserInfo
MD_SetWebConfigBit
MD_SetWebConfigBits
MD_SetWorldClientUserString
MD_SetupTicketRules
MD_SharedIMAPFolderACLRemove
MD_SharedIMAPFolderACLUpdate
MD_SpoolMessage
MD_StripSubAddressedPath
MD_SubscribeIMAPFolder
MD_TemplateCreate
MD_TemplateDelete
MD_TemplateExists
MD_TemplateFree
MD_TemplateGetAll
MD_TemplateGetFlags
MD_TemplateRename
MD_TemplateSetFlags
MD_TemplateWrite
MD_TranslateAlias
MD_UnregisterWindow
MD_UpdateAutoRespDomains
MD_UpdateDailyRcptQuota
MD_UpdateDailySendQuota
MD_UpdateGatewayIPList
MD_UpdateQuotaCounts
MD_UpdateSuppressList
MD_UserCount
MD_UserExists
MD_UserLicenseFull
MD_ValidateUser
MD_ValidateUserEx
MD_VerifyAccountDB
MD_VerifyDomainInfo
MD_VerifyGatewayInfo
MD_VerifyMessageInfo
MD_VerifyUserInfo
MD_WriteDomain
MD_WriteGateway

Sections

.text
Size: 661KB - Virtual size: 660KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 189KB - Virtual size: 188KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 93KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b777b63ce5cebe76eb1d5ae2e006cbd7

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08Certificate

Extended Key Usages

Key Usages

0d:49:f2:91:5f:be:d0:0e:38:ba:b5:fa:81:64:ee:d2Certificate

Extended Key Usages

Key Usages

ec:39:31:70:31:f0:b6:c3:f9:45:e4:36:0e:c0:6c:b0:b4:cc:e6:4aSigner

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

kernel32

user32

advapi32

ole32

winhttp

shlwapi

iphlpapi

ntdll

Exports

Exports

Sections

.text Size: 661KB - Virtual size: 660KB

.rdata Size: 189KB - Virtual size: 188KB

.data Size: 10KB - Virtual size: 93KB

.pdata Size: 28KB - Virtual size: 28KB

.rsrc Size: 8KB - Virtual size: 7KB

.reloc Size: 4KB - Virtual size: 4KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08
Certificate

0d:49:f2:91:5f:be:d0:0e:38:ba:b5:fa:81:64:ee:d2
Certificate

ec:39:31:70:31:f0:b6:c3:f9:45:e4:36:0e:c0:6c:b0:b4:cc:e6:4a
Signer

.text
Size: 661KB - Virtual size: 660KB

.rdata
Size: 189KB - Virtual size: 188KB

.data
Size: 10KB - Virtual size: 93KB

.pdata
Size: 28KB - Virtual size: 28KB

.rsrc
Size: 8KB - Virtual size: 7KB

.reloc
Size: 4KB - Virtual size: 4KB