ws2_32[.]dll | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

ws2_32.dll
Size

416KB
MD5

f1fafc04216614ec5c7b8c6a82394dfd
SHA1

5b6966d9af7bcf687aab982c26efe1c2adfaff18
SHA256

7e412388c871f5f1d1651da11689eb82a7e4c5785409ec2753cfc4be484d910e
SHA512

0828267f5036b105982b2fc351c1c40d06ae4853ace76f131dc44d8dec0f9281b4fecab52ce273e2d9de06b95b8ce47af093689b9f9304de3577d47a3853f599
SSDEEP

6144:0LYcepnIinzqyUMCLJ16iYRrKWr3GIIGepi6/GDQez5NzLJpyM7BVl7+jBSEYdRU:5d+iiYxKdns6+Dl5NpdqmU

Score

1^/10

Malware Config

Signatures

Files

ws2_32.dll
.dll windows:10 windows x64 arch:x64

6eee61ef7874aa59d1a3452c72e61d5c

Code Sign

33:00:00:02:29:e8:93:3c:c4:14:fa:f5:7c:00:00:00:00:02:29
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

27-03-2019 19:21

Not After

27-03-2020 19:21

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f7:2d:ea:1b:f4:f8:16:43:1e:00:85:04:2e:19:2d:10:3a:fa:8a:63:4d:7e:d1:9c:5b:34:56:d8:d9:00:08:5e
Signer

Actual PE Digest

f7:2d:ea:1b:f4:f8:16:43:1e:00:85:04:2e:19:2d:10:3a:fa:8a:63:4d:7e:d1:9c:5b:34:56:d8:d9:00:08:5e

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

ws2_32.pdb

Imports

api-ms-win-core-crt-l1-1-0

memcmp
strrchr
memcpy
memset
strcmp
_wcsicmp
wcsncmp
towupper
wcscpy_s
strcpy_s
atoi
strchr
_stricmp
wcsstr
_vsnprintf_s
strtoul
sprintf_s
memcpy_s
_wcsnicmp
wcschr
_vsnwprintf_s
isspace
__isascii
__C_specific_handler

api-ms-win-core-crt-l2-1-0

__dllonexit3
exit
hgets
_initterm_e
_initterm
_onexit

ntdll

EtwEventUnregister
EtwEventRegister
EtwUnregisterTraceGuids
EtwRegisterTraceGuidsW
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
RtlCompareMemory
EtwEventEnabled
EtwEventWrite
RtlIpv6StringToAddressExW
RtlIpv4AddressToStringExW
RtlIpv6AddressToStringExW
RtlIpv4AddressToStringExA
RtlIpv6AddressToStringExA
RtlIpv4StringToAddressW
RtlIpv6StringToAddressW
RtlIpv6StringToAddressA
RtlIpv4StringToAddressA
EtwTraceMessageVa
EtwTraceMessage
NtCreateFile
RtlUnhandledExceptionFilter
RtlAllocateHeap
WinSqmIsOptedIn
RtlFreeHeap
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlUnicodeStringToInteger
RtlInitUnicodeStringEx
RtlGetNtProductType
NtQueryDirectoryFile
NtOpenFile
NtWaitForSingleObject
NtFsControlFile
NtCreateNamedPipeFile
NtLoadDriver
RtlAdjustPrivilege
RtlImpersonateSelf
NtDelayExecution
NtDeviceIoControlFile
NtClose
RtlNtStatusToDosError
RtlInitUnicodeString

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
GetLastError
SetLastError
UnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-0

TlsSetValue
OpenThreadToken
ResumeThread
GetCurrentProcessId
SwitchToThread
GetCurrentThread
GetCurrentThreadId
GetCurrentProcess
QueueUserAPC
CreateThread
TerminateProcess
TlsAlloc
SetThreadToken
TerminateThread
OpenProcessToken
TlsGetValue
TlsFree

api-ms-win-core-string-l1-1-0

CompareStringW
MultiByteToWideChar
WideCharToMultiByte

api-ms-win-core-synch-l1-2-0

WakeAllConditionVariable
InitOnceExecuteOnce
SleepConditionVariableCS
Sleep
InitializeConditionVariable

api-ms-win-core-handle-l1-1-0

GetHandleInformation
DuplicateHandle
CloseHandle

api-ms-win-core-synch-l1-1-0

InitializeCriticalSectionAndSpinCount
CreateEventW
ReleaseMutex
CreateMutexA
SetEvent
ResetEvent
CreateEventA
WaitForSingleObject
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
TryEnterCriticalSection
LeaveCriticalSection
WaitForMultipleObjectsEx

api-ms-win-core-libraryloader-l1-2-0

LoadStringA
FreeLibraryAndExitThread
GetModuleHandleExA
LoadLibraryExW
GetProcAddress
GetModuleFileNameW
LoadLibraryExA
GetModuleFileNameA
FreeLibrary
GetModuleHandleA
LoadStringW

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolTimer
CloseThreadpoolTimer
SetThreadpoolTimer
TrySubmitThreadpoolCallback
WaitForThreadpoolTimerCallbacks

api-ms-win-security-base-l1-1-0

AddAccessDeniedAce
SetSecurityDescriptorDacl
GetTokenInformation
InitializeSecurityDescriptor
EqualSid
GetAce
GetAclInformation
GetLengthSid
AddAccessAllowedAce
FreeSid
AllocateAndInitializeSid
RevertToSelf
IsValidSid
GetSecurityDescriptorDacl
ImpersonateLoggedOnUser
InitializeAcl
CopySid
CheckTokenMembership

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventSetInformation
EventUnregister
EventRegister

api-ms-win-core-heap-l1-1-0

HeapFree
HeapAlloc
GetProcessHeap
HeapDestroy
HeapReAlloc

api-ms-win-core-registry-l1-1-0

RegSetValueExW
RegQueryValueExA
RegOpenKeyExW
RegEnumKeyExA
RegDeleteKeyExA
RegOpenKeyExA
RegCreateKeyExW
RegCloseKey
RegQueryValueExW
RegDeleteTreeA
RegCreateKeyExA
RegNotifyChangeKeyValue
RegSetValueExA
RegGetKeySecurity

api-ms-win-core-processenvironment-l1-1-0

GetEnvironmentVariableW
ExpandEnvironmentStringsA
GetCommandLineW
GetEnvironmentVariableA
ExpandEnvironmentStringsW

api-ms-win-core-heap-l2-1-0

LocalFree
GlobalAlloc
LocalAlloc
GlobalFree

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemInfo
GetSystemTimeAsFileTime
GetComputerNameExA
GetSystemDirectoryA
GetComputerNameExW

api-ms-win-core-file-l1-1-0

CreateFileA

api-ms-win-core-wow64-l1-1-0

IsWow64Process

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-processthreads-l1-1-1

GetProcessMitigationPolicy

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpA
lstrlenA

api-ms-win-core-kernel32-legacy-l1-1-0

PulseEvent

rpcrt4

UuidCreate
RpcBindingVectorFree
RpcServerUnregisterIfEx
RpcServerUseProtseqW
RpcBindingInqObject
RpcServerUnregisterIf
RpcAsyncCompleteCall
RpcServerRegisterIfEx
RpcServerListen
RpcEpUnregister
RpcEpRegisterW
RpcServerInqBindings
NdrAsyncServerCall
NdrServerCallAll
Ndr64AsyncServerCallAll
NdrServerCall2
I_RpcBindingInqTransportType
RpcRevertToSelfEx
RpcImpersonateClient
RpcRevertToSelf
RpcServerInqCallAttributesW

api-ms-win-core-debug-l1-1-0

OutputDebugStringA

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Exports

Exports

FreeAddrInfoEx
FreeAddrInfoExW
FreeAddrInfoW
GetAddrInfoExA
GetAddrInfoExCancel
GetAddrInfoExOverlappedResult
GetAddrInfoExW
GetAddrInfoW
GetHostNameW
GetNameInfoW
InetNtopW
InetPtonW
SetAddrInfoExA
SetAddrInfoExW
WEP
WPUCompleteOverlappedRequest
WPUGetProviderPathEx
WSAAccept
WSAAddressToStringA
WSAAddressToStringW
WSAAdvertiseProvider
WSAAsyncGetHostByAddr
WSAAsyncGetHostByName
WSAAsyncGetProtoByName
WSAAsyncGetProtoByNumber
WSAAsyncGetServByName
WSAAsyncGetServByPort
WSAAsyncSelect
WSACancelAsyncRequest
WSACancelBlockingCall
WSACleanup
WSACloseEvent
WSAConnect
WSAConnectByList
WSAConnectByNameA
WSAConnectByNameW
WSACreateEvent
WSADuplicateSocketA
WSADuplicateSocketW
WSAEnumNameSpaceProvidersA
WSAEnumNameSpaceProvidersExA
WSAEnumNameSpaceProvidersExW
WSAEnumNameSpaceProvidersW
WSAEnumNetworkEvents
WSAEnumProtocolsA
WSAEnumProtocolsW
WSAEventSelect
WSAGetLastError
WSAGetOverlappedResult
WSAGetQOSByName
WSAGetServiceClassInfoA
WSAGetServiceClassInfoW
WSAGetServiceClassNameByClassIdA
WSAGetServiceClassNameByClassIdW
WSAHtonl
WSAHtons
WSAInstallServiceClassA
WSAInstallServiceClassW
WSAIoctl
WSAIsBlocking
WSAJoinLeaf
WSALookupServiceBeginA
WSALookupServiceBeginW
WSALookupServiceEnd
WSALookupServiceNextA
WSALookupServiceNextW
WSANSPIoctl
WSANtohl
WSANtohs
WSAPoll
WSAProviderCompleteAsyncCall
WSAProviderConfigChange
WSARecv
WSARecvDisconnect
WSARecvFrom
WSARemoveServiceClass
WSAResetEvent
WSASend
WSASendDisconnect
WSASendMsg
WSASendTo
WSASetBlockingHook
WSASetEvent
WSASetLastError
WSASetServiceA
WSASetServiceW
WSASocketA
WSASocketW
WSAStartup
WSAStringToAddressA
WSAStringToAddressW
WSAUnadvertiseProvider
WSAUnhookBlockingHook
WSAWaitForMultipleEvents
WSApSetPostRoutine
WSCDeinstallProvider
WSCDeinstallProvider32
WSCDeinstallProviderEx
WSCEnableNSProvider
WSCEnableNSProvider32
WSCEnumNameSpaceProviders32
WSCEnumNameSpaceProvidersEx32
WSCEnumProtocols
WSCEnumProtocols32
WSCEnumProtocolsEx
WSCGetApplicationCategory
WSCGetApplicationCategoryEx
WSCGetProviderInfo
WSCGetProviderInfo32
WSCGetProviderPath
WSCGetProviderPath32
WSCInstallNameSpace
WSCInstallNameSpace32
WSCInstallNameSpaceEx
WSCInstallNameSpaceEx2
WSCInstallNameSpaceEx32
WSCInstallProvider
WSCInstallProvider64_32
WSCInstallProviderAndChains64_32
WSCInstallProviderEx
WSCSetApplicationCategory
WSCSetApplicationCategoryEx
WSCSetProviderInfo
WSCSetProviderInfo32
WSCUnInstallNameSpace
WSCUnInstallNameSpace32
WSCUnInstallNameSpaceEx2
WSCUpdateProvider
WSCUpdateProvider32
WSCUpdateProviderEx
WSCWriteNameSpaceOrder
WSCWriteNameSpaceOrder32
WSCWriteProviderOrder
WSCWriteProviderOrder32
WSCWriteProviderOrderEx
WahCloseApcHelper
WahCloseHandleHelper
WahCloseNotificationHandleHelper
WahCloseSocketHandle
WahCloseThread
WahCompleteRequest
WahCreateHandleContextTable
WahCreateNotificationHandle
WahCreateSocketHandle
WahDestroyHandleContextTable
WahDisableNonIFSHandleSupport
WahEnableNonIFSHandleSupport
WahEnumerateHandleContexts
WahInsertHandleContext
WahNotifyAllProcesses
WahOpenApcHelper
WahOpenCurrentThread
WahOpenHandleHelper
WahOpenNotificationHandleHelper
WahQueueUserApc
WahReferenceContextByHandle
WahRemoveHandleContext
WahWaitForNotification
WahWriteLSPEvent
__WSAFDIsSet
accept
bind
closesocket
connect
freeaddrinfo
getaddrinfo
gethostbyaddr
gethostbyname
gethostname
getnameinfo
getpeername
getprotobyname
getprotobynumber
getservbyname
getservbyport
getsockname
getsockopt
htonl
htons
inet_addr
inet_ntoa
inet_ntop
inet_pton
ioctlsocket
listen
ntohl
ntohs
recv
recvfrom
select
send
sendto
setsockopt
shutdown
socket

Sections

.text
Size: 257KB - Virtual size: 256KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.wpp_sf
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 144B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 69KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 336B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6eee61ef7874aa59d1a3452c72e61d5c

Code Sign

33:00:00:02:29:e8:93:3c:c4:14:fa:f5:7c:00:00:00:00:02:29Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

f7:2d:ea:1b:f4:f8:16:43:1e:00:85:04:2e:19:2d:10:3a:fa:8a:63:4d:7e:d1:9c:5b:34:56:d8:d9:00:08:5eSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-core-crt-l1-1-0

api-ms-win-core-crt-l2-1-0

ntdll

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-security-base-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-wow64-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-util-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

rpcrt4

api-ms-win-core-debug-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-apiquery-l1-1-0

Exports

Exports

Sections

.text Size: 257KB - Virtual size: 256KB

.wpp_sf Size: 12KB - Virtual size: 11KB

.rdata Size: 51KB - Virtual size: 51KB

.data Size: 512B - Virtual size: 2KB

.pdata Size: 12KB - Virtual size: 12KB

.didat Size: 512B - Virtual size: 144B

.rsrc Size: 69KB - Virtual size: 68KB

.reloc Size: 512B - Virtual size: 336B

33:00:00:02:29:e8:93:3c:c4:14:fa:f5:7c:00:00:00:00:02:29
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

f7:2d:ea:1b:f4:f8:16:43:1e:00:85:04:2e:19:2d:10:3a:fa:8a:63:4d:7e:d1:9c:5b:34:56:d8:d9:00:08:5e
Signer

.text
Size: 257KB - Virtual size: 256KB

.wpp_sf
Size: 12KB - Virtual size: 11KB

.rdata
Size: 51KB - Virtual size: 51KB

.data
Size: 512B - Virtual size: 2KB

.pdata
Size: 12KB - Virtual size: 12KB

.didat
Size: 512B - Virtual size: 144B

.rsrc
Size: 69KB - Virtual size: 68KB

.reloc
Size: 512B - Virtual size: 336B