dumpcap[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

dumpcap.exe
Size

402KB
MD5

a303ce5b7321683e90b94c21c48d9a64
SHA1

650935a3c269cd6cd3ce9c1d21be3ffdab337dbe
SHA256

2709c587ed3b2d38cc82c75e243a5b8b8014a36b8d261e14c517f93b53d7ad90
SHA512

25a9165d076bef23ebbaa37a5f3504aa76e50cc19386f654f02ab791e9e2806bb127c054e58b81cdc8557163743f09c0a9f519657be5b0b3ff8a4995c6711801
SSDEEP

3072:YxTQ6WX8JyNCzoI/j1Tgi5mkeptoDSPTtScv86S6NOyr2rFP0oBjjxDH:YxTQ0JyNm1J5qWDSf86GuSFP9NDH

Score

1^/10

Malware Config

Signatures

Files

dumpcap.exe
.exe windows:6 windows x64 arch:x64

210da3600d232e3551626f4639ce1ac6

Code Sign

02:cc:d9:9f:7d:55:6c:13:ce:87:10:c6:9d:09:b3:1a
Certificate

Issuer

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

15/04/2019, 00:00

Not After

14/04/2022, 23:59

Subject

CN=Wireshark Foundation\, Inc.,O=Wireshark Foundation\, Inc.,POSTALCODE=95616,STREET=711 4th street,L=Davis,ST=CA,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/11/2018, 00:00

Not After

31/12/2030, 23:59

Subject

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12
Certificate

Issuer

CN=VeriSign Universal Root Certification Authority,OU=VeriSign Trust Network+OU=(c) 2008 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

12/01/2016, 00:00

Not After

11/01/2031, 23:59

Subject

CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

7b:d4:e5:af:ba:cc:07:3f:a1:01:23:04:22:41:4d:12
Certificate

Issuer

CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

23/12/2017, 00:00

Not After

22/03/2029, 23:59

Subject

CN=Symantec SHA256 TimeStamping Signer - G3,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

24:16:3f:5e:4f:00:6c:7e:08:6e:09:8b:b1:f4:c1:aa:e3:c3:9d:c0:c8:84:85:fe:b7:09:99:96:2e:66:bb:9e
Signer

Actual PE Digest

24:16:3f:5e:4f:00:6c:7e:08:6e:09:8b:b1:f4:c1:aa:e3:c3:9d:c0:c8:84:85:fe:b7:09:99:96:2e:66:bb:9e

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\buildbot\builders\wireshark-3.4-64\windows-2019-x64\build\cmbuild\run\RelWithDebInfo\dumpcap.pdb

Imports

glib-2

g_slist_free_full
g_strlcpy
g_list_nth_data
g_async_queue_push_unlocked
g_slist_nth
g_list_free
g_strdup
g_mutex_trylock
g_ascii_strncasecmp
g_strdup_printf
g_realloc
g_strjoinv
g_strerror
g_async_queue_lock
g_rw_lock_writer_lock
g_async_queue_timeout_pop
g_async_queue_timeout_pop_unlocked
g_array_new
g_snprintf
g_malloc0
g_strfreev
g_timer_destroy
g_strconcat
g_free
g_list_foreach
g_memdup
g_string_append_printf
g_assertion_message_expr
g_array_free
g_ascii_table
g_strdup_vprintf
g_str_has_suffix
g_rw_lock_writer_unlock
g_rw_lock_reader_lock
g_mutex_init
g_thread_join
g_list_append
g_error_free
g_timer_new
g_async_queue_new
g_log_set_handler
g_string_append
g_timer_elapsed
g_timer_reset
g_array_set_size
g_mutex_lock
g_malloc
g_path_get_basename
g_string_truncate
g_thread_exit
g_mutex_unlock
g_array_remove_index
g_strsplit
g_malloc_n
g_list_first
g_utf16_to_utf8
g_list_prepend
g_slist_prepend
g_slist_reverse
g_string_new
g_file_test_utf8
g_hash_table_ref
g_ascii_strcasecmp
g_list_length
g_async_queue_unlock
g_hash_table_unref
g_strrstr
g_strsplit_set
g_string_free
g_str_has_prefix
g_slist_free
g_ascii_strtod
g_list_free_full
g_list_remove_link
g_rw_lock_reader_unlock
g_async_queue_push
g_log
g_thread_new
g_async_queue_pop
g_array_append_vals
g_list_last

ws2_32

recv
WSAGetLastError
closesocket
socket
connect
select

libwsutil

get_datafile_path
create_persconffile_dir
report_warning
ws_stdio_remove
ws_stdio_rename
report_failure
ws_strtoi32
ws_strtou32
ws_load_library
ieee80211_chan_to_mhz
ieee80211_mhz_to_chan
utf_16to8
ws_module_open
plugins_get_count
get_copyright_info
ws_add_crash_info
ws_stdio_stat64
ws_pipe_close
ws_stdio_fopen
ws_init_dll_search_path
ws_init_sockets
getopt_long
ws_inet_ntop6
optind
relinquish_special_privs_perm
ws_inet_ntop4
create_timestamp
utf_8to16
create_app_running_mutex
get_cpu_info
ws_socket_ptoa
get_os_version_info
init_process_policies
create_tempfile
ws_cleanup_sockets
optarg
ws_stdio_unlink
win32strerror
ws_stdio_open
please_report_bug
get_persconffile_path

gmodule-2

g_module_supported
g_module_symbol

iphlpapi

ConvertInterfaceLuidToAlias
ConvertInterfaceGuidToLuid

kernel32

RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
TerminateProcess
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
GetCurrentProcess
ReadFile
SetConsoleCtrlHandler
GetStdHandle
PeekNamedPipe
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetModuleHandleW
GetStartupInfoW
IsDebuggerPresent
UnhandledExceptionFilter
CreateFileW
GetProcAddress
MultiByteToWideChar
GetSystemTimeAsFileTime
GlobalMemoryStatusEx
WideCharToMultiByte
WaitNamedPipeW
GetTickCount
CloseHandle
GetLastError
Sleep
InitializeSListHead

advapi32

OpenSCManagerW
CloseServiceHandle
QueryServiceStatus
RegQueryValueExW
RegOpenKeyExW
OpenServiceW

vcruntime140

strchr
strrchr
__C_specific_handler
__std_type_info_destroy_list
__current_exception
__current_exception_context
memset
memcpy
strstr

api-ms-win-crt-runtime-l1-1-0

_configure_narrow_argv
_seh_filter_dll
_initialize_narrow_environment
exit
_get_initial_wide_environment
terminate
_errno
_crt_at_quick_exit
_crt_atexit
_execute_onexit_table
_seh_filter_exe
_set_app_type
_register_thread_local_exe_atexit_callback
_c_exit
_cexit
__p___wargv
__p___argc
_exit
_initterm_e
_initterm
_register_onexit_function
_configure_wide_argv
_initialize_wide_environment
_initialize_onexit_table

api-ms-win-crt-stdio-l1-1-0

getc
putc
fwrite
ferror
_write
__stdio_common_vsscanf
setvbuf
ungetc
_close
_setmode
__stdio_common_vfprintf
fclose
fflush
__acrt_iob_func
_set_fmode
__p__commode

api-ms-win-crt-math-l1-1-0

__setusermatherr
_fdopen

api-ms-win-crt-string-l1-1-0

strncmp
strcmp

api-ms-win-crt-time-l1-1-0

_time64
_tzset
_localtime64
strftime

api-ms-win-crt-convert-l1-1-0

strtol

api-ms-win-crt-heap-l1-1-0

_set_new_mode
malloc

api-ms-win-crt-locale-l1-1-0

setlocale
_configthreadlocale

Sections

.text
Size: 63KB - Virtual size: 63KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 285KB - Virtual size: 284KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 296B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

210da3600d232e3551626f4639ce1ac6

Code Sign

02:cc:d9:9f:7d:55:6c:13:ce:87:10:c6:9d:09:b3:1aCertificate

Extended Key Usages

Key Usages

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6aCertificate

Extended Key Usages

Key Usages

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12Certificate

Extended Key Usages

Key Usages

7b:d4:e5:af:ba:cc:07:3f:a1:01:23:04:22:41:4d:12Certificate

Extended Key Usages

Key Usages

24:16:3f:5e:4f:00:6c:7e:08:6e:09:8b:b1:f4:c1:aa:e3:c3:9d:c0:c8:84:85:fe:b7:09:99:96:2e:66:bb:9eSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

glib-2

ws2_32

libwsutil

gmodule-2

iphlpapi

kernel32

advapi32

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 63KB - Virtual size: 63KB

.rdata Size: 41KB - Virtual size: 40KB

.data Size: 512B - Virtual size: 6KB

.pdata Size: 4KB - Virtual size: 3KB

.rsrc Size: 285KB - Virtual size: 284KB

.reloc Size: 512B - Virtual size: 296B

02:cc:d9:9f:7d:55:6c:13:ce:87:10:c6:9d:09:b3:1a
Certificate

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12
Certificate

7b:d4:e5:af:ba:cc:07:3f:a1:01:23:04:22:41:4d:12
Certificate

24:16:3f:5e:4f:00:6c:7e:08:6e:09:8b:b1:f4:c1:aa:e3:c3:9d:c0:c8:84:85:fe:b7:09:99:96:2e:66:bb:9e
Signer

.text
Size: 63KB - Virtual size: 63KB

.rdata
Size: 41KB - Virtual size: 40KB

.data
Size: 512B - Virtual size: 6KB

.pdata
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 285KB - Virtual size: 284KB

.reloc
Size: 512B - Virtual size: 296B