els[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

els.dll
Size

176KB
MD5

70e99aa8bd30df66fe30444d161f3fc1
SHA1

4bb71e0e0766c0b8cd6495d269b63ed18ef94eea
SHA256

6a408da7aaae823c1706c3a1b20e186551a375f13c465aeb9386e347b942a14f
SHA512

e89899d3a09289d6eb9d8115062d269bc45f65907b84daaf9649be95e3bf82c46e386f0fde4828acc7665dcee3b53c396aea68bf9d2f836332e1022aa85ddc6e
SSDEEP

3072:c+5m+jGgnLpi4Uai1EqyHoQi1pP9P3XztFVXsuc6C5t/gr5liAb:c+5mBg4XaiLyIr1F9tFV8v6CMoAb

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
els.dll

Files

els.dll
.dll regsvr32 windows:10 windows x86 arch:x86

01c8f9596f05c5c278ae9a319296e313

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

els.pdb

Imports

msvcrt

swprintf_s
wcschr
_wcsupr
_snwprintf_s
wcsncpy_s
_wcsicmp
_vsnwprintf
wcscpy_s
wcsncmp
malloc
wcstoul
free
wcscat_s
qsort
_wcslwr
wcsspn
_vsnwprintf_s
towlower
_callnewh
__CxxFrameHandler3
??0exception@@QAE@ABQBD@Z
_wcsnicmp
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
?what@exception@@UBEPBDXZ
_CxxThrowException
memcpy
memmove
_XcptFilter
_amsg_exit
_initterm
_lock
_unlock
__dllonexit
_onexit
?terminate@@YAXXZ
_except_handler4_common
??1type_info@@UAE@XZ
memcmp
wcspbrk
??_V@YAXPAX@Z
_purecall
??3@YAXPAX@Z
??0exception@@QAE@ABQBDH@Z
wcsstr
_ultow
wcsrchr
_itow
memset

ntdll

RtlLengthSid
RtlTimeToSecondsSince1970
RtlSecondsSince1970ToTime

advapi32

RegEnumKeyExW
RegSetValueExW
EqualSid
RegQueryValueExW
RegDeleteValueW
RegDeleteKeyW
RegConnectRegistryW
RegCreateKeyExW
IsValidSid
ReadEventLogW
OpenEventLogW
OpenBackupEventLogW
GetOldestEventLogRecord
GetNumberOfEventLogRecords
CloseEventLog
ClearEventLogW
BackupEventLogW
ConvertStringSidToSidW
GetLengthSid
LookupAccountSidW
RegCloseKey
RegOpenKeyExW
RegGetValueW

kernel32

LoadLibraryExW
GetFileAttributesExW
DeleteFileW
GetCommandLineW
CreateFileW
GetSystemDirectoryW
CloseHandle
CreateThread
GetLocalTime
GetWindowsDirectoryW
WideCharToMultiByte
HeapFree
GetProcessHeap
GetFileSize
GetTimeZoneInformation
GetCurrentThreadId
Sleep
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetDateFormatW
GetTimeFormatW
GetDriveTypeW
FileTimeToLocalFileTime
FileTimeToSystemTime
LocalFileTimeToFileTime
SystemTimeToFileTime
LeaveCriticalSection
HeapAlloc
GetComputerNameW
WriteFile
GetLastError
lstrcmpiW
lstrlenW
LocalFree
lstrcmpW
ExpandEnvironmentStringsW
FormatMessageW
FreeLibrary
SetLastError
GetModuleHandleA
GetModuleHandleW
GetProcAddress
LoadLibraryA
LoadLibraryW
GetModuleFileNameW
OutputDebugStringA
GlobalFree
GetSystemWindowsDirectoryW
GlobalAlloc
GlobalLock
GlobalUnlock
GetLocaleInfoW
LocalAlloc
GetTickCount
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
DisableThreadLibraryCalls

user32

CreateWindowExW
EnumThreadWindows
GetClassNameW
IsWindowEnabled
LoadIconW
LoadBitmapW
LoadImageW
SetForegroundWindow
RegisterClipboardFormatW
SendMessageW
GetDlgItem
SetWindowPos
GetParent
FindWindowExW
SetWindowLongW
GetWindowTextW
SetWindowTextW
GetDlgItemTextW
LoadCursorW
SetCursor
DestroyIcon
GetSysColor
CheckRadioButton
GetWindowRect
GetDC
ReleaseDC
GetSystemMetrics
EnableWindow
PostMessageW
OpenClipboard
EmptyClipboard
IsDlgButtonChecked
SetClipboardData
CloseClipboard
ShowWindow
SetDlgItemTextW
GetFocus
SetFocus
MessageBoxW
DialogBoxParamW
CreateDialogParamW
WinHelpW
DestroyWindow
GetClientRect
EndDialog
CharLowerBuffW
GetWindow
GetMessageW
IsDialogMessageW
TranslateMessage
DispatchMessageW
CheckDlgButton
PostQuitMessage
GetWindowTextLengthW
SetDlgItemInt
GetDlgItemInt
LoadStringW
RegisterClassW
GetWindowLongW
DefWindowProcW

gdi32

GetObjectW
GetTextMetricsW
SetMapMode
GetMapMode
DeleteObject
CreateFontIndirectW

ole32

ObjectStublessClient6
ObjectStublessClient5
ObjectStublessClient4
ObjectStublessClient3
CoCreateInstance
ReleaseStgMedium
CoUninitialize
CoInitialize
IIDFromString
CoGetInterfaceAndReleaseStream
CreateStreamOnHGlobal
CoTaskMemAlloc
CoMarshalInterThreadInterfaceInStream
ObjectStublessClient7

rpcrt4

CStdStubBuffer_Connect
IUnknown_QueryInterface_Proxy
CStdStubBuffer_Disconnect
CStdStubBuffer_DebugServerRelease
NdrOleAllocate
CStdStubBuffer_QueryInterface
CStdStubBuffer_CountRefs
CStdStubBuffer_IsIIDSupported
IUnknown_Release_Proxy
NdrOleFree
CStdStubBuffer_DebugServerQueryInterface
IUnknown_AddRef_Proxy
CStdStubBuffer_Invoke
NdrCStdStubBuffer_Release
NdrDllCanUnloadNow
NdrDllGetClassObject
CStdStubBuffer_AddRef

netutils

NetpwNameValidate
NetpwNameCanonicalize
NetApiBufferFree

dsrole

DsRoleGetPrimaryDomainInformation
DsRoleFreeMemory

logoncli

DsGetDcNameW

srvcli

NetShareGetInfo

wkscli

NetWkstaGetInfo

shlwapi

PathRemoveBlanksW
PathCombineW
wnsprintfW

shell32

CommandLineToArgvW
ShellExecuteW

ntdsapi

DsBindW
DsCrackNamesW
DsFreeSchemaGuidMapW
DsMapSchemaGuidsW
DsUnBindW
DsFreeNameResultW

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

activeds

ord15
ord20
ord9

mpr

WNetGetUniversalNameW

wintrust

WTGetSignatureInfo

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 138KB - Virtual size: 137KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

01c8f9596f05c5c278ae9a319296e313

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

advapi32

kernel32

user32

gdi32

ole32

rpcrt4

netutils

dsrole

logoncli

srvcli

wkscli

shlwapi

shell32

ntdsapi

version

activeds

mpr

wintrust

Exports

Exports

Sections

.text Size: 138KB - Virtual size: 137KB

.data Size: 2KB - Virtual size: 10KB

.idata Size: 8KB - Virtual size: 7KB

.rsrc Size: 19KB - Virtual size: 19KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 138KB - Virtual size: 137KB

.data
Size: 2KB - Virtual size: 10KB

.idata
Size: 8KB - Virtual size: 7KB

.rsrc
Size: 19KB - Virtual size: 19KB

.reloc
Size: 8KB - Virtual size: 7KB