oringo[.]dll | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

oringo.dll
Size

2.0MB
MD5

473355fa4b769f1a1d5e1581dbfbd702
SHA1

f2da0b6ae86a1c72224e1df8b1c3b8106fc8f25c
SHA256

c1bea49c84c424abeb53becd24c55e1f2637d250780808889a5a5a2b34e49015
SHA512

99d82caa4afe96010ad9d44f172b24e61cd06a57ce7a86992154937401f4b5f89c073eed4e358bf6a3c7dad0dfbe7c12c430c71f41baad36d63ca9a78f25ac56
SSDEEP

49152:o7vX2xRW4f1I167Mbr3LgRqSiFq+Iq3sG:o705E8ISiFqEsG

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
oringo.dll

Files

oringo.dll
.dll windows:6 windows x64 arch:x64

d85b3172927f1189c98b910bb88dfc57

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

ntdll

RtlUnwindEx
RtlPcToFileHeader
RtlVirtualUnwind
RtlLookupFunctionEntry
NtCancelIoFileEx
RtlGetVersion
NtQueryInformationProcess
NtQuerySystemInformation
NtReadFile
NtWriteFile
NtCreateFile
RtlNtStatusToDosError
NtDeviceIoControlFile
RtlCaptureContext

kernel32

QueryPerformanceFrequency
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
SwitchToThread
QueryPerformanceCounter
GetQueuedCompletionStatusEx
CreateIoCompletionPort
SetFileCompletionNotificationModes
SleepConditionVariableSRW
WakeConditionVariable
WakeAllConditionVariable
GetSystemInfo
SetFilePointerEx
K32GetPerformanceInfo
GlobalMemoryStatusEx
GetFileInformationByHandleEx
GetFileInformationByHandle
CreateFileW
GetFullPathNameW
PostQueuedCompletionStatus
GetConsoleOutputCP
WriteFile
FlushFileBuffers
SetStdHandle
HeapSize
GetStringTypeW
SetLastError
GetFileType
GetLastError
CloseHandle
HeapFree
HeapAlloc
GetProcessHeap
LCMapStringW
FlsFree
WaitForSingleObject
GetCurrentProcess
FlsSetValue
FlsGetValue
GetModuleHandleA
GetProcAddress
GetCurrentThread
TryAcquireSRWLockExclusive
GetStdHandle
GetConsoleMode
MultiByteToWideChar
WriteConsoleW
GetEnvironmentVariableW
GetModuleHandleW
FormatMessageW
FlsAlloc
FreeEnvironmentStringsW
GetEnvironmentStringsW
CreateThread
SetThreadStackGuarantee
TerminateProcess
ExitProcess
GetSystemTimeAsFileTime
SetHandleInformation
WideCharToMultiByte
GetCommandLineW
GetProcessTimes
OpenProcess
GetCommandLineA
IsProcessorFeaturePresent
GetCurrentProcessId
SetUnhandledExceptionFilter
VirtualQueryEx
GetSystemTimes
GetProcessIoCounters
GetCPInfo
GetOEMCP
LocalFree
GetCurrentThreadId
InitializeSListHead
IsDebuggerPresent
GetACP
IsValidCodePage
FindNextFileW
FindFirstFileExW
FindClose
GetModuleFileNameW
GetModuleHandleExW
RaiseException
EncodePointer
LoadLibraryExW
TlsFree
LoadLibraryExA
FreeLibrary
UnhandledExceptionFilter
GetStartupInfoW
HeapReAlloc
TlsSetValue
ReadProcessMemory
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InterlockedFlushSList

bcrypt

BCryptGenRandom

iphlpapi

GetAdaptersAddresses

ws2_32

WSAIoctl
ioctlsocket
WSASocketW
shutdown
connect
getsockopt
getaddrinfo
WSAStartup
WSACleanup
recv
setsockopt
send
WSASend
closesocket
bind
getsockname
WSAGetLastError
getpeername
freeaddrinfo

advapi32

RegOpenKeyExW
RegCloseKey
CopySid
GetLengthSid
IsValidSid
GetTokenInformation
OpenProcessToken
SystemFunction036
RegQueryValueExW

crypt32

CertFreeCertificateChain
CertVerifyCertificateChainPolicy
CertAddCertificateContextToStore
CertEnumCertificatesInStore
CertDuplicateCertificateChain
CertCloseStore
CertFreeCertificateContext
CertDuplicateStore
CertDuplicateCertificateContext
CertOpenStore
CertGetCertificateChain

secur32

InitializeSecurityContextW
FreeCredentialsHandle
EncryptMessage
ApplyControlToken
FreeContextBuffer
DeleteSecurityContext
QueryContextAttributesW
AcceptSecurityContext
DecryptMessage
AcquireCredentialsHandleA

user32

MessageBoxW

pdh

PdhRemoveCounter
PdhCollectQueryData
PdhCloseQuery
PdhAddEnglishCounterW
PdhGetFormattedCounterValue
PdhOpenQueryA

psapi

GetModuleFileNameExW
GetProcessMemoryInfo

shell32

CommandLineToArgvW

powrprof

CallNtPowerInformation

oleaut32

GetErrorInfo
SysStringLen
SysFreeString

Exports

Exports

Java_me_oringo_Native_a
Java_me_oringo_Native_b
Java_me_oringo_Native_c
bz_internal_error

Sections

.text
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 543KB - Virtual size: 543KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 500B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d85b3172927f1189c98b910bb88dfc57

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

kernel32

bcrypt

iphlpapi

ws2_32

advapi32

crypt32

secur32

user32

pdh

psapi

shell32

powrprof

oleaut32

Exports

Exports

Sections

.text Size: 1.4MB - Virtual size: 1.4MB

.rdata Size: 543KB - Virtual size: 543KB

.data Size: 6KB - Virtual size: 10KB

.pdata Size: 24KB - Virtual size: 23KB

_RDATA Size: 512B - Virtual size: 500B

.reloc Size: 6KB - Virtual size: 6KB

.text
Size: 1.4MB - Virtual size: 1.4MB

.rdata
Size: 543KB - Virtual size: 543KB

.data
Size: 6KB - Virtual size: 10KB

.pdata
Size: 24KB - Virtual size: 23KB

_RDATA
Size: 512B - Virtual size: 500B

.reloc
Size: 6KB - Virtual size: 6KB